Requirements applicable to outsourcing (including intra-group arrangements as well as outsourcing to the cloud) under Dutch and EU financial regulatory regimes have become more stringent in recent years. Outsourcing has therefore been a priority on the Dutch regulators’ supervision agenda.
On 30 November 2020, the Dutch Central Bank (De Nederlandsche Bank, “DNB”) published new guidance with the aim of improving the quality of outsourcing notifications submitted by Dutch insurers. On the same date, DNB issued a press release indicating that outsourcing contracts between various regulated undertakings and a large IT supplier are structurally non-compliant, for instance because a proper ‘right to audit’ or ‘right to examine’ was not appropriately catered for, alerting Dutch financial markets to the paramount importance of compliance with the applicable outsourcing requirements.
The Solvency II Directive sets the requirements applicable to (cloud and non-cloud) outsourcing by insurers. The requirements state that DNB must be informed in a timely manner when a Dutch insurer decides to outsource activities to a third party. Importantly, outsourcing arrangements that qualify as ‘critical or important’ must be reported to DNB before the agreement with the third party to whom the services are outsourced takes effect, or the actual provision of services commences.
Points of attention
In its update, DNB notes that it will continue to focus on the quality of the outsourcing and the timely and correct notification of outsourcing arrangements to DNB. In order to improve the quality of outsourcing notifications, DNB recommends that insurers take the following points of attention into account:
- In order to examine an outsourcing notification directly in the right context, DNB requests that insurers include with their notification a full schematic overview of the outsourcing chain, including a detailed explanation.
- DNB expects insurers to ensure that the scope and depth of the information they receive from third parties are sufficient to allow them to determine the outsourced parties’ standard of control. For an adequate evaluation of the risk that a service provider may not comply with the agreed quality standards, DNB asks insurers to use DNB’s template when preparing their risk analysis, as DNB states that assurance reports, certifications or in-house audits do not always provide sufficient assurance regarding the service provider's internal control. An ISO27001 certificate, for example, is by itself insufficient to demonstrate the effectiveness of control measures.
- The rights to audit and examine, which are referred to in the 'outsourcing notification form', extend beyond the service provider with whom the agreement is concluded. DNB emphasises the need for these rights to cover all critical or important outsourced activities throughout the outsourcing chain. Recent cases have provided examples where the rights to audit and examine service providers were not provided for in the outsourcing agreement, meaning that insurers were non-compliant when entering into the outsourcing arrangement (and may remain non-compliant to the present date). These agreements must be updated and amended.
Finally, DNB reiterates that it is important to evaluate the extent to which outsourcing contracts meet the requirements set out in Article 274 of the Solvency II Regulation and the EIOPA Guidelines on outsourcing to cloud service providers.
Given that outsourcing is a key point of supervision by the Dutch regulators, we recommend that financial undertakings ensure that they fully comply with the applicable outsourcing regulations and that they assess whether their outsourcing notifications to DNB comply with the above guidelines.