Outsourcing is a key strategy for many insurers Ash Saluja and Paul Edmondson describe regulatory requirements and the need for best practice.

Insurance companies and managing agents have used outsourcing for many years to reduce costs, to enable them to concentrate on core business areas and to improve client service. Some insurers (particularly those in run-off and 'virtual' insurers) have reached the point where all but a handful of activities are effectively outsourced.

From a regulatory perspective, insurers and their senior management remain ultimately responsible for outsourced activities, and the implementation of an effective risk management framework is therefore essential to any successful outsourcing. The general experience of the regulator over the past few years is that outsourcing is vulnerable to a risk of non-compliance because of failures of control and management controls which have been improperly relinquished to the service provider. For example, if claims handling is outsourced, there is a risk that claims will not be handled in a timely manner, or that they will be improperly declined, to the detriment of clients. If accounting functions are outsourced and not properly performed, the board may have an incorrect understanding of the insurer's financial position.

FSA requirements

The UK Financial Services Authority (FSA) has responded to the ever-increasing volume of outsourcing by increasing the volume of regulation. There is a real onus on insurers to implement systems and controls to ensure all risks are properly identified and managed in accordance with FSA requirements.

Insurers should therefore take particular care to manage material outsourcing arrangements, where the outsourcing relates to a key element of the insurer's business (for example, claims handling, record keeping, IT systems). All of the main elements of a material outsourcing arrangement, including the decision to outsource, contractual provisions and ongoing relationship management, are now covered by specific FSA regulation.

The FSA's general expectation that all insurers that outsource certain functions should ensure that such arrangements are set up in a controlled manner is underpinned by FSA Principle 3 - that firms should be organised and control their affairs responsibly and effectively with adequate risk management. In addition, insurers are subject to more concrete set of rules and guidance set out in the FSA's Senior Management, Systems and Control Sourcebook (SYSC). The FSA's Integrated Prudential Sourcebook, which comes into effect shortly, also contains a specific chapter dealing with outsourcing.

Planning and implementation

Three questions need to be considered before deciding to outsource:

- How will the proposed outsourcing affect the insurer's risk profile, business strategy and ability to meet regulatory obligations? This will inevitably vary according to the proposed service being provided. There is a considerable difference between appointing a service provider to carry out claims handling or maintenance of an IT system rather than, for example, printing marketing literature.

- What due diligence does the insurer need to carry out on the service provider? Again, the level and type of due diligence will vary according to the service being provided. At a minimum, insurers will want to assess the service provider's financial stability and credentials and expertise in the relevant area. Insurers also need to assess whether any of the service provider's existing commitments will conflict with the proposed arrangements (for example, if one service provider will be running a call centre for several insurers).

- How will the firm ensure a smooth transition to the new arrangements?

For example, which key stakeholders need to be on board for the decision making process (including those external to the insurer, such as brokers) and who at the insurer needs to be involved in the transfer of the business to the service provider (including senior management in the relevant business area, IT, HR, finance, compliance etc)?

Outsourcing, like any other business opportunity, should be properly planned and clear objectives should be set. The reasons why a business decides to outsource will define the success of the outsourcing activity and should be documented carefully. It is also important to identify and document the risks that will arise from the loss of direct control over the performance of the outsourced operations, so that the right balance can be struck when negotiating with the service provider.

HR issues can be among the most problematic of the many that have to be dealt with during the course of any outsourcing proposal. It is, of course, well established and understood that TUPE (Transfer of Undertakings (Protection of Employment) Regulations) will generally apply where a service is outsourced or where there is a change of service provider. A fundamental part of the transaction may be the value of any existing pension fund that is to be transferred.

There has been criticism that it appears to be much easier for insurers and captives outside the UK (including insurers regulated in other EEA jurisdictions) to outsource. Is such criticism justified? The UK is one of the leading jurisdictions in which insurers have chosen to outsource as a matter of course, so the standard of regulation in other jurisdictions has yet to catch up. In addition, there is the argument that the regulation of outsourcing is no more than good business practice and whilst it may slow down the process of outsourcing, it does not prevent it taking place.

