This article was first published by Thomson Reuters.
Introduction
This article is the first in a series designed to highlight how, across different financial services industries, Operational Resilience is not merely an ongoing theme or project for compliance, or an end in itself, but is also an essential pathway to meet the requirements of the Consumer Duty and Vulnerable Customers frameworks.
This first article introduces the key concepts and seeks to illustrate them by reference to the FCA’s Operational Resilience insights as to good and bad Operational Resilience practices in the insurance sector.
The essentials
Under SYSC 15A.2 a firm (the next article will address the application of Operational Resilience in more detail; for present purposes, the applicable firms can be described as banks and insurers, plus larger FCA-regulated intermediaries and payment services / e-money businesses) must:
- Identify the ‘important business services’ which it provides (or are provided on its behalf) to any clients and which, if disrupted, could
  - “cause intolerable levels of harm” to any client (in short, financial or non-financial “harm from which consumers cannot easily recover” – see FCA Policy Statement 21/3; the next article will address practical indicators in this regard) or
  - “pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of the financial markets”;
  (for convenience, the above harms and risks are referred to collectively below as an “intolerable occurrence”) and
- for each such important business service, set an ‘impact tolerance’, being the maximum level of disruption, in terms of duration and otherwise, after which there would be an intolerable occurrence.
The lessons from insurance
The Financial Conduct Authority (“FCA”) says it “requested information on a voluntary basis from... 47 [insurance] firms... [including] insurers and intermediaries from the wholesale, retail and life insurance sectors... [which the FCA] analysed... in collaboration [as applicable] with the Prudential Regulation Authority...”
The FCA “assessed the answers... [against] 3 criteria...:
- the reasonableness of the important business services and impact tolerances selected
- consideration of consumer harm differentiated by product type or distribution channel
- consideration of consumer harm according to customer type or vulnerability.”
The FCA said that “some” (clearly not all, and possibly only a minority) of the firms “demonstrated a clear understanding of [the] rules”.
Key aspects of good and bad practices involved:
- understanding FCA and Prudential Regulation Authority guidelines and applying these fully to operational resilience programmes
- identifying all the important business services within a firm’s business model, and not seeking to take account of internal services or “irrelevant businesses services”
- considering possible harms at each point of the customer journey including:
  - purchasing, amending and renewing a policy – having “correctly identified that no intolerable harm arose from their services being unavailable as similar products were available and easy to substitute”, and “considering the impact of unavailable important business services on [VCs]”; and
  - making a claim or a complaint
- deploying considered examples of the types of harm a consumer may experience, differentiated by:
  - product type
  - customer profile, including commercial and retail customers
  - distribution method
- articulating carefully calibrated impact tolerances – in terms of nature, complexity, duration and severity – with accompanying rationales and possible alternatives
- taking proper account:
  - of the impact on the financial stability of the UK economy (at least in the case of “firms identified by the PRA as other systemically important institutions and insurers with gross written premiums exceeding £15 billion or technical provisions [in short, claims reserves] exceeding £75 billion, both on a three-year rolling average” – see section 3.15 of PRA Policy Statement 6/21), and
  - of safety and soundness and policyholder protection, including (see section 2.5 of PRA Supervisory Statement 1/21) with respect to:
    - “the potential to cause knock-on effects for counterparties, particularly those that provide financial market infrastructure or critical national infrastructure ...
    - impact on the firm’s profit and loss ...
    - the potential to cause legal or regulatory censure ...
    - the significance to the policyholder of the risk insured ... and ...
    - the potential for significant adverse effects on policyholders if cover were to be withdrawn or policies not honoured.”
The ramifications of harm and customer characterisation
Harm
The concept of preventing customer harm is central to the Consumer Duty.
In particular, the “Cross-cutting obligation” at PRIN 2A.2.8 R provides that: “A firm must avoid causing foreseeable harm to retail customers” (in insurance, these are, broadly speaking, individuals and small corporates).
‘Foreseeable harm’ is not defined, but there is non-Handbook guidance in the FCA’s Finalised Guidance (“FG”) 22/5 in this regard – this guidance is of particular, but not exclusive, relevance for insurance (as per the FCA’s focus above):
- “consumers being unable to cancel a product...
- products and services... [which] have not been appropriately tested in a range of market scenarios ...
- [the distribution] of products... to customers for whom they were not designed...
- consumers incurring overly high charges on a product because they do not understand [its] charging structure or how [this structure] impacts on the [product’s] value...”
That the FCA is not merely hypothesizing the above types of harm can be seen from its General Insurance and Pure Protection sectors Consumer Duty Portfolio letter and its explicit reference to its “review of business interruption insurance claims handling” (the “BII Review”). The latter included findings that “some firms did not:
- Produce clear and robust conduct management information, which affected their ability to identify and address delays in the claims process.
- Have records of policy wordings that were easily accessible for claims handlers, which resulted in delays for customers...”
The above factors indicate that undertaking Operational Resilience analysis should reveal “harms in the customer journey”. These harms will therefore be at least ‘foreseeable’ for the purposes of assessing firms’ compliance with the Consumer Duty. The next article will address the concept of harm that is both foreseeable and from which an easy recovery may not be made.
Customer characterisation: vulnerability
The guidance at SYSC 15A is explicit about identifying customer vulnerability as a factor in Operational Resilience compliance – see e.g. SYSC 15A.2.4:
“(1) the nature of the client base, including any vulnerabilities that would make [a client] more susceptible to harm from a disruption ...”
In their Operational Resilience insights, the FCA and Prudential Regulation Authority highlighted that some firms did not “meaningfully consider the impact of unavailable important business services on Vulnerable Customers”. This concept reflects the example of a form of ‘consumer duty’ harm given in FG22/5 expressed as: “consumers with characteristics of vulnerability being unable to access and use a product or service properly because [of unsuitable]... customer support...”
Addressing customer vulnerability under SYSC 15A can be assisted through looking at more specific circumstances addressed in the FCA’s Consumer Duty supervisory correspondence (portfolio / sector letters). Again, taking general insurance as an example, the portfolio letter (see above) referred to the BII Review’s finding that “[firms did not] [a]dequately identify Vulnerable Customers or [firms] took an inconsistent approach in dealing with the needs of Vulnerable Customers”.
Conclusion
It is clear from the shared concepts between the Operational Resilience, Consumer Duty and Vulnerable Customers frameworks that, for larger firms at least, Operational Resilience is a means of ‘across-the-board’ compliance on customer treatment. Further articles will address how smaller firms can benefit from taking an Operational Resilience perspective.