Are there restrictions on outsourcing parts of the business?
Insurance & Reinsurance
In principle, outsourcing of insurance companies’ business is not restricted. However, the Guidelines govern the management of outsourcees.
Moreover, when an insurance company receives business outsourced by another insurance company, it is necessary to obtain approval from the FSA (Article 98, Paragraph 2 of the Insurance Business Act), and in the case of a group company, a notification must be submitted.
Furthermore, it is generally accepted that the core business of an insurance company, such as deciding whether to pay insurance claims, cannot be outsourced due to the licensing system of the insurance business.
APRA's Prudential Standard CPS 321 regulates the outsourcing of any material business activities for general and life insurers. The standard does not impose any express restrictions on outsourcing but does require all insurers and reinsurers to notify APRA within 20 business days of the execution of an outsourcing agreement. This notification must be accompanied by a summary of the key risks and mitigation strategies involved. The insurer or reinsurer must also provide information sufficient to demonstrate to APRA that the entity has a business case for the outsourcing, has engaged in a selection process for the project and has established procedures to monitor the performance of the agreement.
Yes, the EU Solvency II Directive provides for specific rules (and restrictions) in terms of outsourcing.
In accordance with the EU Solvency II Directive, in cases where an insurer outsources part of its business, the insurer will remain fully responsible for discharging all of its obligations under law, regulation and administrative provisions. Specifically, the outsourcing of an important or critical activity or function must not lead to any material impairment in the quality of the undertaking’s system of governance, any increase of the operational risk, any impairment of the ability of the regulator to monitor compliance of the company or undermining of continuous and satisfactory service to policyholders.
The DFSA supervises the outsourcing activities and must be notified of any outsourcing activity.
Provisions regarding the outsourcing of parts of an insurance business are contained in the Insurance Law, which follows the principles introduced by the Solvency II Directive.
Insurance and reinsurance undertakings remain fully responsible when they outsource functions or any insurance or reinsurance activities to external parties. Outsourcing of critical or important operational functions or activities may not: materially impair the quality of the system of governance of the undertaking concerned, unduly increase operational risk, impair the ability of the KNF to monitor the compliance of the undertaking with its obligations or undermine continuous and satisfactory service to policyholders.
Insurance and reinsurance undertakings must notify the KNF prior to the outsourcing of critical or important functions or activities as well as of any subsequent material developments with respect to those functions or activities. Moreover, the KNF must have access to all relevant data held by the outsourcing service provider as well as the right to conduct on-site inspections.
Each insurance and reinsurance undertaking should have a written policy in relation to outsourcing and ensure that this policy is implemented.
Turkish insurance companies can outsource operational parts of the business subject to the restrictions set out in the Regulation no. 29459 on Insurance Support Services, issued by the Undersecretariat. Accordingly, insurance and private pension companies are allowed to outsource ancillary services that are not central to their insurance business such as the claims handling, limitation of risks and losses, salvage and rescue services, health consultancy. Services seconded employees from other firms, legal and tax consultancy services and advertisement services are not subject to these restrictions and can be freely outsourced.
Insurance and private pension companies are required to submit annual reports on the information about the risk management and cost/benefit analysis of their outsourced operations. They are also liable all the damages and losses arising from the outsourced services.
Service must be incorporated in Turkey and registered with the service provider list maintained by the Insurance Information and Monitoring Center. They also need to have appropriate resources and experience, as well as a clean track record in all jurisdictions within the last five years.
The 2015 Regulations permit (re)insurers to outsource many of its functions to a third party service provider or otherwise, provided that a written outsourcing agreement is put in place and the (re)insurer maintains proper oversight and supervision of the outsource service provider.
Where the outsourced activity constitutes a critical and important function of an insurance undertaking, the Central Bank must be notified before outsourcing the activity and is also required to be informed of any subsequent material developments with respect to any such function or activity. Critical or important functions are defined by EIOPA as those that are ‘essential to the operation of the undertaking as it would be unable to deliver its services to policyholders without the function or activity’.
Insurance undertakings are required to have written outsourcing policies in place which clearly define the duties and responsibilities of both parties. In addition, an outsourcing agreement must ensure effective access for the insurer, its external auditor and the Central Bank to all information on the outsourced functions and activities and provide permission to conduct on-site inspections. Any outsourcing must not:
- materially impair the undertaking’s system of governance;
- cause an undue increase in operational risk;
- impair the supervisory monitoring of compliance with obligations; or
- undermine the continuous and satisfactory service to policyholders.
