2024-02-07

Joint Standard on Outsourcing by Insurers

The Financial Sector Conduct Authority and Prudential Authority issued this consultation report to finalize regulatory requirements for insurer outsourcing arrangements. The amended Joint Standard mandates compliance within six months of commencement, extends a 24-month or renewal-based transition for prior contracts, and broadens the definition of service providers to encompass all material outsourcing functions. Stakeholder feedback prompted clarifications on Board oversight, remuneration criteria, binder arrangements, and consistent governance expectations for highly outsourced linked insurers.


South Africa

Financial Sector Conduct Authority


Joint Standard on Outsourcing for Insurers Consultation Report November 2022


  1. Purpose

  1.1 Section 104 of the Financial Sector Regulation Act, 2017 (Act No. 9 of 2017) (FSR Act) states that with each regulatory instrument, the maker must publish a consultation report which must include:
  (a) a general account of the issues raised in the submissions made during the consultation; and
  (b) a response to the issues raised in the submissions.

  1.2 The purpose of this document is to set out, as required in terms of section 104 of the FSR Act, a report on the consultation process undertaken in respect of the Joint Standard on Outsourcing for Insurers.
  2. Summary of consultation process and general account of issues raised

  2.1 On 8 September 2021, the Financial Sector Conduct Authority and Prudential Authority (hereafter jointly referred to as “the Authorities”) published the following documents for public comment, with comments being due on 26 October 2021:
  (a) Notice inviting submissions in relation to the draft Joint Standard (Joint Standard);
  (b) draft Statement explaining the need for, intended operation and expected impact of the proposed Joint Standard;
  (c) the draft Joint Standard: Outsourcing by Insurers;
  (d) comments submission template; and
  (e) questionnaire on the Joint Standard.

  2.2 The Authorities received over 100 comments from 12 respondents. Following the public consultation process, where appropriate, certain comments resulted in changes being made to the Joint Standard by the Authorities. The changes were not deemed to be material.

  2.3 A general account of issues raised during the consultation process and the response of the Authorities are tabulated below:

Area: Commencement of the Joint Standard as well as the effective date
Summary of comment: Concerns were raised in respect of the commencement date.
Response from the Authorities: The Joint Standard has been amended to provide that “an insurer must comply with this Joint Standard within six months from the commencement date…”

Area: Prior outsourcing arrangements
Summary of comment: Commentators were of the view that the requirement that any outsourcing arrangement entered into before this joint standard must comply with this is not practical and contrary to the general rules of interpretation.
Response from the Authorities: The Authorities noted the comments regarding prior outsourcing arrangements and agree with comments. Accordingly, the Joint Standard has been amended to provide, “Any outsourcing arrangement entered into prior to the commencement date of this Joint Standard must be compliant: (a) within 24 months from effective date; or (b) upon renewal or renegotiation of the outsourcing arrangement, whichever comes first.” The Authorities are of the view that the revised wording in paragraph 1.2 reflects to some extent the concerns that were expressed by industry in this regard and is akin to a grandfathering provision.

Area: Definition of service provider
Summary of comment: Commentators requested that it is made clear that the definition of “service provider” excludes intra-group outsourcing arrangements. A further concern was that the definition differs from that provided in the Policyholder Protection Rules.
Response from the Authorities: The Authorities disagreed with this proposal. The definition of “service provider” has been deliberately crafted to account for and align with the Joint Standard’s broadened scope in recognizing the risk of all outsourcing arrangements which have the potential to exacerbate risk. The definition of “service provider” in the Joint Standard is broader and encompasses all outsourcing arrangements implemented by an insurer, which is not restricted to just marketing, distribution, administration or provisions of policies or related services. This definition is therefore expansive and aligned with the intent of the Joint Standard.

Area: Roles and responsibilities of the Board
Summary of comment: Commentators opined that this clause is considered too operational and particularly onerous for the Board if the expanded application of this standard to outsourced activities were to be retained, as it is not ordinarily the function of the board to review or approve terminations.
Response from the Authorities: The Authorities disagree with this view. The Board has always retained responsibility for outsourcing arrangements. The amendments merely seek to reinforce this responsibility through a granular principal exposition of what this responsibility entails. The amended provision is not intended to replace the onus on the control function to review material outsourcing.

Area: Remuneration must be reasonable and commensurate
Summary of comment: Commentators contended that it would be useful for the Authorities to provide guidelines around the terminology ‘reasonable and commensurate’ in relation to remuneration, as it is clear that this potentially has different meanings to different people.
Response from the Authorities: The terminology must be read and understood in the context of the Joint Standard, i.e. that remuneration must be reasonable and commensurate with the actual function outsourced; must result in efficiencies for the insurer; not impede the delivery of fair outcomes to policyholders; and not be linked to the monetary value of insurance claims repudiated, paid, not paid or partially paid. Essentially, it should be cheaper to outsource than to do the functions in-house, or the outsourcing leads to better outcomes as the outsourced partner has unique skills and knowledge that make them more efficient.

