2024-2025 Global AI Trends Guide
IVASS published for public consultation a draft Letter to the Market on supervisory expectations regarding outsourcing by insurance companies. The expectations identify the ways in which IVASS expects companies to comply with the regulatory framework on outsourcing. IVASS also provides an indication of the methodologies adopted in the analysis and supervisory checks on some particularly important profiles. Expectations concern in particular: (i) governance and risk management aspects; (ii) the controls adopted by insurers on outsourced functions or activities; (iii) the outsourcing of Information and Communication Technologies (ICT) services; (iv) prior notifications concerning the outsourcing of critical or important activities or functions; and (v) notifications concerning relevant developments in the outsourcing agreement already signed or its termination with outsourcing to another supplier.
On 13 November 2024, the Italian insurance supervisory authority (IVASS) has launched a public consultation on a draft Letter to the Market on outsourcing, which contains the Italian regulator's supervisory expectations addressed to insurance companies in relation to the application of its Regulation No. 38/2018, to facilitate the uniform and correct application of the European and national regulatory framework.
IVASS supervisory reviews have revealed a growing recourse to outsourcing of business activities and processes by insurance companies to specialised operators, including in innovative ways. IVASS monitors these developments in order to verify that the nature and extent of the outsourced activities or functions and the outsourcing arrangements do not cause a detriment to the corporate governance system or an appreciable increase in operational risk, and that an appropriate organisational structure is maintained at all times to prevent the insurance company from becoming an empty shell.
The purpose of the Letter to the Market is to draw the attention of companies both to the importance of a correct assessment of the risks and opportunities relating to the outsourcing of activities or functions that are crucial to the insurer's organisation, and to the correct identification of critical or important activities/services that are subject to prior notification to IVASS.
In light of the above, in order to encourage the development of best practices and uniform conduct by companies, IVASS has developed supervisory expectations which are deemed to appropriately implement the provisions already contained in its Regulation no. 38/2018 on the corporate governance system (which includes the applicable rules on outsourcing) and which must be declined by companies, in accordance with the principle of proportionality, based on their size, the riskiness and complexity of the business, the breadth and importance of the outsourced activities or functions, and the recourse to outsourcing to other group companies.
The expectations are intended to provide general indications on how IVASS expects the regulatory provisions on outsourcing to be complied with, thus they are not binding. However, if the measures taken by the company in relation to outsourcing are not effective and adequate to ensure compliance with the applicable rules, IVASS may, within the scope of its competences, take the supervisory measures provided for by law.
Expectations are addressed to (i) Italian insurance and reinsurance undertakings, (ii) Italian branches of non-EU undertakings and (iii) ultimate Italian parent companies as well as ultimate Italian parent companies of a national sub-group with a European ultimate parent company if IVASS decides to exercise supervision over that sub-group.
Below are the supervisory expectations set out in the draft IVASS Letter to the Market:
IVASS reminds that the administrative body has the ultimate responsibility for the corporate governance system, as it directs strategic decisions and ensures continuous completeness and effectiveness, including for outsourced activities. In this regard, IVASS expects insurance companies to:
IVASS also reminds that in the case of outsourcing insurance companies shall appoint the persons in charge of the control activities on the critical or important outsourced functions or activities in a number proportionate to the nature and quantity thereof and the holder of the key function outsourced, who are required to meet specific suitability requirements and criteria. For the purposes of the outsourcing of critical or important activities or functions insurance undertakings shall, as part of their outsourcing policy, also define the analysis process to be carried out for the purpose of concluding the outsourcing agreement. In this regard, IVASS expects that insurers:
Pursuant to IVASS Regulation No 38/2018, the administrative body shall be regularly informed, at least once a year, about the results of outsourcing agreements of critical or important functions or activities, in the course of their performance. In this context, IVASS expects that:
The applicable Regulation provides that the corporate governance system must ensure standardised controls on outsourced functions or activities, similar to those that would be implemented if they were performed directly by the company. In this regard, IVASS expects that:
On 16 January 2023, Regulation (EU) 2022/2554 on digital operational resilience for the financial sector ("DORA Regulation") came into force and will be applicable as of 17 January 2025. The DORA Regulation aims, among other things, to strengthen the management of risks associated with the outsourcing of ICT services to third-party providers (including intra-group providers). In this regard, IVASS expects companies to:
As part of the supervision activity carried out, IVASS found a high heterogeneity of cases which were subject to prior notification pursuant to Article 67 of Regulation No. 38/2018.
IVASS expects that, as part of the process of identifying critical or important activities or functions by insurance companies, those relating to the following are presumed to be such and therefore subject to the obligation of prior communication:
The outsourcing of activities or functions that are different from or merely instrumental to those indicated above (e.g. mail sorting, e-mail management, document archiving and digitalisation, etc.) is not generally deemed to be subject to the obligation of prior notification set forth the applicable Regulation, without prejudice to the different assessment of the company that deems the characteristics of criticality or importance to be met.
In relation to the abovementioned obligations under Article 67, paragraphs 6 and 7 of Regulation No. 38/2018, IVASS has observed a different communication approach with respect to similar cases. In some cases, in fact, the notifications at hand are made in advance of execution of the agreement, while in others the notification is made close to or concurrently with the effective date of the new agreement or when the contractual change is already effective.
In this context, IVASS expects that:
For the reasons set forth above, the extension of the contractual subject matter to services which, although additional to those set forth in the initial agreement, fall within the same type and/or nature of those already outsourced (e.g. with regard to investments, when the outsourcing scope is extended to additional assets other than those originally indicated) or when the new arrangement is in any case circumscribed within the sector subject to the initial supply (e.g. claims management activities extended also to other risks, provided that they are included in the class of business already covered by the supply) is not subject to prior notice to IVASS.
IVASS expects that:
Lastly, IVASS clarifies that in the event of interruption or serious deterioration of the quality of the service rendered by the supplier that entails the activation of the emergency plans, the communication of the assignment to the new party is not subject to the terms for prior notification set forth by the applicable Regulation, also because compliance with said terms could jeopardise the proper function of the emergency plan. The above must be in any case communicated to IVASS in a timely manner.
Next steps
The public consultation will be open until 14 December 2024.
We are available to assist in providing a detailed analysis of the provisions contained in the draft Letter to the Market as well as in submitting specific comments to IVASS on topics of interest.