Outsourcing with Solvency II in mind
August 5, 2010
While the Basel II implementation projects within banks are coming to an end, European insurers are burning the midnight oil to get Solvency II implemented before the end of 2012. The Solvency II legislation is aimed at improving risk management practices within insurance companies and providing better protection for policyholders. For this purpose, the legislation demands:
- the insurer to hold enough capital to survive a period of economic hardship (Pillar 1),
- adequate quality of internal controls and governance (Pillar 2) and
- greater transparency in communication with the regulator and market (Pillar 3).
These three topics have been translated into clauses that must be complied with. If the insurer has not outsourced any IT or business processes, it is sufficient for the insurer to translate the legislation into internal controls. If the insurer has outsourced activities, however, two activities are added to the project:
- Compliance with specific outsourcing requirements (in particular Article 49)
- Translating internal controls into a framework the supplier has to adhere to.
Specific requirements for outsourcing
Before discussing this topic any further, it is important to note that currently only the top-level requirements have been published (known as level 1). These requirements are now being developed further into more detailed demands (level 2 to level 4). Therefore ensure that new outsourcing contracts incorporate sufficient flexibility to cater for additional future requirements. Otherwise you might have to break open the contract and renegotiate parts of it.
At the top level (level 1), the specific requirements the insurer has to comply with in relation to outsourcing are:
- The insurer remains fully responsible for compliance with Solvency II. In short, the insurer does not get away with pointing its finger at the vendor if it does not comply with the legislation.
- The insurer must have written policies regarding outsourcing and adhere to them.
- Outsourcing should not adversely impact the quality of the governance system. In short: good control over the vendor is key.
- Outsourcing should not adversely affect operational risk. In short: define the operational risk profile before outsourcing and ensure that sufficient mechanisms are in place to manage the operational risk profile after outsourcing.
- Outsourcing should not adversely affect the ability of the regulator to check whether the insurer meets its obligations. This includes the requirement of the regulator to have access to the location of the supplier. In short, it is possible that a regulator wants to take a plane to India to audit a vendor.
- Outsourcing may not adversely affect the continuity and adequacy of services.
- The insurer must inform the supervisor prior to the outsourcing of critical or important functions or activities. In addition, the supervisor has to be informed of substantial changes to the contract.
At first sight it seems a relatively simple list, but demonstrating compliance to the regulator still requires some thought. In addition, not all (foreign) suppliers are eager to have a foreign regulator on their premises.
Translating internal controls
When (part of) a business process or IT system is outsourced, it must continue to meet the requirements set by Solvency II. The easiest way is to impose the existing internal control framework on the vendor. This is also the most expensive solution, because the vendor would not be able to use its own processes and best practices regarding risk management. Using a standard SAS70 / ISAE 3402 report as a compliance cure-all will not do either, because its scope does not match the specific demands posed by Solvency II.
Without going into too much detail, the following recommendations will guide you in the right direction:
- Define a “Solvency II risk profile” for the outsourced activities. Some activities and IT systems will hardly be affected by Solvency II, while other parts will be heavily impacted by it.
- Differentiate the design of the risk control framework based on the risk profile. Think of a ‘bronze’ approach for activities with a low risk and a ‘silver’ and ‘gold’ framework for critical processes.
- Translate the bronze, silver and gold profiles into specific control measures and requirements the vendor has to comply with. Apply relatively mild measures for bronze (e.g. reporting, due diligence on policies, relying on the vendor’s own monitoring framework) and heavier measures when outsourcing riskier activities (e.g. prescribing controls, third-party audits, strict monitoring of vendor compliance).
This approach allows for an optimal allocation of scarce time and resources across existing and planned outsourcing contracts in order to make them comply with Solvency II. It’s not rocket science, but translating an internal control framework into an adequate framework for the vendor in particular requires some thought and attention.