Many insurers use outsourcing suppliers for a wide range of services, from back-office processing and outsourced operations such as claims to technology outsourcers that support their IT systems' needs. With Solvency II on the near horizon of 1 January 2016, there are several considerations that insurers need to understand in order to comply with its detailed requirements.
To meet Solvency II regulations, insurers need to ensure that adequate systems of governance are in place with their outsourcing suppliers. The regulations make it abundantly clear that the insurer remains fully responsible for discharging their Solvency II obligations whether or not these are outsourced. In addition, undertakings seeking to outsource critical or important operational activities or functions need to ensure that outsourced activities do not:
- materially impair the quality of the systems of governance of the undertaking;
- unduly increase the operational risk of the undertaking;
- impair the ability of the supervisory authorities to monitor the compliance of the undertaking with its regulatory obligations, or undermine continuous and satisfactory services of the undertaking to its customers.
In order to meet this over-arching requirement, the Solvency II regulations require the following controls to be in place:
- a written outsourcing policy should set out a risk and impact assessment of outsourcing on an undertaking’s business activities;
- the policy should set out the criteria for determining whether a function or activity is critical or important;
- the policy should also set out the due diligence process that should be followed before outsourcing services of appropriate quality are authorised. The due diligence process should include an assessment of the outsource provider’s financial and technical ability, the required quality controls and capacity requirements to complete the outsourced activity or function, as well as any conflicts of interest and how these are to be managed;
- the policy should set out, in detail, the monitoring arrangements required to meet the outsourcing risk assessment and the written details that should be contracted between both parties; and
- the policy should set out the required continuity arrangements and exit strategies for outsourced critical or important activities or functions.
For critical or important activities or functions, the regulations also set out detailed requirements to ensure that the outsourced supplier has adequate risk management and internal control systems. The outsourcing agreement with the outsourcer also needs to include very specific information on certain areas including:
- the service provider’s commitment and ability to comply with applicable laws and regulations, regulatory requirements as well as the undertaking’s own controls and standards;
- rights to information concerning the performance of outsourced activities or functions;
- rights for the undertaking to issue specific instructions and guidance to the outsourced supplier;
- specific details concerning data protection, confidentiality, termination arrangements and ownership rights; and
- importantly, specific guidance on the quality, seniority and appropriateness of the key persons managing the outsource supplier.
Whilst these rules are similar to the existing requirements for insurers under SYSC 13.9, many of the new Solvency II requirements go into far more detail than in the FCA and PRA handbook and are potentially more onerous.