Regulators increasingly want to know how firms manage the outsourcers and partners that deliver their digital, automation and analytics services, and the revised outsourcing rules will change the relationship between MGAs and their insurers. In this article, first published in Insurance Day, GreenKite CEO Sara Ager sets out the issues and provides practical next steps.
First published on https://insuranceday.maritimeintelligence.informa.com/ 18th January 2022
The risk management of third-party suppliers and outsourcing is changing, with increased focus on due diligence and control testing.
The insurance industry is going through a period of seismic change driven by digitalisation, changing customer expectations, new business models and disruption caused by the global pandemic. Regulators are evolving in response to these changes to ensure operational resilience.
As the move to digital solutions, automation and analytics accelerates, firms are relying more heavily on outsourcers and partners to provide these specialised services and regulators want to know how they manage their providers.
In July 2021 the Financial Conduct Authority issued further guidance on outsourcing, third-party risk management and data security requirements. The guidelines require firms to manage and control their business responsibly, effectively and with adequate risk management systems.
This risk management framework covers the delivery of the services a firm needs in order to remain authorised, and the identification and management of risk throughout the life cycle of a third-party arrangement.
Under the regulations, the resilience of a business depends on its service providers and on how requirements are passed down the chain, from the insurer to the managing general agents (MGAs), brokers, distribution partners and aggregator sites. It is now the firm's responsibility to satisfy itself that service providers are resilient before using them, and to keep interrogating them throughout the partnership.
The revised regulations will have an impact on MGAs and the relationship they have with insurers.
Assessments are likely to be more onerous and due diligence more detailed, with ongoing updates, and there will be more emphasis on operational resilience, business continuity, contingency planning and disaster recovery. Written agreements will need to cover data security, business continuity, exit plans and the provider's solvency.
MGAs will also be expected to demonstrate their own suppliers’ compliance.
It has always been good business practice to undertake due diligence on third-party suppliers, but the emphasis has shifted from auditing them once a year to making sure they understand your business on an ongoing basis. That might mean going back to them whenever new regulations are introduced.
The more stringent regulations can only strengthen the partnership between an insurer and the MGA to which it gives underwriting authority.
Choosing the right partner means checking that they have an established track record and compare well with their peers; that they allow oversight so the effectiveness of their controls can be monitored; and that potential disruption events have been identified. It also means they can show evidence of operational resilience and experience in the sector, and that they allow access to customers.
They must also demonstrate the ability to grow as you grow and be able to handle peaks and troughs in demand and service.
All outsourced partners should be able to offer partner firms flexibility and scalability, free up the in-house team to service business as usual, support new ways of interacting with customers, and manage functions such as compliance, regulatory change and reporting.
But what if arrangements are already in place with third-party suppliers? In that case, each arrangement should be reviewed to assess the materiality and criticality of the services being outsourced, and each service should be reviewed to confirm it is suitable for outsourcing. Ask: "Is it an important business service? Was due diligence of the provider undertaken?" If not, request further information.
There should be a written agreement identifying what services can be sub-delegated and what the requirements are to sub-delegate. Reviews should be undertaken of data requirements and provisioning agreements; the solvency of any supplier; your own business continuity and contingency exit strategy; and outsourcing
If they are not already in place, set up a monitoring programme and a communication plan with the third party. Ensure outsourced services appear on the firm's risk register with appropriate controls and reporting, and ensure every provider has a named owner.
The new regulations will mean a great deal of work, especially for smaller companies, but it is vital to comply with them by two key dates.
By March 31, 2022, the rules set out for operational testing become mandatory.
Here are the key steps that should be carried out to meet the regulatory requirements effectively. Firms should:
- Identify important business services (IBS);
- Develop impact tolerances for IBS;
- Map the key resources that support each IBS (including material third parties);
- Identify vulnerabilities;
- Design severe but plausible scenarios;
- Test the scenarios;
- Develop internal and external communication plans;
- Identify goals and lessons learned; and
- Produce a first self-assessment document.
And by March 31, 2025 at the latest, and ideally well before then, firms must have more sophisticated mapping and testing in place and be able to remain consistently within their impact tolerances.
Good business practices have now become enshrined in regulation, and I believe in the future more business practices will follow suit.
The industry and its regulators are ceasing to view compliance as a tick-box exercise involving a separate team. To be compliant today requires a change of mindset and for the whole business to be involved.
The new regulations will mean a lot more work, especially for small businesses, but they will benefit the industry and strengthen customer confidence, as well as trust between companies, their suppliers and the regulator, by limiting the number of unprofitable or risky businesses.