SOLVENCY II AND OUTSOURCING
Solvency II comes into force on 1 January 2016 after many years of anticipation and postponed implementation dates. Whilst much of the focus is on the capital and solvency requirements that it requires of businesses providing insurance and reinsurance services, it also contains more stringent requirements in relation to an (re)insurer's outsourcing arrangements.
All outsourcing arrangements need to comply with these requirements and so entities that provide insurance / reinsurance services must ensure their arrangements are negotiated to take them into account. Moreover, existing outsourcing contracts need to comply and so there is now a window of time in which to review the terms and put in place any remedial actions before the implementation date of 1 January 2016.
In this note, for ease, when we refer to insurer we refer to any (re)insurer or insurer within the ambit of Solvency II.
What is Solvency II?
Solvency II is the framework for the EU regulatory regime for insurers; it is, in many ways, the insurance equivalent of Basel for banks.
When does it come into force?
The provisions come into force on 1 January 2016.
Does Solvency II apply to all insurers / reinsurers?
Broadly yes - it doesn’t apply to insurers with less than €500,000 in annual premium, and should be applied in a proportionate manner depending on the size of the insurer in question.
Does Solvency II apply to banks that have insurance business?
Yes. It applies to any undertaking that provides insurance or reinsurance services. It applies to the bank's contracts that relate to its insurance activities.
Why is it relevant to outsourcing?
Part of the Directive contains provisions relating to the entering into and management of outsourcing arrangements by insurers and reinsurers.
What outsourcing contracts does Solvency II apply to?
The provisions of Solvency II (strictly speaking the Directive itself and the Delegated Regulation (2015/35/ EC)) apply to any outsourcing arrangement, except that certain more detailed provisions apply only to the outsourcing of critical or important functions - please see below.
There is no definition of outsourcing or of "critical or important" within the Directive or the Delegated Regulations. However guidance issued in 2013 indicates that it is for the insurer to determine whether a particular sourcing arrangement constitutes outsourcing or not. It goes on to say that where an insurer provides insurance services to a policyholder and certain elements of those services are provided by a third party then unless the policyholder has a direct relationship with the third party, that is outsourcing. Likewise, any reliance on a third party for functions enabling an insurer to provide insurance services is likely to be outsourcing. In broad terms, the guidance says, the more substantial or frequent the advice or service is, the more likely it is to be outsourcing.
Likewise, "critical or important" is left to the insurer to determine.
Examples of critical or important functions include:
- design and pricing of insurance products;
- investment of assets or portfolio management;
- claims handling;
- provision of regular / constant compliance, internal audit, accounting risk management or actuarial support;
- the provision of data storage;
- provision of on-going day to day systems maintenance PR support; and
- the Operational Risk Self Assessment process.
By contrast, activities that are not critical or important are:
- provision of advisory services (such as legal advice) or services that do not form part of the insurer's insurance / reinsurance activities;
- purchase of standardised services, including data services;
- provision of logistical support such as cleaning or catering; and
- provision of elements of HR support such as recruiting temporary employees and processing payroll.
What are the Solvency II requirements in respect of outsourcing contracts?
Article 49 of the Directive provides three overriding principles in relation to outsourcing. These are:
- insurance firms remain fully responsible for discharging all the Solvency II Directive requirements, notwithstanding any outsourcing;
- outsourcing of critical or important functions must not be undertaken so as to lead to:
- materially impairing the quality of system of governance of the firm,
- unduly increasing the operational risk,
- impairing the ability of supervisory authorities to monitor compliance of the firm, or
- undermining continuous and satisfactory service to policyholders; and
- firms must notify the supervisory authority in a timely manner prior to any outsourcing of critical or important functions, as well as any material developments in relation to such arrangements.
Sitting underneath the Directive, is the Delegated Regulation (2015/35/EC) which sets out a greater level of detail in support of the principles in the Directive to be adhered to by insurers.
