In recent times, outsourcing in the financial services sector has been a firm focus for the FCA. On 30 October 2018, the FCA published another Final Notice in this area, this time in relation to Liberty Mutual Insurance Europe SE for failing to properly oversee the mobile phone insurance claims and complaints handling process administered through a third party.
Whilst this case is somewhat specific in terms of the industry (mobile phone insurance), the profile of the customers (retail) and the activities which caused the breach (claims and complaints handling), there are a number of very important general lessons that are reiterated in the Final Notice which cannot be ignored and which apply equally when outsourcing regulated activities.
Liberty Mutual Insurance Europe SE ("Liberty") (a large UK insurance underwriter) entered into an arrangement with a third party under which the third party was engaged to provide mobile phone insurance ("MPI") to retail customers in the UK.
The third party agreed to undertake all administrative functions associated with the provision of MPI on Liberty's behalf, including claims and complaints handling.
A regulated firm cannot contract out of its regulatory obligations (SYSC 3.2.4), and if a firm outsources critical or important operational functions or any relevant services and activities, it remains fully responsible for discharging all of its obligations under the regulatory system.
As discussed at our Regulatory Litigation Breakfast Seminar in June 2017, irrespective of the activities carried out by a financial services firm, any good outsourcing agreement should be SYSC 8 compliant. A reminder of the points discussed at that seminar can be found here.
The FCA found that, over a period of 5 years, Liberty breached both Principle 3 (Management and Control) and Principle 6 (Customers' Interests) of the FCA's Principles for Business, as well as SYSC 3.1.1. Liberty was also found to have breached a number of industry-specific provisions found in ICOBS (2.2.2 and 8.1.1), and also DISP 1 (which relates to complaints handling and resolution).
The FCA cited the following failures in reaching its conclusions:
- Notwithstanding the fact that the agreement commenced on 5 July 2010, and taking into account that the board of directors was aware that the relationship with the third party was a departure from Liberty's traditional focus, it took considerable time for Liberty to understand the third party's business model, and it wasn't until June 2015 that Liberty fully understood the third party's claims and complaints processes.
- Liberty did not take any steps to assess for itself whether the processes and procedures that the third party would have in place for handling claims and complaints would be compliant with the requirements of the UK regulatory system relating to the fair treatment of customers.
- Liberty did not undertake an adequate risk assessment, review, or adequately plan for ongoing monitoring before the commencement of the arrangement to ensure that the third party would administer claims and complaints on Liberty's behalf in a way which would ensure that Liberty complied with its regulatory obligations.
- Liberty failed to update its existing Treating Customers Fairly Policy in good time to incorporate additional measures arising out of the relationship with the third party.
- There was a lack of oversight by the board of directors and senior management of the development of conduct risk controls. As a result, the design and implementation of an enhanced conduct risk framework did not progress with sufficient speed.
The FCA regarded the failings to be serious because the breaches caused a risk of loss to individual customers, and the breaches revealed systemic weaknesses in Liberty’s procedures and in the management systems and internal controls relating to its MPI business.
The failings resulted in some of Liberty's 2.6 million MPI customers being exposed to unfair treatment in respect of MPI claims and complaints, including: customers being unfairly denied cover for claims for loss or theft; inadequate investigations into customer complaints; and the inappropriate use of a policy exclusion.
The FCA imposed a fine of £5.28 million and Liberty paid out £3.08m in voluntary redress and remediation.
The Liberty Final Notice follows similar findings to those made against Stonebridge International Insurance (£8.4 million fine, August 2014), Raphaels Bank (£1.3 million fine, November 2015); and Aviva (£8.2 million fine, October 2016). As increasing numbers of financial services providers outsource regulatory obligations, the Liberty Final Notice serves as yet another reminder that outsourcing must be done with the full knowledge of the third party partner's practices, and with full and enduring oversight.
It is also worth noting that the FCA acknowledged that Liberty was not wholly absent in its supervision of the relationship with the third party; the Final Notice refers to numerous occasions where Liberty exercised oversight and supervision over the third party. Nevertheless, financial services firms which chose to outsource regulated activities must expect the FCA to hold those outsourcing arrangements to a high standard given the additional inherent risk involved. This sentiment is very much evident in the FCA press release accompanying the publication of the Final Notice in which Mark Steward states that firms must put in place adequate measures, "especially where those functions are outsourced".