On 13 November 2024, the Italian insurance supervisory authority (IVASS) has launched a public consultation on a draft Letter to the Market on outsourcing, which contains the Italian regulator's supervisory expectations addressed to insurance companies in relation to the application of its Regulation No. 38/2018, to facilitate the uniform and correct application of the European and national regulatory framework.

The aim of the Letter to the Market

IVASS supervisory reviews have revealed a growing recourse to outsourcing of business activities and processes by insurance companies to specialised operators, including in innovative ways. IVASS monitors these developments in order to verify that the nature and extent of the outsourced activities or functions and the outsourcing arrangements do not cause a detriment to the corporate governance system or an appreciable increase in operational risk, and that an appropriate organisational structure is maintained at all times to prevent the insurance company from becoming an empty shell.

The purpose of the Letter to the Market is to draw the attention of companies both to the importance of a correct assessment of the risks and opportunities relating to the outsourcing of activities or functions that are crucial to the insurer's organisation, and to the correct identification of critical or important activities/services that are subject to prior notification to IVASS.

In light of the above, in order to encourage the development of best practices and uniform conduct by companies, IVASS has developed supervisory expectations which are deemed to appropriately implement the provisions already contained in its Regulation no. 38/2018 on the corporate governance system (which includes the applicable rules on outsourcing) and which must be declined by companies, in accordance with the principle of proportionality, based on their size, the riskiness and complexity of the business, the breadth and importance of the outsourced activities or functions, and the recourse to outsourcing to other group companies.

The expectations are intended to provide general indications on how IVASS expects the regulatory provisions on outsourcing to be complied with, thus they are not binding. However, if the measures taken by the company in relation to outsourcing are not effective and adequate to ensure compliance with the applicable rules, IVASS may, within the scope of its competences, take the supervisory measures provided for by law.

Scope of application

Expectations are addressed to (i) Italian insurance and reinsurance undertakings, (ii) Italian branches of non-EU undertakings and (iii) ultimate Italian parent companies as well as ultimate Italian parent companies of a national sub-group with a European ultimate parent company if IVASS decides to exercise supervision over that sub-group.

Supervisory expectations

Below are the supervisory expectations set out in the draft IVASS Letter to the Market:

• Governance and risk management aspects

IVASS reminds that the administrative body has the ultimate responsibility for the corporate governance system, as it directs strategic decisions and ensures continuous completeness and effectiveness, including for outsourced activities. In this regard, IVASS expects insurance companies to:

1. value the role of the administrative body in the decision-making process concerning the outsourcing of key functions and critical or important activities or functions in such a way as to allow it to be fully aware of the results of the agreements in place, the degree of the company's dependence on external parties and the related risks;
2. consider the choice of using suppliers, for the performance of key functions or critical or important activities or functions, as an integral part of the company strategies approved by the administrative body.

IVASS also reminds that in the case of outsourcing insurance companies shall appoint the persons in charge of the control activities on the critical or important outsourced functions or activities in a number proportionate to the nature and quantity thereof and the holder of the key function outsourced, who are required to meet specific suitability requirements and criteria. For the purposes of the outsourcing of critical or important activities or functions insurance undertakings shall, as part of their outsourcing policy, also define the analysis process to be carried out for the purpose of concluding the outsourcing agreement. In this regard, IVASS expects that insurers:

1. when assessing the adequacy of the structures and professionalism of the chosen supplier, evaluate the main types of outsourcing risks and at least those related to: operation, concentration, sub-outsourcing, legal, reputation, IT, lock-in (e.g. excessive dependence on a supplier);
2. take into account the outcome of the aforesaid analysis also in the definition of the measures required to ensure the continuity of the outsourced activities in the event of interruption or serious deterioration of the quality of the service rendered by the supplier, including adequate contingency plans or re-internalisation of the activities.

Pursuant to IVASS Regulation No 38/2018, the administrative body shall be regularly informed, at least once a year, about the results of outsourcing agreements of critical or important functions or activities, in the course of their performance. In this context, IVASS expects that:

1. the administrative body is presented with a report on the results of outsourcing agreements executed, in the course of their performance, highlighting any critical issues that have emerged.

