Two guidance notes of relevance to the insurance industry were issued recently. In September this year, the Office of the Commissioner of Insurance Hong Kong ("Insurance Commissioner") issued the "Guidance Note on Outsourcing" (GN14) ("Outsourcing GN", available here) to provide guidance for authorised insurers in managing the risks associated with outsourcing, as well as setting out the supervisory approach taken by the Insurance Authority ("IA") in respect of such outsourcing arrangements.
This was followed in November by a guidance note issued by the Hong Kong Privacy Commissioner for Personal Data (the "Privacy Commissioner"), "Guidance on the Proper Handling of Customers' Personal Data for the Insurance Industry" (the "Privacy GN", available here), to provide the insurance industry with practical guidance on how to comply with the Personal Data (Privacy) Ordinance Cap. 486 (the "PDPO") when collecting and using personal data of customers. We highlight below the major recommendations discussed in the Outsourcing GN. Our Newsflash relating to the Privacy GN may be accessed here.
GUIDANCE ON OUTSOURCING FOR INSURERS
It has become increasingly common for companies (including insurance services providers) to outsource certain business functions to third parties. While outsourcing can provide many benefits from a business point of view, there are also a number of risks associated with entrusting such business functions to a third party.
The Outsourcing GN applies to all outsourcing arrangements entered into by authorised insurers based or incorporated in Hong Kong as well as those arrangements relating to the Hong Kong operations of foreign insurers ("Insurers"). Services such as application and claim processing, policy administration, manpower management, payroll services, marketing and research, and IT systems management would generally be considered "outsourcing" for the purpose of the Outsourcing GN when conducted by third parties, whereas services such as the sale of insurance policies by agents, advisory services, loss adjusting services, audit review and banking services generally would not. It is important to note that the Outsourcing GN is not limited to outsourcing arrangements with third party service providers (whether within or outside Hong Kong); it also applies to outsourcing arrangements with other entities within the same corporate group.
The Outsourcing GN sets out 10 "essential issues" that Insurers are expected to take into account when formulating and monitoring outsourcing arrangements, as summarised below:
- Outsourcing policy. Insurers should develop and implement an outsourcing policy (addressing issues such as the criteria for approving outsourcing arrangements, the framework for evaluating outsourcing risks and the materiality of outsourcing arrangements, the persons responsible for approving, assessing and monitoring outsourcing arrangements etc.), and should implement procedures to ensure compliance with the policy by all relevant staff.
- Materiality assessment. Insurers should develop a framework for assessing the materiality of an outsourcing arrangement (taking into account factors such as the impact on the Insurer's financial position, business operation and reputation; the impact on the Insurer's ability to maintain adequate internal controls and meet legal and regulatory requirements; the cost of outsourcing as a proportion of the Insurer's total operating costs; and difficulties associated with finding a replacement service provider etc.). This assessment is important given that materiality triggers reporting requirements to the IA under the Outsourcing GN (as discussed below). A material outsourcing arrangement is one which has the potential to have a significant impact on the Insurer's financial position, business operation, reputation, ability to meet obligations to customers/provide adequate services to customers, or ability to comply with legal and regulatory requirements.
- Risk assessment. Insurers should conduct a comprehensive risk assessment prior to entering into an outsourcing arrangement. Factors to consider may include the impact on financial, operational, legal and reputational aspects of the Insurer's business or any loss to customers that may occur if the third party fails to provide the services. The Insurer should address any risks prior to entering into the arrangement. Fresh risk assessments should be performed where there is a renewal or variation of an existing outsourcing arrangement.
- Service provider. Insurers should take care when selecting service providers, and conduct due diligence to assess their suitability (taking into account factors such as their reputation and experience; financial soundness; reliance on sub-contractors/effectiveness of monitoring sub-contractors; familiarity with the insurance industry etc.). The ability of service providers (including financial strength and technical ability) should be reviewed at least annually.
- Outsourcing agreement. A legally binding written agreement should be entered into with all service providers. The Outsourcing GN sets out a number of matters that may be taken into account when negotiating such an agreement, including: the scope and location of the services; performance standards and monitoring; reporting requirements; ownership of information and assets; protection of confidential information; steps for dealing with poor performance; restrictions on sub-contracting; business continuity and transition-out plan; and guarantee or indemnity, amongst others. In the event of an intra-group outsourcing arrangement, an MOU endorsed by the board of directors may suffice.
- Information confidentiality. Outsourcing arrangements should comply with the PDPO and any other relevant laws relating to customer confidentiality and the protection of personal data. Insurers should ensure that all customer data is either returned or destroyed upon termination of the outsourcing arrangement. The Outsourcing GN requires notification to the IA in the event of any unauthorised access/breach of confidentiality by the service provider (including any sub-contractors) which impacts the Insurer or its customers. While the scope of this obligation is not entirely clear from the language used in the Outsourcing GN, it appears that this notification requirement is quite broad and is intended to cover both breaches of a duty of confidentiality and breaches of applicable personal data legislation.
