guidelines for outsourcing to providers of existing and new cloud services

From 1 January 2021, insurance and reinsurance undertakings (‘Undertakings’) are subject to Guidelines for outsourcing to cloud service providers (‘Providers’). The Guidelines have been issued by EIOPA (‘Guidelines’). EIOPA is the European Supervisory Authority for Occupational Pensions and Insurance, an independent body that advises the European Commission, the European Parliament and the Council of Europe. These Guidelines are intended to assist firms in applying the outsourcing provisions of Directive 2009/138/EC (‘Solvency II Directive’).

DNB and supervision of outsourcing

The rules that already apply to the outsourcing of critical or important outsourcing by financial undertakings (including insurance companies) are included in Article 3.18 of the Financial Supervision Act, which implements Article 49 of the Solvency II Directive. IT or cloud outsourcing will almost always have to be qualified as critical outsourcing.  Financial undertakings operating in the Netherlands (supervised institutions) that outsource work to third parties remain responsible for compliance with the financial supervisory legislation relating to that work. A financial undertaking will not outsource if this may impede the exercise of adequate supervision by De Nederlandse Bank (‘DNB’).

This financial legislation allows financial undertakings to outsource to a service provider under certain conditions. The purpose of the conditions is to control the risks of outsourcing and to ensure that outsourcing does not hamper proper supervision. Part of the relevant conditions must be included in the contracts concluded with the outsourcing providers. In the so-called ‘Good practice outsourcing by insurers’, DNB has given recommendations for points of attention when insurers outsource. The EIOPA guidelines that will come into force will be applied by the DNB in the supervision of the financial legislation that applies to insurers where outsourcing to Providers is concerned. The previously mentioned ‘Good practice’ remains of significance for this specific form of outsourcing, namely for cloud services, in addition to the Guidelines.

Guidelines and the outsourcing agreement

The Guidelines apply as of 1 January 2021 to all outsourcing agreements (‘Agreements’) relating to cloud services that become effective on or after that date. Existing outsourcing agreements must also be reviewed or amended so that they comply with the Guidelines by 31 December 2022. If, for any reason, this does not succeed, the Company concerned must notify the regulator.

The Guidelines contain many points of interest such as:

  • the notification to the supervisors,
  • documentation requirements,
  • making an analysis prior to outsourcing,
  • an assessment of the critical or important operational functions and activities,
  • assessing the risks of outsourcing the cloud services, and
  • Due diligence on the cloud service provider.

Guideline 10 is relevant for the Agreement because it lists a number of topics, which it recommends be clearly delineated in a written agreement. Some of these topics are further elaborated in the Guidelines. Below we list the most important topics that, according to the Guidelines, should in any case be included in the Agreement. Incidentally, in many cases it is only about the topics that must be addressed, and the Guidelines do not express an opinion about the specific manner in which the topics should be regulated.

Scope (10a)

The Agreement should contain a clear description of the outsourced functions and activities, including the type of service provided. This sounds simpler than it is in practice. It often happens that the scope is clearly defined in an implementation plan to be worked out by the parties only after the Agreement has been signed.   

Duration of the agreement (10b)

A start date and an end date of the Agreement must be stated. Of course, this is not possible in all cases, because the Agreement may also be concluded for an indefinite period. In addition, this Guideline also states that a notice period must be included for both the Provider and the Company. For the Company, it is important that the notice period for the Provider is sufficiently long that the Company can switch to another provider or possibly take on the services itself again.

Financial obligations of the parties (10d)

There is no further explanation of this in this Guideline, so it is not entirely clear how extensively it should be included in the Agreement. It is advisable to have a separate financial attachment to the Agreement which includes all financial arangements. For the Company, one can of course think of the costs of an implementation, licence fees and fees for maintenance. For the Provider, it is more difficult to determine what the financial obligations might be. This could include any fines or bonuses.

Subcontracting (10e)

Providers not infrequently use subcontractors in the performance of work. The Contract should state whether further outsourcing of critical or important operational functions and activities is allowed and under what conditions. Guideline 13 elaborates on this with extensive conditions. The Provider should remain responsible at all times and should monitor and control the outsourced activities. Furthermore, it is important that the Company must be informed of, and be able to object to, significant changes to the subcontractors or the services to be performed by the subcontractors.

Processing of (personal) data (10f and g)

This section requires provisions to be included in the Agreement:

  • Regarding the location (country or region) where (personal) data will be stored and processed (location of data centres), including the obligation to notify the Company if the Provider proposes to change the location. This section is relevant, from a privacy law perspective, if personal data is processed in a country outside the European Economic Area, which is subject to special rules under the General Data Protection Regulation (“GDPR”).
  • With regard to accessibility, availability, integrity, confidentiality and security of the (personal) data. For all these topics, further specifications are included in Article 12 of the Guidelines. However, these specifications mainly concern the standards that arise from the GDPR.

