Challenges and Risks When Outsourcing to a Third-Party Administrator
August 16, 2022
The International Risk Management Institute defines a Third-Party Administrator (TPA) as a firm that handles various types of administrative responsibilities, on a fee-for-services basis.1 These responsibilities are generally executed for insurance carriers and typically include claims administration, loss control, risk management information systems, and risk management consulting.
In addition to a separate article on top risks that carriers face when outsourcing to a Managing General Agent (MGA), in this piece we discuss the challenges and risks when outsourcing to an TPA.
Risks Associated with the Departure from Claim Handling Guidelines
When outsourcing claims handling to a TPA, the Carrier could be exposed to the risk of the TPA not following claim handling guidelines or Service Level Agreements. If guidelines are not followed, the Carrier could be exposed to claims that were denied without merit or improperly disputed; the amount necessary to settle a claim can increase significantly due to lack of a timely investigation and handling of the claim. The TPA not having proper reserving techniques could cause financial harm to the Carrier, which could also result in reinsurance companies not being notified timely causing potential disputes. The Carrier is also exposed to the risk that the TPA’s employees, contractors or the attorneys hired by the TPA lack the skills, experience or knowledge required to administer the claims.
In order to avoid risks associated with hiring a TPA for claims administration, the Carrier should ensure the claims handling guidelines are clear. In addition, the Carrier should audit the TPA at least annually to confirm the implementation and adherence to the guidelines and SLA.
Risk Associated with the Mismanagement of Claims Imprest Account
The claims imprest account must be properly managed in order to effectively operate and lessen risks to the Carrier as it relates to issuance of claim settlement payments.2 This would include having proper controls over check issuance and check authority amounts. Effective internal control to ensure proper segregation of duties should exist such that one employee issues the check and another employee reviews the check and corresponding backup for accuracy and other employees sign and mail the check. Another control that should be in place that two people must review and sign the check when the amount is above a preset threshold.
Since the TPA is responsible for issuing claims settlements, they must ensure that the checks will clear the imprest account by reconciling the bank statement and outstanding checks monthly. This should include a plan to follow-up on outstanding checks that reach 90 days. The TPA should also be aware of escheatment laws for the states where they handle claims and there should be a clear process followed to escheat checks to the corresponding states as necessary.
Another way to ensure that TPA-issued payments have proper funding and clearance for when the checks are presented for payment by the payee is to initiate a positive pay process. Using this process, the TPA would initiate a daily upload to the banking site showing the checks issued for the day. This would also serve as a safeguard to minimize the risk of fraud.
It is also important that the TPA is properly netting recovery checks against future funding in the bank account and properly accounting for voided checks in order to alleviate the risk of overfunding the imprest account.
The Carrier can mitigate many of the risks noted above by having specific processes and procedures detailed in the Agreement, and by implementing an audit strategy on a periodic basis.
Risk of Insufficient Insurance Coverages for Insurer’s Benefit
One of the risks that may not be at the front of the insurer’s mind when hiring a TPA is the potential that the TPA does not have adequate Errors & Omissions policies or Fidelity bonds in good standing. The insurer is relying on the TPA to protect their funds and this includes protecting them from insurable losses to the Carrier’s funds. The contract between the Carrier and TPA should include required minimum limits and maximum deductibles on E&O and Fidelity policies as well as listing the Carrier as an additional named insured in the event of a loss.
Risk of Inaccurate Loss Run Data
The TPA may report loss run data inaccurately or not on a timely basis, which puts the carrier at risk for not having the proper reserves recorded. In addition, inadequate loss run data could lead to poor risk analysis that could affect a decision to continue writing with an MGA or not. Carriers also require accurate loss run data in order to drive proper pricing.
The risk associated with inaccurate reporting by a TPA could have an adverse effect on the reinsurance agreement in place and any potential reinsurance recoverable. To mitigate this risk, the Carrier should ensure monthly reporting, periodic claims reviews and review the monthly reports for any potential anomalies.
