Almost four years after the implementation of the EU Solvency II Directive (2009/138/EC) in Sweden, insurers are still devoting significant resources to identifying, understanding and putting into practice the complex regulatory legislation governing outsourcing arrangements. Issues that typically arise include:
- the distinction between outsourcing and the mere purchase of a service;
- whether an outsourced activity is important or critical for the insurer;
- whether outsourcing to a country outside the European Union is permissible; and
- the issues that insurers must consider when employing third-party cloud services.
These and other questions must be handled by insurers in their day-to-day operations in order to ensure compliance with outsourcing regulations.
In light of the many questions, the Swedish Financial Supervisory Authority (SFSA) recently published a Q&A report(1) and podcast to shed light on its position on regulated outsourcing.
This article outlines some of the SFSA's recent clarifications and comments on outsourcing and the main requirements surrounding insurers' outsourcing arrangements.
The EU Solvency II Directive was implemented in Sweden in 2016 through the Insurance Business Act, which defines outsourcing as contracting someone to perform activities or functions that are part of the insurer's business. The Insurance Business Act expressly provides that outsourcing does not relieve the insurer of its responsibility to fulfil the outsourced function.
When outsourcing activities or functions, insurers must ensure that service providers:
- cooperate with the SFSA as regards the outsourced activities or functions;
- allow the insurer, its internal and external auditors and the SFSA to access information on the outsourced activities or functions; and
- grant the SFSA full access to the service provider's facilities.
Insurers must also establish a written outsourcing policy that considers the impact of outsourcing on their business and the reporting and monitoring arrangements to be followed. Moreover, insurers must comply with additional requirements when outsourcing concerns critical or important operational functions or activities (so-called 'critical functions').
An insurer must determine whether an activity is a critical function based on whether the activity is essential to its operations, such that it would be unable to deliver its services to its policyholders without said activity. However, the four key functions (risk management, compliance, actuarial and internal audit function) are always considered critical functions. Insurers are prohibited from outsourcing critical functions if this would:
- materially impair the quality of the system of governance;
- unduly increase the operational risk;
- impair the SFSA's ability to supervise the insurer; or
- undermine continuous and satisfactory service to the policyholders.
An outsourcing agreement on important or critical functions must be reported to the SFSA prior to its implementation and include specific provisions set out in the EU Solvency II Directive.
Insurers may obtain further guidance from the guidelines on systems of governance published by the European Insurance and Occupational Pensions Authority (EIOPA) and the upcoming guidelines on outsourcing to cloud service providers currently being drafted by EIOPA.
The SFSA's recent Q&A report on outsourcing aims to clarify numerous legal aspects surrounding outsourcing arrangements. The SFSA stresses the importance of insurers undertaking individual risk assessments regularly. Since all insurers operate under unique circumstances, their own risk assessment/analysis is central for determining whether a function may be outsourced at all and to what extent follow-up work on the outsourcing arrangement should be performed. For example, the SFSA notes that the difference between outsourcing and the mere purchase of a service may be identified based on the insurer's individual risk analysis, meaning that it is specific and varies from case to case. Therefore, all arrangements with third parties (regardless of whether they constitute outsourcing or the purchase of a service) should be evaluated with a risk-based approach and handled accordingly.
The SFSA emphasises that the importance or critical nature of a function or activity is not static. In other words, a function that was not deemed as important or critical when outsourced may become important or critical at a later stage. This could be due to, for example, the function being used more frequently, more information being handled within the function or a combination of both.
The SFSA also stresses the importance of providing for an unrestricted right of audit in relation to outsourcing agreements. However, even though such a right must be expressed as unrestricted in the agreement, the insurer is to some extent free to choose how it will exercise that right, provided that the approach corresponds to the insurer's risk profile. Contrary to some (perhaps unfounded) views from within the financial sector that the SFSA would oppose the use of cloud service providers, the SFSA confirms that outsourcing to a cloud service provider is not prohibited as such. Nevertheless, the SFSA states that the cloud outsourcing agreement must contain no auditing restrictions or restrictions that would impair the risk management, system of governance or supervision of the outsourcing arrangement.
According to the SFSA, two factors typically increase risk in an outsourcing arrangement:
- what is usually referred to as 'sub-outsourcing' or 'chain outsourcing'; and
- outsourcing to a country outside the European Union (a third country).
While insurers technically can outsource in both ways, they must always retain the necessary control and supervision of functions and activities. Since the legal requirements are the same as for other, less complex outsourcing arrangements, the burden on insurers increases significantly. For example, in the case of sub-outsourcing, insurers must perform a risk analysis at each level of sub-outsourcing, which is time consuming and increases their costs and workload. In the case of outsourcing to a third country, apart from the apparent logistical difficulties, thorough due diligence on the relevant laws (eg, on data protection) should be considered a minimum.
Finally, the SFSA emphasises that its view on outsourcing arrangements is the same regardless of the financial regulatory framework. Financial institutions are expected to handle third-party risks equally irrespective of which financial sector they are active in (eg, banking, credit institutions or insurance). Therefore, according to the SFSA, insurers may seek direction from the European Banking Authority's new guidelines on outsourcing arrangements (EBA/GL/2019/02), even though the guidelines do not directly apply to them.
The steps that insurers must take when outsourcing may seem straightforward in theory; however, the reality facing parties dealing with regulatory outsourcing issues on a daily basis is far from straightforward.
Given the number of questions raised by the imprecise outsourcing requirements, the SFSA's recent clarifications are likely to be embraced by the industry. In particular, Swedish insurers should note the reference to the European Banking Authority guidelines, the SFSA's view on cloud service providers and the emphasis placed on the importance or critical nature of a function or activity not being static. The SFSA has also clarified that although insurers must ensure unrestricted auditing rights in outsourcing agreements, they have some leeway on how to exercise those rights.
However, significant uncertainty remains regarding, for example, the emphasis on insurers' thorough risk assessment as a means of distinguishing between the purchase of a service or outsourcing in order to determine what type of monitoring should be performed and whether outsourcing is permitted.
To say that a risk assessment will provide an insurer with an answer sounds simple in theory, but in practice it can raise difficult considerations and decisions. To ensure compliance, some insurers are therefore inclined to play it safe by applying the provisions on the outsourcing of critical functions to most of their outsourcing arrangements. On the other hand, some insurers interpret the regulation less strictly by not applying the outsourcing regulation at all or applying only the stricter provisions relating to critical functions to a few of their outsourcing arrangements.
A heterogeneous interpretation of the outsourcing provisions is unfortunate, and the rationale behind the outsourcing regulations was most likely not that their application would vary between insurers because of differences in interpretation. Further clarification of the outsourcing regulations is therefore highly likely.
For further information on this topic please contact Hans Hammarbäck, Lovisa Hedlund or Kevin Perback at Mannheimer Swartling by telephone (+46 859 506 426) or email ([email protected], [email protected] or [email protected]). The Mannheimer Swartling website can be accessed at www.mannheimerswartling.se.
(1) The SFSA's Q&A can be found here.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.