While an insurer can outsource freely to an entity located in another EU / EEA Member State, the Central Bank has been reluctant in the past to authorise an undertaking which plans to outsource a large proportion of its activities to a third country.
In accordance with Solvency II, where an insurer outsources part of its business it will remain fully responsible for discharging all of its obligations under law, regulation and administrative provisions. Specifically, insurers must not outsource any critical or important part of the business in such a way as might lead to any material impairment in the quality of the firm’s systems of governance, any increase in operational risks, impairment of the ability of the supervisory authorities to monitor compliance or undermining of continuous and satisfactory service to policyholders.
An insurance company may outsource parts of the operations to an external service provider. The board of directors and the CEO are solely responsible for the outsourced activities. The board of directors or the CEO shall, as part of this responsibility, draw up internal guidelines as to which licensed operations, or operations that have a natural connection with such operations or their support functions, may be outsourced, as well as the manner in which such outsourcing operations shall take place. To the board of directors’ help, the ICC has recently presented its new Principles and guidelines for outsourcing in the financial industry, which lays down practical recommendations and advice on how to best plan, negotiate and execute an outsourcing operation.
If an insurance company intends to outsource a significant part of the licensed operations, or activities that have a natural connection with these operations or their support functions, the company should notify such intentions to the FSA in advance.
In general, all insurers are allowed to outsource certain parts of their functions or insurance activities, but have to ensure compliance with all supervisory rules and requirements. To this end, insurers have to establish written guidelines. If insurers want to outsource one of the four key functions identified in the Solvency II Directive (risk management, compliance, internal audit and actuarial functions), they have to appoint an "outsourcing officer" responsible for supervising the outsourcing process.
Insurers intending to outsource important functions or the insurance activities of sales, portfolio management, claims administration, accounting or asset investment and management immediately have to notify BaFin of their intention, providing a draft of the contract they intend to conclude with the service provider pursuant to Section 47 No. 8 VAG. The notification submitted to BaFin has to contain the name of the service provider, its address, a description of the scope of the outsourced activities, the reasons for outsourcing and, if key tasks are outsourced (in particular one of the four key functions identified in the Solvency II directive) the name of the competent person at the service provider.
Yes, there are restrictions on outsourcing parts of the insurance business. These partly follow from the Financial Institutions Act, partly from the Financial Supervisory Authority Act of 1956. It is common for insurers to outsource parts of their services such as marketing, sales and claims handling. The core work in relation to underwriting and risk assessment may not be outsourced, as these services are strongly linked to the insurance companies’main obligations.
Insurance companies may contract with third parties services related to their operation, provided the services are deemed “necessary” for the operation, as set forth in Chapter 12 of the Circular that contains a list of those services that may be outsourced, such as support services for the selection and analysis of risks, administrative services related to the acceptance of risk, risk management or actuarial services. Service agreements entered into by insurance companies to outsource parts of the business must include mandatory clauses and must be filed with the CNSF in the terms set forth in Chapter 12 of the CUSF.
Outsourcing, while not technically prohibited, is becoming a riskier proposition as the various regulators have increased their diligence. While outsourcing some back-office functions may be acceptable, as noted above certain executive and technical functions must be handled by dedicated personnel. This is an area where market participants need to be aware that the regulatory landscape changes may result in certain outsourcing practices that were heretofore tolerated, being ruled to now be improper with minimal notice.
One function that insurers may specifically outsource are its investment activities, pursuant to Article 1 of IA Resolution No. 25 of 2015. However, this does not relieve the insurer of the oversight of, and ultimate responsibility for, any actions taken on its behalf.
The DIFC/DFSA has regulations permitting outsourcing of certain compliance functions for smaller entities, but these must be brought in-house once the size of the relevant entity increases.
The implementation of the Solvency II Directive introduced stricter requirements in relation to the outsourcing of parts of an insurer’s business (cf. Article 109 VAG).
Most importantly, insurance undertakings that are outsourcing parts of their business need to ensure that the FMA has effective access to all relevant data held by the outsourcing service provider as well as the provider’s offices.
The FMA needs to be notified of any intention to outsource critical or important operational functions of an insurance undertaking in a timely manner. If the outsourcing service provider itself is neither an insurance nor a reinsurance undertaking, prior approval by the FMA is required.
