Who this blog is for:
Board members and senior executives working across the UK insurance industry, in particular those in risk, compliance, internal audit and regulatory affairs teams.
At a glance:
- The FCA’s updated rules for principal firms (principals) making use of Appointed Representatives (ARs) introduce new responsibilities and requirements and will be effective from 8 December 2022. They signal a clear step-change in the intensity of the FCA’s supervision of principals.
- In the medium term some principals may want to re-consider their strategy towards using ARs given the increasing cost of compliance and the risk of customer harm these arrangements might pose. Some principals may well choose to amend or even terminate some of their AR relationships as a result of these changes.
- The new requirements cover three key areas: design and implementation of a robust AR oversight framework; annual gathering and reporting of AR data; and evidencing compliance with the rules in an annual self-assessment report approved by senior management.
- Principals should review their existing AR arrangements and make any necessary updates to their oversight framework, as well as considering client money due diligence and oversight models in light of the new responsibilities. They will also have to adjust and enhance their Management Information (MI) and reporting systems and processes in place to adhere to the new information and notification requirements.
- Principals will need to produce and document an annual self-assessment of any risks and gaps in compliance with the new rules; firms will have up to 8 December 2023 to prepare and approve the first self-assessment. Principals also have to provide to the FCA annual complaints and revenue information for each of their ARs – this is expected to be required 60 days after the FCA data request at the end of 2022.
- Principals should make sure they consider the new AR regime alongside the requirements under the new Consumer Duty (the Duty), realising synergies where possible. They should also look to leverage their existing Delegated Authority (DA) frameworks when overseeing their ARs and other distributors in the market.
What’s this about?
The AR regime is a well-established and widely used feature in the UK financial services (FS) industry. The FCA indicates that there are currently around 3,400 principals with c. 37,000 ARs operating across the FS industry – about a third of these ARs are in the general insurance and protection sectors.
As the use of ARs in financial services has continued to evolve, the FCA in its recent work has seen a wide range of consumer harm across all the sectors where firms have ARs. In particular, the FCA has identified significant shortcomings in principals’ understanding of their regulatory responsibilities for their ARs in both the general insurance and investment management sectors. The FCA and HMT consequently consulted on ways to improve the AR regime in December 2021.
Following this, the FCA published a new Policy Statement (PS22/11) in August 2022, confirming its new rules to make principals more responsible for their ARs. The new rules represent a clear step-change in the intensity of the FCA’s supervision of principals. Implementing them will require significant work by principals and their ARs in the months ahead.
In this blog, we explore what the new rules mean for insurance firms and intermediaries that are principals, and what actions they can take in order to comply with the requirements over the coming months. We also analyse how the new rules interact with other regulatory requirements - including the Duty (see our recent blog here) and DAs.
What outcomes are the FCA trying to achieve?
The FCA is seeking to achieve four key outcomes (listed in the table below) with the new rules.
Principals to understand their responsibilities, have stronger and better oversight, and take more effective responsibility of their ARs.
Enable the FCA to better challenge firms with, and those looking to appoint, ARs.
Principals to address the problems with their ARs that could cause harm to consumers or markets.
Consumers to access better-quality information on principals and ARs and make good decisions when choosing products or services.
What do the new rules say?
The new rules are split into ”responsibilities” and ”information and notification” requirements for principals, as per the table below.
The FCA requires significantly less data on Introducer ARs (IARs) than it does full ARs. This reflects the limited scope of activities that IARs are permitted to undertake, and lower risk as a result.
Information and notification requirements
…apply enhanced oversight of, and take more responsibility for, their ARs, including ensuring they have adequate systems and controls and sufficient resources and monitoring of AR growth.
…notify the FCA of future AR appointments 30 days before the appointment takes effect.
…take more effective responsibility for their ARs, including by assessing and monitoring the risk that their ARs pose to consumers and market integrity, providing similar oversight as they would their own business.
…complete a review of an AR’s activities and business on at least an annual basis (this annual review focuses on each of the principal’s ARs and assesses the suitability, financial position and fitness and propriety and adequacy of oversight of the individual AR).
…be clear on the circumstances where they should terminate an AR relationship and assist ARs with an orderly wind-down.
…provide complaints and revenue information for each AR to confirm to the FCA on an annual basis (up to 60 business days after the principal’s accounting reference date).
…review information on their AR’s activities, business and senior management annually.
…provide more information on the business of their ARs, including details on any financial non-regulated activities.
…produce a self-assessment document identifying any risks and gaps in compliance with the firm’s obligations as a principal, reviewed and approved by the principal’s governing body at least every year.
…notify the FCA whether they provide currently, or intend to provide, regulatory hosting services 60 days before starting the provision.
The original proposals also included a rule that principals must provide information on their existing ARs. The FCA will proceed with the proposal as consulted – but not through the final rules. For existing ARs, the FCA will collect the data via a s.165 data request, after which principals will have 60 days to submit the data on all existing ARs.
The updated rules will take effect on 8 December 2022. The FCA has put in place a transitional period in respect of the self-assessment document, which will allow principals to prepare their initial assessment and seek approval from their governing body for up to a year after the rules come into force. This should provide some welcome respite for firms as they gather information to comply not only with the new AR regime but also with the various deadlines for implementing the Duty.
