Outsourcing in the Insurance Sector: changes under the new Solvency II regulatory framework

04/03/2015

Introduction

The Solvency II Directive (2009/138/EC) sets out the framework for a revised regulatory regime for the insurance sector, reforming capital requirements and risk management for insurers and reinsurers within the EU. With the Directive nearing its implementation date of 1 January 2016, the Delegated Regulation (2015/35/EC) (supplementing the Directive) was published in the EU Official Journal on 17 January 2015. The Delegated Regulation sets out detailed requirements, based on the provisions set out in the Solvency II Directive, which constitute the core of the single prudential rulebook for insurance and reinsurance, set to replace certain aspects of the FCA and PRA Handbooks next year.

The new regulatory framework brings changes to the requirements for outsourcing, including detailed provisions which must be included in a written outsource agreement required with any service provider providing services which are “for any critical or important operational functions or activities” (in contrast to the current SYSC provisions, which deal with “material outsourcings”). Explanatory Notes to the 2013 Level 3 Guidelines (published by the EIOPA) give examples of critical or important functions or activities and these include investment of assets or portfolio investment, claims handling, provision of data storage and the provision of on-going day-to-day systems maintenance or support (the latter two of which are likely to be of significance in many technology related services). However, as the test for whether a function is important will be whether it is essential to the operation of the insurer, it appears likely that arrangements which fell into the “material” category will also be caught by the new wording.

Current Regime

Principle 3 of FCA’s Principles for Business states that firms must take reasonable care in organising their affairs responsibly and effectively, including ensuring that adequate risk management systems are in place. Any outsourcing by insurers must therefore be organised in accordance with this principle, with some flexibility allowed in the choice of system implemented, providing that it is adequate.

The Senior Management Arrangements, Systems and Controls Sourcebook (SYSC) contains the current guidance relating to operational risk, encompassing outsourcing. SYSC 13 and 14 deal with outsourcing requirements relating to operational risk and risk management respectively. In particular, SYSC 13.9.5 requires insurers to take reasonable care when outsourcing and requires them to have regard to specific provisions when negotiating contracts with service providers.

Changes under Solvency II

The Solvency II Directive is set to bring in changes to the current regime. Articles 41 to 49 focus on ensuring insurers and reinsurers establish systems which lead to good governance. Article 49 deals with outsourcing, making it clear that insurance and reinsurance undertakings remain fully responsible for discharging all of their obligations under the Solvency II Directive when they outsource functions or any insurance or reinsurance activities and requiring that outsourcing of critical or important operational functions or activities shall not be undertaken in such a way as to lead to any of the following:

  • materially impairing the quality of the system of governance of the undertaking concerned;
  • unduly increasing the operational risk;
  • impairing the ability of the supervisory authorities to monitor the compliance of the ndertaking with its obligations; or
  • undermining continuous and satisfactory service to policy holders.

What is required to meet the Article 49 outsourcing principles?

Article 274 of the Delegated Regulation provides information as to what is required to meet the overarching principles in Article 49 of the Solvency II Directive and is considerably more detailed than the existing regime with regard to outsourcing.

Article 274(1) requires insurance and reinsurance undertakings to establish a written outsourcing policy which takes account of the impact of outsourcing on its business and the reporting and monitoring arrangements to be implemented in cases of outsourcing. As set out in the Level 3 Guidelines published in 2013, the policy should also set out the due diligence process which is to be completed, before any outsourcing arrangements are concluded. When undertaking the outsourcing of critical or important functions or activities, insurers and reinsurers must also consider the extent to which they are able to control a service provider which is part of their own company group (Article 274(2)). Pre-contact due diligence must include an assessment of the service provider’s conflicts of interest, capacity to perform the contract and financial and technical abilities (Article 274(3)(a) and (b)). Article 274(5) also sets out additional due diligence which must be performed where the outsourcing relates to “critical or important operational functions” including adequacy of the service provider’s risk management and internal control systems.