- Monitoring and control. Insurers should have sufficient and appropriate resources to monitor and manage the outsourcing arrangement at all times. The effectiveness and adequacy of such controls should be subject to regular review. The Outsourcing GN sets out a number of recommendations for effective monitoring and control, including ensuring that monitoring is conducted by personnel with sufficient expertise, maintaining a central list of outsourcing arrangements and conducting reviews and audits at least annually. Any problems identified should be escalated to the management of both the Insurer and the service provider, and appropriate remedial steps should be taken in respect of any deficiencies. The IA should be notified where a significant problem is identified which has the potential to materially affect the Insurer's financial position, business operation or compliance with legal or regulatory requirements.
- Contingency planning. Contingency plans should be devised by the Insurer (and regularly reviewed) to ensure continuity of services in the event of system failure or other undesirable events, addressing factors such as back-up facilities and an alternate service provider, procedures to follow in the event of a contingency, and responsible personnel. Insurers should also ensure that service providers have their own contingency plans to handle any operational or system problems.
- Overseas outsourcing. Additional considerations and risks may apply where the service provider is located outside Hong Kong (e.g. country risk, access to confidential information by overseas regulators, the need to inform customers, the availability of books and records to the IA in Hong Kong, ability to transfer personal data outside Hong Kong and the governing law of the agreement (preferably Hong Kong law)).
- Sub-contracting. Additional risks may also arise where the service provider is able to sub-contract the services. Procedures should be put in place to control and monitor such sub-contracting arrangements and ensure that the service provider complies with the obligations set out in the Outsourcing GN (as if it were the Insurer) when sub-contracting all or part of the services. The outsourcing agreement should set out restrictions on sub-contracting (e.g. provisions restricting sub-contracting without consent and requiring the service provider to assume liability for the acts of its sub-contractors). Insurers should ensure that their service providers do not enter into any sub-contracting arrangements which would impede the service provider's ability to comply with the provisions of the outsourcing agreement with the Insurer.
Supervision by the IA
Insurers are required to conduct materiality assessments of all outsourcing arrangements (as discussed above). Where an Insurer intends to enter into a material outsourcing arrangement or significantly vary an existing material outsourcing arrangement, it must notify the IA at least 3 months prior to the arrangement being entered into or significantly varied (unless a shorter notification period can be justified in the circumstances). Insurers should satisfy the IA of their compliance with the "essential issues" outlined above, and the IA may request additional information where it deems necessary. If the IA does not respond to the notification within the 3-month notification period, the IA shall be deemed to have consented to the arrangement.
Insurers should provide a copy of the outsourcing agreement to the IA within 30 days of entering into a new material outsourcing arrangement or significantly amending an existing material outsourcing arrangement, along with information relating to: (i) the service outsourced; (ii) the name of the service provider; (iii) the location where the services are to be performed; and (iv) the commencement date and expiry or renewal date of the outsourcing agreement ("Prescribed Information"). Insurers should notify the IA of any changes to the above information and any renewal or termination of the relevant arrangement. The IA may conduct on-site inspections and may require Insurers to submit additional information from time to time. The IA has the power to require Insurers to make alternative outsourcing arrangements in extreme cases.
Commencement and transitional arrangements
The Outsourcing GN is set to come into force on 1 January 2013 ("Commencement Date"). Insurers shall be required to comply with the Outsourcing GN for all new and renewal outsourcing arrangements entered into on or after the Commencement Date. For existing outsourcing arrangements which do not expire before 31 March 2013, Insurers are required, counting from the Commencement Date, to: (i) provide the Prescribed Information and a copy of the outsourcing agreement to the IA within 30 days; (ii) conduct materiality and risk assessments within 3 months; and (iii) correct any areas of non-compliance with the Outsourcing GN within 1 year.
Implications for the insurance industry
While a breach of the Outsourcing GN does not of itself have direct legal consequences for Insurers, such a breach may be taken into account by the IA when considering whether to exercise its powers of intervention in relation to an Insurer. In preparation for the Outsourcing GN coming into force, Insurers are advised to conduct a comprehensive review of their outsourcing procedures and practices to determine whether they comply with the requirements set out in the Outsourcing GN (e.g. creating a list of all outsourcing arrangements, evaluating the 'materiality' of such arrangements, reviewing such arrangements and identifying any areas of non-compliance, and implementing appropriate policies to manage outsourcing), as well as considering the extent of any disclosure obligations to the IA.
When Insurers outsource services to third parties they should also ensure that they comply with the requirements of the PDPO as well as all relevant guidance notes issued by the Privacy Commissioner (including the Privacy GN and the "Information Leaflet: Outsourcing of the Processing of Personal Data to Data Processors" (available here)), in relation to any personal data. Additional privacy considerations will soon apply to overseas outsourcing, as the Privacy Commissioner is in the process of implementing section 33 of the PDPO, which will restrict the transfer of personal data from Hong Kong abroad except where certain conditions have been met. Insurers should keep watch for guidance issued by the Privacy Commissioner closer to this provision coming into force.