Are there restrictions on outsourcing parts of the business?
Insurance & Reinsurance
The 2015 Regulations permit an insurance company to be outsourced to a third party, provided that appropriate oversight and control is retained by the insurance company over the relevant function. An insurance undertaking is required to notify the Central Bank before outsourcing any critical and important function or activity and is also required to inform the Central Bank of any subsequent material developments with respect to any such function or activity. Critical or important functions are defined by EIOPA as those that are ‘essential to the operation of the undertaking as it would be unable to deliver its services to policyholders without the function or activity’.
The 2015 Regulations permit an insurance company to outsource any activity to a third party, provided that appropriate oversight and control is retained by the insurance company over the relevant activity. Where the outsourced activity constitutes a critical and important function of an insurance undertaking, the Central Bank must be notified before outsourcing the activity. Critical or important functions are defined by EIOPA as those that are ‘essential to the operation of the undertaking as it would be unable to deliver its services to policyholders without the function or activity’. An undertaking is also required to inform the Central Bank of any subsequent material developments with respect to any such outsourced function or activity.
Insurance undertakings are required to have written outsourcing policies in place which clearly define the duties and responsibilities of both parties. In addition, an outsourcing agreement must ensure effective access for the insurer, its external auditor and the Central Bank to all information on the outsourced functions and activities and provide permission to conduct on-site inspections. Any outsourcing must not:
- materially impair the undertaking’s system of governance;
- cause an undue increase in operational risk;
- impair the supervisory monitoring of compliance with obligations; or
- undermine the continuous and satisfactory service to policyholders.
While an insurer can outsource freely to an entity located in another EU / EEA Member State, the Central Bank has been reluctant in the past to authorise an undertaking which plans to outsource a large proportion of its activities to a third country.
In accordance with Solvency II, where an insurer outsources part of its business it will remain fully responsible for discharging all of its obligations under law, regulation and administrative provisions. Specifically, insurers must not outsource any critical or important part of the business in such a way as might lead to any material impairment in the quality of the firm’s systems of governance, any increase in operational risks, impairment of the ability of the supervisory authorities to monitor compliance or undermining of continuous and satisfactory service to policyholders.
An insurance company may outsource parts of the operations to an external service provider. The board of directors and the CEO are solely responsible for the outsourced activities. The board of directors or the CEO shall, as part of this responsibility, draw up internal guidelines as to which licensed operations, or operations that have a natural connection with such operations or their support functions, may be outsourced, as well as the manner in which such outsourcing operations shall take place. To the board of directors’ help, the ICC has recently presented its new Principles and guidelines for outsourcing in the financial industry, which lays down practical recommendations and advice on how to best plan, negotiate and execute an outsourcing operation.
If an insurance company intends to outsource a significant part of the licensed operations, or activities that have a natural connection with these operations or their support functions, the company should notify such intentions to the FSA in advance.
In accordance with Solvency II, where an insurer outsources part of its business it will remain fully responsible for discharging all of its obligations under law, regulation and administrative provisions. Specifically, insurers must not outsource any critical or important part of the business in such a way as might lead to any material impairment in the quality of the firm’s systems of governance, any increase in operational risks, impairment of the ability of the supervisory authorities to monitor compliance or undermining of continuous and satisfactory service to policyholders. The intention to outsource important insurance functions must be notified to BaFin by providing the draft outsourcing agreement. Section 203 of the German Criminal Code has so far imposed severe limitations on the transfer of sensitive data by a domestic or foreign life or health insurer to an outsourcing provider. After almost 20 years of discussion, this provision is about to be changed in early 2017 to finally open the way for outsourcing by life and health insurers.
Yes, there are restrictions on outsourcing parts of the insurance business. These partly follow from the Financial Institutions Act, partly from the Financial Supervisory Authority Act of 1956. It is common for insurers to outsource parts of their services such as marketing, sales and claims handling. The core work in relation to underwriting and risk assessment may not be outsourced, as these services are strongly linked to the insurance companies’main obligations.
