The UK’s PRA has published a set of Q&As on the Senior Insurance Managers Regime that are well worth reading if you outsource your internal audit or actuarial functions, and you’re still struggling to make sense of the rules and guidance in this area.
Q: Can a key function, such as internal audit, be outsourced to a third party provider? Is it possible for someone in the service provider to be the key function holder under the SIMR?
A: Yes – if the firm can meet the outsourcing requirements in the PRA’s rules, and those in Article 274 of the EU Solvency II Delegated Regulation (DR).
“There is a potential choice for firms over whether the (executive) head of internal audit (SIMF 5) should be internal to the firm or an external appointment. The former would mean that there is someone in this role with regular access to and contact with the firm, while the latter might provide more independence and wider experience. A consideration for the firm is who should be accountable for ensuring effective delivery of the key function.
In either event, the individual in an SIMF 5 role would need to have the relevant skills, experience, and resource, to carry out this role, and the firm would need to meet the requirements of Article 271 of the [DR]. For smaller firms, the PRA recognises that a proportionate approach should be applied when considering the suitability of an individual within the firm for such an SIMF 5 role, which reflects the usually less complex systems and smaller scale/scope of the business that is to be monitored.
The PRA does not see the SIMF 5 role as akin to a directorship, rather the SIMF 5 holder is part of senior management reporting in to the board … However, the PRA would always still expect an appropriate key function holder (or SIMF) within the firm to be designated with the overall oversight responsibility for the outsourced key function. The key function holder within the firm who has this oversight responsibility could be a director (eg the chair of the audit committee), or senior manager, who has the relevant capability to carry out that oversight role.
The allocation of the controlled functions and any other key function holders to internal or external staff would need to be justified. The key principles to address here are:
- There should be no ambiguity over exactly who is carrying out the different areas of work and who is responsible for them.
- It should also be clear where critical decisions and judgements are being made. Individuals making these decisions should be accountable.
- The governance processes should be well defined to ensure sufficient review of outsourced work is being carried out.”
This has been a difficult area for many firms. This answer is hard to square with the regulators’ previous answers to the same question; but it’s a “gift horse”, so you prefer not to look it in the mouth (unless you really have to).