Article 274(4) states the twelve requirements which an outsource agreement for any critical or important operational functions or activities must contain. The table below sets out a comparison of the detailed requirements of Article 274(4) and the equivalent SYSC 13.9.5 provision. Whilst some Article 274(4) requirements are similar to those under SYSC 13.5.9, the catch is that they tend to be more specific and detailed than the SYSC 13.5.9 requirements and often include additional obligations. For instance:

  • Under Article 274(b), the outsourcing agreement must clearly state the service provider's commitment to comply with all applicable laws, regulatory requirements and guidelines as well as policies approved by the insurance or reinsurance undertaking and to cooperate with the undertaking's supervisory authority with regard to the outsourced function or activity. This goes into much further and contains more detail than SYSC 13.9.5(5) which only requires regard to compliance with the firm’s policies and procedures (for example, information security).
  • Under Article 274(4)(f), the outsourcing agreement must clearly state that the insurance or reinsurance undertaking reserves the right to be informed about the outsourced functions and activities and their performance by the services provider as well as a right to issue general guidelines and individual instructions at the address of the service provider, as to what has to be taken into account when performing the outsourced functions or activities. This is more specific than the higher level reporting requirement in SYSC 13.5.9(1) which says that a firm should have regard to reporting or notification requirements it may wish to impose on the service provider.

Consequently, provisions in existing outsource agreements which continue after 31 December 2015 will need careful review to check that they are sufficiently broad and detailed enough.

Requirements which are new and have no equivalent in SYSC 13.9.5 are generally what one would normally expect in a good outsourcing agreement (see table below for further details).

Additionally, it would be prudent to include drafting in the outsource agreement to cover the following:

  • the outsourcing does not entail the breaching of any law in particular with regard to rules on data protection (Article 274(3)(e));
  • the service provider is subject to the same provisions on the safety and confidentiality of information relating to the insurance or reinsurance undertaking or to its policyholders or beneficiaries that are applicable to the insurance or reinsurance undertaking (Article 274(3)(f)). This requirement is similar to SYSC 13.5.9(3) under which a firm should have regard to information ownership rights, confidentiality agreements and Chinese walls (information barriers) to protect client and other information (including arrangements at the termination of the contract);
  • the requirements in Article 275(5) that the insurance or reinsurance undertaking that is outsourcing critical or important operational functions or activities to: (i) verify that the service provider has the necessary financial resources to perform the additional tasks in a proper and reliable way, and that all staff of the service provider who will be involved in providing the outsourced functions or activities are sufficiently qualified and reliable; and (ii) ensure that the service provider has adequate contingency plans in place to deal with emergency situations or business disruptions and periodically tests backup facilities where necessary, taking into account the outsourced functions and activities (similar to the requirement in SYSC 13.9.8 that a firm should ensure that it has appropriate contingency arrangements to allow business continuity in the event of a significant loss of services from the service provider including significant loss of resources at, or financial failure of, the service provider, and unexpected termination of the outsourcing arrangement).

Comment

Insurers and reinsurers should use the time until the Directive is implemented next year to review any existing outsource arrangements which will continue after 1 January 2016 and, where necessary, take steps to ensure compliance. They should also ensure that any outsourcing arrangements currently under negotiation or which commence negotiation during 2015 incorporate the mandatory requirements contained in the Delegated Regulations. The table provided below may provide useful guidance in this regard but is not a substitute for carrying out a detailed legal review of existing arrangements. Please contact us if you would like us to assist with carrying out audits of existing outsource agreements and/or to advise on suitable changes which may be required.

Further Reading

Commission Delegated Regulation 2015/35

http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:JOL_2015_012_R_0001&from=EN

Solvency II (Directive 2009/138/EC)

http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32009L0138&from=EN

Delegated Regulation (January 2015)

SYSC 13.9.5

Subject

Article

Text

Ref

Text

Parties’ duties and responsibilities

274(4)(a)

The outsourcing agreement must clearly state the duties and responsibilities of both parties involved.

No equivalent.

Compliance with law, regulations, guidelines and policies

Co-operation with supervisory authority

274(4)(b)

The outsourcing agreement must clearly state the service provider's commitment to comply with all applicable laws, regulatory requirements and guidelines as well as policies approved by the insurance or reinsurance undertaking and to cooperate with the undertaking's supervisory authority with regard to the outsourced function or activity.

13.9.5(5)

In negotiating its contract with a service provider a firm should have regard to the extent to which the service provider must comply with the firm’s policies and procedures (for example, information security).

