In March this year, our article on Outsourcing for insurers - How to outsource without outrage noted that the Hong Kong Insurance Authority (HKIA) had produced a Guidance Note for insurers on outsourcing, but that this was still in draft.
The HKIA has now finalised that draft, which has become the Guidance Note on Outsourcing (GN14), and confirmed that it will come into force on 1 January 2013.
GN14 sets out the key issues an authorised insurer in Hong Kong must take into account when planning and implementing its outsourcing arrangements. It also sets out how the HKIA will monitor these outsourcing arrangements.
As with other HKIA guidance notes, failure to comply is likely to lead to the HKIA questioning whether the insurer is fit and proper to be authorised to carry on insurance business in Hong Kong. But, perhaps equally importantly, GN14 provides practical guidance for insurers on how to identify and mitigate the risks of outsourcing. Insurers should understand that successful outsourcing is all about managing these risks.
GN14 is almost identical to the draft guidance note, but insurers who have not already taken steps to comply now have only a short time to do so. The high-level principles on outsourcing for insurers are set out below.
Notification and supervision
Notification is the key requirement. An insurer must notify the HKIA not less than three months before either:
- Entering a new outsourcing agreement
- Significantly varying an existing material or overseas outsourcing arrangement
The insurer must satisfy the HKIA that it has taken into account all essential issues and implemented the risk management measures outlined in GN14. If not, the HKIA may require the insurer to take action to address its concerns. There is no guidance on what constitutes a significant variation to an existing arrangement, but clearly anything which impacts on these issues or risk management measures is likely to trigger the notification requirement.
If an insurer already has an outsourcing arrangement in place when GN14 comes into effect it must, by 1 February 2013, furnish the HKIA with the following particulars:
- The service outsourced
- The name of the service provider
- The location where the outsourced service is performed
- The commencement date and expiry or renewal date of the outsourcing agreement
- A copy of the outsourcing agreement
Insurers must also carry out a risk and materiality assessment on all outsourcing arrangements by 1 April 2013 and correct any deficiencies in those arrangements by 1 January 2014.
GN14 grants the HKIA the power to conduct regular monitoring of outsourcing arrangements and to require an insurer to make alternative arrangements if it considers these are necessary. These powers are extremely wide and it remains to be seen how the HKIA will exercise them in practice.
Practical risk management strategies
GN14 sets out a number of risk management strategies the HKIA requires an insurer to implement when entering outsourcing arrangements. The procedures adopted must be disclosed to the HKIA as part of the notification process explained above.
The main risk management strategies are:
- Outsourcing policy - the insurer must develop a clear internal policy setting out the criteria it uses to assess the materiality and risks from the outsourcing arrangement, the identities of the parties involved and their responsibilities and the framework for ongoing monitoring of the arrangements.
- Materiality assessment - the insurer must develop a framework for assessing the materiality of any outsourcing arrangement it proposes. This assessment will be a qualitative judgment and will ultimately determine whether the insurer must notify the HKIA of that arrangement.
- Risk assessment - the insurer must carry out a risk assessment of the outsourcing arrangements including an assessment of the financial, operational, legal, and reputational risks. Before implementing the proposed arrangement the insurer must exercise due diligence and care to ensure that all risks identified have been addressed.
- Service provider - the insurer must exercise due diligence and care when selecting a service provider. GN14 lists a number of factors it must take into account when determining which service provider to use. These factors include:
  - Reputation, experience and quality of service
  - Financial soundness, in particular, the ability to continue to provide the expected level of service
  - Managerial skills, technical and operational expertise and competence and, in particular, the ability to deal with disruptions in business continuity
- Outsourcing agreement - all outsourcing arrangements must be set out in a written, legally binding agreement. GN14 lists certain matters that must be considered when negotiating the agreement. These include:
  - Scope of the outsourced service
  - Contractual obligations and liabilities of the insurer and the service provider
  - Performance standards to be provided by the service provider
  - Information and asset ownership rights, information technology security and protection of confidential information
  - Contingency planning
  - Guarantees and indemnities from the service provider
- Information confidentiality - the outsourcing must comply with all Hong Kong laws and statutory requirements, including the Personal Data (Privacy) Ordinance (PDPO). Proper safeguards must be in place to ensure ongoing compliance.
- Monitoring and control - the insurer must ensure it has sufficient internal resources to monitor and control its outsourcing arrangements.
- Contingency planning - disaster recovery and business continuity plans must be in place for both the insurer and the service provider to ensure that there is no business disruption if there is a disaster or system failure.
- Overseas outsourcing - GN14 sets out the additional factors the insurer must consider when engaging in overseas outsourcing. These include:
  - Country risk - i.e. the social, political and economic conditions in the overseas jurisdiction
  - Information confidentiality - i.e. access to information by regulating authorities or police in the overseas territories
  - The transfer of personal data - i.e. the application of s.33 of the PDPO and transferring personal data outside Hong Kong
- Sub-contracting - the HKIA requires the insurer to contractually oblige the service provider to comply with GN14 and procure that its sub-contractors also comply with that Guidance Note.
Compliance with GN14 will clearly be an important consideration when an insurer enters into an outsourcing arrangement. But there are other legal and commercial issues which are equally important.