In any event, outsourcing of critical or important operational functions is prohibited, if the intended outsourcing leads to either,
- materially impairing the quality of the undertaking’s system of governance;
- unduly increasing the operational risk;
- impairing the ability of the supervisory authorities to monitor the undertaking’s compliance with its regulatory obligations; or
- undermining continuous and satisfactory service to policyholders.
Where appropriate, approval may be granted conditionally, to prevent the occurrence of one of the aforementioned scenarios or the endangerment of the insureds’ interests.
There are no specific restrictions to outsource business areas. However, the regulation requires that a Project of Formation (regarding an insurance or reinsurance company) indicate the main outsourcing agreements. Risk equity and technical reserves shall follow the guidelines of the regulator’s directives and would not be possible to delegate to third parties.
Agreements by which the “essential functions” of an insurance company are outsourced to service providers (“Outsourcing Agreements”) are considered to be a part of the business plan of an insurance company. According to FINMA the following functions are essential for an insurance company: production; portfolio administration; claims handling; accounting; investment and asset management; IT.
Such Outsourcing Agreements must be submitted to FINMA during the licensing process (Art 4 para 2 lit j ISA). It is deemed an amendment of the business plan if an existing insurance company enters into an outsourcing agreement. Thus, it has to inform FINMA accordingly. The amendment of the business plan is deemed approved if FINMA does not start any investigations within 4 weeks.
According to a new draft Circular , which is supposed to become effective on 1 July 2017, in principle, all essential functions of an insurance company can be outsourced, except senior management and controlling by senior management, if the following prerequisites are met:
- The eligibility of the service provider must be documented.
- Responsibility for outsourced services remains with the insurance company.
- The insurance company must be entitled to examine the provider’s business at any time; FINMA’s supervision must not be impeded by outsourcing.
- Outsourcing to a service provider based abroad is admissible only if the insurance company can prove that examination and supervision rights by FINMA are not impeded by such outsourcing.
- Outsourcing Agreements must be made in writing and provide for a minimum content set out in FINMA’s draft circular.
In order to manage the operational risks associated with subcontracting, insurance companies should set appropriate policies and procedures to evaluate, manage and monitor subcontracted processes. Such policies and procedures must consider:
- The selection process of the service provider.
- The preparation of the subcontracting agreement.
- The management and monitoring of the risks associated with the subcontracting agreement.
- The implementation of an effective control environment.
- Establishment of continuity plans.
Subcontracting agreements must be formalized through signed contracts, which must include service level agreements, and clearly define the responsibilities of the supplier of the company.
Insurers assume full responsibility for the results of the subcontracted processes with third parties, and may be penalized for non-compliance. They must also ensure that secrecy and confidentiality are maintained on the information that may be provided to them.
In any significant subcontracting, a formal analysis of the associated risks shall be carried out and reported to the Board for approval. 'Significant' means a subcontracting that, in case of failure or suspension of the service, can put the company at significant risk, by affecting its income, solvency, or operational continuity. The subcontracting of one or more risk management functions will be considered significant.
Moreover, in case that companies wish to subcontract their data processing in a meaningful way, in such a way that it is done abroad, they will require prior and express authorization from the SBS.
The outsourcing of business by Indian insurers/reinsurers, Branch Offices of Foreign Reinsurers and service companies set up under Lloyd’s India, is subject to the restrictions prescribed under the applicable law. IRDAI recently issued the IRDAI (Outsourcing of activities by Indian Insurers) Regulations 2017 to revise the existing guidelines and prescribe revised norms applicable to insurers vis-à-vis arrangements with third party service providers regarding such activities which an insurer is required to ordinarily perform itself. These regulations also expressly set out the list of core activities that an insurer is prohibited from outsourcing to third party service providers.
The IRDAI also recently issued the IRDAI (Insurance Brokers) Regulations 2018 (Brokers Regulations) to replace the IRDA (Insurance Brokers) Regulations 2013. The new regulations set out express norms with respect to the outsourcing of activities by insurance brokers in India. Insurance brokers are now expressly prohibited from outsourcing their functions listed in the Brokers Regulations to third party service providers. In addition, insurance brokers are also prohibited from outsourcing risk management and claims consultancy services, unless the insurance broker does not undertake this activity at all.
