The Office of the Superintendent of Financial Institutions (OSFI) recently revised its Guideline B-10, Outsourcing of Business Activities, Functions and Processes. The outsourcing guideline was changed because legislation no longer requires federally regulated financial entities to obtain the approval of OSFI to maintain and process outside Canada information or data relating to the preparation and maintenance of certain corporate, accounting and customer records. For the purposes of the outsourcing guideline and this update, 'outsourcing' is the performance by a service provider of a business activity, function or process that is, or could be, undertaken by the company itself.
Although the outsourcing guideline makes outsourcing of business activities easier, this update outlines some of the reasons why financial institutions may reconsider whether the changes made are actually beneficial to their businesses.
As a result of changes to the outsourcing guideline, insurance companies and branches have greater flexibility in the outsourcing of their business activities. However, insurers are ultimately accountable for all outsourced activities and OSFI maintains that it preserves supervisory powers over the activities of insurers, whether these are conducted in house or outsourced. Where Canadian insurance companies have foreign operations, the outsourcing guideline applies to these operations as well.
The outsourcing guideline requires that insurers:
- evaluate the risks associated with outsourcing arrangements;
- develop a process to determine the materiality of outsourcing arrangements;
- implement a programme for managing and monitoring risks;
- ensure that the board of directors or chief agent receives information sufficient to enable it to discharge its duties; and
- refrain from outsourcing activities to their external auditor that would make the auditor no longer independent of the insurer.
Outsourcing within the corporate family
While insurers are required to consider the risks attendant to all outsourcing arrangements, the outsourcing guideline is risk-based and provides that insurers are to devote more attention and resources to those outsourcing arrangements that are more material in risk to the insurer. Where the outsourcing arrangement is between the insurer and a member of the insurer's corporate group (ie, a subsidiary of the insurer, a parent of the insurer or another subsidiary of the insurer's parent), OSFI's expectations for risk management and mitigation by the insurer are reduced but still exist, and outsourcing arrangements that are more material continue to carry higher OSFI expectations of the insurer. Outsourcing arrangements within a corporate group should, at a minimum, include:
- outsourcing agreements that describe the arrangement;
- an appropriate business continuity plan;
- a process for monitoring and oversight; and
- the legislative requirements relating to the location of records.
Accountability of directors
As with many corporate decisions, the board of directors or chief agent of the insurer is accountable for decisions and policies relating to outsourcing. These include assessing outsourcing arrangements for materiality and developing and implementing an outsourcing risk management programme. The board of directors of a Canadian insurance company is also required to approve an outsourcing risk philosophy and policy for the insurer. Management of insurers must also review the effectiveness of outsourcing policies.
Risk management may be scaled to take into account the different levels of risk attendant to various outsourcing arrangements. The materiality of an outsourcing arrangement will depend on the extent to which the arrangement has the potential to have an important influence on a significant line of business of the insurer.
Insurers should consider the following when assessing the materiality of an outsourcing arrangement:
- the impact of the outsourcing arrangement on the finances, reputation and operations of the insurer, or a significant business line, particularly if the service provider or a group of affiliated service providers should fail to perform;
- the ability of the insurer to maintain appropriate internal controls and meet regulatory requirements, including those of OSFI, particularly if the outsourced party were to experience problems;
- the cost of the outsourcing arrangement;
- the degree of difficulty and time required to find an alternative service provider or to bring the business activity back in-house to the insurer; and
- the potential that multiple outsourcing arrangements provided by the same service provider can, in the aggregate, have a significant influence on the insurer.
Where all or substantially all of a management oversight function (including financial analysis, compliance, internal audit, senior management and risk management) is outsourced, this transaction should always be considered material, except where the function is outsourced to another member of the insurer's corporate group.
Arrangements that likely are not material outsourcing arrangements include those where there are many similar providers in the marketplace and there is low cost and low inconvenience in switching between providers. However, where the volume or nature of business conducted by the contractor changes significantly, the insurer should reassess the materiality of the arrangement.
