Short Reads

DNB publishes guidelines for outsourcing notifications by insurers

DNB publishes guidelines for outsourcing notifications by insurers

DNB publishes guidelines for outsourcing notifications by insurers

04.12.2020 NL law

Requirements applicable to outsourcing (including intra-group arrangements as well as outsourcing to the cloud) under Dutch and EU financial regulatory regimes have become more stringent in recent years. Outsourcing has therefore been a priority on the Dutch regulators’ supervision agenda.

On 30 November 2020, the Dutch Central Bank (De Nederlandsche Bank, “DNB”) published new guidance with the aim of improving the quality of outsourcing notifications submitted by Dutch insurers.  On the same date, DNB issued a press release indicating that outsourcing contracts between various regulated undertakings and a large IT supplier are structurally non-compliant, for instance because a proper ‘right to audit’ or ‘right to examine’ was not appropriately catered for (link), alerting Dutch financial markets to the paramount importance of compliance with the applicable outsourcing requirements.

Outsourcing activities

The Solvency II Directive sets the requirements applicable to (cloud and non-cloud) outsourcing by insurers. The requirements state that DNB must be informed in a timely manner when a Dutch insurer decides to outsource activities to a third party. Importantly, outsourcing arrangements that qualify as ‘critical or important’ must be reported to DNB before the agreement with the third party to whom the services are outsourced takes effect, or the actual provision of services commences.

Points of attention

In its update, DNB notes that it will continue to focus on the quality of the outsourcing and the timely and correct notification of outsourcing arrangements to DNB. In order to improve the quality of outsourcing notifications, DNB recommends that insurers take the following points of attention into account:

  • In order to examine an outsourcing notification directly in the right context, DNB requests insurers include with their notification a full schematic overview of the outsourcing chain, including a detailed explanation.
  • DNB expects insurers to ensure that the scope and depth of the information they receive from third parties is sufficient to allow them to determine the outsourced parties’ standard of control. For an adequate evaluation of the risk that a service provider may not comply with the agreed quality standards, DNB asks insurers to use DNB’s template when preparing their risk analysis, as DNB states that assurance reports, certifications or in-house audits do not always provide sufficient assurance regarding the service provider's internal control. An ISO27001 certificate, for example, is by itself insufficient to demonstrate the effectiveness of control measures.
  • The rights to audit and examine, which are referred to in the 'outsourcing notification form', extend beyond the service provider with whom the agreement is concluded. DNB emphasises the need for these rights to cover all critical or important outsourced activities throughout the outsourcing chain. Recent cases have provided examples where the rights to audit and examine service providers were not provided for in the outsourcing agreement, meaning that insurers were non-compliant when entering into the outsourcing arrangement (and may remain non-compliant to the present date). These agreements must be updated and amended.

Finally, DNB reiterates that it is important to evaluate the extent to which outsourcing contracts meet the requirements set out in Article 274 of the Solvency II Regulation and the EIOPA Guidelines on outsourcing to cloud service providers.

Given the fact that outsourcing is a key point of supervision by the Dutch regulators, we recommend financial undertakings to ensure that they fully comply with the applicable outsourcing regulations and that they assess whether their outsourcing notifications to DNB comply with the above guidelines.

Team

Related news

12.03.2021 LU law
Stibbe Luxembourg lawyers co-author the SFDR Implementation Guide

Articles - Edouard d'Anterroches, Audrey Jarreton and Nicolas Pradel co-authored the SFDR Implementation Guide published on 9 March 2021 by the Association des Banques et Banquiers, Luxembourg (ABBL), the Association of the Luxembourg Fund Industry (ALFI) and the Association des Companies d’Assurances et de Réassurances (ACA) for the use of their members.

Read more

21.04.2021 NL law
The Sustainable Finance Package: a game changer in finance

Short Reads - Today’s publication of the Sustainable Finance Package will impact large corporates, as well as financial institutions, including asset managers, insurers and others. New rules on sustainability reporting, taxonomy, product governance and more are taking shape. This year and 2022 will require specific action from our clients to comply with the EC’s ambitious plans to green the EU economy. Read more below from Stibbe’s ESG team of specialists.

Read more

11.03.2021 NL law
Financial Regulatory – Update Q1 2021

Short Reads - Traditionally, 1 January (and 1 July) each year is a date on which new Dutch financial regulations enter into force. This year, the amendments to the Dutch Financial Supervision Act (Wet op het financieel toezicht – “Wft”) are relatively few, but other notable developments are worthy of attention.

Read more