Risk of the TPA’s Financial Solvency
Upon inception of many TPA and carrier agreements, the Carrier usually performs a due diligence that will include a review of financial statements and a background check of the principals to assess the TPA’s financial status and stability. If the TPA maintains the Carrier’s funds in a commingled account with the Company’s operating funds, the Carrier faces the risk that the TPA could use the funds collected under their Agreement to cover the TPA’s operating expenses.
To mitigate these potential risks, the Agreement should include the requirements for the TPA to produce their year-end, Audited Financial Statements on a yearly basis within 90 days of the fiscal year-end, along with quarterly unaudited financial statements within 45 days of the quarter close. This will allow the Carrier to monitor on a quarterly basis the financial solvency of the TPA. Additionally, the Carrier should review some key financial ratios against industry standards to reveal data that could indicate a potential solvency issue.
Risk of Not Having Proper Information Technology (IT) Security Controls in Place
In this day and age where data breaches and ransomware are on the rise, having good IT security protocols is an essential business practice. TPAs that handle sensitive data should have best practice IT security protocols in place. Making passwords a minimum length, complexity and changing them at regular intervals can guard against unauthorized access to the system and data. Educating employees about phishing schemes can help prevent data breaches and potential ransomware. Assuring implementation of proper Segregation of Duties (SoD) process and controls such that no single person is in a position to perform incompatible roles is an important IT security control.
Carriers can mitigate many of the risks noted by having requirements in the TPA Agreement as well as examining the implementation of the key controls noted above during an inspection.
Risk Associated with Disruption of Service
During the Covid-19 pandemic when businesses were forced to work remotely, having a Disaster Recovery Plan (DRP) and a Business Continuity Plan (BCP) are as important as ever. Were TPAs able to effectively and efficiently transact business? Was there a disruption in client service? Were the Carriers able to manage the relationship? Continuing business operations and being able to report data is a critical risk associated with outsourcing business to TPAs. This would include having comprehensive data back-up plans, identification of alternative worksites as well as proper testing of restoration of back-up files at regular intervals.
As guidance on the requirements of a DRP/BCP is not always included in the TPA Agreement, addressing it in some manner in the Agreement is recommended. As part of the annual review of the TPA, Carriers should request a copy of the DRP/BCP.
Risk Associated with Incomplete and/or Manual Data Feeds
A significant risk to the Carrier is not receiving complete, accurate and timely loss data. If loss data is not reported, the Carrier would not be able to properly reserve on their exposures. Each of these could harm statutory reporting along with reporting to reinsurers. In some instances, reporting is done via manually e-mailing spreadsheets; in these instances the Carrier would have to either upload the spreadsheets received or manually input the financial results. This could lead to delays in transmissions due to the manual process or the mis-keying of information.
To mitigate these concerns the Carrier can require an automated data feed that is sent on a specific day of each month or week. This will allow accurate and timely reporting and uploading to the Carrier’s system. The data transmission method should be included in the Agreement and continued compliance should be monitored on a periodic basis.
Outsourcing to a TPA can be risky but having proper oversight will help mitigate these risks, along with having a comprehensive Agreement that includes key requirements. Periodic inspections of the TPAs should be carried out to help supplement the ongoing monitoring activities.
In a separate article we discuss the top challenges and risks that carriers face when outsourcing to a Managing General Agent (MGA), identifying some specific issues that arise in the MGA relationship and how they can be mitigated.
1: “Third-Party Administrator (TPA)”, International Risk Management Institute web site, accessed July 29, 2022. https://www.irmi.com/term/insurance-definitions/third-party-administrator
2: “CLAIMS IMPREST ACCOUNT Sample Clauses”, LawInsider.com web site, accessed July 29, 2022. https://www.lawinsider.com/clause/claims-imprest-account
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates, or its other professionals.