Last week, the European Insurance and Occupational Pensions Authority (EIOPA) published its final report on outsourcing to cloud service providers.
With the increasing regulatory focus on outsourcing arrangements, insurers will be keenly aware of the growing body of regulatory guidance and rules. EIOPA’s report does, however, include plenty of good news for the insurance industry:
- Implementation: In response to concerns that the time granted to implement the guidelines was too stringent, EIOPA has moved back the date of application and prolonged the period for reviewing existing arrangements. The guidelines apply from 1 January 2021 and the deadline for reviewing the existing arrangements is 31 December 2022. Insurers will need to consider the implementation of the EIOPA guidelines for any new outsourcing arrangements and will need to put in place a review of all existing arrangements to ensure compliance.
- Regulatory harmonisation: The guidelines echo banking sector guidance promoting consistency between the banking and insurance sectors. In particular, the guidelines build on the European Banking Authority (EBA) recommendations on cloud outsourcing from 2017 and the EBA guidelines on outsourcing arrangements from 2019. One of the main objectives of the report is regulatory harmonisation relating to cloud outsourcing. As a result, EIOPA has reviewed the wording of its guidelines in order to ensure its alignment with the requirements set by the EBA. This is great news for the insurance industry as it helps to keep divergence of approach to a minimum and create a level playing field across sectors.
- Critical or important functions: EIOPA has streamlined the contents of the report to focus on outsourcing of critical or important operational functions to cloud service providers, as opposed to all outsourcing arrangements (which was the suggestion in the consultation). Again, this represents another pragmatic and helpful change by EIOPA and emphasises EIOPA’s focus on proportionality and risk-based review.
- Bargaining power: The guidelines are particularly helpful for insurers who are looking to negotiate their contracts with cloud providers. The guidelines give insurers a regulatory driver for why certain provisions need to be included in their outsourcing agreements. This in turn puts insurers in a stronger position when negotiating contracts with cloud providers. Cloud providers will either need to change their standard terms or be open to changes to their terms as a result of these new guidelines. Guideline 10 sets out prescriptive requirements for contracts.
Of the 16 guidelines, our top three for insurers to consider are:
- Outsourcing register – Guideline 5: Insurers should keep a record of its cloud outsourcing arrangements in the form of a dedicated register, which is kept up-to-date over time and which is made available to the supervisory authority on request. This aligns with the approach in the EBA guidelines and should promote effective supervision by the insurer and the regulators.
- Sub-outsourcing – Guideline 13: Sub-outsourcing arrangements are an increasing focus for regulators, particularly where service providers sub-outsource to a chain of third party service providers. This guideline includes an obligation for the cloud service provider to inform its clients of any planned significant changes to the sub-outsourcers services and a right for clients to object to such changes. As ever, the starting point for insurers should always be that a service provider must obtain its consent before any sub-outsourcing and this guideline helps to give a regulatory backdrop to the insurer’s request.
- Termination rights and exit strategy – Guideline 15: As cloud-based services become more critical to service delivery, regulators want to ensure that exit strategies are feasible without detriment to the continuity and quality of service. Whilst this principle is embedded within Solvency II and is therefore not new for insurers, the report gives additional context. Exit strategies should be achieved by developing exit plans, which are comprehensive, service-based, documented and sufficiently tested. We would suggest that it is the cloud service provider who is generally best placed to prepare a first draft of the plan.