Insurers that outsource critical or important operational functions are subject to more stringent regulatory obligations than those outsourcing more basic functions. Pinsent Masons had pointed out that the concept of 'materiality' is relevant to an assessment insurers must make as to whether an outsourcing of a critical or important function materially impairs the quality of their system of governance under the Solvency II regime, and that its use in another context could therefore be confusing.
EIOPA has also dropped plans to require insurers to assume that their purchase of goods or services from, or entry into other arrangements with, cloud providers constitutes an outsourcing arrangement subject to its guidance in cases where the matter is unclear. Pinsent Masons had questioned the justification for such an assumption.
Another amendment that EIOPA made clarified what contractual requirements insurers must meet when agreeing contracts for the outsourcing of critical or important operational functions or activities with cloud providers. Specifically, it confirmed that agreed service levels should be specified in the contracts and these should "include precise quantitative and qualitative performance targets". EIOPA's draft guidance had called for the service levels to be "directly measurable", but the wording was deleted after Pinsent Masons said it was unclear how insurers could comply with that obligation.
Another change made by EIOPA means that insurers' outsourcing policies will not have to include extensive details of the different contractual requirements for material and non-material cloud outsourcing arrangements. The policy will only have to make reference to the existence of those requirements.
EIOPA also confirmed other documentation requirements that insurers face in relation to sub-contractors involved in the outsourcing of critical or important operational functions or activities. It said that insurers should record "the countries where the sub-contractors are registered, where the service will be performed and, if applicable, the locations (i.e. countries or regions) where the data will be stored", but dropped plans to require the location of data in transit in the cloud also to be documented.
EIOPA further clarified what it means by its requirement that insurers develop exit plans that are 'sufficiently tested'. It said that meeting this testing standard might entail "carrying out an analysis of the potential costs, impacts, resources and timing implications of the various potential exit options". The example had not been included in the draft guidelines.
The finalised guidance also addresses topics such as rights of audit, data and systems security and business continuity planning.
All new cloud outsourcing arrangements entered into or amended on or after 1 January 2021 will be subject to the guidelines, while insurers will have until the end of 2022 to bring cloud outsourcing contracts entered into prior to that date into line with the new requirements.
EIOPA said it expects insurers to update their internal policies and processes to reflect the new guidelines by the beginning of 2021, and meet the documentation requirements for cloud outsourcing arrangements related to critical or important operational functions or activities by 31 December 2022.
Last month, the Bank of England confirmed that insurers lag banks in their adoption of cloud-based solutions in the UK.