In addition, principals should expect to receive a s.165 request about their ARs later in 2022. After that, they will have 60 days to submit the data to the FCA on all their existing ARs.
Meanwhile, the FCA will continue to work closely with HMT and monitor how the regime evolves over time, and whether additional changes are needed. The FCA also plans to publish its response to the feedback received to the discussion chapter (Chapter 5) of the CP separately in 2023.
What do the new rules mean in practice for firms?
The new rules mark a more proactive and, in many ways, more intense supervisory strategy by the FCA when it comes to ARs. The rules will affect not only principal firms in that they will have more responsibility in terms of overseeing and reporting information about their ARs. They will also affect ARs themselves who will have to provide their principals with more detailed information on a more regular basis. In the medium term, with more stringent requirements around ARs, some principals may want to re-consider their strategy towards using ARs given the increasing cost of compliance. Some principals may well choose to terminate some of their AR relationships as a result of the rules.
Principals with material numbers of ARs will have a lot to do over the coming months. Principals should review their existing AR arrangements in light of the new requirements and make sure there is an appropriate control framework in place to oversee them. Firms should also review their use of overseas ARs as, according to the FCA, there is “general agreement that there are significant challenges in relation to overseas ARs, which might result in harm to consumers and markets”. These challenges include managing legal, accounting and regulatory requirements for each jurisdiction as well as potential difficulties in having effective communications with ARs due to cultural and language differences. Where firms make use of overseas ARs, they should review and update their oversight frameworks to ensure they address these issues.
Principals should also make sure they have the necessary data on their ARs to respond to the FCA’s s.165 information request as well as the other ongoing notification requirements outlined in the PS. Firms should expect significant scrutiny from the FCA on their data and information submissions. Firms should ensure they understand and analyse the data being submitted from a conduct risk perspective and are able to identify any ARs that are outliers in respect of the key metrics being reported. Finally, principals will have to adjust and enhance their AR MI and reporting systems and processes in order to comply with the FCA’s new information and notification requirements. This includes for example amending the timelines for notifying new AR relationships to the FCA and setting up processes for collecting and reporting on complaints and revenue information from ARs. In practical terms, firms with many AR relationships may decide to use technology to help implement a consistent framework of oversight of ARs. Technology solutions (an example of which you can find here) can gather the required data and provide evidence to feed into the annual self-assessment. A consistent and robust framework is key to ensuring that firms identify emerging conduct risks from their ARs quickly and remediate them proactively in line with the expectations of the Duty.
How do the new rules interact with the Duty?
As principals work to comply with the FCA’s new AR requirements over the coming months, they should bear in mind the requirements under the Duty. The Duty sets higher expectations for the standard of care that firms give consumers. For many firms, the work needed to implement the rules and evidence compliance is extensive. Principals need to ensure they consider the new AR regime alongside the requirements under the Duty, making sure they realise synergies where possible. For example, as principals gather data to respond to the FCA’s incoming s.165 request on ARs, they should, to the extent it is relevant, make use of the data they are collecting to demonstrate compliance with the Duty.
Leveraging the DA oversight framework
The updated AR rules demonstrate a continuation of the FCA’s scrutiny of third party oversight in the general insurance market. The FCA has previously expressed concerns around the level of oversight of DA arrangements, which are widely used by general insurance firms and intermediaries. As the issues around DAs and ARs are closely linked, firms should look to leverage their existing DA frameworks when overseeing their ARs and other distributors in the market. In some cases, the oversight solution for ARs under the new rules could look similar to what has already been established for DAs over the last few years.
Firms should also consider how they will oversee their DAs which have ARs. For example, where principals have DAs that in turn use ARs, they should consider, in their own oversight of their DAs, how the DA as the principal firm is exercising appropriate oversight of the AR and whether to request the DA to share any specific data or its self-assessment in relation to its oversight of its ARs to ensure a consistent approach in relation to conduct risk appetite and the distribution strategy.
What does this mean for client money?
The prevalence of ARs within the general insurance sector also means that client money can often arise from the AR relationship. Where relevant, principals will have to apply the enhanced responsibilities and information and notification requirements to their Client Assets Sourcebook (CASS) due diligence and oversight models. For example, some insurance intermediaries will have to reassess the level of oversight of some of the following key areas:
- how money is being handled by their ARs and whether this is consistent with the Terms of Business Agreements held with their insurers, the ARs themselves, and their customers;
- trust status and related documentation for their ARs’ bank accounts;
- whether their ARs’ operations have an impact on client money calculation balances and how immediate or periodic segregation is implemented in relation to their ARs;
- MI relating to the level of client money being handled by their ARs; and
- independent accountant reports relating to ARs being able to take any exemptions from the CASS rules.
We expect firms with already very mature AR oversight frameworks to focus on ensuring that they carry out data collection and the self-assessment of compliance in a timely and effective way. However, firms with less mature oversight frameworks and material numbers of ARs will find implementation much more challenging. In some cases, the development of a strengthened framework is likely to lead to them uncovering previously unidentified risks. This could cause them to review and possibly change their current AR arrangements. Finally, firms will be implementing the new AR regime alongside the Duty requirements and they will have to ensure the frameworks are consistent with each other and that they analyse conduct MI from ARs carefully to enable proactive conduct risk identification.