The Financial Conduct Authority ("FCA") has published its findings from a thematic review into how principals in the general insurance sector comply with regulatory obligations when operating through appointed representatives ("ARs").

The FCA's findings make for uncomfortable reading for many firms operating through an AR model. The FCA found widespread examples of poor practices across the sector and was particularly concerned that principal firms simply do not understand their regulatory obligations. This lack of understanding manifests itself in a number of ways including a failure to assess and manage the risks arising from the ARs' activities.

Firms that operate through an AR model, or deal with firms that operate AR models, need to take heed of the thematic review and act on its findings.

The regulatory regime

General insurance mediation activities are regulated activities in the UK and, accordingly, firms undertaking these activities must be authorised or exempt. However, entities can avoid the need to be directly authorised by instead acting as an AR for an authorised principal firm.

The principal firm takes regulatory responsibility for the AR and must put in place a written contract with the AR. Any regulatory failings on the part of the AR, for example mis-selling, complaints handling failures, or indeed any other breach of the FCA Handbook (the "Handbook"), are treated as failings by the principal itself.

The FCA review

The FCA conducted an online survey of 190 principals operating a network of ARs, primarily in the UK general insurance sector. They reported that they had over 6,000 ARs with 75,000 individual representatives operating at 15,000 locations and selling over 10 million policies.

The FCA visited 14 principals and 25 ARs, interviewing senior management and staff, reviewing policies, procedures, documentation and customer files and listening to sales calls.

Key findings

The FCA's review covered three broad areas:

  • business models and risk management;
  • governance and oversight; and
  • customer outcomes.

Business models and risk management

Firms are required to consider how the appointment of ARs impacts their business model and core activities, including an assessment of whether there are adequate resources to oversee the AR and enforce compliance with regulatory requirements. Firms also need to understand the nature, scale and complexity of the risks arising from AR activity and put in place arrangements to manage the risk.

Nearly half the principal firms in the FCA's sample failed to demonstrate that they had considered and understood the nature, scale and complexity of the risks arising from ARs' activities and the risks these activities presented to customers. Of particular concern to the FCA was that some ARs were conducting activities outside their principal's areas of expertise.

Specific examples provided by the FCA include:

  • wholesale insurance intermediaries diversifying from core activities by taking on ARs who distributed retail products without identifying additional sales risk, in one case resulting in mis-selling and unauthorised activity; and
  • firms failing to consider the full costs of maintaining a compliant AR network, followed by insufficient investment in employing sufficient people with sufficient expertise.

Governance and oversight

The majority of firms in the FCA's sample failed to have effective risk management and control frameworks in place. The FCA was concerned to note that some principal firms did not understand their obligations to ensure that their ARs complied with regulatory requirements, particularly in relation to sales activities. Firms also failed to consider how the solvency and suitability of ARs impacted on their own compliance with threshold conditions. Contractual arrangements between principal firms and their ARs were deficient and failed to ensure compliance with relevant requirements and principal firms failed to adequately control and monitor compliance by their ARs.

Specific examples of principal firm failures provided by the FCA include:

  • not conducting appropriate due diligence including considering the fit of ARs with the principal's own business model and activities, type of products sold, sales process and method of sale, risks around AR remuneration models, experience and capability of ARs, conflicts of interest and availability of appropriate staff;
  • not ensuring that contracts with ARs complied with the Handbook requirements for such contracts in FCA rule SUP 12.5;
  • failing to ensure that introducer appointed representatives did not stray into activities for which they were not authorised;
  • failing to enter into a written multiple principal agreement - required where ARs work for more than one principal;
  • not ensuring that professional indemnity insurance covered the activities of appointed representatives as required by the Handbook;
  • not ensuring that all directors of ARs that needed approval were approved;
  • failing properly to monitor training and compliance of individual representatives and sales agents;
  • not collecting management information ("MI") to identify trends and issues and manage risks to the network;
  • failing to follow up on deficiencies identified in AR audits or monitoring visits, or failing to carry out regular assessments;
  • being unwilling to challenge ARs where there was an imbalance in the relationship (for example a small insurance principal with a network of large motor dealer ARs);
  • failing to ensure that training did more than simply maximise sales; and
  • following termination of the AR relationship, failing to ensure that customers could continue to be appropriately serviced including maintaining access to customer records.

