Outsourcing in the Insurance Sector: changes under the new Solvency II regulatory framework

Introduction

The Solvency II Directive (2009/138/EC) sets out the framework for a revised regulatory regime for the insurance sector, reforming capital requirements and risk management for insurers and reinsurers within the EU. With the Directive nearing its implementation date of 1 January 2016, the Delegated Regulation (2015/35/EC) (supplementing the Directive) was published in the EU Official Journal on 17 January 2015. The Delegated Regulation sets out detailed requirements, based on the provisions set out in the Solvency II Directive, which constitute the core of the single prudential rulebook for insurance and reinsurance, set to replace certain aspects of the FCA and PRA Handbooks next year.

The new regulatory framework brings changes to the requirements for outsourcing, including detailed provisions which must be included in a written outsource agreement required with any service provider providing services which are “for any critical or important operational functions or activities” (in contrast to the current SYSC provisions, which deal with “material outsourcings”). Explanatory Notes to the 2013 Level 3 Guidelines (published by the EIOPA) give examples of critical or important functions or activities and these include investment of assets or portfolio investment, claims handling, provision of data storage and the provision of on-going day-to-day systems maintenance or support (the latter two of which are likely to be of significance in many technology related services). However, as the test for whether a function is important will be whether it is essential to the operation of the insurer, it appears likely that arrangements which fell into the “material” category will also be caught by the new wording.

Current Regime

Principle 3 of FCA’s Principles for Business states that firms must take reasonable care in organising their affairs responsibly and effectively, including ensuring that adequate risk management systems are in place. Any outsourcing by insurers must therefore be organised in accordance with this principle, with some flexibility allowed in the choice of system implemented, providing that it is adequate.

The Senior Management Arrangements, Systems and Controls Sourcebook (SYSC) contains the current guidance relating to operational risk, encompassing outsourcing. SYSC 13 and 14 deal with outsourcing requirements relating to operational risk and risk management respectively. In particular, SYSC 13.9.5 requires insurers to take reasonable care when outsourcing and requires them to have regard to specific provisions when negotiating contracts with service providers.

Changes under Solvency II

The Solvency II Directive is set to bring in changes to the current regime. Articles 41 to 49 focus on ensuring insurers and reinsurers establish systems which lead to good governance. Article 49 deals with outsourcing, making it clear that insurance and reinsurance undertakings remain fully responsible for discharging all of their obligations under the Solvency II Directive when they outsource functions or any insurance or reinsurance activities and requiring that outsourcing of critical or important operational functions or activities shall not be undertaken in such a way as to lead to any of the following:

• materially impairing the quality of the system of governance of the undertaking concerned;
• unduly increasing the operational risk;
• impairing the ability of the supervisory authorities to monitor the compliance of the ndertaking with its obligations; or
• undermining continuous and satisfactory service to policy holders.

What is required to meet the Article 49 outsourcing principles?

Article 274 of the Delegated Regulation provides information as to what is required to meet the overarching principles in Article 49 of the Solvency II Directive and is considerably more detailed than the existing regime with regard to outsourcing.

Article 274(1) requires insurance and reinsurance undertakings to establish a written outsourcing policy which takes account of the impact of outsourcing on its business and the reporting and monitoring arrangements to be implemented in cases of outsourcing. As set out in the Level 3 Guidelines published in 2013, the policy should also set out the due diligence process which is to be completed, before any outsourcing arrangements are concluded. When undertaking the outsourcing of critical or important functions or activities, insurers and reinsurers must also consider the extent to which they are able to control a service provider which is part of their own company group (Article 274(2)). Pre-contact due diligence must include an assessment of the service provider’s conflicts of interest, capacity to perform the contract and financial and technical abilities (Article 274(3)(a) and (b)). Article 274(5) also sets out additional due diligence which must be performed where the outsourcing relates to “critical or important operational functions” including adequacy of the service provider’s risk management and internal control systems.

Article 274(4) states the twelve requirements which an outsource agreement for any critical or important operational functions or activities must contain. The table below sets out a comparison of the detailed requirements of Article 274(4) and the equivalent SYSC 13.9.5 provision. Whilst some Article 274(4) requirements are similar to those under SYSC 13.5.9, the catch is that they tend to be more specific and detailed than the SYSC 13.5.9 requirements and often include additional obligations. For instance:

• Under Article 274(b), the outsourcing agreement must clearly state the service provider's commitment to comply with all applicable laws, regulatory requirements and guidelines as well as policies approved by the insurance or reinsurance undertaking and to cooperate with the undertaking's supervisory authority with regard to the outsourced function or activity. This goes into much further and contains more detail than SYSC 13.9.5(5) which only requires regard to compliance with the firm’s policies and procedures (for example, information security).
• Under Article 274(4)(f), the outsourcing agreement must clearly state that the insurance or reinsurance undertaking reserves the right to be informed about the outsourced functions and activities and their performance by the services provider as well as a right to issue general guidelines and individual instructions at the address of the service provider, as to what has to be taken into account when performing the outsourced functions or activities. This is more specific than the higher level reporting requirement in SYSC 13.5.9(1) which says that a firm should have regard to reporting or notification requirements it may wish to impose on the service provider.

Consequently, provisions in existing outsource agreements which continue after 31 December 2015 will need careful review to check that they are sufficiently broad and detailed enough.

Requirements which are new and have no equivalent in SYSC 13.9.5 are generally what one would normally expect in a good outsourcing agreement (see table below for further details).

Additionally, it would be prudent to include drafting in the outsource agreement to cover the following:

• the outsourcing does not entail the breaching of any law in particular with regard to rules on data protection (Article 274(3)(e));
• the service provider is subject to the same provisions on the safety and confidentiality of information relating to the insurance or reinsurance undertaking or to its policyholders or beneficiaries that are applicable to the insurance or reinsurance undertaking (Article 274(3)(f)). This requirement is similar to SYSC 13.5.9(3) under which a firm should have regard to information ownership rights, confidentiality agreements and Chinese walls (information barriers) to protect client and other information (including arrangements at the termination of the contract);
• the requirements in Article 275(5) that the insurance or reinsurance undertaking that is outsourcing critical or important operational functions or activities to: (i) verify that the service provider has the necessary financial resources to perform the additional tasks in a proper and reliable way, and that all staff of the service provider who will be involved in providing the outsourced functions or activities are sufficiently qualified and reliable; and (ii) ensure that the service provider has adequate contingency plans in place to deal with emergency situations or business disruptions and periodically tests backup facilities where necessary, taking into account the outsourced functions and activities (similar to the requirement in SYSC 13.9.8 that a firm should ensure that it has appropriate contingency arrangements to allow business continuity in the event of a significant loss of services from the service provider including significant loss of resources at, or financial failure of, the service provider, and unexpected termination of the outsourcing arrangement).

Comment

Insurers and reinsurers should use the time until the Directive is implemented next year to review any existing outsource arrangements which will continue after 1 January 2016 and, where necessary, take steps to ensure compliance. They should also ensure that any outsourcing arrangements currently under negotiation or which commence negotiation during 2015 incorporate the mandatory requirements contained in the Delegated Regulations. The table provided below may provide useful guidance in this regard but is not a substitute for carrying out a detailed legal review of existing arrangements. Please contact us if you would like us to assist with carrying out audits of existing outsource agreements and/or to advise on suitable changes which may be required.

Further Reading

Commission Delegated Regulation 2015/35

http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:JOL_2015_012_R_0001&from=EN

Solvency II (Directive 2009/138/EC)

http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32009L0138&from=EN