This post was first published on our Digital TMT and Sourcing Notes blog.
On 4 March 2020 the Financial Conduct Authority published a short set of findings from its review of outsourcing in the UK life insurance sector. Despite the review’s narrow scope, the FCA’s findings are readily applicable to other outsourcing contexts, so regulated firms outside the life insurance sector should be aware of these. The FCA has tied in this review with its current focus on the operational resilience of regulated firms and the customer impacts caused by disruptions.
The FCA’s findings do not break new ground or offer hard solutions. They instead reinforce the good practice steps that the FCA expects any responsible regulated firm to be taking in its outsourcing of services and functions. The FCA’s findings focus on firms’ ongoing operational management and governance of their outsourcing arrangements – a good reminder that the focus of regulators is on the operational steps taken by a firm to implement contracts with outsourced service providers – whilst the content of the contract is important, it must be seen as but one part of the overall outsourcing lifecycle.
Key takeaways for regulated firms
- Exit and transition out plans should actually explain what steps will be taken to exit and also migrate the outsourced services and functions. Regulated firms should consider and cover all exit scenarios in their exit plans, including unplanned exits.
- Business continuity planning, testing and readiness needs to involve both the customer and the outsourced service provider and both parties’ business continuity plans need to be reviewed and tested.
- Regulated firms should ensure that the management information they receive from their outsourced service providers is of sufficient quality to allow those firms to take timely steps to address issues as they arise, including to address the customer impacts connected with those issues.
- Regulated firms need to factor in the customer impacts and ensure customer fair treatment as part of the oversight and control of outsourcing arrangements. The FCA considers customer impacts to be integral to oversight and control.
The FCA’s review
The FCA’s findings are published here. The FCA’s review sets out its findings in summary form and provides some observations of what it considers to be good and poor practices.
Encouragement for firms to consider unplanned exits links back to the FCA’s observation that there is a concerning reliance on a limited number of outsourced service providers servicing the UK life insurance sector.
This concern applies to other regulated sectors too and the FCA and other regulators are looking at this closely throughout 2020 as part of their focus on operational resilience. See our earlier post on this here.
There is little firms can do to address a concentration among suppliers in the market. But there are practical steps that can be taken, such as identifying likely alternative outsourced service providers, ensuring that data can be readily separated and transferred, and limiting the use of provider-specific IT tools and processes.
|Business continuity planning||
In practice this can be challenging for a firm. Outsourced service providers understandably may not wish to reveal the full details of their business continuity plans and procedures to preserve the confidential information of their other customers. One example of good practice identified by the FCA involved testing being carried out by a qualified third party as a way to overcome this challenge.
|Governance and management information||
The FCA’s findings on governance and management also note the operational steps that firms should take beyond simply having a formal framework. The FCA’s observations illustrate how governance forums should in fact work in practice by: addressing issues within their terms of reference; escalating matters where appropriate; and, importantly, keeping a record of issues raised and any action taken in response.
>> OPERATIONAL RESILIENCE: OUTSOURCING [UK]