Are there restrictions on outsourcing parts of the business?
Insurance & Reinsurance (3rd edition)
Brazilian Employment Courts do not permit the outsourcing of activities that are part of the core business of the company. However, there are proposals in Congress, and a pending judgment before the Supreme Court, to ease these restrictions.
An insurer could outsource its assessment business to insurance adjusters and their selling business to insurance brokers and agents. Otherwise, insurers must not outsource any critical or core part of the business. The insurer shall be liable for the activities of the insurance adjusters, brokers or agents performed on the behalf of the insurer.
There are restrictions on outsourcing parts of business, as the EU Solvency II Directive provides for specific rules (and restrictions) in terms of outsourcing.
In accordance with the EU Solvency II Directive, in cases where an insurer outsources part of its business, the insurer will remain fully responsible for discharging all of its obligations under law, regulation and administrative provisions. Specifically, the outsourcing of an important or critical activity or function must not lead to any material impairment in the quality of the undertaking’s system of governance, any increase of the operational risk, any impairment of the ability of the regulator to monitor compliance of the company or undermining of continuous and satisfactory service to policyholders.
The Danish FSA supervises the outsourcing activities and must be notified of any outsourcing activity.
Agreements by which the “essential functions” of an insurance company are outsourced to service providers (“Outsourcing Agreements”) are considered to be a part of the business plan of an insurance company.
Such Outsourcing Agreements must be submitted to FINMA during the licensing process (ISA 4 para 2 lit j). It is deemed an amendment of the business plan if an existing insurance company enters into an outsourcing agreement. Thus, it has to inform FINMA accordingly. The amendment of the business plan is deemed approved if FINMA does not start any investigations within 4 weeks.
According to the new FINMA Circular 2018/3 on Outsourcing, which has entered into force on 1. April 2018 in principle, all essential functions of an insurance company can be outsourced, except senior management and controlling by senior management, if the following prerequisites are met:
- The eligibility of the service provider must be documented.
- Responsibility for outsourced services remains with the insurance company.
- The insurance company must be entitled to examine the provider’s business at any time; FINMA’s supervision must not be impeded by outsourcing.
- Outsourcing to a service provider based abroad is admissible only if the insurance company can prove that examination and supervision rights by FINMA are not impeded by such outsourcing
- Outsourcing Agreements must be made in writing and provide for a minimum content set out in detail in FINMA’s circular
Outsourcing Agreements entered into by insurance companies before April 2018 are not affected by the new Circular as such. However, any amendment in such Agreements will subject them to the rules of Circular 2018/03
The ACGFC also regulates “Executive Officers” of an insurer. The specific qualification requirements of Executive Officers under the ACGFC include background requirements that the individual has not declared bankrupt and has not being sentenced to a suspension or imprisonment without labor or heavier punishment. Upon the appointment of an Executive Officer, an insurer shall publicly disclose the appointment of the Executive Officer and his/her qualifications on its website, company materials, etc. and shall report same the FSC.
An insurer shall appoint at least one (1) person to oversee its compliance with internal control standards, investigate violations of the standards, and take charge of general affairs related to internal control as a “Compliance Officer”. The Compliance Officer is appointed among inside directors or operational officers as an executive of the insurer. Furthermore, the same requirements shall similarly apply to the appointment, dismissal, term of office, etc. of a Risk Manager of an insurer.
Insurance companies must set appropriate policies and procedures to test, manage and track the subcontracted processes for managing the operational risks associated with outsourcing, Such policies and procedures must consider:
- Selection process of the service provider;
- preparation of the outsourcing agreement;
- management and monitoring of the risks associated with the subcontracting agreement;
- implementation of an effective control environment;
- establishment of continuity plans;
- Outsourcing agreements must be formalized through a duly executed contract, which must include service level agreements, and clearly define the responsibilities of the supplier of the company.
Insurers assume full responsibility with any third party for the results of the outsourced processes, and may be penalized for the non-compliance. They must also ensure the maintenance of secrecy and confidentiality of the information that might be provided to them.
