The implementation of the Solvency II Directive by Order 2015-378 of 2 April 2015 introduces new prudential requirements for insurance companies, mutual funds and provident institutions in terms of outsourcing, contract governance, audit and reporting. These new requirements may affect the information systems of these companies and institutions and require adjustments to their IT contracts. They have until the end of this year to audit and, if necessary, amend their contracts to comply with the requirements of the directive.
Last April 3, Order No. 2015-378 implementing European Parliament and Council Directive 2009/138/EC of November 25, 2009, on the taking-up and pursuit of the business of insurance and reinsurance ("Solvency II"), was published in the Journal Officiel (the "Order").
This transposition, which involved significantly amending not only the French Insurance Code, but also the Social Security Code, the Mutuality Code and the Monetary and Financial Code within a very short timeframe, took place by order (Article 4 of Act No. 2014-1662 of December 30, 2014, enacting various provisions to adapt French legislation to European Union law in economic and financial matters). The main parts of the Order's provisions will enter into force on January 1, 2016.
The implementation of the Solvency II Directive, mainly in the French Insurance Code, which now plays a pivotal role, introduces new obligations for measuring solvency, strengthening governance and managing and reporting risks. These new provisions represent a major development for insurance and reinsurance companies, and they will have operational, organizational, accounting and financial repercussions that will notably affect the collection and production of regulatory data and the supervision of IT systems. After a brief presentation of the outlines of the Solvency II Directive and of the Order, we will identify this major reform's practical consequences for the outsourcing of functions and activities, the organization of IT systems and the IT contracts concluded by these companies.
Objectives of the Solvency II Directive:
In line with the Basel II Accord, the objective of the Solvency II Directive was to extensively modify the solvency rules that apply in the insurance industry. The new prudential regime it enacts places emphasis on the insurance institution's knowledge of its risk profile and on adapting the capital requirements to this risk profile. Directive 2014/51/EU of April 16, 2014 (referred to as "Omnibus II"), which amended the Solvency II Directive in 2014, specifies the terms of prudential supervision, notably by adapting it to the powers of the European Insurance and Occupational Pensions Authority ("EIOPA"), which was created one year after the Solvency II Directive was adopted.
The Solvency II Directive is based on three pillars. The first, which is a quantitative pillar, specifies the requirements in terms of capital, assessment of commitments and investment policies; the second, a qualitative pillar, specifies obligations in terms of corporate governance and management of risks; the third, pertaining to information, lays down the rules for transparency and reporting to the supervisory authorities and the public.
Overall, the Order has the same structure.
What the Order stipulates:
The prudential rules applicable to the three types of insurance institutions (insurance companies, mutual funds and unions, and provident institutions) are now unified and integrated solely into the French Insurance Code. On the other hand, the provisions pertaining to the institutions' governance, contracts and regulations will still be within the scope of the three aforementioned codes depending on the institution involved.
Substantively, the Order implements the requirements of the Directive's three pillars, notably laying down new prudential requirements in the applicable regulatory system, related in particular to the required capital level (Chapter II), new governance obligations (Chapter IV) and management of risks, the creation of new legal forms of "prudential groups" (Chapter VI), obligations for reporting to the French Authority of Prudential Supervision and Resolution ("ACPR" or "Autorité de Contrôle Prudentiel et de Résolution") and for informing the public (Chapter V). The Order also enacted an obligation to invest based on the "prudent person" principle, the definition of which must be provided by a decree in the French Administrative Supreme Court (Conseil d'Etat) (Chapter III).
What is the impact on the governance of IT systems and contracts?
Among the provisions of the Order's qualitative pillar, the reinforcement of internal supervisory procedures will have significant consequences in three areas that affect IT systems and IT contracts: (i) the supervision of outsourcing of functions and activities, (ii) the reinforcement of contractual governance processes, and (iii) the broadening of the scope of auditing and reporting clauses.
- Supervision of outsourcing of functions and activities
The supervisory procedures are expanded in scope to include the services that insurance and reinsurance companies outsource to third-party service providers within the framework of business process outsourcing agreements. Using the same wording as the Solvency II Directive, the Order provides that insurance and reinsurance companies must refrain from outsourcing important or critical operational activities or functions when such outsourcing could seriously compromise the quality of the company's governance system, unduly increase the operational risk, impair the supervisory authorities' ability to verify that the company complies with its obligations, or undermine continuous and satisfactory service to policy holders, parties taking out or benefiting from contracts and reinsured companies. Companies will have to inform the ACPR in advance, in a timely manner, that they intend to subcontract important or critical activities or functions, and they will have to ensure that the selected service providers cooperate with the ACPR (Article L. 354-3 of the French Insurance Code, as amended).
- Reinforcement of contractual governance processes
The Order requires insurance companies to develop written policies covering at a minimum the management of risks, internal supervision, internal auditing and, if applicable, outsourcing. These policies must be approved by the companies' governing bodies and they must be revised annually. To comply with the requirement of reinforcing the internal governance system, these written procedures should take into account how the service providers whose services affect the insurance or reinsurance company's IT system will be involved in preparing and, for the services involving them, in executing the recovery and continuity plans established by the company. In addition, companies will have to verify the existence and effectiveness of contractual governance, dispute escalation and reporting clauses. Moreover, as supervisory authorities now have the appropriate resources to verify companies' governance systems and to require that they be improved and reinforced, all contractual clauses pertaining to security, information and reporting, quality control, business continuity and subcontracting will have to be reassessed in light of the new system.
- Revision of auditing and reporting clauses
To make it possible not only for the company outsourcing activities, but also for the ACPR, to perform heightened verifications and audits on outsourced activities, possibly directly at the service provider's premises, the auditing clauses will have to be expanded in scope to cover such possibilities. Clauses that serve as the framework for relationships with subcontractors will have to be supplemented to mention the specific case of heightened internal verifications and verifications by the ACPR so as to comply with the Order's obligations.
Lastly, the Order's enactment of provisions pertaining to the supervision of groups, which will directly affect governance and reporting within groups, could also have an impact on clauses related to the scope and description of services and to audit. For example, a company's exercise of a dominant influence (by means of centralized coordination) over another company's decisions will likely lead to the inclusion of the latter company within the scope of control of the former. Within this context, it will therefore be necessary to reassess the definitions of "subsidiaries" and of a "group" in contracts and to determine the consequences of the enactment of group verification and supervision on governance clauses.
Companies within the Order's scope have until the year's end to audit their contracts and, if applicable, to renegotiate their terms to insert the new provisions to comply with the Order. The most important objective will be to have the resources, in close cooperation with their service providers, to ensure the governance and management of operational risks that meet the requirements enacted by the Solvency II Directive. Although these developments will not upset the balance of contracts already in force, they may require adjustments to the scope of services requested of service providers and also possibly involve reviewing the contracts' liability clauses.