Systems and controls changes for insurance intermediaries

Out-Law Guide | 20 Nov 2008 | 2:31 pm | 6 min. read

This guide is based on UK law. It was last updated on 20th November 2008.

From 1st April 2009, insurance intermediaries in the UK will be subject to new rules and guidance on outsourcing and managing conflicts of interest.

The Financial Services Authority (FSA) is extending to so-called "non-scope" firms the common platform of high-level rules and guidance on organisation, systems and controls that currently apply to investment firms and credit institutions subject to the Markets in Financial Instruments Directive (MiFID) and the Capital Requirements Directive.

The extension does not apply to insurers or to Lloyd's, who will be covered as part of the FSA's work in implementing the new European solvency regime, Solvency II.

Many of the other provisions in the common platform already apply to non-scope firms, in which case they will simply be moved to a different chapter in the systems and controls (SYSC) section of the FSA's Handbook. In some areas, however, more detailed guidance has been added.

Announcing its final rules in September 2008, the FSA said its aim was to maintain "a consistent and flexible framework of standards".

"Apart from outsourcing and conflicts of interest, which are largely new to non-scope firms, the guidance in the common platform should give non-scope firms more certainty, not less, since it contains more detail … on what they might do to meet the few high-level rules."

Outsourcing

Outsourcing arrangements bring with them increased operational risk. By delegating tasks it would normally undertake itself, a firm could potentially transfer responsibility for risk, management and compliance to a third party who may not be subject to the same level of regulation.

To address this, extensive outsourcing guidelines already apply to many types of firm. For insurance intermediaries, however, current guidance is minimal. They are simply reminded that they cannot contract out of their regulatory responsibilities by outsourcing their functions.

This stems from the Principle 3 requirement in the FSA Handbook that a firm take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.

The FSA now wants all firms to be subject to the same standards when outsourcing and these are set out in SYSC 8.

The new provisions, however, will not apply to existing outsourcing agreements. Nor do they apply to insurers, who will continue to abide by their own (broadly similar) guidance until after implementation of Solvency II.

Critical functions

As from April 2009, it will be a rule that, where a firm outsources "critical or important" operational functions or any of its regulated activities, it remains fully responsible for discharging all its regulatory obligations.

A function is critical or important if a defect or failure would materially impair the firm's continuing compliance with its regulatory obligations, its financial performance, or the soundness or continuity of its regulated activities.

What is critical or important will vary from firm to firm. The guidance gives examples of things which will not be regarded as critical, such as training, billing and security. Services provided to the firm which do not form part of its regulated activities and information services that are standardised across the market are also on the non-critical list.

Avoiding undue risk

New guidance provides that firms outsourcing such functions should take reasonable steps to avoid undue operational risk. Firms should exercise due skill and care when outsourcing and take steps appropriate to the particular outsourcing contract to ensure a number of conditions are satisfied.

These include: making sure the provider has the ability (and any necessary authorisation) to provide the service, supervising the outsourced functions, assessing performance and taking action if the provider falls short of the required standards.

The provider should disclose anything that may prevent it carrying out its duties effectively and the outsourcing firm should be able to terminate the arrangement without damaging the service it provides its own clients.

The provider should also be required to protect confidential information about the outsourcing firm and its clients. And all the respective rights and obligations of the parties should be set out in a written agreement.

Where necessary, a disaster recovery plan should be set up and back-up facilities periodically tested.

In addition, the firm, its auditors and the FSA should have access to data related to the outsourced activities and to the provider's business premises. Firms should be in a position to provide the FSA, on request, with information on their supervision of the outsourcing arrangements.

Conflicts of interest

Insurance intermediaries are already subject to Principle 8, which requires them to manage conflicts of interest fairly, both between themselves and their customers, and between customers.

In addition, the Insurance Conduct of Business Sourcebook includes specific guidance on managing conflicts of interest in relation to inducements. Informal guidance on conflicts of interest generally has also been published by the FSA, the Association of British Insurers and the British Insurance Brokers Association.

