This post was first published on our Digital TMT and Sourcing Notes blog.
On 4 March 2020, the FCA published a short set of findings from its review of outsourcing in the UK life insurance sector. Despite the review’s narrow scope, the FCA’s findings are readily applicable to other outsourcing contexts, so regulated firms outside the life insurance sector should be aware of them. The FCA has tied this review in with its current focus on the operational resilience of regulated firms and the customer impacts caused by disruptions.
The FCA’s findings do not break new ground or offer hard solutions. They instead reinforce the good practice steps that the FCA expects any responsible regulated firm to be taking in its outsourcing of services and functions. The FCA’s findings focus on firms’ ongoing operational management and governance of their outsourcing arrangements. This is a good reminder that the focus of regulators is on the operational steps taken by a firm to implement contracts with outsourced service providers: whilst the content of the contract is important, it must be seen as but one part of the overall outsourcing lifecycle.
Key takeaways for regulated firms
- Exit and transition out plans should actually explain what steps will be taken to exit and also migrate the outsourced services and functions. Regulated firms should consider and cover all exit scenarios in their exit plans, including unplanned exits.
- Business continuity planning, testing and readiness need to involve both the customer and the outsourced service provider, and both parties’ business continuity plans need to be reviewed and tested.
- Regulated firms should ensure that the management information they receive from their outsourced service providers is of sufficient quality to allow those firms to take timely steps to address issues as they arise, including to address the customer impacts connected with those issues.
- Regulated firms need to factor in the customer impacts and ensure customer fair treatment as part of the oversight and control of outsourcing arrangements. The FCA considers customer impacts to be integral to oversight and control.
The FCA’s review
The FCA’s findings are published here. The FCA’s review sets out its findings in summary form and provides some observations of what it considers to be good and poor practices.
|Exit plans||Some exit plans lacked detail, making it impossible to understand how important elements of exit would in fact be carried out in practice. Some exit plans only focused on planned exits and ignored the possibility of sudden, unexpected exits due to termination or insolvency. Exit plans did not always contemplate the migration and transfer of outsourced services and functions, just their exit from the current outsourced service provider.||Encouragement for firms to consider unplanned exits links back to the FCA’s observation that there is a concerning reliance on a limited number of outsourced service providers servicing the UK life insurance sector. This concern applies to other regulated sectors too and the FCA and other regulators are looking at this closely throughout 2020 as part of their focus on operational resilience. See our earlier post on this here. There is little firms can do to address a concentration among suppliers in the market. But there are practical steps that can be taken, such as identifying likely alternative outsourced service providers, ensuring that data can be readily separated and transferred, and limiting the use of provider-specific IT tools and processes.|
|Business continuity planning||A firm which relies on the systems of an outsourced service provider to perform services and functions needs to rely on the provider’s business continuity plan and procedures in respect of those systems, so the firm should satisfy itself (through testing) that such a plan and procedures are robust enough.||In practice this can be challenging for a firm. Outsourced service providers understandably may not wish to reveal the full details of their business continuity plans and procedures to preserve the confidential information of their other customers. One example of good practice identified by the FCA involved testing being carried out by a qualified third party as a way to overcome this challenge.|
|Governance and management information||Governance and management of outsourced services and functions should not focus solely on operational performance, but should also consider the outcomes for a firm’s customers as an integral part of a firm’s control over these outsourced services and functions. A firm needs to ensure that it receives adequate management information from its outsourced services provider which is actionable. The firm then needs to take timely and effective remedial steps to address any operational, compliance or customer-affecting issues, based on that management information. Firms should have in place a clear governance structure to facilitate timely and effective remediation of issues identified. An example of good practice identified by the FCA included joint forums between the firm and the outsourced service provider, with appropriate upwards reporting lines including to the boards of the entities as necessary.||The FCA’s findings on governance and management also note the operational steps that firms should take beyond simply having a formal framework. The FCA’s observations illustrate how governance forums should in fact work in practice by: addressing issues within their terms of reference; escalating matters where appropriate; and, importantly, keeping a record of issues raised and any action taken in response.|