Administering material outsourcing contracts
Insurers are required to have a risk management programme that applies to all material outsourcing arrangements. This risk management programme includes:
- an internal due diligence process to determine the nature and scope of the business activity to be outsourced, its relationship to the rest of the activities of the insurer and how the business activity is managed;
- policies and procedures to manage risks associated with material outsourcing arrangements, including:
  - performance measures;
  - reporting requirements;
  - a dispute resolution mechanism;
  - provisions for termination;
  - ownership of and access to intellectual and physical assets;
  - contingency planning;
  - audit requirements; and
  - a business continuity plan of the insurer; and
- monitoring and oversight of material outsourcing arrangements, with such activities to be commensurate with the size and complexity of the arrangement.
Where the insurer is considering outsourcing an activity to a jurisdiction outside Canada, OSFI expects that the insurer will pay attention to the legal requirements of the foreign jurisdiction, including the potential political, economic and social conditions in that jurisdiction, along with any events that may inhibit the ability of the foreign service provider to provide the service. The Insurance Companies Act requires that certain records (including articles of incorporation, bylaws, minutes of meetings, accounting records and all OSFI orders) be maintained in Canada. The insurer is also expected to ensure that OSFI can access in Canada any records necessary to enable it to fulfil its mandate.
Specific new requirements
The outsourcing guideline includes the following additional specific new requirements for insurers entering into outsourcing arrangements:
- Insurers should ensure that the service provider regularly tests its business recovery system relating to the outsourced activity and that any material deficiencies are addressed, as OSFI may ask the insurer to provide a summary of test results;
- Insurers should use the OSFI standardized template to compile a centralized list of material outsourcing arrangements; and
- Insurers' review of the service provider's ability to continue to deliver the service in the expected manner should relate to the level of risk involved; this review could include an assessment of the service provider's circumstances, including reliance on, and performance of, significant subcontractors.
In these uncertain economic times the outsourcing guideline as revised reflects the business reality that companies - including insurers - are seeking to cut costs through activities such as outsourcing. The revised outsourcing guideline removes some obstacles that insurers faced in earlier versions of the guideline, including the requirement that storage or processing of data outside Canada have the approval of OSFI.
Overall, while OSFI has preserved its ability to oversee and regulate the outsourcing activities of insurers, the changes brought forth by the outsourcing guideline permit insurers to enter into outsourcing agreements relatively easily. This reflects the market reality that insurers have a need for these arrangements. While insurers will still be forced to bear the due diligence and compliance costs of outsourcing, the revised outsourcing guideline lowers these costs.
However, while the revised outsourcing guideline is procedurally beneficial for insurers, it is not clear that it is beneficial substantively. An OSFI regime that required insurers to have material outsourcing arrangements vetted by OSFI meant that OSFI would have difficulty in later claiming that the outsourcing arrangement was somehow improper. The removal of OSFI pre-approval requirements streamlines the outsourcing process, but also downloads risk to insurers: if OSFI identifies a prudential concern with an outsourcing agreement, the insurer will no longer be able to rely on OSFI's pre-approval process as a defence.
In addition, insurers should bear in mind the maxim that 'speed kills'. While efficiency is valuable and a decreased regulatory burden offers additional flexibility, insurers seeking to enter into outsourcing agreements should ensure that the activities that they seek to outsource are the correct activities, and that they are valuing the activities appropriately and paying the appropriate rates.
Financial institutions engaged in outsourcing activities or considering entering into outsourcing arrangements are advised to:
- review the outsourcing guideline to ensure that the outsourcing activities contemplated are permitted;
- assess their own internal operations to ensure that sufficient procedures are in place to protect the institution and that the correct activities are being outsourced at the correct price;
- conduct effective due diligence of the other party, including assessing its financial strength, experience and technical competency;
- ensure that the other party is a credible service provider aware of Canadian laws and practices, with suitable privacy policies and practices;
- inform their OSFI relationship manager when entering into outsourcing arrangements; and
- consult with counsel to ensure that their rights are sufficiently protected, and that the agreement and its implementation do not fall foul of the law, including the outsourcing guideline.