Reporting and notification

274(4)(c)

The outsourcing agreement must clearly state the service provider's obligation to disclose any development which may have a material impact on its ability to carry out the outsourced functions and activities effectively and in compliance with applicable laws and regulatory requirements.

13.9.5(1)

In negotiating its contract with a service provider a firm should have regard to reporting or notification requirements it may wish to impose on the service provider.

Notice period on service provider’s termination

274(4)(d)

The outsourcing agreement must clearly state a notice period for the termination of the contract by the service provider which is long enough to enable the insurance or reinsurance undertaking to find an alternative solution.

No equivalent (although note the business continuity requirements in SYSC 13.9.8 as regards ‘unexpected termination’).

Termination by insurance or reinsurance undertaking

274(4)(e)

The outsourcing agreement must clearly state that the insurance or reinsurance undertaking is able to terminate the arrangement for outsourcing where necessary without detriment to the continuity and quality of its provision of services to policyholders.

13.9.5(7)&(8)

In negotiating its contract with a service provider a firm should have regard the need for continued available of software following difficulty at a third party supplier and the conditions under which the firm or service provider can choose to change or terminate the outsourcing arrangement, such as where there is:

(a) a change of ownership or control (including insolvency or receivership) of the service provider or firm; or

(b) significant change in the business operations (including sub-contracting) of the service provider or firm; or

(c) Inadequate provision of services that may lead to the firm being unable to meet its regulatory obligations.

Reporting and right to issue instructions

274(4)(f)

The outsourcing agreement must clearly state that the insurance or reinsurance undertaking reserves the right to be informed about the outsourced functions and activities and their performance by the service provider as well as a right to issue general guidelines and individual instructions at the address of the service provider, as to what has to be taken into account when performing the outsourced functions or activities.

13.9.5(1)

In negotiating its contract with a service provider a firm should have regard to reporting or notification requirements it may wish to impose on the service provider.

Confidentiality

274(4)(g)

The outsourcing agreement must clearly state that the service provider shall protect any confidential information relating to the insurance or reinsurance undertaking and its policyholders, beneficiaries, employees, contracting parties and all other persons.

13.9.5(3)

In negotiating its contract with a service provider a firm should have regard to information ownership rights, confidentiality agreements and Chinese walls to protect client and other information (including arrangements at the termination of the contract).

Access to information for auditors and supervisory body

274(4)(h)

The outsourcing agreement must clearly state that the insurance or reinsurance undertaking, its external auditor and the supervisory authority have effective access to all information relating to the outsourced functions and activities including carrying out on-site inspections of the business premises of the service provider.

13.9.5(2)

In negotiating its contract with a service provider a firm should have regard to whether sufficient access will be available to its internal auditors, external auditors or actuaries and to the appropriate regulatory and suppliers under material outsourcing arrangements.

Service provider to respond directly to questions from supervisory authority

274(4)(i)

The outsourcing agreement must clearly state that, where appropriate and necessary for the purposes of supervision, the supervisory authority may address questions directly to the service provider to which the service provider shall reply.

No direct equivalent (although note SYSC 13.9.5(2)).

Obtaining information and issuing instructions

274(4)(j)

The outsourcing agreement must clearly state that the insurance or reinsurance undertaking may obtain information about the outsourced activities and may issue instructions concerning the outsourced activities and functions.

13.9.5(1)

13.9.5(8)

In negotiating its contract with a service provider a firm should have regard to reporting or notification requirements it may wish to impose on the service provider.

In negotiating its contract with a service provider a firm should have regard to the processes for making changes to the outsourcing arrangement (for example, changes in processing volumes, activities and other contractual terms).

Terms and conditions re subcontracting

274(4)(k)

The outsourcing agreement must clearly state the terms and conditions, where applicable, under which the service provider may sub-outsource any of the outsourced functions and activities.

No equivalent.

Service provider remains liable for sub-contractors

274(4)(l)

The outsourcing agreement must clearly state that the service provider's duties and responsibilities deriving from its agreement with the insurance or reinsurance undertaking shall remain unaffected by any sub-outsourcing taking place according to point (k).

No equivalent (although note SYSC 13.9.4(2)).