This argument is a strong one: the majority of FSA's requirements on due diligence, contractual terms and relationship management would be recommended by a sensible risk manager or lawyer in any event.

Contractual implementation

The FSA has a long list of issues which need to be considered as part of the contractual negotiations with a service provider. Fortunately, many of these simply reflect good business practice and are intended to ensure three things:

- The insurer obtains sufficient information to enable it to analyse and assess the services provided by the service provider.

- The insurer retains a degree of management control over the arrangements so it can continue to meet its own business standards and FSA requirements - particularly important where an offshore service provider is used. Disaster recovery and business continuity plans are key. The insurer may also need to retain flexibility to alter certain aspects the arrangements, if necessary for regulatory purposes.

- The insurer may terminate the relationship and smoothly implement alternative arrangements if the service provider fails to perform or for other valid business reasons.

The most appropriate methods of charging vary depending on the nature of the outsourced service. Whatever method is chosen, the insurer will wish to impose incentives and protections to ensure that services are delivered to the appropriate standard and that the service provides the expected savings.

Tax issues too will play an important part in considering and pricing outsourcing. In particular, VAT will be an issue for exempt, partially exempt and non-private sector businesses. If such a business outsources work, it may well find that the provider has to charge irrecoverable VAT at 17.5% to costs that would otherwise have been VAT free in the hands of the business. It is necessary to carefully review what is being outsourced to see whether it falls within one of the categories of exempt supplies, and it may be necessary to outsource more, to ensure that the factors at the heart of the exemption remain an essential part of the services bought-in.

Where the agreement is long term or deals with the delivery of complex services, it is essential to insert provisions to allow for changes in the nature of the relationship and any unexpected developments or increased costs. The service agreement should provide for a change procedure to allow for either technological developments or changes in requirements going forward.

Additional issues need to be addressed when assets are transferred as part of an outsourcing agreement, including the transfer back of assets and/or replacement of assets on termination of the outsourcing agreements.

Finally, there may well be circumstances where damage to the customer's business and its loss of profit caused by a breach by the service provider of its contractual obligations may substantially exceed the value of the contract to the service provider. The liability provisions of the service agreement should be strictly and clearly drafted so that both parties know who bears the risk in the event of breaches of the agreement or tortious acts.

Relationship management

A detailed service level agreement will enable the insurer to measure the services against qualitative and quantitative targets. In implementing a relationship management framework, and drafting the service level agreement with the service provider, the insurer should consider the need for an adequate flow of management information and frequent reports to evaluate its performance from the service provider.

Where a service provider fails to perform its obligations, escalation procedures must provide swift remedial action. Any failure to monitor the service provider's performance and rectify deficiencies may be a breach by the insurer's senior management of their obligations under the approved persons regime, for which they would be personally responsible.

Similarly, it is imperative that the services to be outsourced are clearly identified, including any part of the services the insurer wishes to retain.

Clear, defined and measurable performance standards are key to ensuring that the insurer gets what they want and the service provider understands what it is required to deliver.

A general policy

Insurers and their senior management remain ultimately responsible to the FSA for their outsourced activities. As a result, insurers should carefully consider developing a general outsourcing policy, to assess material operational risk and to provide a framework for making decisions on outsourcing, taking into account the FSA requirements.

The key to a successful outsourcing is a three stage process: firstly, you must fully understand what you hope to achieve by the outsourcing; secondly, you must choose a provider who can meet your needs; and thirdly, you must implement a legal and relationship management framework which requires the provider to fulfil its side of the bargain. If you do that, you can look forward to a lasting relationship which meets not only FSA regulatory requirements, but also, more importantly, your own commercial needs.

- Ash Saluja is a solicitor and Paul Edmondson is a partner in the financial services unit of the commercial department at CMS Cameron McKenna.