Lloyd's Market Association Bulletin
LMA22-012-SM | 25 March 2022
Outsourcing and Operational Resilience Update
Outsourcing and Third Party Risk Management
Introduction and timeline
The PRA has outlined new, and clarified existing, expectations around outsourcing and third party risk management. This note is intended to summarise the new requirements and advise what the LMA is doing with respect to relevant market agreements. This note is not intended to be an exhaustive summary of the requirements; the full Supervisory Statement can be found at SS2/21.
Managing agents are expected to comply with the expectations in SS2/21 by Thursday 31 March 2022. Outsourcing arrangements entered into on or after Wednesday 31 March 2021 should meet the expectations by 31 March 2022. Managing agents should seek to review and update legacy outsourcing agreements entered into before 31 March 2021 at the first appropriate contractual renewal or revision point as soon as possible on or after 31 March 2022.
The PRA elaborates on its definition of outsourcing, and separately on agreements between firms and third parties which fall outside that definition, which it refers to as third party arrangements. It notes that the latter remain subject to the PRA Fundamental Rules and to its expectations around operational resilience, business continuity, governance and risk management.
It should be noted that managing agents should already have considered much of what is discussed in SS2/21 in their implementation of Solvency II.
The PRA Rulebook defines outsourcing as ‘an arrangement of any form between a firm and a service provider, whether a supervised entity or not, by which that service provider performs a process, a service or an activity, whether directly or by sub-outsourcing, which would otherwise be undertaken by the firm itself’.
It follows that delegated claims handling is outsourcing. However, the PRA states in the final bullet point of paragraph 2.4 that delegated underwriting is NOT considered to be outsourcing.
The PRA expects firms to consider the materiality of all outsourced and third party contracts. Chapter 5 provides commentary on materiality and the way it should be assessed.
All outsourced contracts require a written agreement. For outsourced contracts deemed material, Chapter 6 sets out the minimum terms which should be set out in the agreement.
Chapter 7 sets out the PRA’s expectations around data, including choice of location, storage, security and transfer.
Third party agreements
Third party agreements are defined as any agreement between a firm and a third party which is not an outsourced contract. As stated above, the PRA has clarified that delegated underwriting is NOT outsourcing. Therefore, delegated underwriting agreements are third party arrangements.
The PRA expects a firm to consider the materiality of its third party arrangements using the criteria set out in Chapter 5. Where a firm deems such an arrangement ‘material’ or ‘high risk’, it should implement proportionate, risk-based, suitable controls. The controls do not need to be the same as those applied to outsourcing arrangements. However, the controls should be appropriate to the materiality and risks of the arrangement and as robust as those that would apply to outsourced contracts with equivalent materiality or risk. A firm should apply stricter controls to material third party arrangements than to non-material outsourced contracts.
Chapter 4 deals with governance. The PRA reiterates that boards and senior management, in particular individuals performing SMFs, cannot outsource their responsibilities. The PRA goes on to state that boards should:
- set ‘the control environment throughout the firm, including the appetite and tolerance levels in respect of outsourcing’ and third party risk management;
- ‘bear responsibility for the effective management of all risks to which the firm is exposed’, including by:
- appropriately ‘identifying and [having an] understanding of the firm’s reliance on critical service providers’; and
- ensuring that the firm has ‘(from board level downwards) appropriate and effective risk management systems and strategies in place to deal with outsourced service providers’.
The PRA requires managing agents to allocate responsibility for a firm’s regulatory obligations in relation to outsourcing to an SMF. The PRA’s expectation (though not mandatory) is that the outsourcing responsibility will be assigned to the COO (SMF24) if the managing agent has one.
Firms should meet the expectations in this SS in a manner appropriate to: their size and internal organisation; the nature, scope, and complexity of their activities; and the criticality or importance of the outsourced function, in line with the principle of proportionality.
However, there are certain requirements which must be met regardless of proportionality including:
- a written outsourcing policy, approved by the Board
- allocation of regulatory responsibility for outsourcing to an SMF
- maintenance of appropriate operational resilience frameworks and business continuity plans and
- appropriate record keeping.