• Safeguards adopted by the company on outsourced functions or activities

The applicable Regulation provides that the corporate governance system must ensure standardised controls on outsourced functions or activities, similar to those that would be implemented if they were performed directly by the company. In this regard, IVASS expects that:

1. as part of the periodic checks on outsourced functions or activities, a risk analysis similar to the one carried out when the agreement has been concluded is carried out, in order to verify that no changes have occurred that could affect the evaluation of the outsourced activity;
2. companies include in their agreements SLAs that define an adequate quality standard to which the supplier must adhere, the measurement of such standards through the identification of specific indicators (KPIs), as well as any penalties applicable to the supplier in the event of failure to achieve the agreed service levels;
3. companies adopt processes that make it possible to assess:

1. compliance with the SLAs;
2. the regular trend of KPIs;
3. the causes of any failure to comply with the KPIs and the levels of service provided to customers;
4. the measures taken by the supplier and the timing of their implementation to overcome any criticalities;
5. the possible application of the penalties provided for in the agreement;
6. adjustments, modifications and additions to the agreement, also taking into account the evolution of services;

4. companies do not lead to complex chains of sub-outsourcers that could affect the ability of the assigning companies to verify the proper performance of the outsourced activity or function.

• Outsourcing of ICT services

On 16 January 2023, Regulation (EU) 2022/2554 on digital operational resilience for the financial sector ("DORA Regulation") came into force and will be applicable as of 17 January 2025. The DORA Regulation aims, among other things, to strengthen the management of risks associated with the outsourcing of ICT services to third-party providers (including intra-group providers). In this regard, IVASS expects companies to:

1. proactively pursue the alignment of their management and control models with the DORA Regulation, with particular regard to the adoption of a dedicated IT risk strategy, based on the constant review of all third party dependencies in the ICT sector and including a policy for the use of ICT services to support critical or important functions provided by third party suppliers.

• Prior communications to IVASS relating to the outsourcing of critical or important activities or functions

As part of the supervision activity carried out, IVASS found a high heterogeneity of cases which were subject to prior notification pursuant to Article 67 of Regulation No. 38/2018.

IVASS expects that, as part of the process of identifying critical or important activities or functions by insurance companies, those relating to the following are presumed to be such and therefore subject to the obligation of prior communication:

• the design of insurance products with the relative definition of tariffs;
• the management of investments;
• the management and settlement of claims (including the use of call centres);
• the management of complaints;
• the regular and constant provision of support of an accounting nature;
• the provision of ICT services;
• the ORSA process.

The outsourcing of activities or functions that are different from or merely instrumental to those indicated above (e.g. mail sorting, e-mail management, document archiving and digitalisation, etc.) is not generally deemed to be subject to the obligation of prior notification set forth the applicable Regulation, without prejudice to the different assessment of the company that deems the characteristics of criticality or importance to be met.

• Communications to IVASS regarding relevant developments in the outsourcing agreement already entered into or its termination by entrusting it to another supplier

In relation to the abovementioned obligations under Article 67, paragraphs 6 and 7 of Regulation No. 38/2018, IVASS has observed a different communication approach with respect to similar cases. In some cases, in fact, the notifications at hand are made in advance of execution of the agreement, while in others the notification is made close to or concurrently with the effective date of the new agreement or when the contractual change is already effective.

In this context, IVASS expects that:

1. the assignment of the service to a new supplier is communicated to IVASS in advance;
2. sub-outsourcing is not communicated to IVASS in advance, since it is explicitly provided under the applicable regulation that the supplier may perform the outsourced activity, rather than directly, through sub-outsourcing, under the terms and conditions set out in the outsourcing agreement;
3. from the point of view of the contractual content, the inclusion in the outsourcing agreement of an additional service, in addition to the one initially agreed upon, which modifies the activity being outsourced, is communicated in advance to IVASS. This occurs, by way of example, in the case of the outsourcing of management phases concerning a different class of business with respect to the one to which the original outsourcing relates (e.g. the outsourcing of the management of general third party liability claims in addition to the management of motor liability claims already outsourced).

For the reasons set forth above, the extension of the contractual subject matter to services which, although additional to those set forth in the initial agreement, fall within the same type and/or nature of those already outsourced (e.g. with regard to investments, when the outsourcing scope is extended to additional assets other than those originally indicated) or when the new arrangement is in any case circumscribed within the sector subject to the initial supply (e.g. claims management activities extended also to other risks, provided that they are included in the class of business already covered by the supply) is not subject to prior notice to IVASS.

IVASS expects that:

1. the assignment to a new supplier of a critical or important function or activity following the natural expiry of the previous agreement is communicated in advance to IVASS, within the time limits provided for the applicable rules, as it represents a new outsourcing.

Lastly, IVASS clarifies that in the event of interruption or serious deterioration of the quality of the service rendered by the supplier that entails the activation of the emergency plans, the communication of the assignment to the new party is not subject to the terms for prior notification set forth by the applicable Regulation, also because compliance with said terms could jeopardise the proper function of the emergency plan. The above must be in any case communicated to IVASS in a timely manner.

Next steps

The public consultation will be open until 14 December 2024.

We are available to assist in providing a detailed analysis of the provisions contained in the draft Letter to the Market as well as in submitting specific comments to IVASS on topics of interest.

Authored by Silvia Lolli and Davide Valloni.