There are no restrictions on outsourcing. However, the insurer concerned must adopt a framework to effectively manage its outsourcing arrangements, such as maintaining a register of its outsourcing arrangements which is to be submitted to MAS on an annual basis or upon request, and conducting independent audits and/or expert assessments of its outsourcing arrangements. The regulatory framework for outsourcing is set out in the Outsourcing Guidelines dated 27 July 2016 of MAS.
Brazilian Employment Courts do not permit the outsourcing of activities that are part of the core business of the company. However, there are proposals in Congress, and a pending judgment before the Supreme Court, to ease these restrictions.
Any activity which is defined as an activity of an insurer can only be conducted by an Insurers.
Notwithstanding the above activities which do not require a license can be outsourced, as long as the outsourcing is in accordance with the policy set by the board of directors of the insurer, in accordance with the circular issued by the Commissioner in this respect.
Yes; Article 92 of the Supervision Act states that every insurance or reinsurance undertaking which outsources jobs, activities or operational functions remains entirely responsible for the fulfilment of its obligations arising from the Supervision Act. Furthermore, the outsourcing of operational functions cannot (1) materially impair the quality of the system of governance of the undertaking concerned, (2) unduly increase the operational risk, (3) impair the ability of the supervisory authorities to monitor compliance of the insurer with its obligations and (4) undermine continuous and satisfactory service to policyholders.
The NBB also requires that an outsourcing policy is drafted and approved by the board of directors of the insurer. An insurer is also obliged to set out a process allowing it to be determined whether a function or an activity is a crucial or important function or activity in respect of the management of the undertaking. Insurance undertakings should also, in a timely manner, notify the supervisory authorities prior to the outsourcing of critical or important functions or activities, as well as of any subsequent material developments with respect to those functions or activities (such as the termination of an outsourcing contract).
Since 1 January 2016, the externalization of certain critical operational functions or activities – such as risk management, compliance, internal auditing or actuarial functions – are subject to specific regulatory requirements, pursuant to Solvency II.
Outsourcing must be subject to:
- a written outsourcing policy,
- a contract between the insurance undertaking and the service provider (which must include mandatory, standardized provisions),
- a prior notification to the ACPR, and
- verifications, by the undertaking, that the service provider has:
- the ability, the capacity and authorizations required by law to deliver the required functions or activities satisfactorily,
- the necessary financial resources to perform the additional tasks in a competent and reliable way, as well as the necessary human resources, and
- adequate contingency plans enabling it to deal with emergency situations or business disruptions.
These rules also apply in case of intra-group outsourcing, especially where the service provider is in a different geographical region.
The federal regulator, OSFI, as well as some of its provincial counterparts, do have rules pertaining to the outsourcing of material business functions by insurers. The applicable rules require that the insurer evaluate the risks associated with all existing and proposed outsourcing arrangements, develop a process for determining the materiality of arrangements, implement a program for managing and monitoring risks commensurate with the materiality of the arrangements, ensure that the board of directors or chief agent receives information sufficient to enable them to discharge their duties and refrain from outsourcing certain business activities to the external auditor.
The Ordination Supervision and Solvency of Insurance and Reinsurance Companies Act 2015
states that insurers or reinsurers may externalize relevant functions or operative activities except if this sensibly impairs the quality of corporate governance or unduly increases the operational risk, limits the insurance regulator’s ability to supervise the company or interferes with the service offered to policyholders. It is also stated that with a view to avoid such negative effects, an employee of the insurance company with sufficient knowledge and experience shall be appointed to monitor the performance of the service providers. The insurer is required to notify in advance to the General Directorate of Insurance the outsourcing of critical functions or activities and the regulator may object.
PIRL determines that where an insurance or reinsurance undertaking outsources part of its business, the following conditions shall be met:
a. The services provider cooperates with ASF for the purposes of supervising the part of the business that has been outsourced;
b. The insurance and reinsurance undertakings, the respective auditors and ASF shall have access to the data regarding the outsourced parts of the business;
c. ASF shall have access to the facilities of the services provider.
PIRL further determines that insurance and reinsurance undertakings shall not outsource parts of the business in such a way that may lead to:
a. Impairment of the corporate governance system of the undertaking;
b. An increase in the operational risk;
c. Impairment to the capacity of ASF verifying compliance with the undertakings’ legal duties;
d. Impairment to the services rendered to the policyholders, insureds and beneficiaries.