Solvency II: new regulatory requirements for outsourcing by insurance undertakings

The EU's Solvency II Directive codifies and harmonises EU insurance regulation. It sets out broader risk management requirements and requires firms to hold enough capital to cover all their expected future insurance or reinsurance liabilities. The new outsourcing requirements are set out in article 274 of the European Commission's delegated regulation which supplements the directive. This came into effect on 18 January 2015.

Article 274 contains some high level requirements that will apply to any outsourcing by an insurer, but many of them will only apply to the outsourcing of "critical or important operation functions or activities" (which replaces the existing concept of "material outsourcing"). While insurers will be required to set their own criteria for deciding whether a function or activity is critical or important, and whether it is being outsourced, guidelines on system of governance and own risk solvency assessment (ORSA) by EU regulator the European Insurance and Occupational Pensions Authority (EIOPA) (12-page / 297KB PDF) give some examples.

Critical or important functions

In broad terms, the more substantial or frequent the advice or service to be provided by a third party is, the more likely it will be an 'outsourcing' for the purposes of the rules. Critical or important functions or activities will include:

• underwriting in the name of and on account of the insurer;
• design and pricing of insurance products;
• investment of assets or portfolio management;
• claims handling;
• provision of regular or constant compliance, internal audit, accounting, risk management or actuarial support;
• provision of data storage;
• provision of ongoing, day-to-day systems maintenance or support;
• ORSA process.

Outsourcing agreement requirements

In all cases where critical or important functions are to be outsourced, there must be a written outsourcing agreement which clearly states all of a number of requirements. These requirements include:

• duties and responsibilities of both parties;
• compliance with all applicable laws, regulatory requirements and guidelines and cooperation with the undertaking's supervisory authority;
• disclosure of any development which may have a material impact on the service provider's ability to carry out the outsourced functions and activities;
• termination rights and periods;
• the insurer's right to be informed about the outsourced functions and activities and to issue general guidelines and instructions;
• protection of confidential information;
• access to information relating to the outsourced functions and activities;
• sub-outsourcing by the service provider.

This is a  development to the existing FCA Senior Management Arrangements, Systems and Controls (SYSC) rules, under which insurers are required only to have regard to certain items. In addition, the delegated act includes more detailed requirements on insurers' policies on, and governance of, outsourcing than under the existing regime.