Although the insurance companies concerned should already have integrated the outsourcing principles reviewed by the National Bank of Belgium (“NBB”) on successive occasions in 2020, we are noticing some cases of non-compliance within the sector, probably due to the difficulty of navigating between the different regulations and recommendations issued by the Belgian and European regulators. With the Digital Operational Resilience Act (DORA) coming into force in January 2025, and the potentially increased scrutiny by the regulator that will follow, it is advisable to plan a monitoring exercise to ensure that these outsourcing principles are properly applied and documented, in preparation for any inspection by the NBB.
1. Concept
The Governance Circular of the NBB defines outsourcing as calling on third parties to carry out activities or implement procedures that (i) are specific to the insurance company and (ii) are performed on a recurring or continual basis. Outsourcing can pertain to services rendered to insureds (such as call centers, etc.), administrative tasks (such as bookkeeping, claims settlement, investment management, etc.) as well as specialized internal functions (e.g., IT, internal audit, data management, etc.).
There are two types of outsourcing: ‘standard’ outsourcing and the outsourcing of a critical or important function or activity (“CIFA”), which implies that the function or activity concerned is crucial for the company’s operation, in the sense that the company would not be able to provide its services to policyholders without this function or activity. In other words, the critical or important functions or activities are those that are fundamental to the insurance business. Examples thereof are:
- design and pricing of insurance products;
- investment of assets or portfolio management;
- provision of computer data storage;
- Own Risk and Solvency Assessment (ORSA);
- independent control functions: Risk, Compliance, Audit and Actuary.
In case of CIFA outsourcing, additional and stricter rules apply than for standard outsourcing.
2. General rules for each type of outsourcing
The following requirements must be met in case of outsourcing:
- The insurance company must ensure that it retains full responsibility for fulfilling all its obligations under the Solvency II Law regarding:
  - the quality of the governance system;
  - the operational risk;
  - the NBB’s ability to monitor compliance; and
  - a continuous and satisfactory service to policyholders, insureds and beneficiaries of insurance policies.
- The insurance company puts an outsourcing policy in writing, taking into account certain principles of sound management. In this policy, the insurance company sets out its approach to and processes for outsourcing, in particular regarding:
  - the process to identify outsourcing (standard/CIFA);
  - the due diligence process and monitoring system;
  - the written agreement with the service provider;
  - the rules for continuity plans;
  - the rules for processing personal or confidential data;
  - the rules for documentation (outsourcing register) and reporting to the NBB.
- The insurance company is advised to keep a register including information on all outsourcing arrangements within the company, distinguishing between the standard and CIFA outsourcings.
All these requirements are described in detail in the NBB Governance Circular.
3. CIFA outsourcing
For CIFA outsourcing, additional, more stringent requirements are applicable, in addition to the above-mentioned general requirements:
- For the selection of the service provider, the insurance company must:
  - assess whether the outsourcing authorization conditions are met;
  - carry out an enhanced due diligence process;
  - perform a risk assessment;
  - identify and assess the conflicts of interest that could arise from the outsourcing.
- An insurance company must inform the NBB of any planned CIFA outsourcing (in principle, six weeks before the entry into force of the outsourcing).
- The NBB requires certain mandatory clauses in the agreement with the service provider, with special attention given to the clauses regarding:
  - sub-outsourcing;
  - access, information and audit rights;
  - security of data and systems; and
  - termination rights.
- In the post-contractual stage, close monitoring of the outsourcing arrangement is required, with particular focus on the service provider’s risk management and internal control system, the insurance company’s own risk management and internal control system for outsourcing, the monitoring system, the service provider’s contingency plans and a documented exit strategy.
- The insurance company is required to submit the list of CIFA outsourcings (template required) on an ongoing basis (and not just annually), via the NBB Supervision Platform (which replaced the eCorporate platform in October 2022).
These requirements are also described in detail in the NBB Governance Circular.
4. Special cases of outsourcing
In addition to the above rules, specific regulations apply to particular outsourcing scenarios, some of which are listed below.
a. Outsourcing outside the EEA
A special case of outsourcing occurs when a company outsources a function or activity to a service provider located outside the European Economic Area (a “third country”).
Functions or activities may be outsourced to third countries provided that the insurance company can explicitly guarantee that it, its accredited statutory auditor and the NBB will be able to exercise and enforce their right of access and review. This assurance can be achieved by incorporating a strengthened clause regarding access, information and audit rights in the agreement with the service provider.
In addition, a CIFA may only be outsourced to a service provider located in a third country if there is an appropriate cooperation agreement between the NBB and the local prudential supervisory authority. Whether such an international cooperation agreement exists can be checked on the website of the NBB (Cooperation | nbb.be). This agreement must also ensure that the NBB, in the execution of its supervisory powers, can carry out its tasks and obtain the necessary access to any data, documents, premises or personnel in the third country.
The underlying reason for imposing this requirement is the fact that the NBB is responsible for overseeing insurance companies, but only has the authority to conduct inspections within jurisdictions inside the EEA (directly or indirectly). Outside the EEA, the NBB relies on bilateral agreements with local authorities.
b. Outsourcing to a cloud service provider
In case of an outsourcing arrangement with a cloud service provider, the insurance company must also comply with the specific NBB recommendations on outsourcing to cloud service providers dated 05/05/2020 (NBB Circular_2020_018). This applies whenever a service provider is responsible for delivering cloud services under an outsourcing arrangement. The Cloud Recommendations also remain mandatory when the service provider is not itself a cloud service provider but relies significantly on cloud infrastructure to deliver its services.
In addition to the standard requirements, the outsourcing policy shall take into account considerations specific to cloud outsourcing. For instance, the company should also ensure that a copy of the data is stored in one or more secure locations outside the cloud service provider’s main office, at a sufficient distance from that office, and that the access of the cloud service provider’s administrators is protected by robust authentication solutions.
c. Insurance documents
When the outsourced services involve data storage and include insurance documents, another regulation on archiving must be observed in addition to the general rules on outsourcing and, where applicable, the Cloud Recommendations. When insurance documents are stored at a location other than the registered office of the insurance company, the NBB and, where appropriate, the FSMA must give their prior approval.
Depending on whether the data is stored electronically or on paper, and whether it will be relocated within or outside the EEA, either the simplified or the normal approval procedure has to be followed, using the required templates for the approval process where applicable.
In this respect, it should be noted that a recently approved bill should repeal the provision requiring prior authorization from the FSMA, which should slightly simplify the procedure.