Guidance Note for Licensed Insurers on Outsourcing

Guidance Note for Licensed Insurers on Outsourcing

1. The Finance Sector Code of Corporate Governance (Principle 16 of Appendix 3) states that an “insurer is required to retain at least the same degree of oversight of, and accountability for, any outsourced material activity or function (such as a control function) as applies to non-outsourced activities or functions.” This note provides guidance on the Commission’s expectations of licensed insurers in respect of outsourcing. Licensed insurers who fall within the definition of financial services business in paragraph 22 of Schedule 1 to the Criminal Justice (Proceeds of Crime) (Bailiwick of Guernsey) Law, 1999 should also have regard to the rules and guidance the Commission has issued on outsourcing contained in the Handbook on Countering Financial Crime and Terrorist Financing. The guidance in this note does not alter or change the insurer’s obligations to ensure that it complies with the rules issued by the Commission on outsourcing to manage and mitigate money laundering and terrorist financing risks.
2. For the sake of clarity, it is the Commission’s expectation that the following guidance applies to any entity licensed under Insurance Business (Bailiwick of Guernsey) Law, 2002, as amended, (“the Law”) where functions are outsourced to either entities within the same group or third parties, both within the Bailiwick and outside the Bailiwick.
3. Outsourcing should not materially increase risk to the insurer or materially adversely affect the insurer’s ability to manage its risks and meet its legal and regulatory obligations.
4. The Board and where appropriate, Senior Management remain responsible in respect of functions or activities that are outsourced.
5. The Board should have review and approval processes for outsourcing of any material activity or function and to verify, before approving, that there was an appropriate assessment of the risks, as well as an assessment of the ability of the insurer’s risk management and internal controls to manage them effectively in respect of business continuity. The assessment should take into account to what extent the insurer’s risk profile and business continuity could be affected by the outsourcing arrangement.
6. Insurers which outsource any material activity or function should have in place an appropriate policy for this purpose, setting out the internal review and approvals required and providing guidance on the contractual and other risk issues to consider. This includes considering, given the size, nature and complexity of the insurer, the appropriateness of limits being placed on the overall level of outsourced activities and/or on the number of activities that should be outsourced to the same service provider.
7. Outsourcing relationships should be governed by written contracts that clearly describe all material aspects of the outsourcing arrangement, including the rights, responsibilities and expectations of all parties. When entering into or varying an outsourcing arrangement, the Board and where appropriate, Senior Management should consider, among other things:  how the insurer’s risk profile and business continuity will be affected by the outsourcing;

 the service provider’s governance, risk management and internal controls and its ability to comply with applicable laws and with regulations;  the service providers’ service capability and financial viability; and  succession issues to ensure a smooth transition when ending or varying an outsourcing arrangement. 8. In choosing an outsourcing provider, the Board or where appropriate, Senior Management should satisfy themselves as to the expertise, knowledge and skills of such provider. 9. Outsourcing arrangements should be subject to periodic reviews. Periodic reports should be made to - the Board and where appropriate, Senior Management. Published – 12 July 2018