The FCA's latest enforcement action in the general insurance sector is a useful source of conduct risk guidance and a reminder that firms cannot delegate their regulatory responsibilities to outsourced service providers, not even to those that are themselves FCA authorised.

The FCA has fined insurer Stonebridge International Insurance Limited £8,373,600 for breaches of Principle 3 (Management and Control) and Principle 6 (Customers' Interests).

The breaches relate to the period April 2011 to December 2012, during which Stonebridge sold Personal Accident, Accidental Death and Accident Cash Plan insurance policies over the phone, targeting middle-to-low income consumers without degrees or professional qualifications. These products were underwritten by Stonebridge but the sales and post-sales customer services operations were outsourced to authorised intermediaries.

The FCA found that Stonebridge failed to treat its customers fairly by following a business strategy that maximised sales at the cost of the fair treatment of customers.  The FCA identified a number of failings, including sales processes designed by Stonebridge that automatically channeled customers towards more expensive products. Sales processes also encouraged outsourced sales personnel to highlight cancellation rights as a feature of the products whilst its training for post sales cancellation processes encouraged staff to overcome customers' objections, which resulted in customers not succeeding in cancelling policies despite several attempts.

In relation to management and control failings, the FCA found that Stonebridge failed to provide adequate oversight of its outsourced service providers, which resulted in various other TCF failings and customers being put at an unacceptable risk of being mis-sold products.

The FCA's Final Notice to Stonebridge is notable as it sets out Stonebridge's conduct risk management and control failings. We are advising numerous clients on the development of their conduct risk systems and controls and the Final Notice provides a rare glimpse of the FCA's specific expectations in this regard. The Final Notice provides the following examples of Stonbridge's conduct risk failings:

  • "the committee responsible for setting remuneration was not instructed to consider 'TCF' objectives when determining the incentive schemes for its own staff and the staff at the outsourcing companies"
  • "board and executive committees within Stonebridge did not effectively oversee whether the outsourcing companies were adequately addressing the risks affecting customers"
  • "inadequate focus on considering customer specific risks and regulatory obligations when setting remuneration guidelines [...] Stonebridge did not give sufficient weight to addressing the risk of customer detriment when setting up incentive schemes for staff"
  • "Stonebridge did not obtain adequate management information from the outsourcing companies to enable it to identify, measure and manage risks to the fair treatment of customers".

As is usual in cases where the amount of revenue generated by a firm from a particular product line or business area is indicative of the harm or potential harm that its breach may cause, the level of Stonebridge's fine was calculated by the FCA as a percentage of the firm's revenue from sales of the relevant products. Stonebridge's revenue was almost £94m and the FCA fined Stonebridge 15% of this less deductions for mitigating factors and Stonebridge's early settlement.

As well as providing useful conduct risk systems and controls guidance, this award serves as a timely reminder to insurers of the importance of having in place adequate processes for the supervision of outsourced service providers. It is no defence that the service provider is itself an authorised firm with its own regulatory obligations to treat customers fairly.