Group Risk Development (Grid) is warning insurers not to enter into service level, non-disclosure, data processing and other supplier agreements with corporate customers.
The four issues were raised as the group risk trade body updated its statement of best practice for the industry.
The body said an increasing number of employers “are proposing additional supplier agreements, non-disclosure agreements, data-processing agreements, and service-level agreements, in addition to, or instead of the insurance policy itself”.
It argued these agreements were “not usually appropriate for group risk business and that the policy document itself is a sufficient contract”.
“As the UK’s insurance sector is already a highly regulated industry with significant levels of protection embedded, employers can be confident that whichever insurer they select, they will be covered by the same rigorous industry standards,” it added.
It highlighted four specific areas where it believed insurers should not be entering into contractual agreements with their customers.
Service level agreements
“It is recommended that insurers do not enter into contractual service level agreements, although these may be agreed as a statement of principle,” Grid said.
It recognised that in other business relationships, when a firm is supplied a service on which it depends to operate its business, the firm’s business could suffer financially if that service is not supplied to a suitable standard.
However, Grid noted: “Most group risk insurers have a set of minimum service standards. Financial services regulation is based on a mixture of principles and outcomes.
“Regulatory expectations that service meets reasonable customer expectations and how any complaints are handled.
“An independent complaints mechanism, the Financial Ombudsman Service (FOS) may consider the complaints of smaller businesses and insured persons if not resolved.”
It added that regulations require insurers to only provide products that represent fair value to customers and that the features and construction minimise the risk of foreseeable harm to customers.
“This means that a good proportion of the premium is set aside to meet claims and firms run the risk of regulatory sanctions if service levels are deemed unacceptable,” Grid continued.
“It is therefore not appropriate for them to form part of a legally binding agreement and they are not outlined in the insurance policy.
“The provision of group risk cover is a product, not a service,” it said.
Supplier agreements
“Insurers should not enter into supplier agreements as these are not appropriate to Group Risk business,” Grid stated.
It noted that group risk insurers are authorised by the Prudential Regulation Authority (PRA) and regulated by the Financial Conduct Authority (FCA) and the PRA to provide insurance.
“An insurer may also include value-added services alongside the insurance; however, these are generally provided by third parties as they are not authorised to provide these services directly,” Grid said.
It added that supplier agreements, for example those typically used for the supply of goods or services, are unsuitable for documenting insurance.
They often conflict and could potentially override quotation and policy terms and other conditions.
Non-disclosure agreements
“It is recommended that insurers do not enter into generic non-disclosure agreements that are not specifically drawn up for use with group insurance products,” Grid warned.
It noted that protection for clients is already provided by FCA regulations and the Data Protection Act 2018 (DPA), and these agreements can conflict with an insurer’s responsibilities under this UK legislation and regulations.
“Generic non-disclosure agreements often include clauses that are incompatible with insurance law,” Grid said.
Data processing agreements
“It is recommended that insurers do not enter into data processing agreements, as under the DPA they and their clients are data controllers,” Grid said.
It noted that insurers determine the purpose and manner in which any personal data is, or will be, processed, which means they are independent data controllers.
Joint data controller agreements, or unnecessary processing agreements where the customer mistakenly believes an insurer may process personal data on their behalf, could cloud the responsibilities and create unnecessary risks for customers, it added.
Areas of misunderstanding
Grid argued these issues were arising because of misunderstanding by companies wanting group risk insurance.
“When companies purchase products or services, they quite reasonably wish to ensure that the company they are purchasing the products or services from acts in an appropriate manner and that they are protected if problems arise,” it said.
“However, companies are often unfamiliar with the way that group risk insurance operates in the UK, or the protection automatically provided through financial services laws and regulation.”
It continued: “The service which a firm provides in managing the insurance provided is a high priority for all firms who will need to meet regulatory standards.
“However, making this a contractual obligation for group risk cover is not appropriate.”
Additional supplier agreements not necessary
Paul White, chairman of Grid, said: “We believe that additional supplier agreements, which are often better suited for other products and services, are not necessary when purchasing group risk insurance because a policy document itself gives all the reassurance and protection required.
“Any other agreements could make it difficult for the insurer to carry out its normal activities in connection with the insurance and conflict with the insurer’s regulatory and legal responsibilities.
“We hope the statement will support insurers, intermediaries and their clients in making the group risk procurement process more efficient for everyone involved.”