Area: Binder arrangements and intermediary services
Summary of comment: Commentators submitted that the term outsourcing should be clearly defined to avoid any uncertainty, considering it should be distinguished from activities such as intermediary services and binder arrangements, which adds to the complexity. Commentators contended that the scope should be aligned to the intention of the Joint Standard and that the application should be limited to outsourcing arrangements involving contracting for the external provision of a service or activity which would normally be performed by the insurer.
Response from the Authorities: The Authorities appreciate the complexity of outsourcing arrangements. However, the intention of the Standard is that all material functions, whether core or non-core insurance activities, but material to the entity, should be regulated under the outsourcing standard. The Authorities are of the view that, although binder arrangements are a form of outsourcing, the functions performed by parties to a binder agreement and intermediary services are different from a material outsourcing arrangement. The Binder Regulations clearly and sufficiently deal with binder arrangements.

Area: Linked insurers
Summary of comment: Commentators submitted that this provision is problematic for linked insurers, many of whom outsource all their business functions, and could place the linked insurer business model at risk. It was submitted that the wording should not be so prescriptive and that it should be more principle based for the Board to decide on.
Response from the Authorities: The Authorities acknowledge the comments; however, they do not believe that there should be different rules for linked insurers. If an insurer has elected a highly outsourced model, then it must have the appropriate governance requirements in place to mitigate those risks effectively. If the Authorities have similar expectations of insurers with highly outsourced models and cell captives, then it follows that a consistent approach must be followed with linked insurers. As linked insurers are basically almost 100% outsourced, they are a higher risk and should do more monitoring than any other insurer and not be excluded from the operation of this Standard.

Joint Standard on Outsourcing for Insurers – Commentators and full set of comments

SCHEDULE

Commentators (acronym)

  1. Association for Savings and Investment South Africa (ASISA)
  2. Aurora Insurance Company Limited (Aurora)
  3. Banking Association of South Africa (BASA)
  4. Export Credit Insurance Corporation (ECIC)
  5. Financial Intermediaries Association of Southern Africa (FIA)
  6. Momentum Metropolitan Holdings Limited (MMH)
  7. Munich Reinsurance Company of Africa Limited (Munich RE)
  8. OUTsurance (OUTsurance)
  9. PSG Konsult (PSG)
  10. Standard Insurance Limited (SIL)
  11. South African Insurance Association (SAIA)
  12. Willis South Africa (Willis)

SECTION A - DETAILS OF COMMENTATORS

SECTION B – COMMENT ON DRAFT JOINT STANDARD – OUTSOURCING BY INSURERS

Item | Commentator | Paragraph of the Standard | Comment | Authorities’ Response

COMMENTS ON STANDARD

1. Commencement

Item 1 | ASISA | 1.1 and 1.2
Comment: The effective date and commencement date appear to be used interchangeably. If the effective date is to be a separate date to commencement date a definition should be inserted to make the distinction clear.
Authorities’ Response: Comments noted. See comments below at item 2.

Item 2 | PSG | 1.1, 1.2 and 1.3
Comment: What is the difference between commencement date and effective date? Is the effective date 6 months after the commencement date?
Authorities’ Response: See comments below at item 5. Joint Standard has been amended to “an insurer must comply with this Joint Standard within six months from the commencement date…”

Item 3 | OUTsurance | 1.2
Comment: Should the comments noted below regarding:
• the broadened scope due to the definition of outsourced arrangements coupled with the reference to “activities normally performed by an insurer” being omitted in the proposed Joint Standard [See comment under 4.1]
• as well as additional requirements introduced around due diligence requirements proposed on all outsourcing arrangements [See comment under 6.3]
not be accepted by the Authorities, which we strongly oppose due to the reasons set out below, it is our submission that the period of one year allowed for compliance of arrangements entered into prior to the effective date is not realistic considering that all arrangements would need to be reconsidered against the new requirements.
Authorities’ Response: Comments noted. Most of the requirements provided for in the Joint Standard are already applicable in terms of Prudential Standard GOI 5: Outsourcing by Insurers. Similarly, the Prudential Standard GOI 5: Outsourcing by Insurers mirrored most of the requirements that were applicable in the now repealed Directive 159 made under the Short-term Insurance Act. Notwithstanding, the Joint Standard has been amended accordingly. See comments below at item 5. Comments noted. See comments below at item 4. Also please see comment above at item 2 on the compliance period of one year and further responses to 4.1 and 6.3 below at items 4 and 5.

