Operational Resilience in Delegated Authority
Written at Mar 25, 2025 2:48:04 PM by Dave Connors
What firms need to know before the new rules come into place
Operational resilience is high on the agenda of regulators. Both the FCA and the PRA are working on a new set of rules aimed at mitigating ‘intolerable harm’ caused by large-scale disruptive events. On 31st March, PS21/3 Building Operational Resilience will come into force. So, what do insurers, brokers and other market participants need to know to be prepared?
The background: Why operational resilience matters
Given the current political and economic uncertainty at a global level, firms face an increasing number of operational challenges. As insurers and other businesses continue digitising, their operations and IT systems are becoming more vulnerable. Cyber outages and other disruptive events are also becoming more common. Last year, we witnessed the outage of CrowdStrike Falcon, which caused massive disruptions in aviation and other industries.
The new requirements in a nutshell
The new regulation, which comes into effect at the end of this month, aims to ensure that financial institutions can continue business as usual in the face of a disruptive event.
The new rulebook requires firms to identify their important business services (IBS) that could pose a risk to financial stability if disrupted. According to the PRA rulebook, firms need to consider several factors, such as their safety and soundness, as well as the degree of policyholder protection in the case of insurers. Regulators pay particular attention to these IBS, as their disruption can lead to ‘intolerable’ levels of harm, including failures in systems, processes, and third parties and people.
A key term is impact tolerance (ITOL), which the FCA defines as ‘the maximum tolerable level of disruption to an important business service, as measured by a length of time reflecting the point at which any further disruption to the important business service could cause intolerable harm… to the customer’. Insurers have identified the following as IBS: underwriting, claims, and complaints.
It is essential to remember that when these services are delegated to third parties, insurers remain responsible for these IBS, even though the third party is delivering the service.
Third-Party Reporting
The two regulators provided further clarity on third-party reporting in a consultation paper they issued in December 2024, called ‘CP24/28: Operational Incident and Third Party Reporting’. In it, the regulators outline the rules for reporting incidents and third-party arrangements. The consultation is closing in just a few days, with firms required to respond to the CP by email by 13th March. The FCA defines what constitutes an operational incident. When it comes to incident reporting, the FCA specified which types of incidents have to be reported to them while also introducing a standardized template. The FCA is proposing these new rules because the data it currently holds on third parties is limited. To address this challenge, the FCA will introduce reporting rules for both outsourcing and non-outsourcing arrangements.
The deadline is looming on 31st March, and all firms need to make sure they are prepared to meet the new rules. Those insurers and firms using third parties and delegated authorities need to pay particular attention to the new reporting requirements as outlined above. The most important takeaways are that firms need to identify their important business services, while simultaneously managing third-party risks.
For insurers with large books of delegated authority, a critical aspect of managing third-party risks lies in effective data management. In these situations, proper bordereaux management becomes vital, as it ensures that the insurer has access to detailed data from the delegated authority holder.
These reports, whether traditional bordereaux or API, allow insurers to track the performance of their third parties, monitor risks, and ensure compliance with underwriting standards, as well as regulatory requirements such as contract certainty or operational resilience standards. Without a comprehensive solution to manage reporting from these third parties, insurers could find themselves blind to potential disruptions or failures in services that directly impact their important business services. Clear and accurate reporting is essential for mitigating risks and ensuring that you are prepared for any disruptions.
https://www.regulationtomorrow.com/eu/fca-cp24-28-operational-incident-and-third-party-reporting/
https://www.insurancetimes.co.uk/analysis/industry-deems-regulatory-focus-on-operational-resilience-a-sensible-move/1454485.article