For any significant outsourcing, a formal analysis of the associated risks must be carried out and reported to the Board for approval. It is understood under 'significant' any subcontracting that may expose the company to a significant risk, in case of failure or suspension of the service, by affecting its income, solvency, or operational continuity. The outsourcing of one or more risk management functions shall be considered significant.
Moreover, in the case that a company intends to outsource the processing of data to such a significant extent that the service is rendered overseas, it shall be subject to prior express authorization by the SBS.
Since 1 January 2016, the externalization of certain critical operational functions or activities – such as risk management, compliance, internal auditing or actuarial functions – are subject to specific regulatory requirements, pursuant to Solvency II.
Outsourcing must be subject to:
- a written outsourcing policy,
- a contract between the insurance undertaking and the service provider (which must include mandatory, standardized provisions), a prior notification to the ACPR, and
- verifications, by the undertaking, that the service provider has:
1. the ability, the capacity and authorizations required by law to deliver the required functions or activities satisfactorily,
2. the necessary financial resources to perform the additional tasks in a competent and reliable way, as well as the necessary human resources, and
3. adequate contingency plans enabling it to deal with emergency situations or business disruptions.
These rules also apply in case of intra-group outsourcing, especially where the service provider is in a different geographical region.
In general, all insurers are allowed to outsource certain parts of their functions or insurance activities, but have to ensure compliance with all supervisory rules and requirements. BaFin has issued guidelines on the "minimum requirements for the business organisation of insurance undertakings ("Mindestanforderungen an die Geschäftsorganisation von Versicherungsunternehmen (MaGo)") in February 2017. To this end, insurers have to establish written guidelines. If insurers want to outsource one of the four key functions identified in the Solvency II Directive (risk management, compliance, internal audit and actuarial functions), they have to appoint an "outsourcing officer" responsible for supervising the outsourcing process.
Insurers intending to outsource important functions or the insurance activities of sales, portfolio management, claims administration, accounting or asset investment and management immediately have to notify BaFin of their intention, providing a draft of the contract they intend to conclude with the service provider pursuant to Section 47 No. 8 VAG. The notification submitted to BaFin has to contain the name of the service provider, its address, a description of the scope of the outsourced activities, the reasons for outsourcing and, if key tasks are outsourced (in particular one of the four key functions identified in the Solvency II directive) the name of the competent person at the service provider.
In March 2018, the Commissioner published a circular “Outsourcing in Institutional Bodies” which applies to Insurance Companies.
The gist of the circular are:
1. Outsourcing activities do not release the Insurer’s from liability according to the Law for the tasks outsourced.
2. The Insurer’s board reviews and confirms what are the activities that should be outsourced. Such discussion must take place at least every 4 years. The Board will review the risks derived from outsourcing activities and will ratify any outsourcing of substantial activity as well as its outsourcing policy.
3. A special control and check-up measures will be established to review outsourced activities.
4. Any outsourcing activity should be established in a written contract.
Subject to the above, all Insurers’ activities including substantial activities can be outsourced.
APRA's Prudential Standard CPS 321 regulates the outsourcing of any material business activities for general and life insurers. The standard does not impose any express restrictions on outsourcing but does require all insurers and reinsurers to notify APRA within 20 business days of the execution of an outsourcing agreement. This notification must be accompanied by a summary of the key risks and mitigation strategies involved. The insurer or reinsurer must also provide information sufficient to demonstrate to APRA that the entity has a business case for the outsourcing, has engaged in a selection process for the project and has established procedures to monitor the performance of the agreement.
Beside the controls upon intermediaries, IVASS also performs a supervision upon the distribution of the insurance products in accordance to Article 182 of the Italian Private insurance Code.
In particular, IVASS ensure compliance with the principles of clarity, recognition, transparency and fairness of advertising and information on the conformity of the insurance contract with the advertising and in the pre-contract negotiations (with the information notice) and the execution of the insurance contract (policy conditions).
