In what has been a busy few months for the European Commission and the European Insurance and Occupational Pensions Authority (EIOPA) in filling in some of the gaps in the Solvency II framework, there have been a number of points which will be of particular interest to those whose role involves the commercial and outsourcing operations of insurers. This is an area in which our practice has particular experience and we have published a practice note focussing on the impact of Solvency II in this area with the broadly used Practical Law resource (click here for a copy of our practice note which is in the process of being updated to reflect recent developments). We also provide regular training for in-house teams (both legal and commercial) to illustrate the impact of Solvency II on the negotiation of commercial arrangements.
Amongst a range of draft technical standards published by EIOPA (which principally focus on the practical assessment of an insurer's liabilities), the Commission also published for consultation (in mid-October) a draft Delegated Regulation which aims to make up "the core of the single prudential rulebook for insurance and reinsurance undertakings in the EU".
The latter parts of this Delegated Regulation specifically focus on the second two of the three "Pillars" which make up the Solvency II regime (i.e. harmonised and enhanced governance/risk management and supervisory reporting/public disclosure respectively). Drawing out the key points as far as outsourcing is concerned:
Reporting and Disclosure Requirements
All insurers will be facing the challenge of needing to implement Pillar 3 requirements (relating to supervisory reporting and public disclosure) in a fairly short period of time, given that the pertinent details are only now being fleshed out by EIOPA and the Commission.
However, of note from an outsourcing perspective is a requirement for an insurer's annual 'solvency and financial condition report' to include a description of:
- the insurer's outsourcing policy;
- its outsourcing of any 'critical' or 'important' functions; and
- the jurisdiction in which the provider of those functions is located.
These reports are expected to be made publicly available (including via insurers' websites) with prescriptive requirements around the provision of copies of the report to anyone requesting to see one. This is supplemented by more periodical supervisory reporting which must include details of the rationale for any outsourcing of this nature, details regarding the relevant service provider and details of the people responsible for the outsourced service provision in the service provider.
In our view, insurers can therefore expect significantly more public scrutiny (in addition to that from regulators) regarding the outsourced arrangements they put in place and it would be prudent to allow for this specifically in any new arrangements being put in place.
Insurers will also be expressly required to:
- establish information systems which produce 'complete, reliable and consistent' information concerning the insurer's business activities. This is accompanied by an express requirement for an insurer's actuarial function to assess whether the IT systems used in the calculation of technical provisions sufficiently support that insurer's actuarial and statistical procedures. Given the amount of sophisticated modelling and data required to satisfy the Solvency II internal model and capital risk assessment requirements (among others), this is perhaps not surprising, but does create the need for the actuarial and IT functions to ensure they are taking a 'joined up' approach in practice;
- maintain adequate/orderly records in relation to their business and safeguard the security, integrity and confidentiality of their information; and
- implement and maintain a business continuity policy aimed at ensuring the preservation of essential data/functions and the carrying on of insurance activities (or, where that is not possible, the prompt recovery of data or the resumption of business as usual).
To a certain extent, these requirements build on existing guidelines and good practice. However, given the additional public disclosure required (see above) even more attention to these areas is to be recommended.
The Delegated Regulation also includes a number of more specific requirements around the selection of outsourced service providers and the provisions needed in written agreements with anyone providing a 'critical' or 'important' function. These, however, re-iterate preliminary guidance previously issued by EIOPA and are therefore not in themselves new (see copy of our practice note for further details in respect of these).