IT security as outsourcing according to MaGo and section 32 VAG
Outsourcing in the insurance industry is governed by MaGo and section 32 VAG. If a service provider employs another service provider to provide the outsourced processes, this is referred to as sub-delegation. According to section 7 no. 2 of the Insurance Supervision Act [VAG], outsourcing is defined by the fact that the respective process would usually be provided by the insurance company itself.
- Central elements for outsourcing according to MaGo and section 32 VAG
- Important functions or insurance activities vs. other activities
- Key points in the outsourcing agreement
Central elements for outsourcing according to MaGo and section 32 VAG
Risk analysis as the basis of any outsourcing
The basis of any outsourcing is a risk analysis, which should clarify, among other things, whether the planned outsourcing falls within the definition of outsourcing and whether it is an important function or insurance activity. Risk considerations must play an appropriate role in the basic decision for or against outsourcing. The relevant risk categories include strategic, operational, or even reputational risks.
In principle, all processes within an insurance company can be outsourced, subject to compliance requirements – with the exception of original management tasks, including responsibility for setting up and developing the risk management system and the internal control system.
Responsibility and importance of the EEA
Despite outsourcing, the insurance company always remains responsible for compliance with all supervisory regulations and requirements. This requirement gives rise to further regulations with regard to the supervisory authority’s monitoring options. Thus, service providers outside the European Economic Area [EEA] must be subject to the same control framework as local providers. Moreover, the control options of the supervisory authority and the company itself must not be restricted by non-European supervisory authorities or local jurisdiction.
Categorization: Important function and insurance or other activity
When outsourcing, a distinction must generally be made independently between important functions and insurance activities on the one hand and other activities on the other. This applies to partial outsourcing as well, which can also be important in its own right. There are no general guidelines for this; the decision must be made in each individual case. The outsourcing of important functions and insurance activities must always receive prior approval from management.
Key functions and self-defined key tasks must always be classified as important. Furthermore, the following areas are for the most part considered important functions or insurance activities: sales, portfolio management, benefits processing, calculation of technical provisions in accordance with Solvency II [Solvabilität II] and the German Commercial Code [HGB], accounting, asset investment and management, and electronic data processing that supports the company's own important, typically insurance-related activities.
Pursuant to section 47 no. 8 VAG, the outsourcing of key functions and insurance activities must be reported to the supervisory authorities together with the submission of the draft contract. The notification includes: the name of the service provider, the address of the service provider, a description of the scope of outsourcing, the reasons for outsourcing and, in the case of outsourcing a key function, particularly one of the strictly defined key functions (internal audit, compliance function, risk management function, actuarial function), the name of the person responsible for this at the service provider.
The outsourcing officer
It is at the discretion of the outsourcing company whether an outsourcing officer is appointed. However, the outsourcing of key functions and self-defined key tasks always requires an outsourcing officer, who must be reported to BaFin.
Outsourcing within insurance or corporate groups
Internal group or internal corporate group outsourcing must also adhere to the requirements described above. The same care and intensive monitoring must be carried out here as for conventional service providers. (However, relief is possible in individual cases, for example, in the form of SLAs that define the rights and obligations of both parties with regard to outsourcing. The review of an internal group service provider prior to outsourcing may also be less detailed.)
Intermediary matters (without acquisition or claims settlement authority) are not subject to outsourcing requirements. The transfer of these processes to insurance intermediaries, on the other hand, always represents the outsourcing of important functions or insurance activities – there is no individual assessment option on this point.
The outsourcing guidelines, which must be drawn up on a binding basis, set out all the necessary procedural and quality standards as well as reporting and monitoring obligations from the beginning to the end of the outsourcing. Possible effects on business operations must also be taken into account here.
The outsourcing guidelines also include a review process for the service provider that covers, at a minimum, the service provider’s financial capability, technical capability and capacity as well as the control framework and any conflicts of interest.
The guidelines must also define contingency plans and measures for exit management, a change of provider, or a return of outsourcing to the company in order to ensure the undiminished quality of the outsourced functions and insurance activities in these cases as well.
In general, sub-delegation is possible. The conditions for sub-delegation must also be defined in written guidelines. If sub-delegation involves an important function or insurance activity, it must be approved in advance by the entire management or by the responsible manager at a minimum.
Important functions or insurance activities vs. other activities
The categorization and differentiation of important functions or insurance activities on the one hand and other activities on the other is crucial for every company, since the two categories carry different regulatory obligations.
- Section 32 (3) VAG and likewise article 274 (5) DVO [implementing ordinance] only apply to the outsourcing of important functions or insurance activities. This is accompanied by special requirements including but not limited to a review of the service provider’s risk management system and contingency planning, a credit assessment of the service provider, a review of all employees with regard to professional suitability and reliability, and inclusion in the company’s own risk management.
- Outsourcing of important functions or insurance activities must be reported to BaFin, the German financial supervisory authority.
- Outsourcing of important functions or insurance activities requires management approval.
Key points in the outsourcing agreement
In the outsourcing contract or ‘outsourcing agreement,’ the regulatory requirements must be worded in a way that is binding and precise for both parties. The key topics here include:
- Designing the content to ensure that outsourcing does not restrict the proper execution of the outsourced processes, the management and control capabilities of the management board, or the audit and control rights of BaFin (section 32 (2) (1) VAG). For example, it must be ensured that there is full access to data for the insurance company itself, its auditors, and the supervisory authority. Furthermore, the service provider’s cooperation with the supervisory authority is mandatory, including the right of access to the service provider’s premises.
- Securing the required rights to information and instructions by contract.
- Clearly defining the duties and responsibilities of both parties involved. (Performance specifications do not have to be defined in the framework agreement itself but can also be provided in annexes.)
- The service provider’s immediate duty to communicate any developments that could lead to significant disruptions to the outsourced processes.
- Sufficiently dimensioned notice periods to enable a change of provider and alternative solutions.
- Extraordinary termination rights for good cause, such as termination of outsourcing at the request of BaFin.
- Furthermore, the permissibility of a sub-delegation must be clarified. If sub-delegation is permitted, the duties and responsibilities of the service provider must remain unaffected by it.