The Central Bank of Ireland (the “Central Bank”) views the management of outsourcing risk as key from both a Prudential and Consumer Protection perspective. Regulated financial service providers in Ireland (“regulated firms”) are expected to have effective governance, risk management and business continuity processes in place in relation to outsourcing, to mitigate potential risks of financial instability and consumer detriment.
In December 2021, the Central Bank published the Cross-Industry Guidance on Outsourcing (the “Guidance”), which applies to all regulated firms, including (re)insurers and (re)insurance intermediaries. The Guidance was designed to assist regulated firms in developing their outsourcing risk management frameworks to effectively identify, monitor and manage their outsourcing risks, and regulated firms are expected to adhere to and implement the Guidance.
Over the last year, (re)insurers have reviewed their outsourcing risk management frameworks with reference to the Guidance. Outsourcing policies and strategies were re-defined; onboarding, oversight and governance processes and controls were strengthened; in some cases, organisational changes were made. However, challenges remain.
During 2022, the Central Bank conducted a thematic inspection of governance and oversight controls in relation to insurers’ use of underwriting Managing General Agents (“MGAs”), which is regarded as the outsourcing of a ‘critical or important’ function or activity. The Central Bank found that the outsourcing procedures applied in respect of underwriting MGAs were below the required standard. For example, in some cases, the risk arising from delegating underwriting authority to MGAs was not separately identified in the Risk Appetite Statement or ORSA; the roles and responsibilities in relation to onboarding and ongoing MGA due diligence were not adequately documented; and it was not clear whether the MGA’s reputation and culture were assessed as part of the onboarding due diligence, or how MGAs were monitored on an ongoing basis.
Additionally, the Central Bank noted in its Insurance Newsletter of December 2022 that, during its 2022 risk assessment and scanning process, one of the key sectoral risks it identified for (re)insurers in Ireland was operational risk, including outsourcing risks arising from a significant reliance by some insurers on third-party or group support for key activities. The Central Bank noted that these risks are exacerbated by a lack of appropriate governance and oversight arrangements to monitor the activities of outsourced service providers.
Summary of Expectations
How the Central Bank expects firms to effectively manage outsourcing risks can be summarised as follows:
- Firms are expected to have a defined methodology for determining the ‘Criticality or Importance’ of a function or activity being outsourced.
- Intragroup outsourcing arrangements are to be treated the same as external third-party providers when conducting outsourcing risk assessments.
- “Delegation” and “Outsourcing” are not considered to be different concepts and delegated arrangements are to be treated with the same onerous due diligence, oversight and monitoring as for other outsourcing arrangements.
- Boards and Senior Management are expected to be heavily involved in the governance of outsourcing arrangements and to have well defined roles and responsibilities to evidence this.
- All firms must have a documented Outsourcing Strategy and Outsourcing Policy which are aligned to their business strategy, business model, risk appetite and risk management framework.
- An Outsourcing Register should be created and maintained by all firms to enable centralised oversight and management of all outsourcing arrangements. All regulated firms with a PRISM impact rating of Medium Low or above (or its equivalent) are required to submit their completed Outsourcing Register reporting template to the Central Bank via the Online Reporting System.
- Firms’ existing risk management frameworks should appropriately consider and capture all outsourcing risks associated with proposed or existing outsourcing arrangements. Outsourcing Risk Assessments must be conducted for any proposed outsourcing arrangement and tailored to take account of all relevant outsourcing risks.
- Due diligence must be completed both prior to the appointment of third-party or intra-group providers and periodically throughout the lifecycle of a contract.
- All arrangements must be governed by Contractual Arrangements which are supported by Service Level Agreements (SLAs). The contractual agreement should include termination rights as well as access, information and audit rights.
- All firms should have appropriate mechanisms in place to enable ongoing monitoring (by the first line of defence) and oversight (by the second line of defence) of the appropriateness and performance of their outsourcing arrangements, as well as Internal Audit reviews and, where appropriate, independent third-party reviews.
- Disaster Recovery and Business Continuity Management should be considered and defined for all outsourced arrangements. A viable and tested exit strategy should also be in place for all existing outsourced providers, in the event of an unexpected termination of the arrangement.
- Firms must notify the Central Bank of proposed critical or important outsourced arrangements and of any material changes to existing critical or important outsourcing arrangements.
How we can help
KPMG have a dedicated Insurance Regulatory team with deep sector knowledge and experience reviewing the Outsourcing Risk Management frameworks of Low to High Impact life and non-life (re)insurance firms. The Insurance Regulatory team has access to the expertise and support of KPMG Subject Matter Experts on ESG, data protection, information technology, cyber security, anti-money laundering, financial and conduct risks.
We can help as follows:
- Examine your outsourcing framework to ensure it is operating effectively and in line with your outsourcing strategy, policy and risk appetite, as well as regulatory requirements and expectations.
- Review all your outsourcing arrangements to ensure they have been correctly classified in line with the firm’s methodology for the assessment of “criticality and importance”.
- Review the accuracy and currency of your outsourcing register, as well as the procedures in place to ensure it is being appropriately maintained.
- Review and comment on the adequacy and appropriateness of the firm’s outsourcing risk assessment and how it is being applied to specific outsourcing arrangements.
- Examine the effectiveness of the oversight and direction of the board, senior management and any relevant committees in respect of outsourcing.
- Examine the effectiveness of the firm’s ongoing management and monitoring of the firm’s outsourcing arrangements.
Get in touch
If you have any queries on outsourcing risk for your company, please contact our team below. We'd be delighted to hear from you.
Brian Morrissey
Partner, Head of Insurance & Actuarial
KPMG in Ireland
John O'Donnell
Director
KPMG in Ireland