Item 4 | SAIA | 1.2
Comment:
a) The rationale for requiring a Joint standard for only insurers is uncertain. Outsourcing in banks creates more significant risk due to macro-prudential issues. The current Prudential Standard GOI 5 addresses the risks posed from outsourcing by insurers. Therefore, it is requested that harmonisation be undertaken across the financial sector, including other participants such as banks and not just insurers.
b) Clarity is sought as to the effective date in 1.2 vs the commencement date referred to in 1.3.
c) The requirement that any outsourcing arrangement entered into before this joint standard must comply with this is not practical and contrary to the general rules of interpretation. A more practical approach is for any new outsourcing arrangement or any outsourcing arrangement that is subject to renewal once the Joint Standard is in place to comply and existing arrangements are subject to the GOI5 until termination or renewal.
Authorities’ Response: The Authorities are cognisant of developments internationally in this regard and with specific reference to banks relating to outsourcing. The Authorities have detailed in the Statement of Need and expected Impact concerns that have arisen relative to the complexity of outsourcing arrangements where such complexity has the ability to exacerbate risk specifically where activities or functions are outsourced to service providers who may not be regulated. To this end the Authorities have highlighted the global financial crisis and the weakness inherent in the governance frameworks of financial institutions as backdrop to compliance failures in South Africa that have highlighted risks in business models of insurers where outsourcing of a significant portion of an insurer’s material functions is a key strategy. The Authorities have also noted the nuances in outsourcing arrangements between banks and insurers that import different risks to these institutions.
The Authorities have furthermore specified the need in paragraph 3.4 of the Statement of need for and intended operation of the rationale for this Joint Standard i.e. …. “there is a need to expand the current outsourcing regulatory framework beyond GOI 5, in order to provide an appropriate and comprehensive regulatory framework governing outsourcing by insurers from both a prudential and conduct perspective.” The Joint Outsourcing Standard is therefore a stop gap measure that will be harmonised in the future and through additional planned regulatory instruments such as the Joint Governance Standard.
See comments above at items 2 and 3.
Agree with comments, Joint Standard has been amended to provide, “Any outsourcing arrangement entered into prior to the effective date of this Joint Standard must be compliant with this Joint Standard: (a) within 24 months from effective date; or (b) upon renewal or renegotiation; whichever comes first.” See comment below on the impracticality of dual prudential standards in addition to paragraph 3.5 in the Statement of need and expected impact relating to the rationale for a single joint standard. To this end the Authorities have resolved to issue a joint standard against which outsourcing requirements can be applied uniformly in a single instrument. This approach ensures that each Authority may assess ongoing compliance with the joint outsourcing standard in pursuit of their own objectives as per the “twin peaks” regulatory regime.

Item 5 | FIA | 1.2
Comment: Should this refer to ‘commencement date’ rather than ‘effective date’? If there is a distinction, please clarify.
Authorities’ Response: Comments noted, see item 2 and 4 above. The Joint Standard comes into effect 6 months from date of publication. Secondly, all prior arrangements must comply with the Joint Standard within the timeframes provided for in the Joint Standard.

Item 6 | PSG | 1.2
Comment: Placing a requirement on existing outsourcing agreements to be renegotiated is very onerous and could create a systemic risk. It is recommended that application should be required upon renewal or renegotiation. If all existing outsourcing agreements need to comply, a substantially longer timeframe of 60 months should be provided.
Authorities’ Response: Agree, see items 4 and 5 above and amendments made to the Joint Standard.

Item 7 | Aurora | 1.2
Comment: Kindly provide clarity herein – does this mean for example the Insurer will retrospectively need to submit a confirmation that the outsourcing arrangement is compliant with the insurer’s outsourcing policy and within the risk appetite set by the board and provide a report on the potential impact of entering into a multiple outsourcing arrangement with one service provider (e.g. 9.2 and 6.5 of this joint standard, respectively).
Authorities’ Response: The Joint Standard provides that prior to entering into any outsourcing arrangement an insurer should consider potential impact on various outsourcing arrangements and must forward confirmation that the said outsourcing arrangement is compliant with the insurer’s pre-requisites. Also see comments above at items 4 and 5.
The Joint Standard proposes to repeal, amongst others, the existing Prudential Standard on outsourcing. If the Joint Standard repeals the prudential standard and provides for a time period before the requirements in the Joint Standard takes effect, there is a risk that no requirements will apply in the interim. The intention was therefore that the requirements in the prudential standard must continue to apply up until such time as the Joint Standard is in full effect. Paragraph 1.2 addresses compliance with the Joint Outsourcing Standard where outsourcing arrangements entered into prior to the effective date are required to be in compliance with the Joint Standard within one year of the effective date. This provision essentially provides for a specified period for insurers to regularise outsourcing arrangement in accordance with this Joint Outsourcing Standard. This respective provision does not imply retrospective reporting (notification) as the arrangement would have been reported in terms of the reporting arrangements of GOI 5. The insurer in the process of regularising with the proposed Joint Standard is required to comply with the additional obligations imposed by the Joint Standard.

Item 8 | Aurora | 1.2
Comment: Would the annual monitoring assessment going forward not address this compliance with the insurer’s outsourcing policy and whether same falls within its risk appetite.
Authorities’ Response: See comments above at item 7.

Item 9 | Aurora | 1.2
Comment: Further will the retrospective application of the policy not inundate and overburden the authorities in processing these notifications?
Authorities’ Response: See comments above at item 7. Paragraph 9.1 specifically makes provision that the insurer must notify the Authority within 30 days of entering into a proposed outsourcing agreement in the prescribed form and manner. The Authorities will in due course provide details regarding prescribed reporting.

Item 10 | BASA | 1.2 and 1.3
Comment: In relation to sections 1.2 and 1.3, BASA seeks clarity as to what the effective date will be in 1.2 vs the commencement date referred to in 1.3. Depending on the response to the above, we request an opportunity to consider if the transitional periods provided will be sufficient for implementation of this Standard.
Authorities’ Response: See responses above at item 1 and 4. In order to address any unintended consequences regarding prior outsourcing arrangements, the Standard has been amended to make provision for transitional period of 24 months or upon renewal whichever comes first.

