Tech & Sourcing @ Morgan Lewis


A significant fine imposed by the UK’s Financial Conduct Authority (FCA) on an established UK insurer is further evidence of the increased scrutiny being placed on outsourcing arrangements by the financial services regulator, and also of the importance the regulator places on issues that directly impact retail customers.

The FCA is the UK’s “conduct” regulator, with a focus primarily on the regular business conduct of financial services businesses, as compared to the “macro” focus (safety and soundness) of the Prudential Regulation Authority (PRA) – although there is overlap between the stated remits of the FCA and the PRA, and outsourcing arrangements are subject to scrutiny by both bodies.

A Final Notice was issued by the FCA on 30 October 2018, imposing a fine of £5.2 million (about $6.7 million) on the insurer, a significant fine but still several million pounds less than some of the highest fines issued by the FCA for similar infringements. To place this fine into further context, it follows over £3 million (about $3.7 million) of redress payments made by the insurer to customers who were affected by a third-party arrangement which outsourced all administrative functions associated with the provision of mobile phone insurance on the insurer's behalf, including claims and complaints handling.

The FCA found that the insurer was in breach of two principles (Management and Control, and Customers’ Interests) of the Principles for Businesses within the FCA Handbook, as well as a specific control and certain industry-specific obligations. The FCA stated that the insurer had, amongst other failures, not adequately assessed the third party’s delivery model and the processes and procedures that the party had in place for claims and complaints handling, and that the insurer failed to implement and maintain adequate measures to monitor the third party’s performance.

The rationale for the decision, derived from the FCA’s investigation, makes interesting reading. It reveals that the insurer had undertaken what could be described as fairly substantial oversight, including through its internal audit and compliance functions, so this was not an arrangement that was completely neglected or to which the insurer was completely blind. However, the FCA clearly found this oversight activity to be inadequate.

In the report, the FCA highlights “The breaches caused a risk of loss to individual consumers” as the first factor in assessing the seriousness of the breach, along with the systemic weaknesses in the insurer's procedures, systems, and controls relating to the third-party relationship. It is this first factor, of the direct effect on retail customers, that we suggest is the key factor behind the investigation and the size of the fine. The FCA’s enforcement actions with respect to outsourcing arrangements are still relatively infrequent. However, if you are a financial services business regulated in the United Kingdom and you have outsourced functions which would have a direct or indirect effect on retail customers if things go wrong, then you must place significant emphasis on ensuring that, through your contract and conduct, you actually and effectively oversee, understand, and, if necessary, change the performance of the third-party outsource provider.