Out-Law / Your Daily Need-To-Know

Regulator sets expectations on Irish insurers’ outsourcing arrangements

Out-Law Analysis | 07 Mar 2022 | 11:37 am | 6 min. read

Recent guidance by the Central Bank of Ireland (CBI) has clarified the regulator’s expectations of insurers and reinsurers that use outsourcing as part of their business models.

Outsourcing is common practice for Irish insurers and reinsurers, and it is very rare to encounter a firm that does not rely on at least one outsourcing arrangement. Reasons for outsourcing vary and include, for example, economies of scale and accessing new insurance related technology.

The CBI guidance (73-page / 1.4MB PDF), published in December 2021, applies to insurers and reinsurers with their head office in Ireland that use outsourcing as a part of their business model. References to “insurers” in this article should be read as referring to insurers and reinsurers. The need for insurers to identify and manage outsourcing risk that has the potential to influence or to threaten their operational resilience forms the basis for the CBI introducing the guidance. While mainly applicable to critical or important outsourcing arrangements, certain requirements (e.g., maintaining an outsourcing register) apply to any outsourcing arrangement.

Irish insurers are already subject to the rigours of complying with the outsourcing requirements of the EU’s Solvency II Directive. The CBI now expects them to consider the guidance as supplemental to those requirements, describing it as “a guide to good practice with regard to outsourcing”. Where the Solvency II outsourcing requirements and guidance are less prescriptive or silent on certain matters, the CBI expects insurers to refer to its supervisory expectations in the guidance.

While the guidance is a detailed paper to navigate, the documenting by the CBI of its expectations around outsourcing is to be generally welcomed by insurers and their advisers alike.

Outsourcing policy

Insurers will be familiar with the requirement under Solvency II to have a written outsourcing policy. EIOPA's Guidelines on System of Governance set out what, at a minimum, is to be addressed in an outsourcing policy (e.g., a process for determining whether a function or activity is critical or important and business continuity planning).

At section 4.2 of the guidance, the CBI sets out in detail its expectations regarding what is to be addressed in the policy. Insurers should consider completing a gap analysis of their existing outsourcing policy against this section of the guidance.

Complications associated with sub-outsourcing

Commonly, an outsource service provider (OSP) that contracts with an insurer to provide outsourced services will transfer the performance of some of those services to another service provider (a sub-outsource service provider) under the terms of a sub-outsourcing arrangement. The reasons for sub-outsourcing vary. From our experience, it often occurs where the OSP itself does not have the technical capability to perform one or more aspects of the outsourced services.

In this scenario, there is no contractual relationship between the insurer and the sub-outsource service provider. However, under Solvency II, where an insurer outsources a critical or important function or activity (CIFA) to an OSP, the outsourcing agreement must specify:

  • the terms and conditions under which the OSP may sub-outsource any of the outsourced services; and
  • that the OSP's duties and responsibilities deriving from the outsourcing agreement with the insurer remain unaffected by any sub-outsourcing.

In practice, an outsourcing agreement would usually include a requirement that the OSP obtains the insurer's consent prior to it entering into any sub-outsourcing arrangement.

The CBI notes that an outsourcing chain can become long and complex, and sometimes spread across multiple jurisdictions. The longer that the chain becomes, the greater the challenge to the insurer's visibility, and the CBI's supervisibility, of the outsourced services being performed. Depending on the nature of the OSP's contractual disclosure and consent obligations, it is possible that the insurer may, in practice, be unaware of the degree to which it is dependent on sub-outsource service providers. If a sub-outsource service provider in the chain defaults on its contractual responsibilities, that could seriously impact on the insurer's ultimate ability to continue to deliver services to its policyholders up the chain.

At section 5.1 of its guidance, the CBI sets out its expectations about how the insurer should effectively manage sub-outsourcing risks. In essence, this should be achieved through a combination of the insurer including specific contractual provisions in its outsourcing agreements and applying an appropriate level of direct monitoring of sub-outsource service providers.

Offshoring risks

It is not uncommon for Irish insurers to contract with OSPs that are located outside of Ireland. This may particularly be the case where the insurer is party to a group-wide outsourcing arrangement. While the CBI is not looking to prohibit outsourcing to foreign OSPs, it has concerns that outsourcing to offshore jurisdictions presents particular risks, some of which can significantly complicate an insurer's and the CBI's ability to ensure effective oversight and supervision.