Item 11 | ASISA | 1.2 and 1.3
Comment: There is a contradiction between the terms set out in 1.2. and 1.3. The use of the word “notwithstanding” in paragraph 1.3 appears to nullify the one-year transition period allowed for in 1.2, as it says that an insurer must notwithstanding the provisions of 1.1 and 1.2 comply within 6 months of the commencement date. It is requested that this is amended to make it clear that a one-year transition period will apply from the effective date of the Standard.
Authorities’ Response: Comments noted. Firstly, the effective date applies to prior arrangements. Secondly, an insurer has 6 months transitional period to comply with the Joint Standard. See also comments above at item 4.

Item 12 | Aurora | 1.3
Comment: Kindly clarify how this will work in practice if the above clause states any outsourcing arrangements entered into prior to this standard taking effect will need to comply within 1 year however this clause states 6 months.
Authorities’ Response: See comments above at items 4 and 11.

Item 13 | PSG | 1.3
Comment: With the current harmonisation projects there are various changes required to multiple systems and contracts. It is impossible to ensure that compliance is possible within 6 months without unintended risks within the rest of the systems.
Authorities’ Response: See comments above at items 4 and 12.

Item 14 | SAIA | 1.3
Comment: It is proposed that the timelines be aligned to the GOI 5 outsourcing of 2 years to allow for the changes to be made and embedded taking into consideration other premium collection requirements and creation of synergy/demarcation between outsourcing vs intermediary services.
Authorities’ Response: See comments above at item 12.

2. Legislative authority

No comments

3. Application

Item 15 | ASISA | 3.1
Comment: For the sake of clarity, it is suggested that the footnote is rather included in paragraph three of the Joint Standard.
Authorities’ Response: Disagree, the provision is read with the footnote and will not make the application provisions any clearer. This is a drafting consideration related to articulating core principles in the body of the instrument and utilising footnotes for additional information that supplements the principles that have been espoused. This practice is consistent with other instruments as well.

Item 16 | Aurora | 3.1
Comment: Kindly provide clarity on how this standard will have application to “designated groups”. Will this standard apply to all entities which fall within the designated insurance group or will same apply strictly to the insurance company, only?
Authorities’ Response: Please see Attachment 2. The Joint Standard applies to insurers as defined.

Item 17 | Munich RE | 3.1
Comment: This Joint Standard applies to all insurers, including microinsurers (hereinafter collectively referred to as “insurers”), licensed under the Insurance Act, other than Lloyd’s and branches of foreign reinsurers. We recommend that subsidiaries of foreign reinsurers also be excluded from having to comply to this Joint Standard.
Authorities’ Response: Comments noted. The Joint Standard does not apply to branches of foreign reinsurers.

Item 18 | PSG | 3.1
Comment: Does the joint standard apply to insurance groups and if yes, does it apply to non-insurance businesses within the group as well? The footnote on its applicability should be in the main standard and either state that it is applicable subject to the GOG or that outsourcing requirements for Insurance Groups will be set in the GOG. The FSCA has indicated that a harmonisation project will be implemented as phase 1 of the COFI process. We question whether a joint standard only applicable to insurers should be drafted and whether the standard shouldn’t from the start be applicable to the whole industry to ensure it is suitable for all sectors and properly harmonised. Why are Lloyd’s and foreign reinsurers excluded? Are the risks not the same?
Authorities’ Response: The Joint Standard specifically indicates that it applies to all insurers including micro-insurers other than Lloyd’s and branches of foreign insurers. If there are groups of entities that are insurers, the Joint Standard applies to insurance groups. Lloyd’s operate under special statutory dispensation in terms of section 24 of the Insurance Act. Please see consequential amendments to the GOL in attachment 2 of the Joint Standard.

Item 19 | Munich RE | 3.2
Comment: Recommend that a section be included under application, addressing multinational insurers/reinsurers who have a parent company offshore. Parent companies in a different jurisdiction have local regulatory requirements that need to be complied such as German laws on Outsourcing and Fit and Proper (Key Persons) which is then implemented and require compliance by their subsidiaries and branches across the different geographical regions. It is not clear what the requirements would be for ‘insourcing’ arrangement. It is onerous to apply the requirements in a similar manner where services are provided by controlling company to a subsidiary.
Authorities’ Response: The Joint Standard clarifies that any arrangement for the service/activity done by an insurer’s controlling company, its subsidiaries, or a related or inter-related party is an outsourcing arrangement. The governance arrangements should ensure that the decisions of the affiliated entities do not impair the ability of the insurer to manage its risk, meet its legal and regulatory obligations and are not detrimental to the fair treatment of policyholders.

4. Definitions and interpretation

Item 20 | Munich RE | 4.1 “due diligence”
Comment: Recommend that a definition be provided for “due diligence”.
Authorities’ Response: Disagree. Where a word has not been defined, the rules of interpretation apply i.e. the ordinary and grammatical meaning of due diligence will apply. The Authorities cannot prescribe a precise definition for the process nor the parameters for a due diligence exercise. We have deliberately referenced appropriate due diligence in paragraph 6.3 to afford the insurer the flexibility to act within its own risk tolerances in assessing the level of due diligence that would need to be applied.

