Article | FI Observer

Outsourcing: risk and reward – will your insurance respond?

Risk & Analytics|Financial, Executive and Professional Risks (FINEX)
COVID 19 Coronavirus

By Caroline Sawyer and Hollie Mortlock | May 20, 2020

How does outsourcing certain processes or functions affect your risk profile and how might your insurance respond when issues arise in respect of outsourced services?

Introduction

The drive to provide faster and simpler distribution channels to customers and reduce costs has meant that outsourcing is a key competitive enabler to many financial institutions (FIs). However, there are risks associated with contracting services to a third party and the transfer of data necessary for them to perform those services.

In the current environment, the impact of the COVID-19 pandemic may make it difficult or impossible for contractual counterparts to perform their obligations. There may be difficult contractual issues to address around whether contracts have been frustrated, or if force majeure or “material adverse change” clauses apply. Where services can be performed, changes in usual operating procedures may result in IT failures which may affect data centres, telecom connections and data storage solutions, amongst others. Risks of errors, poor quality service and loss or misuse of customer data may also be exacerbated by having employees working from home or off sick.

As outsourcing has become commonplace and particular service providers dominate the market, the risk to the industry of systemic failure increases. It is therefore not surprising that outsourcing and its associated risks have appeared firmly on the agenda of many regulators globally for some time as part of their focus on operational resilience. In recent years we have seen several high-profile cases where firms have received substantial fines as a direct result of failings connected with their outsourced activities, in the UK and Ireland in particular [1]. As a live test of operational resilience, regulators will be scrutinising how firms continue to provide services during and after the COVID-19 pandemic.

Legal and regulatory framework

A commonly used legal structure for outsourcing by FIs is for the FI to sub-contract work to a third-party service provider whereby the supplier provides services using its own resources and employees. This typically includes outsourcing financial or other business processes (e.g. accounting, call centres, human resources), IT functions (e.g. network management, application development and cloud computing) and professional functions (e.g. legal, accounting, procurement and administrative support). This structure maintains the customer relationship with the FI.

FIs may be required to notify the regulator where they engage a third-party service provider, for example if it is a “material” outsourcing arrangement. Regulatory obligations vary globally, but there does appear to be a general principle, which applies to a greater or lesser degree depending on the jurisdiction, that while firms can outsource business activities, they cannot outsource their responsibilities. Firms cannot delegate or contract out of their regulatory obligations when outsourcing [2]. Therefore, FIs may effectively be held liable for failings on the part of a third-party service provider.

Consequently, the risk of outsourcing is that FIs will be held liable for failings in respect of the provision of services (or failure to provide services) to their customers over which they do not have full control. This includes poor quality or absence of service or possibly loss or misuse of customer data due to the transfer of data between firms. In Europe for example, under the General Data Protection Regulation (GDPR), penalties for data breaches can be severe [3]. The risk of cyber-attacks may also be increased if the service provider uses less sophisticated IT systems.

For this reason, conducting thorough due diligence in respect of the service provider, putting in place measures to ensure quality control and policing the activities of the service provider is critical. These protective measures are typically catered for in the contract with the service provider and may be a regulatory requirement. However, they will not necessarily guarantee that an FI will avoid losses. Enforcing contractual rights may be challenging, especially if the outsourced services are performed across borders. Furthermore, due diligence and contractual protections will not necessarily offer adequate protection in the event of a pandemic. It remains to be seen how contractual termination provisions will be relied upon and tested in the courts in the current circumstances. The final form of protection is to ensure your insurance policies provide appropriate cover in respect of outsourced services.

Insurance Considerations

From an insurance perspective, there are a number of important points to consider to ensure your insurance programme provides effective cover. We address some of these points below.

Crime policies

Crime policies typically cover direct loss suffered by a firm as a result of (i) employee infidelity or (ii) various other dishonest or fraudulent acts carried out by third parties. Where outsourced entities may have access to the firm’s funds or assets and there is therefore a risk of infidelity, the question is whether such infidelity will fall within the scope of the Crime policy. The key is often the breadth of the definition of “employee”. If “employee” is defined in the policy to include the employees of the outsourced entities whilst performing functions on behalf of the firm, coverage should apply.

Professional Indemnity policies

Clients or customers may bring claims alleging negligence or other failures in the provision of services by the firm which may arise from failures or potential failures by the third-party service provider. In the current pandemic, outsourced service providers may be under particular pressure to be able to provide continuity of services and to maintain high service standards in light of the challenges they may face. These claims may be covered by a professional indemnity policy.

A professional indemnity policy will respond in the event a firm is legally liable for failings in the provision of services (and for the costs of defending such allegations). The involvement of a third-party service provider can complicate the liability analysis, particularly if the failing can be attributed either in whole or in part to the third-party service provider. To the extent liability can be attributed to a third-party service provider, the loss that flows from it may not be recoverable under a professional indemnity policy. If, however, the firm is legally liable for the loss but can subsequently seek to make a recovery from the third-party service provider, for example for contributory negligence, insurers may indemnify the firm and then seek to make a recovery from the third-party service provider, per the subrogation provisions in the policy. This can be complex to resolve, particularly if the third-party service provider has contractually limited its liability in the service agreement. In the meantime, a firm may wish to resolve a situation with a client with insurers’ support.

