Outsourcing to Cloud Computing Service Providers 

July, 2021 - Teresa Afonso, Margarida Ferraz de Oliveira, Paula Bento Neto

The European Insurance and Occupational Pensions Authority (“EIOPA”) is entrusted with 1 issuing guidelines and recommendations to Member States’ supervisory authorities on how insurance and reinsurance undertakings should apply the Solvency II Directive 2 in order to (i) establish consistent, efficient and effective supervisory practices and (ii) ensure the common, uniform and consistent application of Union law.

In th is context , the EIOPA guidelines on outsourcing to cloud computing service providers 3 (“Guidelines”) were published on 6 February 2020. On 1 January 2021, these guidelines began to apply to all outsourcing agreements made or amended on or after that date and they are intended to be implemented by 31 December 2022.

In turn, on 11 May 2021, the Portuguese Insurance and Pension Funds Supervisory Authority 4 (“ASF”) issued Circular 3/2021, in which it announced its intention to launch a public consultation on the draft Regulatory Standard that will incorporate these Guidelines. It will also address diagnostic questionnaires to the Portuguese insurance market to identify the experience of insurance companies regarding the digital innovations in question.

Regardless of the advances in terms of regulation by the ASF and of the date the Regulatory Standard is published, a brief analysis of the Guidelines already published by the EIOPA is urgently required. Insurance companies have been concerned about the adaptations the Portuguese regulator will require in terms of outsourcing processes.

1. Scope of application

The Guidelines apply to “services provided using cloud computing, that is, a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction” 5.

However, the Guidelines only apply to outsourcing for the purposes of the Solvency II Directive and this is defined as: “an arrangement of any form between an insurance or reinsurance undertaking and a service provider, whether a supervised entity or not, by which that service provider performs a process, a service or an activity, whether directly or by sub-outsourcing, which would otherwise be performed by the insurance or reinsurance undertaking itself” 6.

Insurance undertakings will have to review current outsourcing arrangements relating to critical or important operational functions or activities and amend them in accordance with the Guidelines. If this review is not completed by 31 December 2022, insurance undertakings will be required to inform the ASF of this and tell it about the steps they have planned to complete the review and any exit strategy for those arrangements.

Read More

 

1 By virtue of Article 16 of Regulation (EU) No 1094/2010 of the European Parliament and of the Council of 24 November 2010.

2 Directive 2009/138/EC of the European Parliament and of the Council of 25 November 2009.

3 EIOPA-BoS-20-002, available here.

4 Autoridade de Supervisão de Seguros e Fundos de Pensões.

5 See definition of “Cloud services”, paragraph 9 of the Guidelines.

6 See article 13(28) of the Solvency II Directive.

 



Link to article

MEMBER COMMENTS

WSG Member: Please login to add your comment.

dots