Item 21 | ASISA | 4.1 “insurance business”
Comment: Include definition of ‘insurance business’. It is suggested that a definition of “insurance business” is included to cater for the proposed amendments to the definition of “Material Function”: ‘insurance business’ shall have the meaning assigned to ‘insurance business’ in the Insurance Act. Suggest that the Authorities incorporate the following amendments to the definition of “Insurance Act” - means the Insurance Act, 2017 (Act No.18 of 2017) and any word or expression to which a meaning has been assigned in the Act shall have the meaning so assigned to it, unless a different meaning is assigned elsewhere in this Joint Standard.
Authorities’ Response: Agree, see amendments made to the Joint Standard, although the definition of “insurance business” is potentially restrictive and refers to life and non-life insurance business which will limit the scope of application of the Joint Standard as it is then circumscribed by the definition of life and non-life business which relate only to “insurance obligations” and not any other business that an insurer conducts i.e. in terms of section 5.4 of the Insurance Act, 2017 and that could be the subject of outsourcing arrangements. Please see comments in relation to core and non-core insurance business below in response to comments from Munich Re on material outsourcing below.

Item 22 | Munich RE | 4.1 “material outsourcing”
Comment: Recommend that a definition be provided for “material outsourcing”. There should be a clear distinction between outsourcing for non-insurance related activities such as IT and marketing and material outsourcing for activities which would generally be performed by the insurer/reinsurer (core insurance business).
Authorities’ Response: The Authorities are not in agreement with this proposal. The risk of an outsourcing arrangement, it is submitted, does not turn on nor is distinguished by “non-insurance related activities” and “core insurance business” but rather on material functions (as defined in the Joint Standard) outsourced activities and that may import risk to the insurer. Such activities can be either core or non-core and may import risk where outsourcing arrangements are in place. We cannot pre-judge what the insurer’s risk appetite nor what its assessment of materiality will be as we are mindful that these factors will vary per insurer.

Item 23 | Aurora | 4.1 “material function”
Comment: Material functions – this definition is wide. Will it be a subjective test and will the insurer be required to demonstrate what outsourced functions it deems material?
Authorities’ Response: The decision for assessing whether an insurer’s business activity or function is material rests with the insurer. The definition of “material functions” must be read in this context with section 8 of the Joint Outsourcing Standards that identify objective criteria in assessing whether a function or activity is material. Adherence to these assessment criteria would be demonstrative to the Authorities of due consideration on the specific function or activity.

Item 24 | ASISA | 4.1 “material function”
Comment: An amendment to the definition to include the term “insurance business” is proposed as it is preferable to use the defined term, where possible. Please see the comment above about including the definition of “insurance business” in the Joint Standard. It is also proposed that the definition refers to material function or activity to make it clear that the Joint Standard applies to the outsourcing of material functions or material activities as opposed to the outsourcing of all functions or activities. “material function” “means a material function or material activity relating to an insurer’s business the conduct of insurance business by the insurer that has the potential to have a significant impact on the insurer’s business operations of the insurer’s insurance business or its ability to manage risks effectively, should it be disrupted; In addition, it is proposed that wherever the Joint Standard refers to outsourcing it must say “of a material function” and that the defined term “material function” should be used in the Joint Standard instead of referring to “functions or activities” e.g. paragraph 7.2.
Authorities’ Response: Disagree. The definition of material function is a reflection of the intention of the draft Joint Outsourcing standard in that it references all functions or activities that may import risk to the insurer measured against a set of materiality criteria. This is the crux of the rationale behind the proposed joint outsourcing standard and the Authorities’ intention to broaden the scope of the Joint Standard relative to GOI 5.

16 Item Commentator Paragraph of the Standard Comment Authorities’ Response 25. Aurora 4.1 “material function” Currently the GOI’s note that the head functions are deemed material functions. Will the Authorities be providing a list of additional functions that they perceive to be material? See comments below at item 8 as well as paragraph 8 of the Joint Standard. Material function is defined in the Joint Standard as “function or activity relating to an insurer’s business that has the potential to have a significant impact on the insurer’s business operations or its ability to manage its risks effectively, should it be disrupted”. The Authority will not provide a list of additional functions perceived to be material as the responsibility for assessing whether a business activity or function is material rests with the insurer The definition of “material function” provides an implicit discretion for the insurer to determine what such a function is. This discretion is informed by objective criterion that have been referenced in section 8.1 of the Joint Standard. The Authorities do not intend to provide an exhaustive list of additional functions deemed to be material. Such a list will be impractical and may require review and amendment on an annual basis. Such an approach is counterintuitive to the principles-based approach to outsourcing as articulated in section 6 of the Joint Outsourcing Standard. 26. Aurora 4.1 “material function” Material functions – do the authorities deem intermediaries to be a material outsourced function? See comments below at item 27. Material function is defined in the Standard as “function or activity relating to an insurer’s business that has the potential to have a significant impact on the insurer’s business operations or its ability to

