CAA specifications regarding the notification regime for outsourcings of significant or critical operational activities or functions

Luxembourg

On 19 August 2022, the Commissariat aux Assurances (the “CAA”) published a new Circular-Letter 22/16 (the “CL”) on outsourcing of significant or critical operational activities or functions in the framework of the amended law of 7 December 2015 on the insurance sector (the “Insurance Sector Law”). The Insurance Sector Law states i.a. under Article 81 that Luxembourg insurance and reinsurance undertakings (the “Undertakings”) must inform the CAA in advance and in good time of their intention to outsource significant or critical activities or functions, as well as of any subsequent significant developments relating to such outsourcings. The CL in this context aims to specify in more detail the notification regime and other applicable internal governance requirements.

Before entering into an outsourcing agreement, and as part of its obligations in this context, any Undertaking must (i) assess whether the outsourcing agreement relates to a significant or critical activity or function (or if the function will become significant or critical in the future) and (ii) document it. Among the factors relevant to such assessment, the CL mentions the impact of such outsourcing on the Undertaking and more specifically (i) on its business plan (e.g., in relation to the Undertaking's overhead costs), (ii) on the Undertaking’s control and supervision over a relevant service provider (e.g., the Undertaking's overall exposure to a single service provider) and (iii) on its brand image (e.g., the Undertaking's reputational risk or risks in relation to data protection and insurance secrecy). It should in this respect be noted that key functions as defined under the Insurance Sector Law and the Solvency 2 Directive[1] (the “Key Functions”), are always to be considered as significant and critical.

When outsourcing personal data or data allowing for the identification of any stakeholder of an insurance policy (i.e. policyholder(s), insured person(s), beneficiary(ies)), the Undertaking must further ensure that insurance secrecy requirements are complied with. The Undertaking must in particular (i) carry out a legal analysis to determine whether it is necessary for the policyholder to accept the outsourcing[2], (ii) document and keep such analysis up to date, (iii) ensure that the staff working for the service provider (or for any service provider to which tasks have been sub-outsourced) cannot access personal data of the policy stakeholders without having the Undertaking’s approval and without having a surveillance mechanism in place allowing the Undertaking to control such accesses; (iv) ensure that the service provider’s accesses are restricted and subject to preventive and detection measures in line with good practice, which shall be reviewed at least on an annual basis; and (iv) have in place measures to prohibit unauthorised access to the Undertaking’s systems (e.g., by providing encrypted access to its telecommunications).

With respect to the notification requirements per se, Undertakings will be required to notify the CAA in the following cases:

  1. in case of outsourcing of significant or critical activities or functions;
  2. in case of outsourcing of a Key Function,
  3. in case of significant changes to the outsourced significant or critical activities or functions; and
  4. in case the outsourcing entails a major change to the Undertaking’s business plan.

The notification shall be carried out at least one month before the outsourcing takes place by using the official excel notification form provided on the CAA website.

Within two months of the signing of the outsourcing agreement, the Undertaking’s compliance officer shall assess and confirm in writing certain of the characteristics of the outsourcing to the CAA, as described in the CL.

The CL further also provides for some exclusions from the notification requirements. In particular, IT outsourcings based on cloud computing infrastructures will be subject to separate notification requirements, as provided for under CAA Circular Letter 21/15. The CL also specifies that outsourcings of day-to-day management or of a key function to a professional of the insurance sector by captive insurance or reinsurance undertakings, as well as the use of intermediaries for the distribution of insurance and reinsurance products, will not need to be notified to the CAA (provided certain conditions specified in the CL are met).

Finally, the CL also provides information for filling in the notification form available on the CAA website.

The CL will apply as from 1 November 2022 to all outsourcing agreements concluded or amended from that date.

Should you have any questions on the above, please do not hesitate to contact one of our experts of the insurance and reinsurance team.

Vivian, Benjamin B., Sarah, Mélanie, Anne

 


[1] Directive 2009/138/EC of the European Parliament and of the Council of 25 November 2009 on the taking-up and pursuit of the business of Insurance and Reinsurance (Solvency II) (recast) 

[2] In accordance with Article 300(2a) of the Insurance Sector Law.