Is insurance the new banking? Part 2: outsourcing issues

This series of articles explores the extent to which the general insurance (“GI”) market has recently become a primary target of regulators’ activities, or is merely the ‘collateral’ victim of banking regulation.

Our previous article considered the context for the implementation of the ‘Senior Managers & Certification Regime’ (“SMCR”), and in particular its incremental application to the GI intermediary market. The article compared regulatory pronouncements about GI in 2002-2004 with findings from April 2019’s Thematic Review (TR 19/2) on the “General insurance Distribution Chain” by the Financial Conduct Authority (“FCA”).

This article considers recent regulatory publications as to problems with outsourcing in the banking and GI industries, and in which industry are participants running the greater risks of regulatory enforcement in its approach to outsourcing (also referred to as ‘delegation’ or ‘sub-contracting’).

On 29 May 2019 Raphael & Sons PLC, a bank, was fined an aggregate £1.89m by the FCA and Prudential Regulation Authority (“PRA”) for failings in relation to its outsourcing of certain functions for its ‘pre-paid’/‘charge’ card operations (eg for payments of wages in lieu of bank account transfers, or gift cards).

The operations involved a process whereby the facilitation and management of transactions and balances, including payments made by customers via charge cards, were sub-contracted by Raphaels to ‘Card Programme Managers’ (“CPMs”) via ‘(CPM) Agreements’(“CPMAs”), and CPMs in turn sub-contracted payment authorisations and transaction reporting to ‘(card) Processors’ via IT Service Contracts (“ISCs”).

Raphaels contracted with Processors directly to the extent of a ‘Compliance Agreement’ that allowed Raphaels to issue instructions in particular circumstances (eg that the Processor decline a transaction if a CPM breached its sub-contract with Raphaels). However, there was –

• no effective alignment between (i) Raphaels’ risk management systems (eg risk profile analysis and risk appetite statement) and (ii) the terms of CPMs and ISCs, and
• no effective methodology (e.g. due diligence, monitoring) to do so.

In particular, there was no alignment of respective business continuity/disaster recovery plans/policies (“BCP”). CPMAs did not substantively provide for the alignment of CPMs’ (and their Processors’) BCPs with Raphaels’ own.

The 2019 fine related to an 8-hour IT outage at a Processor from December 2015 as a result of which 3,367 Raphaels customers were unable to use their charge cards to make payments or check balances; 5,356 attempted transactions, with an aggregate value of £558,400, were declined (the “Outage”). The Outage followed a similar incident at the same Processor in April 2014 which Raphaels failed to investigate and learn from effectively.

The FCA/PRA made particular note of a Final Notice against Raphaels in 2015 in respect of outsourcing management failures between 2006 and 2014, and that after the Outage Raphaels –

• appointed a new senior management – including compliance – team,
• commissioned a skilled persons report, and
• implemented a remediation plan.

What lessons might be learned from the above as to the GI industry’s approach to outsourcing?

Our previous article considered the FCA’s perspective on such approach. This perspective is informed by thematic reviews the FCA undertook contemporaneously with the circumstances underlying the fines against Raphaels: ‘Delegated authority: Outsourcing in the general insurance market’ (TR15/7) and ‘Principals and their appointed representatives in the general insurance sector’ (TR16/6).

These reviews were referred to in TR19/2, in particular in the following text:

“Our work on the GI distribution chain has revealed the extent to which many [emphasis added] firms have failed to respond sufficiently to our previous work and interventions … While we have seen some progress in the governance and controls around [outsourcing] … we often encountered a lack of customer focus or consideration of value. This was both in deciding what activities to undertake, who to partner with and what products to sell/distribute; as well as in the systems, controls frameworks, monitoring and MI …”

An example intervention given in TR19/2 is: “Liberty Mutual Insurance Europe SE (‘Liberty’) [being fined] over £5m (post reduction for early settlement) in October 2018 [following] an Enforcement action [for] failings in claims handling in a GI distribution chain.”

The final notice for Liberty (the “LFN”) included the following finding with clear parallels with findings as to Raphaels: “Liberty did not undertake an adequate risk assessment, review or adequately plan for ongoing monitoring before the commencement of the arrangement to ensure that the [outsourced mobile phone insurance distributor – the “Third Party”] would administer claims and complaints on Liberty’s behalf in a way which would ensure that Liberty complied with its regulatory obligations.”

For understanding the FCA’s perspective on GI outsourcing, it is notable that the LFN explained that:

• after the FCA’s 2013 Thematic Review, Mobile phone insurance – ensuring a fair deal for consumers (TR 13/2), Liberty began a detailed investigation into the Third Party’s claims/complaints handling;
• Liberty’s Audit Committee asked its compliance function to undertake increased engagement with the Third Party, but the compliance function was “‘entirely reliant’ on information being provided by the Third Party” in reaching judgments that “the Third Party was ‘professional and well run’”;
• moreover, the Audit Committee reported to the Board that: “the ‘slim margins on the [the Third Party] business’ meant that Liberty would have to put ‘a lot of [compliance] effort into an arrangement where they don’t make much money or any money back from it.’”

The LFN does not record what the Board’s response the above report was or any analysis and decision-making by Liberty on risk/cost benefits: the LFN is open to the inference that Liberty was willing to underwrite a book of business where it was unclear how compliant the handling of the book was.

The handling – and especially the payment – of claims on GI products is of course the crucible for ascertaining their value from the (potentially) different perspectives of insurers, intermediaries, customers, the FCA and the PRA. Differences in perspective arise from the GI market’s wish to maintain profitability and capital, which claims payments inevitably reduce.

Profitability considerations are also a key factor in other regulatory yardsticks for value:

• relative or ‘differential’ pricing between –
  • versions of a product which share essentially the same risk mitigant effects and/or
  • different customers that share essentially the same risk profile; and
• composition of gross premium, especially customer service value as a component of that premium.

As TR19/2 puts it: “Customers may pay substantially more for a product which delivers no additional benefits compared to alternative, less expensive products available in the market … This could occur when a firm distributes the product to customers outside the target market or due to conflicts of interest in a firm’s remuneration structure incentivising it to sell a particular product [or] … customers paying increased prices as a result of remuneration that is paid to firms in the distribution chain who incur little cost or deliver little benefit to customers.”

While differential or ‘dual’ pricing in GI is of course part of a broader set of converging regulatory initiatives by the FCA and Competition and Markets Authority around the ‘loyalty penalty’ faced by customers, including vulnerable customers and the mortgage and savings markets, the FCA has plainly identified that remuneration in outsourcing, alongside value for customers, is inextricably linked, and that failings in these areas are a particular problem for GI.

This article was originally published by Thomson Reuters Regulatory Intelligence on 19 July 2019.