17 Item Commentator Paragraph of the Standard Comment Authorities’ Response manage its risks effectively, should it be disrupted.” The responsibility for assessing whether a business activity or function is material rests with the insurer. It should be noted that “outsourced” as defined in the LTI Policyholder Protection Rules excludes intermediary services. 27. MMH 4.1 “material function” “material function” We need more clarity on what constitutes outsourcing, e.g. emergency services provider or salvage provider? Material function is defined in the Joint Standard as “function or activity relating to an insurer’s business that has the potential to have a significant impact on the insurer’s business operations or its ability to manage its risks effectively, should it be disrupted.” Further, paragraph 8 of the Joint Standard provides what constitutes material outsourcing arrangements. The responsibility for assessing whether a business activity or function is material rests with the insurer. The Standard is principles based. The materiality assessment as specified in section 8 of the standard must be applied in determining the materiality of the function or activity. See comments above at item 26. 28. PSG 4.1 “material function” The definition of “material function” adds no clarity and at best leads to a result where an insurer’s assessment of materiality differs from that of the Regulator, who See comments above at item 27 as well as paragraph 8 of the Joint Standard. Material function is defined in the Joint Standard as “a function or activity relating to an insurer’s

might only make that assessment after the event when the determination of materiality is moot. It is not clear whether materiality is limited to insurance functions only. Does it include functions such as marketing and intermediation as well? In an insurance group the functions being outsourced and the materiality could differ significantly. The kind of functions that could be deemed to be material that are being outsourced is vast. It is unclear if the joint standard is supposed to include all of these arrangements, such as IT, etc. It is recommended that the Regulator refers to core functions rather than material functions and list the intended functions or at least examples of such functions. We suggest that the requirements for outsourcing arrangements are divided between material outsourcing of core functions, non-material outsourcing of core functions, material outsourcing of non-core functions and non-material outsourcing of non-core functions. business that has the potential to have a significant impact on the insurer’s business operations or its ability to manage its risks effectively, should it be disrupted.” The Joint Standard and many other instruments are written in an outcome and principles based manner and are not designed to be prescriptive. The Joint Standard must be applied in accordance with the nature, size and complexity of an entity. In this light, the Authorities cannot provide a list of intended functions. This will be counter to the proportionate and principles-based framework. The complexity of outsourcing arrangements also has the potential to exacerbate risk, and impact on the ability of a regulated financial institution to manage and monitor its own compliance with regulatory requirements. This is not necessarily restricted to core or non-core material functions or activities performed by the insurer. Core and non-core material functions are irrelevant descriptors in this context. What is relevant is the risk that is introduced by the outsourcing arrangement and the materiality of the risk as assessed in terms of section 8 to the outsourcing standard.

29. SAIA 4.1 “material function” a) The industry is of the view that the definition of material function precludes/restricts the assessment that insurers carry out. It is therefore suggested that this definition be deleted, as Section 8 of the draft Standard provides adequate clarity on the application of the word “material”. By doing so, it becomes more prescriptive when The definition of “material function” and the assessment criteria in section 8 of the draft joint standard are interlinked. To this end the definition of “material function” sets out the inherent nature of a “material function” which materiality is subsequently assessed in terms of section 8 of the joint standard. The Authorities disagree with

insurers assess the materiality of the function/activity. Outsourced as defined in the LTI PPR excludes intermediary services. b) The (definition) fact that created the definition pulls a lot of the business activities or potential business activities into that definition, making those functions that we have not deemed material back into the definition. It has the potential of making a significant impact. The definition is wide enough to include those we have excluded. We are of the view that this contradicts the purpose of the standard because it effectively defines material functions. In contrast, the standard intends to empower insurers to define material functions for themselves. The provision appears to be more prescriptive, thus moving away from the intention of being more principles-based than rules-based in regulation. c) The definition also uses the word “significant”, thereby negating the value of the definition in providing additional clarity as to the meaning of “material”. In other words, the word “significant” equally requires clarification. It is proposed that this definition be deleted from the standard to enable the insurer to decide for themselves in their businesses what constitutes a material function. the proposed deletion of the definition of “material function.” The definition of material function is integral to the materiality considerations and is the figurative “key” to the rationale of the draft joint standard. The draft joint standard represents a shift away from the “one-dimensional” approach to outsourcing arrangements as circumscribed in GOI 5 and recognises the risk (conduct included) that is inherent potentially in all outsourcing arrangements. The materiality of such risk is then assessed in terms of section 8 of the Joint Standard.

30. Willis 4.1 “material function” Based on this new definition, what would happen to current outsourced arrangements that are in place where the outsourced activity or activities when assessed by the Insurer according to the principles The board approved policy in 6.1 in accordance with the Joint Standard will have to provide for the activity or function that is material.

noted in Paragraph 6 are no longer deemed a material function? Please see Authorities comments to Aurora Life above re the compliance period specified in section 1.2 of the Joint Standard above. Paragraph 1.2 addresses compliance with the Joint Outsourcing Standard where outsourcing arrangements entered into prior to the effective date are required to be in compliance with the Joint Standard within one year of the effective date. This provision essentially provides for a period of one year for insurers to regularise outsourcing arrangements in accordance with this Joint Outsourcing Standard. This respective provision does not imply retrospective reporting (notification) as the arrangement would have been reported in terms of the reporting arrangements of GOI 5. The insurer in the process of regularising with the proposed Joint Standard is required to comply with the additional obligations imposed by the Joint Standard.