Insurance companies may contract with third parties, services necessary for their operation, in accordance with the general provisions issued by the CNSF, with the authorization of the Governing Board. Chapter 12 of the Circular contains a list of those services that may be outsourced, such as support services for the selection and analysis of risks, administrative services related to the acceptance of risk, risk management or actuarial services.
Outsourcing, while not technically prohibited, is becoming a riskier proposition as the various regulators have increased their diligence. While outsourcing some back-office functions may be acceptable, as noted above certain executive and technical functions must be handled by dedicated personnel. This is an area where market participants need to be aware that the regulatory landscape changes may result in certain outsourcing practices that were heretofore tolerated, being ruled to now be improper with minimal notice.
One function that insurers may specifically outsource are its investment activities, pursuant to Article 1 of IA Resolution No. 25 of 2015. However, this does not relieve the insurer of the oversight of, and ultimate responsibility for, any actions taken on its behalf.
The DIFC/DFSA has regulations permitting outsourcing of certain compliance functions for smaller entities, but these must be brought in-house once the size of the relevant entity increases.
The implementation of the Solvency II Directive introduced stricter requirements in relation to the outsourcing of parts of an insurer’s business (cf. Article 109 VAG).
Most importantly, insurance undertakings that are outsourcing parts of their business need to ensure that the FMA has effective access to all relevant data held by the outsourcing service provider as well as the provider’s offices.
The FMA needs to be notified of any intention to outsource critical or important operational functions of an insurance undertaking in a timely manner. If the outsourcing service provider itself is neither an insurance nor a reinsurance undertaking, prior approval by the FMA is required.
In any event, outsourcing of critical or important operational functions is prohibited, if the intended outsourcing leads to either,
- materially impairing the quality of the undertaking’s system of governance;
- unduly increasing the operational risk;
- impairing the ability of the supervisory authorities to monitor the undertaking’s compliance with its regulatory obligations; or
- undermining continuous and satisfactory service to policyholders.
Where appropriate, approval may be granted conditionally, to prevent the occurrence of one of the aforementioned scenarios or the endangerment of the insureds’ interests.
The insurance activity can only be carried out by duly authorised insurance and reinsurance companies, brokers, sales agents and loss adjustors. Thus, this activity can only be carried out by the entity that is authorised to do so. Consequently, insurance companies may outsource certain services as long as these are not activities deemed essential to the insurance business. It is advisable that this is analysed on a case by case basis.
Agreements by which the “essential functions” of an insurance company are outsourced to service providers (“Outsourcing Agreements”) are considered to be a part of the business plan of an insurance company. According to FINMA the following functions are essential for an insurance company: production; portfolio administration; claims handling; accounting; investment and asset management; IT.
Such Outsourcing Agreements must be submitted to FINMA during the licensing process (Art 4 para 2 lit j ISA). It is deemed an amendment of the business plan if an existing insurance company enters into an outsourcing agreement. Thus, it has to inform FINMA accordingly. The amendment of the business plan is deemed approved if FINMA does not start any investigations within 4 weeks.
According to a new draft Circular , which is supposed to become effective on 1 July 2017, in principle, all essential functions of an insurance company can be outsourced, except senior management and controlling by senior management, if the following prerequisites are met:
- The eligibility of the service provider must be documented.
- Responsibility for outsourced services remains with the insurance company.
- The insurance company must be entitled to examine the provider’s business at any time; FINMA’s supervision must not be impeded by outsourcing.
- Outsourcing to a service provider based abroad is admissible only if the insurance company can prove that examination and supervision rights by FINMA are not impeded by such outsourcing.
- Outsourcing Agreements must be made in writing and provide for a minimum content set out in FINMA’s draft circular.
In order to manage the operational risks associated with subcontracting, insurance companies should set appropriate policies and procedures to evaluate, manage and monitor subcontracted processes. Such policies and procedures must consider:
- The selection process of the service provider.
- The preparation of the subcontracting agreement.
- The management and monitoring of the risks associated with the subcontracting agreement.
- The implementation of an effective control environment.
- Establishment of continuity plans.
Subcontracting agreements must be formalized through signed contracts, which must include service level agreements, and clearly define the responsibilities of the supplier of the company.