In practice, clients or customers may make claims against the firm and / or the third-party service provider, depending on their understanding of the service arrangements, and who they consider to be their best source of recourse. Where claims are brought by the firm’s clients or customers directly against the third-party service provider, the policy should also respond (subject to terms and conditions), if in fact the firm is vicariously liable for the third-party service provider.

The process of defending a claim by a client or customer may require documents and evidence from the service provider. This can be pre-empted in the contractual documentation by including appropriate cooperation provisions, but it may nevertheless be an additional hurdle in the defence of a claim and, from a practical perspective, will depend upon the strength of the commercial relationship with the third-party service provider and their willingness to assist, absent court intervention.

Potential outsourcing failures may also attract regulatory scrutiny. Regulatory fines fall outside the scope of professional indemnity policies for public policy purposes. Nevertheless, the costs of complying with subpoenas and assisting regulatory investigations, which can be very high, may be covered. This type of cover can vary in scope – it may extend to individuals acting in a professional capacity and/or the firm and may apply at differing stages of regulatory enquiry, so it is important that you understand what cover you have and ensure that it is aligned to your risks.

Directors’ and Officers’ (D&O) Liability policies

Outsourcing activities to third parties may expand the risks faced by the senior individuals at the firm. Claims or regulatory action could, for example, be brought against insured persons in relation to the selection and/or supervision of the outsourced entities or for data breaches connected with transferring data to third party suppliers. In the UK, under the Senior Managers and Certification Regime (SMCR), there must be a Senior Manager in the firm who is personally responsible for outsourced functions [4]. D&O policies vary in scope so it is important to ensure the policy covers the individuals whom the firm intends to be covered and consequently that the policy limits are adequate.

Cyber policies

Whilst Cyber policies typically include coverage for the provision of services by third party cloud / data storage and data processors, they do not typically include coverage for other types of outsourced services. Outsourcing and the providers you engage are a key rating element, and it is therefore important that insurers are advised of the firms you engage at policy inception. In the event you engage additional providers mid-term, you would be well advised to keep your insurers advised of these changes. Failure to advise insurers may impact or possibly void your policy in the event of a loss arising from outsourced parties who have not been agreed by insurers.

Conclusion

Outsourcing provides huge opportunities to improve the product and servicing offerings to customers and clients and potentially provide substantial cost savings. However, the ultimate responsibility for all of these functions remains with the firm. Outsourced service arrangements may come under pressure as service partners enact plans to continue to operate during and in the wake of the COVID-19 pandemic. This may negatively impact the continuity of services provided, quality of services and use of customer data and could lead to customer claims against FIs. Broadly drafted Crime, Professional Indemnity, D&O and Cyber policies can include coverage for outsourced activities but as always, the devil is in the detail. Consult with your broker to ensure you have the right cover in place.

Disclaimer

Each applicable policy of insurance must be reviewed to determine the extent, if any, of coverage for COVID-19. Coverage may vary depending on the jurisdiction and circumstances. For global client programs it is critical to consider all local operations and how policies may or may not include COVID-19 coverage.

The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal and/or other professional advisors. Some of the information in this publication may be compiled by third party sources we consider to be reliable, however we do not guarantee and are not responsible for the accuracy of such information. We assume no duty in contract, tort, or otherwise in connection with this publication and expressly disclaim, to the fullest extent permitted by law, any liability in connection with this publication. Willis Towers Watson offers insurance-related services through its appropriately licensed entities in each jurisdiction in which it operates.

COVID-19 is a rapidly evolving situation and changes are occurring frequently. The information given in this publication is believed to be accurate at the date of publication shown at the top of this document. This information may have subsequently changed or have been superseded, and should not be relied upon to be accurate or suitable after this date.

Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In the United States, Willis Towers Watson offers insurance products through licensed subsidiaries of Willis North America Inc.

Footnote

1 For example, in the UK, the fine levied against R. Raphaels & Sons plc last year in relation to their outsourced pre-paid and charge cards https://www.fca.org.uk/news/press-releases/fca-and-pra-jointly-fine-raphaels-bank-1-89-million-outsourcing-failings

2 For example, in the UK https://www.handbook.fca.org.uk/handbook/SYSC/8/1.html

3 https://gdpr.eu/fines/

4 https://www.handbook.fca.org.uk/handbook/SYSC/26/10.html?date=2018-12-10

Authors


Head of FINEX Financial Institutions Product Development

Alex Muralles
US Head of FINEX Financial Institutions

Susan Finbow
Global Head of FINEX Financial Institutions