31. BASA 4.1 “outsourcing” There is no definition of “outsourcing” provided. It is recommended that a definition be added to reference the definition of outsourcing in the Financial Sector Regulation Act 9 of 2017 (FSR Act) for alignment purposes. BASA therefore proposes the addition of the following definition: “outsourcing” refers to the definition of outsourcing in the Financial Sector Regulation Act 9 of 2017 (FSR Act)” Disagree, the Joint Standard provides that any word or expression to which a meaning has been assigned in the FSR Act shall have the meaning so assigned.

32. SAIA 4.1 “outsourcing arrangement” a) The FSCA is requested to define what is deemed to be outsourcing and what constitutes outsourcing for multinationals. b) For the sake of completeness, we suggest that the following is included: "outsourcing arrangement" has the meaning assigned to such a term in defined under Section 1 of the Financial Sector Regulation Act. Similarly, “outsourcing” means an outsourcing arrangement as defined in section 1 of the Financial Sector Regulation Act. The Joint Standard clarifies that any arrangement for the service/activity done by an insurer’s controlling company, its subsidiaries, or a related or inter-related party is an outsourcing arrangement. The governance arrangements should ensure that the decisions of the affiliated entities do not impair the ability of the insurer to manage its risk, meet its legal and regulatory obligations and are not detrimental to the fair treatment of policyholders. See comments above at item 31.

33. SAIA 4.1 “outsourcing” a) Considering the definition of outsourced arrangements, it does not appear to assist in limiting the application of the scope of the proposed Joint Standard. b) It is concerning how vast the application could be in the context of service providers used by IT, Marketing, procurement, finance, claims which service providers could all be “integral (vital/essential/important) to the nature of the service/product”. We note that this expansion would result in unintended consequences. Although we support the fact that material outsourced arrangements of functions generally performed by an insurer require high levels of governance and oversight by the insurer and the Authorities, we are of the view that this is not the case for functions not normally being performed by the insurer. It is our submission that the risks being managed would apply to the outsourcing arrangements related to the core insurance business. Please see the Authorities comments above at item 28. The complexity of outsourcing arrangements also has the potential to exacerbate risk, and impact on the ability of a regulated financial institution to manage and monitor its own compliance with regulatory requirements. This is not necessarily restricted to core or non-core material functions or activities performed by the insurer. Core and non-core material functions are irrelevant descriptors in this context. What is relevant is the risk that is introduced by the outsourcing arrangement and the materiality of the risk as assessed in terms of section 8 to the outsourcing standard. Please see Authorities response below at item 35 on rationale for the definition of “service provider”.

We recommend the replacement of “service provider” with “outsourced service provider”, as the terminology service provider applies to entities that provide services to the insurer. (also refer to 7.3 below).

34. OUTsurance 4.1 “outsourcing arrangement” We take note of the fact that any word or expression to which a meaning has been assigned in the Financial Sector Regulation Act shall have the meaning so assigned to it, unless a different meaning is assigned elsewhere in this Joint Standard. The definition of outsourcing arrangement is currently defined as follows in the Financial Sector Regulation Act: “outsourcing arrangement”, in relation to a financial institution, means an arrangement between a financial institution and another person for the provision to or for the financial institution of any of the following: (a) A control function; (b) a function that a financial sector law requires to be performed or requires to be performed in a particular way or by a particular person; and (c) a function that is integral to the nature of a financial product or financial service that the financial institution provides, or is integral to the nature of the market infrastructure, but does not include— See comments above at item 33.

(i) a contract of employment between the financial institution and a person referred to in paragraph (a) or (b) of the definition of “staff member”; or (ii) an arrangement between a financial institution and a person for the person to act as a representative of the financial institution; If the above definition is unpacked it would appear as if the introduction of this definition read together with the omission of the clause 4.1 in GOI 5 which provides that an outsourcing arrangement involves contracting for the external provision of a service or activity, which would normally be performed by the insurer. We noted that the reference to the fact that outsourcing involves contracting for the external provision of a service or activity, which would normally be performed by the insurer, has been omitted. Our interpretation of this is that outsourcing would apply to any activity, which is material based on the prescribed criteria, even if it relates to an activity which would not normally be performed by the insurer itself. Based on our interpretation above, it appears that the scope of the Joint Standard has been widened. Considering the definition of outsourced arrangements, it does not appear to assist in limiting the application of the scope of the proposed Joint Standard. We are particularly concerned about how wide the application could be in the context of service providers used by IT, Marketing, procurement, finance, claims which service providers could all be “integral (vital/essential/important) to the nature of the service/product”. Agree with the comment. Agree with comment. Comments noted. 
The Authorities do not envisage that they will introduce requirements on service providers or 3rd parties that are not currently supervised by the Authorities and it should be noted that the onus is placed on the insurer to remain accountable and responsible for outsourcing to the third party or service provider.