In principle, outsourcing of insurance companies’ business is not restricted. However, the Guidelines govern the management of outsourcees.
Moreover, when an insurance company receives business outsourced by another insurance company, it is necessary to obtain approval from the FSA (Article 98, Paragraph 2 of the Insurance Business Act), and in the case of a group company, a notification must be submitted.
Furthermore, it is generally accepted that the core business of an insurance company, such as deciding whether to pay insurance claims, cannot be outsourced due to the licensing system of the insurance business.
Provisions regarding the outsourcing of parts of an insurance business are contained in the Insurance Law, which follows the principles introduced by the Solvency II Directive.
Insurance and reinsurance undertakings remain fully responsible when they outsource functions or any insurance or reinsurance activities to external parties. Outsourcing of critical or important operational functions or activities may not: materially impair the quality of the system of governance of the undertaking concerned, unduly increase operational risk, impair the ability of the KNF to monitor the compliance of the undertaking with its obligations or undermine continuous and satisfactory service to policyholders.
Insurance and reinsurance undertakings must notify the KNF prior to the outsourcing of critical or important functions or activities as well as of any subsequent material developments with respect to those functions or activities. Moreover, the KNF must have access to all relevant data held by the outsourcing service provider as well as the right to conduct on-site inspections.
Each insurance and reinsurance undertaking should have a written policy in relation to outsourcing and ensure that this policy is implemented.
The only restriction is given by the exclusivity of the turn. Insurers can market their contracts through intermediaries. In the same way, technological platforms can be contracted and others in support of the development of their business, without delegating their main function.
Insurance companies may contract with third parties services related to their operation, provided the services are deemed “necessary” for the operation, as set forth in Chapter 12 of the Circular that contains a list of those services that may be outsourced, such as support services for the selection and analysis of risks, administrative services related to the acceptance of risk, risk management or actuarial services. Service agreements entered into by insurance companies to outsource parts of the business must include mandatory clauses and must be filed with the CNSF in the terms set forth in Chapter 12 of the CUSF.
In accordance with Solvency II, where an insurer outsources part of its business it will remain fully responsible for discharging all of its obligations under law, regulation and administrative provisions. Specifically, insurers must not outsource any critical or important part of the business in such a way as might lead to any material impairment in the quality of the firm’s systems of governance, any increase in operational risks, impairment of the ability of the supervisory authorities to monitor compliance or undermining of continuous and satisfactory service to policyholders.
There are no express legal provisions restricting insurance fronting transactions in the UAE. There are no legal requirements preventing an insurer from ceding 100 per cent of a written risk (i.e., fronting the risk), either to a local reinsurer or a foreign reinsurer as long as the insurer is in compliance with applicable prudential limitations in the UAE. In practice, however, reinsurers may impose stricter terms and conditions.
Any (re)insurance undertaking that outsources functions, activities or operational tasks, remains responsible for compliance with all prudential requirements.
Outsourcing may not lead to:
• material impairment of the quality of the governance system of the insurance undertaking;
• undue increase of the operational risk;
• impairment of the Bank’s ability to monitor compliance by the insurance undertaking with the obligations laid down by or pursuant to the 2016 Law;
• undermining of continuous and satisfactory service to policyholders, insureds and beneficiaries of insurance policies or the persons with an interest in performance of reinsurance policies.
The (re)insurance undertaking must inform the NBB in due time before outsourcing a function, activity or operational task.
Detailed requirements for outsourcing are set out in Chapter 7 of the NBB’s “Overarching Circular regarding the Governance System”.
Underwriting, claims approvals and actuarial functions may not be outsourced.
An Indonesian insurer may only outsource to foreign (offshore) legal entities engaging in limited activities, such as product research and development, information systems, and other functions that cannot be performed by the Indonesian insurer, subject to giving OJK prior notification.