Customer outcomes

The FCA is always most concerned where regulatory failings result in actual customer detriment. In a third of the principal firms surveyed, the FCA saw examples of potential mis-selling and customer detriment as a result of an AR's actions. This included customers buying products that they may not need, under which they may be ineligible to make a claim or where there was insufficient disclosure of key product information.

The FCA was concerned that a majority of principals in the sample were unable to demonstrate that the customers of their ARs were consistently receiving fair outcomes, as adequate systems were not put in place. A particular concern was those principals who did not realise that they are as responsible for the regulated sales of their ARs as they are for sales made by their own employees.

Other concerns include:

  • firms failing to ensure that post-sale processes were put in place to assess outcomes for consumers supported by complaints and claims MI;
  • almost half of principal firms failing to have appropriate controls in place to protect client money and operating in breach of the FCA's CASS rules; and
  • the existence of significant problems around sale of warranty insurance, travel insurance and guaranteed asset protection ("GAP") insurance.

FCA actions

As a result of the poor results of the thematic review, the FCA has taken early intervention action against a number of firms including:

  • preventing firms from taking on new ARs;
  • in some cases requiring firms to cease some activities;
  • requiring action plans for firms to address issues identified; and
  • commissioning skilled persons reports to consider and address issues identified at two firms.

The FCA will also send "Dear CEO" letters to relevant principal firms setting out its expectations and what actions it expects. The FCA also expects to perform additional work with firms outside the detailed thematic study, referring to the possibility of enforcement action.

What does this mean for firms?

Insurance firms acting as principal

The findings of the thematic review are of most relevance to insurance firms acting as principal. The review is a reminder that principal firms are solely responsible for the activities of their AR network and carry the can for any regulatory failures on the part of their ARs.

Directors, compliance staff and anyone in a firm responsible for its AR network need to read the FCA report in full, and critically assess their own firm's systems and controls. This should include undertaking a gap analysis to identify where the firm falls short and putting in place action plans to remedy shortcomings. Firms that identify significant regulatory failings will need to consider their obligations under the FCA's Principle 11 and may need to report such failings to the regulator.

Given the widespread nature of the failings set out in the thematic review, the FCA will be concerned to ensure that firms take proactive action to deal with their own compliance issues, and the FCA has confirmed that it will be engaging in follow-up supervisory work. Any firms which fail to take such steps may well be referred for enforcement action.

In any enforcement action the FCA will regard it as an aggravating factor, meriting increased penalty, that issues previously the subject of FCA warnings, thematic reviews and "Dear CEO" letters were not addressed at the time of those communications.

Appointed representatives

Entities that enter into AR relationships need to understand the onerous nature of the principal firm's responsibility to ensure compliance with regulatory requirements including that customers are treated fairly and client assets are managed appropriately. By entering into an AR relationship the AR must understand that it will have to cede a substantial amount of control to the principal firm including providing access to the AR's relevant books, records and staff.

Other insurance intermediaries or counterparties

Insurance firms often outsource functions such as underwriting, claims management or complaints handling to third party firms. In its publication Delegated authority: Outsourcing in the general insurance market the FCA reminded insurers that they need to perform conduct focused due diligence when selecting third parties.

An insurance firm that outsources functions to a third party firm that operates through ARs will need, as part of that due diligence, to assess conduct risks associated with the principal's oversight of the AR.

Principal firms and ARs operating outside the insurance sector

Although the FCA's thematic review was concerned with the general insurance sector, many of the findings and expectations set out in the thematic review are applicable to other sectors. Firms in other sectors which operate using an AR model should also read the review, consider their own compliance and take appropriate remedial action.