Partly in view of the above, it seems prudent to carry out a Data Protection Impact Assessment (DPIA) prior to the processing of personal data as part of the outsourcing process and, if personal data are processed outside the European Economic Area, a Data Transfer Impact Assessment as well. A DPIA may not be mandatory (see Article 35 AVG) but it is important to identify any risks temporarily and to discuss them with the cloud service provider in a timely manner. The importance of a DTIA follows from the judgment of the European Court of Justice of 16 July 2020 (case C-311/18) in the Facebook and Schrems case.

Insurance (10k)

Liability and insurance is a topic that is unlikely to be absent from any Agreement. Nevertheless, Guideline 10 states that the Provider is obliged to insure itself against certain risks and, if applicable, the required level of insurance coverage. However, it does not say which risks are involved. This will leave much room for negotiation, as Providers are often unwilling to accept forms of indirect loss (also because this is often excluded in policy terms). However, the concept is not well-defined, so that the question is what the parties mean by it, and in practice this gives rise to much discussion.

Service levels, monitoring and reporting (10 h, i and j)

In the operational phase, the Company must have the right to monitor the Provider’s performance on a regular basis. Monitoring requires that the agreed service levels include precise quantitative and qualitative performance targets (“Service levels”). For this purpose, the Service Level Agreement (“SLA”) is used. This SLA is usually provided by the Provider. The Company will need to ensure that this SLA contains the intended performance targets. These must also be enforceable (i.e. in the form of guarantees or at least result obligations, possibly sanctioned by a penalty regime). The SLA will also have to provide for corrective measures in the event that the performance targets are not or cannot be met.

In that context, the Provider is expected to ensure adequate reporting, not only with regard to achieving the service levels, but also for other obligations from the Agreement. This may include reports on information security and other compliance obligations.

Monitoring and auditing, and further requirements for inclusion, are also set out in Guideline 14

Continuity (10 l and n)

Since this often involves very business-critical outsourcing, it is important that the Agreement contains provisions regarding continuity. In the first place, the Company will have to have a business continuity plan. The Guidelines do not say anything about what that plan should exactly entail. Furthermore, the Agreement will have to include that the Company can restore its data immediately in the event of insolvency, liquidation or discontinuation of the business activities of the Provider. This requires that the Provider has a (cloud) escrow arrangement or other provisions in place that guarantees the continuity of services (in addition to a good back-up provision in the SLA).

Audit and control (10m)  

The Provider has the obligation to :

  • Grant the Company and the relevant supervisory authorities a right of access to all business locations relevant to the outsourcing
  • Grant the Company and the relevant supervisory authorities an unrestricted right of examination and audit with respect to compliance with all aspects of the performance of the outsourcing agreement

This topic raises a lot of discussion with Providers, who are often critical of audit rights for the Company. An extensive further elaboration of access and audit rights is included in Guideline 11.

Termination right and exit strategies

While the recommendations for contract provisions are included in Guideline 10 (and some parts are further elaborated in the Guidelines that follow), there is an important topic that is only in Guideline 15, the exit.

The Agreement will need to include a clearly defined exit clause that ensures that the Company can terminate the Agreement without compromising the continuity and quality of service to policyholders.

Conclusion

The Guidelines contain in Guideline 10 (‘contract provisions’) various topics that require attention in an Agreement. This does not only apply to Agreements commencing on 1 January 2021, but also to already existing Agreements. These will have to be revised in the light of the Guidelines by 31 December 2022.

Although the Guidelines are recommendations, DNB will, in the context of supervisory practice, monitor the way in which the Guidelines are incorporated in the Agreement.  In addition, in the context of the mandatory notification to the DNB, the manner in which the Guidelines are incorporated in the Agreement will be critically examined.

What do the Guidelines mean in practice?

The Guidelines are of great importance to the outsourcing practice.

The Company will have to look critically at how the Guidelines are incorporated into the various agreements (whereby a complex outsourcing is an interplay of various agreements such as the implementation agreement, licence agreement, SLA and processor agreement).

Providers will need to be aware of the implications of the Guidelines on their services and on the Agreements they enter into with Companies. This requires knowledge of the Guidelines and the applicable financial regulations. For the Provider, it is important to find the right balance between its own interest and the interest of the Company in meeting the obligations under the financial regulations.

This site is registered on Toolset.com as a development site.