The Delegated Regulation provides for the following requirements in relation to outsourcing by insurers and reinsurers:
- the insurer must establish a written outsourcing policy that takes into account the impact of outsourcing on
- its business and the monitoring and reporting arrangements to be implemented in the case of the outsourcing;
- the insurer must ensure that the terms of the outsourcing agreement are consistent with the provisions of article 49 (as set out above); when outsourcing critical or important functions or activities, the firm must undertake a detailed examination to ensure that the potential service provider has the ability and capacity and any authorisation required by law to deliver the required functions or activities satisfactorily, taking into account the insurer's needs and objectives;
- the insurer must ensure the service provider has the necessary financial resources to perform the outsourced functions or activities in a proper and reliable way, and that all staff of the service provider who will be involved in providing the outsourced functions or activities are sufficiently qualified and reliable;
- the insurer must ensure the service provider has adequate contingency plans in place to deal with emergency situations or business disruptions and periodically tests backup facilities where necessary;
- the insurer must ensure the service provider has adopted all means to ensure that no explicit or potential conflict of interests with the firm impairs the needs of the outsourcing firm, (and these will typically also be reflected in contractual obligations);
- the outsourcing must not entail the breaching of any law in relation to the rules on data protection;
- the general terms of the outsourcing agreement must be explained to the insurers' administrative, management or supervisory body and must be authored by them; and
- a written agreement must be entered into with the service provider. That agreement must include provisions that:
- constitute clear statements of the duties and responsibilities of both the service provider and the firm;
- oblige the service provider to comply with applicable laws, regulatory requirements and guidelines (e.g. compliance with data protection requirements), and relevant firm policies and to co- operate with the insurer's supervisory authority;
- oblige the service provider to disclose any development which may have a material impact on its ability to carry out the outsourced functions and activities effectively and in compliance with applicable laws and regulatory requirements;
- ensure that where the service provider terminates the contract, the notice period is sufficiently long to enable the firm to find and implement an alternative solution;
- allow the firm to terminate the arrangement, where necessary, and without detriment to the continuity and quality of its provision of services to policyholders;
- require the supply of information about the outsourced function or activities, including appropriate management and performance information;
- allow the firm to issue general guidelines and individual instructions to the service provider concerning what has to be taken into account when performing the outsourced functions or activities;
- govern the protection of confidential information;
- grant the firm, its external auditor and the regulators effective access to all information relating to the outsourced functions and activities including carrying out on-site inspections of the business premises of the service provider;
- allow, where appropriate and necessary for the purposes of supervision, the supervisory authority to address questions directly to the service provider (which the service provider must reply to); and
- regulate subcontracting and ensuring that the service provider remains responsible for the performance of its obligations under the agreement notwithstanding any subcontracting.
For intragroup outsourcings, the insurer needs to take into account the extent to which it controls the service provider or has the ability to influence its actions. The arrangement ought to be in writing but it is recognised that this could simply be a service level arrangement to reflect that there will not be formal negotiations of the deal / contract terms.
How different is this to SYSC 13 and 14?
SYSC 13 and 14 is broadly drafted on the basis of the insurer "having regard" to certain requirements. This meant that so long as an insurer considered the issues, the inclusion of contractual terms to reflect them was not an absolute regulatory requirement. This allowed insurers slightly more lee-way and flexibility than banks and other common platform firms that are subject to SYSC 8.
The Solvency II requirements are stated as being much more mandatory and as can be seen from the commentary above, outsourcing of critical or important functions MUST comply with these requirements.
WHAT HAPPENS IF YOU DON’T COMPLY?
The requirements will form part of the PRA Handbook. Sanctions for non-compliance with the rules include financial penalties, public censure and suspensions and restrictions on firms.
There remains a window of opportunity to review existing agreements to ensure that they are Solvency II compliant, which they will need to be by 1 January 2016. Any agreements to be put in place now and in the future need to take into account the Solvency II requirements and make sure that the contract terms reflect them.