Insurers assume full responsibility for the results of the subcontracted processes with third parties, and may be penalized for non-compliance. They must also ensure that secrecy and confidentiality are maintained on the information that may be provided to them.
In any significant subcontracting, a formal analysis of the associated risks shall be carried out and reported to the Board for approval. 'Significant' means a subcontracting that, in case of failure or suspension of the service, can put the company at significant risk, by affecting its income, solvency, or operational continuity. The subcontracting of one or more risk management functions will be considered significant.
Moreover, in case that companies wish to subcontract their data processing in a meaningful way, in such a way that it is done abroad, they will require prior and express authorization from the SBS.
The outsourcing of business by Indian insurers/reinsurers, Branch Offices of Foreign Reinsurers and service companies set up under Lloyd’s India, is subject to the restrictions prescribed under the applicable law. Broadly, these entities are prohibited from outsourcing their core functions (including underwriting and investments) to third party service providers.
There are no restrictions on outsourcing. However, the insurer concerned must adopt a framework to effectively manage its outsourcing arrangements, such as maintaining a register of its outsourcing arrangements which is to be submitted to MAS on an annual basis or upon request, and conducting independent audits and/or expert assessments of its outsourcing arrangements. The regulatory framework for outsourcing is set out in the Outsourcing Guidelines dated 27 July 2016 of MAS.
Brazilian Employment Courts do not permit the outsourcing of activities that are part of the core business of the company. However, there are proposals in Congress, and a pending judgment before the Supreme Court, to ease these restrictions.
Any activity which is defined as an activity of an insurer can only be conducted by an Insurers.
Notwithstanding the above activities which do not require a license can be outsourced, as long as the outsourcing is in accordance with the policy set by the board of directors of the insurer, in accordance with the circular issued by the Commissioner in this respect.
Yes; Article 92 of the Supervision Act states that every insurance or reinsurance undertaking which outsources jobs, activities or operational functions remains entirely responsible for the fulfilment of its obligations arising from the Supervision Act. Furthermore, the outsourcing of operational functions cannot (1) materially impair the quality of the system of governance of the undertaking concerned, (2) unduly increase the operational risk, (3) impair the ability of the supervisory authorities to monitor compliance of the insurer with its obligations and (4) undermine continuous and satisfactory service to policyholders.
The NBB also requires that an outsourcing policy is drafted and approved by the board of directors of the insurer. An insurer is also obliged to set out a process allowing it to be determined whether a function or an activity is a crucial or important function or activity in respect of the management of the undertaking. Insurance undertakings should also, in a timely manner, notify the supervisory authorities prior to the outsourcing of critical or important functions or activities, as well as of any subsequent material developments with respect to those functions or activities (such as the termination of an outsourcing contract).
The Solvency II regime provides for specific rules in terms of outsourcing.
The Solvency II regime provides for specific rules in terms of outsourcing, in particular for outsourcing of critical or important activities, including prior notification of the ACPR. Indeed, certain activities or functions are considered as important or critical, for example the key regulatory functions (risk-management, compliance, internal audit and actuarial functions) or any activity or function whose interruption is likely to have significant impact on the activity of the insurance company or on its ability to manage risk effectively.
When the execution of an important or critical activity or function is outsourced to a third party, including within the group, the insurance undertaking remains responsible for discharging all or part of their obligations and must keep control of its execution, in accordance with the procedures set out in the written outsourcing policy that the undertaking must put in place (in relation to at least the key regulatory functions when outsourced).
The outsourcing of an important or critical activity or function must not lead to any material impairment in the quality of the undertaking’s system of governance, any increase the operational risk, any impairment of the ability of the regulator to monitor compliance of the undertaking or undermining of continuous and satisfactory service to policyholders.
The federal regulator, OSFI, as well as some of its provincial counterparts, do have rules pertaining to the outsourcing of material business functions by insurers. The applicable rules require that the insurer evaluate the risks associated with all existing and proposed outsourcing arrangements, develop a process for determining the materiality of arrangements, implement a program for managing and monitoring risks commensurate with the materiality of the arrangements, ensure that the board of directors or chief agent receives information sufficient to enable them to discharge their duties and refrain from outsourcing certain business activities to the external auditor.