LMA model agreements
The LMA has reviewed its model Delegated Claims Agreement (LMA9188) against SS2/21.
We consider the LMA9188 is fit for purpose as an outsourced contract for managing agents to use with most outsourced claims handling companies. The provisions of LMA9188 have been reviewed against the provisions required for a material outsourced contract as set out in Chapter 6 of SS2/21. The areas that may need to be amended depending on the materiality of the contract are:
- Geographical restrictions regarding where the services may be performed.
- Specific IT security provisions (considering proportionality and materiality).
We do not intend to amend LMA9188 to be more prescriptive as it will often be used for non-material claims handling contracts.
We have not reviewed LMA3133 as it would be considered a third party arrangement and the appropriateness of the agreement should be determined by the managing agent in light of the materiality of the delegated underwriting agreement taking a proportionate approach.
This is the position for London firms. Regulators in the EU have different approaches, so for instance LIC may take a different view of the outsourcing (and materiality) under the LIC operating model.
Actions for managing agents
Managing agents should ensure they are familiar with the requirements and expectations set out in SS2/21. As stated above, many of the elements discussed in SS2/21 will have been considered in managing agents’ implementation of Solvency II.
However, managing agents should:
- Review the appropriateness of their written outsourcing policy.
- Ensure the policy has been approved by the Board and is subject to regular review.
- Consider the materiality of their outsourced contracts and third party agreements.
- Ensure material outsourced contracts meet the requirements set out in Chapter 6 of SS2/21.
- If using LMA9188 for delegated claims agreements, consider which agreements are material and consider strengthening the agreement if appropriate (including consideration of the two aspects noted above: geographical restrictions and specific IT security provisions).
- Ensure material third party agreements (including material binding authority agreements) contain appropriate provisions.
- Ensure that they have appointed an SMF responsible for outsourced activity.
Operational Resilience Update from the FCA and PRA
The regulators have reiterated comments previously made that, as this is principles-based regulation, there will naturally be an evolution of implementation. The FCA appreciates the work of the LMA Working Group in helping to shape a common view across the market and would like to be kept apprised of how the market is interpreting the new rules and how its thinking evolves, especially in relation to the unique subscription model of the Lloyd's and company markets. In due course, the FCA and PRA will share key findings from the information request that went out to 40 firms in their joint exercise.
Some of the key points of clarification were as follows. For full details, please refer to the complete document on the LMA website.
Notifying the regulator of operational disruption during the implementation period
The regulators have clarified their position in respect of notification of operational disruption during the 3 year implementation period. Firms already have an obligation to notify regulators in the event of severe operational disruption (PRA Fundamental Rule 7 and FCA Principle 11). If firms suffer operational disruption that results in a breach of an impact tolerance, this should be recorded in the self-assessment along with lessons learned and proposed remediation plans. There are no additional reporting requirements on firms as a result of FCA Policy Statement PS21/3 or SS2/21.
Common market approach to delegated authority business
The FCA agreed that the current market approach was proportionate.
Underwriting new business as an Important Business Service
From an FCA perspective, where there is a high degree of substitutability between insurers, so that customers can readily obtain cover elsewhere, there is no intolerable harm to those customers if a single insurer is unable to underwrite new business.
When does the clock start ticking in respect of an incident when measuring impact tolerances?
It is up to firms to decide when they declare an incident within their own business continuity/disaster recovery response plans. The starting point is when it would be normally recognised internally. Firms should be clear about this in their self-assessment documentation.
How much detail do the regulators need to see in the self-assessment?
A good rule of thumb is that whatever firms are sharing with their Boards for review and sign-off is likely an appropriate level of detail for the regulator.
Xchanging central services contracts
The current Xchanging central services contracts are being re-negotiated with DXC to incorporate provisions for Operational Resilience and PRA SS2/21 on Material Outsourcing. These negotiations are due to conclude by 31 March and a summary of key changes will be communicated as soon as possible after that.
Should you have any queries regarding the above, or require any further information, please contact Steve or Matt.