Board members and senior executives working across the UK insurance industry, in particular those in risk, compliance, internal audit and regulatory affairs teams.
The AR regime is a well-established and widely used feature in the UK financial services (FS) industry. The FCA indicates that there are currently around 3,400 principals with c. 37,000 ARs operating across the FS industry – about a third of these ARs are in the general insurance and protection sectors.
As the use of ARs in financial services has continued to evolve, the FCA in its recent work has seen a wide range of consumer harm across all the sectors where firms have ARs. In particular, the FCA has identified significant shortcomings in principals’ understanding of their regulatory responsibilities for their ARs in both the general insurance and investment management sectors. The FCA and HMT consequently consulted on ways to improve the AR regime in December 2021.
Following this, the FCA published a new Policy Statement (PS22/11) in August 2022, confirming its new rules to make principals more responsible for their ARs. The new rules represent a clear step-change in the intensity of the FCA’s supervision of principals. Implementing them will require significant work by principals and their ARs in the months ahead.
In this blog, we explore what the new rules mean for insurance firms and intermediaries that are principals, and what actions they can take in order to comply with the requirements over the coming months. We also analyse how the new rules interact with other regulatory requirements - including the Duty (see our recent blog here) and DAs.
The FCA is seeking to achieve four key outcomes (listed in the table below) with the new rules.
The new rules are split into ”responsibilities” and ”information and notification” requirements for principals, as per the table below.
The FCA requires significantly less data on Introducer ARs (IARs) than it does full ARs. This reflects the limited scope of activities that IARs are permitted to undertake, and lower risk as a result.
The original proposals also included a rule that principals must provide information on their existing ARs. The FCA will proceed with the proposal as consulted – but not through the final rules. For existing ARs, the FCA will collect the data via a s.165 data request, after which principals will have 60 days to submit the data on all existing ARs.
The updated rules will take effect on 8 December 2022. The FCA has put in place a transitional period in respect of the self-assessment document, which will allow principals to prepare their initial assessment and seek approval from their governing body for up to a year after the rules come into force. This should provide some welcome respite for firms as they gather information to comply not only with the new AR regime but also with the various deadlines for implementing the Duty.
In addition, principals should expect to receive a s.165 request about their ARs later in 2022. After that, they will have 60 days to submit the data to the FCA on all their existing ARs.
Meanwhile, the FCA will continue to work closely with HMT and monitor how the regime evolves over time, and whether additional changes are needed. The FCA also plans to publish its response to the feedback received to the discussion chapter (Chapter 5) of the CP separately in 2023.
The new rules mark a more proactive and, in many ways, more intense supervisory strategy by the FCA when it comes to ARs. The rules will affect not only principal firms in that they will have more responsibility in terms of overseeing and reporting information about their ARs. They will also affect ARs themselves who will have to provide their principals with more detailed information on a more regular basis. In the medium term, with more stringent requirements around ARs, some principals may want to re-consider their strategy towards using ARs given the increasing cost of compliance. Some principals may well choose to terminate some of their AR relationships as a result of the rules.
Principals with material numbers of ARs will have a lot to do over the coming months. Principals should review their existing AR arrangements in light of the new requirements and make sure there is an appropriate control framework in place to oversee them. Firms should also review their use of overseas ARs as, according to the FCA, there is “general agreement that there are significant challenges in relation to overseas ARs, which might result in harm to consumers and markets”. These challenges include managing legal, accounting and regulatory requirements for each jurisdiction as well as potential difficulties in having effective communications with ARs due to cultural and language differences. Where firms make use of overseas ARs, they should review and update their oversight frameworks to ensure they address these issues.
Principals should also make sure they have the necessary data on their ARs to respond to the FCA’s s.165 information request as well as the other ongoing notification requirements outlined in the PS. Firms should expect significant scrutiny from the FCA on their data and information submissions. Firms should ensure they understand and analyse the data being submitted from a conduct risk perspective and are able to identify any ARs that are outliers in respect of the key metrics being reported. Finally, principals will have to adjust and enhance their AR MI and reporting systems and processes in order to comply with the FCA’s new information and notification requirements. This includes for example amending the timelines for notifying new AR relationships to the FCA and setting up processes for collecting and reporting on complaints and revenue information from ARs. In practical terms, firms with many AR relationships may decide to use technology to help implement a consistent framework of oversight of ARs. Technology solutions (an example of which you can find here) can gather the required data and provide evidence to feed into the annual self-assessment. A consistent and robust framework is key to ensuring that firms identify emerging conduct risks from their ARs quickly and remediate them proactively in line with the expectations of the Duty.
As principals work to comply with the FCA’s new AR requirements over the coming months, they should bear in mind the requirements under the Duty. The Duty sets higher expectations for the standard of care that firms give consumers. For many firms, the work needed to implement the rules and evidence compliance is extensive. Principals need to ensure they consider the new AR regime alongside the requirements under the Duty, making sure they realise synergies where possible. For example, as principals gather data to respond to the FCA’s incoming s.165 request on ARs, they should, to the extent it is relevant, make use of the data they are collecting to demonstrate compliance with the Duty.
The updated AR rules demonstrate a continuation of the FCA’s scrutiny of third party oversight in the general insurance market. The FCA has previously expressed concerns around the level of oversight of DA arrangements, which are widely used by general insurance firms and intermediaries. As the issues around DAs and ARs are closely linked, firms should look to leverage their existing DA frameworks when overseeing their ARs and other distributors in the market. In some cases, the oversight solution for ARs under the new rules could look similar to what has already been established for DAs over the last few years.
Firms should also consider how they will oversee their DAs which have ARs. For example, where principals have DAs that in turn use ARs, they should consider, in their own oversight of their DAs, how the DA as the principal firm is exercising appropriate oversight of the AR and whether to request the DA to share any specific data or its self-assessment in relation to its oversight of its ARs to ensure a consistent approach in relation to conduct risk appetite and the distribution strategy.
The prevalence of ARs within the general insurance sector also means that client money can often arise from the AR relationship. Where relevant, principals will have to apply the enhanced responsibilities and information and notification requirements to their Client Assets Sourcebook (CASS) due diligence and oversight models. For example, some insurance intermediaries will have to reassess the level of oversight of some of the following key areas:
We expect firms with already very mature AR oversight frameworks to focus on ensuring that they carry out data collection and the self-assessment of compliance in a timely and effective way. However, firms with less mature oversight frameworks and material numbers of ARs will find implementation much more challenging. In some cases, the development of a strengthened framework is likely to lead to them uncovering previously unidentified risks. This could cause them to review and possibly change their current AR arrangements. Finally, firms will be implementing the new AR regime alongside the Duty requirements and they will have to ensure the frameworks are consistent with each other and that they analyse conduct MI from ARs carefully to enable proactive conduct risk identification.