Outsourcing by insurers
Many insurers choose to outsource functions or activities in whole or in part to third parties. They are permitted to do so, subject to specific conditions referred to in Section 3.18 of the Financial Supervision Act (Wet op het financieel toezicht – Wft) and Article 49 of the Solvency II Directive (2009/138/EC).
Solvency II imposes requirements to the outsourcing of critical or important functions or activities. In addition, EIOPA Guidelines provide guidance, including the provision that DNB must be notified before outsourcing commences (EIOPA Guidelines 60 and 64 on System of Governance). The third party to which an insurer has outsourced activities may also outsource all or part of these activities to a subcontracting party. If the subcontracting party also outsources activities, an outsourcing chain of service providers is created. The chain ends with management and storage of the data. Critical or important outsourcing also falls under the notification duty. More information can be found on Outsourcing notification by supervised institutions.
In the event of outsourcing, an insurer is still fully responsible. If an insurer lacks a complete picture outsourcing chain, it cannot maintain a firm enough grip on the quality of the outsourced activities. Examples include not knowing where data are stored and how they are secured. Other deficiencies could involve breakdowns of core processes and inconsistencies in data in accounting records caused by software errors. These entail the risk of the insurer failing to comply with relevant laws and regulations. As a result, it could face operational incidents and a loss of reputation.
The DNB Good Practice for Outsourcing by Insurers contains recommendations on all aspects of outsourcing by insurers.
In addition, we have shared findings from a thematic examination into outsourcing by insurers in a sector letter.
EIOPA published its Guidelines on outsourcing to cloud service providers on 6 February 2020. We apply them as part of our supervision, specifically for cloud outsourcing, to supplement our own Good Practice, Outsourcing Insurers.
The Guidelines apply to both individual insurers and insurance groups. Entities subject to other sectoral requirements that are part of a group are excluded from the scope of these Guideline at solo level.
Dates of application
- We expect insurers to apply the Guidelines from 1 January 2021 to all cloud outsourcing agreements entered into or amended on or after this date.
- They must review and amend accordingly existing cloud outsourcing agreements related to critical or important operational functions or activities with a view to ensuring compliance with the Guidelines by 31 December 2022.
- Where needed, they must also update their policies and internal processes by 1 January 2021.
- They must implement the documentation requirements for cloud outsourcing agreements related to critical or important operational functions or activities by 31 December 2022.
EIOPA has issued 16 Guidelines to facilitate compliance by insurers and reinsurers with the outsourcing provisions of Articles 13, 38 and 49 of the Solvency II Directive, and with Article 274 of the Delegated Solvency II Regulation in the event of cloud outsourcing. They build on the guidance provided by EIOPA Guidelines on System of Governance 60-64.
The Guidelines offer insurers guidance in such areas as drafting outsourcing policies and agreements, assessing relevant risks, identifying critical and important outsourced functions and activities, and making arrangements on performance levels and internal control with cloud service providers. In addition, they outline practices with respect to data and system security, recording and enforcing access and audit rights, and a structure for creating a dedicated register of outsourcing agreements.
- Guideline 1 – Cloud services and outsourcing
- Guideline 2 – General principles of governance for cloud outsourcing
- Guideline 3 – Update of the outsourcing written policy
- Guideline 4 – Written notification to the supervisory authority
- Guideline 5 – Documentation requirements
- Guideline 6 – Pre-outsourcing analysis
- Guideline 7 – Assessment of critical or important operational functions and
- Guideline 8 – Risk assessment of cloud outsourcing
- Guideline 9 – Due diligence on cloud service provider
- Guideline 10 – Contractual requirements
- Guideline 11 – Access and audit rights
- Guideline 12 – Security
- Guideline 13 – Sub-outsourcing of critical or important operational functions and activities
- Guideline 14 – Monitoring and oversight of cloud outsourcing arrangements
- Guideline 15 – Termination rights and exit strategies
- Guideline 16 – Supervision of cloud outsourcing arrangements by supervisory authorities
For more information, see: EIOPA website.