While the CBI does not appear to make an express distinction, it would seem to generally view outsourcing to non-EU jurisdictions as having the potential for greater risk in comparison to outsourcing within the EU. The CBI’s concerns appear to be focused on issues such as the physical distance of the insurer from the jurisdiction from where the outsourced service is being performed and that the OSP's jurisdiction may have a very different – or non-existent – regulatory regime.

Where an insurer outsources, or is proposing to outsource to, an offshore jurisdiction, the CBI now expects the insurer to assess ‘country’ risk. This assessment is expected to cover aspects including regulatory environment, legal risk, political climate risk, time-zone differences and employment law conditions. The CBI expects insurers to pay particular attention to the jurisdictional and other complications that might arise in the event of an OSP's insolvency (e.g., recovery of data and records, protection of intellectual capital) or termination of the outsourcing arrangement.

In practical terms, before an insurer enters into an outsourcing arrangement with an OSP located in an offshore jurisdiction, it should consider obtaining local legal advice in that jurisdiction as part of its due diligence of the OSP.

Importantly, the CBI notes that it may restrict an insurer from offshoring activities where, for example, supervisibility is severely constrained or non-existent. This may include scenarios where there is no college of supervisors, no memorandum of understanding between Ireland or the EU and that jurisdiction, and little or no contact with regulators in the jurisdiction in question. In the case of a proposed CIFA outsourcing arrangement, the CBI expects an insurer to inform it of circumstances where such issues may arise before committing to an offshoring arrangement.

While it may be commercially or operationally attractive for an insurer to outsource to an OSP located in an offshore jurisdiction, it should, as part of its initial due diligence on the OSP, carefully consider whether the jurisdiction's legal, regulatory or political environment may give the CBI cause for concern.

Groupwide reliance on a single outsourcer

Commonly, an Irish insurer which is part of an international group would, together with other insurers that are part of the same group, rely on the same OSP to provide services to it. 

From a group-wide perspective, it often makes sense operationally and commercially for multiple insurers within the group to contract with the same OSP, whether a third-party service provider or a group services company. However, if the OSP were to default on its contractual obligations or if there was some other interruption to service provision, there is a risk that the Irish insurer's needs may, in practice, become secondary to the needs of another, perhaps larger, insurer within the same group. The CBI is focused on this potential issue with respect to CIFA outsourcing arrangements, as it now requires insurers to document in their outsourcing registers details of other group companies that rely on the same OSP.

Outsourcing critical functions

Under Solvency II, the test adopted by EIOPA for determining if an outsourcing arrangement is a CIFA is whether the function or activity in question is essential to the operation of the insurer as it would be unable to deliver its services to policyholders without it. EIOPA has issued some guidance on what it considers to constitute CIFAs, including the four Solvency II key functions (risk management, compliance, internal audit and actuarial), the design and pricing of insurance products, provision of data storage and the ORSA process. However, in our experience it may not always be cut and dried whether an outsourcing arrangement is a CIFA. The distinction between a CIFA and a non-CIFA is an important one, as CIFA outsourcing arrangements attract additional Solvency II requirements, such as the need to have a detailed outsourcing agreement and the need to make a prior formal notification to the CBI.

In its guidance, the CBI elaborates on EIOPA's CIFA test by referring to:

  • the insurer's ability to provide an appropriate degree of protection for those who are or may become policyholders, in line with the CBI's statutory objectives; and
  • the requirement not to undermine the 'continuous and satisfactory service to policyholders' in line with Article 49(2)(c) of the Solvency II Directive.

The CBI requires insurers to document in their outsourcing registers whether or not an outsourced function is considered to be a CIFA – including, where applicable, a brief summary of why or why not. Related to this, the CBI expects the board of directors of an insurer to ensure that a methodology for determining the 'criticality or importance' of services is in place, that it is regularly assessed by the board of directors to ensure it remains fit for purpose, and that it is applied consistently across all outsourcing decisions.

Co-written by Stephen Gamble of Pinsent Masons