The outsourcing of business by Indian insurers/reinsurers, Branch Offices of Foreign Reinsurers and service companies set up under Lloyd’s India Regulations, is subject to the restrictions prescribed under the applicable law. IRDAI recently issued the IRDAI (Outsourcing of activities by Indian Insurers) Regulations 2017 to revise the existing guidelines and prescribe revised norms applicable to insurers vis-à-vis arrangements with third party service providers regarding such activities which an insurer is required to ordinarily perform itself. These regulations also expressly set out the list of core activities that an insurer is prohibited from outsourcing to third party service providers.
The IRDAI also recently issued the IRDAI (Insurance Brokers) Regulations 2018 (Brokers Regulations) to replace the IRDA (Insurance Brokers) Regulations 2013. The new regulations set out express norms with respect to the outsourcing of activities by insurance brokers in India. Insurance brokers are now expressly prohibited from outsourcing their functions listed in the Brokers Regulations to third party service providers. In addition, insurance brokers are also prohibited from outsourcing risk management and claims consultancy services, unless the insurance broker does not undertake this activity at all.
It is prohibited under the LIA and NLIA for insurance and reinsurance companies to assign or outsource the writing of insurance and the payment of claims under their insurance policies. Assignment and outsourcing of other parts of their business (for example, IT outsourcing) are not prohibited and not subject to specific restrictions.
The implementation of the Solvency II Directive introduced stricter requirements in relation to the outsourcing of parts of an insurer’s business (cf. Article 109 VAG).
Most importantly, insurance undertakings that are outsourcing parts of their business need to ensure that the FMA has effective access to all relevant data held by the outsourcing service provider as well as the provider’s offices.
The FMA needs to be notified of any intention to outsource critical or important operational functions of an insurance undertaking in a timely manner. If the outsourcing service provider itself is neither an insurance nor a reinsurance undertaking, prior approval by the FMA is required.
In any event, outsourcing of critical or important operational functions is prohibited, if the intended outsourcing leads to either,
(1) materially impairing the quality of the undertaking’s system of governance;
(2) unduly increasing the operational risk;
(3) impairing the ability of the supervisory authorities to monitor the undertaking’s compliance with its regulatory obligations; or
(4) undermining continuous and satisfactory service to policyholders.
Where appropriate, approval may be granted conditionally, to prevent the occurrence of one of the aforementioned scenarios or the endangerment of the insureds’ interests.
(Re)insurers are permitted by the 2015 Regulations to outsource many of its functions to a third party service provider or otherwise. In order to do so, (re)insurers must ensure that a written outsourcing agreement is put in place and the (re)insurer maintains proper oversight and supervision of the outsource service provider.
The Central Bank must be notified before outsourcing any activity that constitutes a critical and important function of a (re)insurer. The Central Bank must also be informed by the (re)insurer of any subsequent material developments with respect to any such function or activity. EIOPA defines critical or important functions as those that are ‘essential to the operation of the undertaking as it would be unable to deliver its services to policyholders without the function or activity’.
(Re)insurers are required to have written outsourcing policies in place which clearly define the duties and responsibilities of both parties. An outsourcing agreement must ensure effective access for the (re)insurer, its external auditor and the Central Bank to all information on the outsourced functions and activities and provide permission to conduct on-site inspections. Any outsourcing must not:
- materially impair the undertaking’s system of governance;
- cause an undue increase in operational risk;
- impair the supervisory monitoring of compliance with obligations; or
- undermine the continuous and satisfactory service to policyholders.
The insurers may outsource parts of their business to third parties. There are however certain restrictions on outsourcing of business and as a main rule these restrictions also apply when outsourcing to entities in the same group. Pursuant to the Norwegian regulation the core parts of the business may not be outsourced, cf. Financial Undertakings Act section 13-4. Outsourcing is only allowed to the extent that it is done in a way that is considered justifiable and/or does not makes the supervision of the outsourced business or the total business difficult. The insurer is always responsible for the outsourced activities. There is an obligation to notify the NFSA in advance of the outsourcing unless an exemption applies. The duty to notify follows from the Norwegian Act on Financial Supervision section 4c.