As with outsourcing, however, the FSA wants one set of provisions to apply to all firms. These are set out in SYSC 10.

"We do not expect our proposal to result in significant changes in firms' behaviour," the FSA states in its policy paper, "with the possible exception of the degree in which firms may rely on disclosure as a means of managing conflicts of interest".

Identifying conflicts

A new rule provides that firms must take all reasonable steps to identify conflicts of interest between the firm (or a "relevant person," such as the directors, partners, appointed representatives and employees of the firm or of its appointed representatives) and a client, and between clients.

Another new rule says firms must have in place effective organisational and administrative arrangements with a view to taking all reasonable steps to prevent conflicts of interest from giving rise to a material risk of damage to its clients' interests.

The guidance helps firms identify such conflicts and sets out a list of what they should take into account, as a minimum.

The warning signs include whether the firm or a relevant person is likely to make a financial gain at the client's expense, has a vested interest in the outcome of a transaction, has an incentive to favour one client over another, or will receive an inducement other than a standard commission or fee for the service.

This last proviso exonerates standard commissions and fees from being treated as inducements. But it may raise issues as to what is "standard".

Disclosure

A new rule provides that, before undertaking business for a client, firms must disclose to that client conflicts which have not been adequately managed (in that the firm cannot be reasonably confident that any risk of damage to the client's interest has been prevented).

This disclosure must include enough detail to enable the client to make an informed decision. A special concession for insurance intermediaries means that it need not be given in a durable medium, since many insurance sales are carried out by telephone.

But firms are specifically warned not to over-rely on disclosure as a way of avoiding managing conflicts of interest appropriately.

Conflicts policy

SYSC 10 also sets out detailed guidance on setting up an effective conflicts policy appropriate to the firm and its business. The policy should identify circumstances where conflicts are likely to arise and specify procedures and measures to manage such situations.

Examples given include establishing "Chinese walls" to prevent the exchange of information between relevant persons where this may harm clients' interests and removing direct links between the remuneration of relevant persons engaged in activities where a conflict of interest might arise.

Firms should also keep records of circumstances where conflicts have arisen or might arise.

ICOBS

The new rules and guidance on conflicts will sit alongside ICOBS, although there is one consequential amendment to the claims handling provisions in ICOBS 8.

Previous guidance for intermediaries on managing conflicts through disclosure and client consent has been withdrawn. The amended version provides that, where it is not possible to manage a conflict of interest, intermediaries should consider whether declining to act would be the most reasonable step to take.

Other provisions

Most of the remaining provisions in the common platform already apply to insurance intermediaries in substantially similar form. There are, however, a few relatively minor changes.

Organisational requirements

SYSC 4 sets out new guidance for intermediaries on their business continuity policies and makes some changes to the allocation of responsibility for compliance.

Firms are currently required to appoint one FSA-approved person to allocate responsibility for overseeing systems and controls compliance to the firm's directors and senior managers.

This will continue to apply to "secondary" insurance intermediaries (those whose main purpose is to carry on activities other than regulated activities). But for other insurance intermediaries, responsibility for regulatory compliance will be shared by the firm's senior management collectively.

Segregation of duties

SYSC 5 extends existing guidance for intermediaries on the segregation of duties, setting out the benefits of segregation and which duties should be segregated. 

The guidance identifies four functions (the authority to initiate a transaction, bind the firm, make payments and account for it) that should not normally rest in the same person.

Firms should also ensure that all relevant persons are aware of their procedures and that these procedures are regularly monitored and evaluated. If a firm has too few staff to be able fully to segregate, it will need to have adequate compensating controls in place, such as regular reviews by senior managers.

Although some of this will be new for insurance intermediaries, the FSA believes most of it is implicit anyway from existing requirements and that it will not result in any change in market behaviours.