It is our submission that this expansion would result in unintended consequences. Although we support the fact that material outsourced arrangements of functions normally performed by an insurer require high levels of governance and oversight by the insurer and the Authorities, we are of the view that this is not the case for functions not normally being performed by the insurer. It is our submission that the risks being managed would apply to the outsourcing arrangements related to core insurance business. We foresee the following consequences should the Authorities proceed to omit this section for the proposed Joint Standard:

• From a commercial perspective, this could make negotiations difficult in order to enter into these arrangements, due to the regulatory intrusiveness and would result in insurers being placed in a competitive disadvantaged position to obtain essential services required to run any business activities. Service providers are reluctant to agree to such intrusive terms on essential insurance activities, however can currently be explained due to insurance activities being highly regulated, it would be difficult to justify such intrusive contractual arrangements where the activities are not regulated by the Authorities. This would lead to insurers not being able to source the best providers to provide outsourced services.

• The proposed requirements could have a significant impact on the time frames to negotiate and conclude these arrangements, which in turn will have a negative impact on customers.

See Authorities response to SAIA comment above on the rationale for the expansion of GOI 5 at section 1.2 above. The Authorities cannot regulate every single entity that the insurer outsources to. As the choice to outsource, is the insurer’s business decision, it follows that an insurer must bear the obligation to exercise the necessary oversight. 
The intention of the Standard is that all material functions, whether core or non-core insurance activities, but material to the entity should be regulated under the outsourcing standard – like IT and Compliance. Comments noted, notwithstanding this concern the risk introduced by outsourcing and possible unfair outcomes to financial customers necessitate this Standard. The Authorities have to balance all these factors. The minimum requirements proposed by the Standard when outsourcing, are necessary to ensure that outsourcing does not impair the prudent management of insurers’ business. Comments noted, however for the reasons stated above, these requirements are necessary.

• Management of the respective insurer might not be best positioned to manage and oversee functions not core to insurance business. Furthermore in terms of a risk-based approach it is our submission that the time and effort of management oversight should be directed and expended on material outsourcing activities affecting core insurance business. Should the scope be too broad it would result in Management time to oversee these arrangements increasing significantly, which would lead to a significant increase in Management costs and would inevitably negatively impact customers.

• In many instances, specialised external providers can offer a level of service that insurers cannot provide internally. This is to the benefit of customers due to outsourcing being both cost effective and enhancing of quality of service. We foresee a challenge to enter into cost effective and commercially competitive arrangements considering all the additional costs that would be required in order to manage and oversee business activities not unique to insurers.

• A key outcome of outsourcing is to ensure that an insurer retains responsibility for their regulatory obligations, regardless of whether or not an activity or function is being outsourced. It is our submission that the requirement for the scope of outsourcing to be extended to include non-regulatory activities would be beyond the scope of what the Authorities are mandated to oversee, as well as the intention of the outsourcing principles. It is however our submission that the term outsourcing should be clearly defined to avoid any uncertainty considering it should be distinguished from activities

Comments noted, however as stated above, as the decision to outsource, is the insurer’s business decision, it follows that an insurer must bear the obligation to exercise the necessary oversight. 
Comments noted, the outcome of outsourcing should ideally result in lower costs to customers and better efficiencies. Comments noted, as stated above it is not the Authorities’ intention to regulate every single entity that the insurer outsources to. The intention of the Standard is that all material functions, whether core or non-core insurance activities, but material to the entity should be regulated under the outsourcing standard.

such as intermediary services and binder arrangements which adds to the complexity. The scope should be aligned to the intention of what the Joint Standard aims to achieve and therefore we suggest that the application should continue to be limited to outsourcing arrangements involving contracting for the external provision of a service or activity, which would normally be performed by the insurer as provided for in terms of the GOI 5. Furthermore, in terms of the Financial Sector Regulation Act financial institution is defined as follows: “financial institution” means any of the following, other than a representative: (a) A financial product provider; (b) a financial service provider; (c) a market infrastructure; (d) a holding company of a financial conglomerate; or (e) a person licensed or required to be licensed in terms of a financial sector law; If the definition of “outsourced arrangements” is included in the Joint Standard, as currently proposed, it would appear as if the Joint Standard would be made applicable not only to insurers, but also to Financial Services Providers, which is further contradictory to what is set out in clause 1.1 of the proposed Joint Standard. Comments noted, the functions performed by parties to a binder agreement and intermediary services arrangement are different from a material outsourcing arrangement. The Binder Regulations are clear and sufficiently deal with binder arrangements. Also see comments below at item 88. Comments noted, as stated above it is not the Authorities’ intention to regulate every single entity that the insurer outsources to. The premise is that, owing to risks introduced by outsourcing arrangements, minimum governance and

oversight requirements must be complied with when outsourcing.

35. ASISA 4.1 “service provider” In line with the comment above it is requested that the defined term “material function” is used in this definition as shown below: “service provider” means a person that provides a material function or activity to or for an insurer in terms of an outsourcing arrangement.” It is requested that it is made clear that the definition of “service provider” excludes intra-group outsourcing arrangements for the reasons set out in the general comment below. Disagree. The definition of “service provider” has been deliberately crafted to account for and align with the Joint Standard’s broadened scope in recognizing the risk of all outsourcing arrangements which has the potential to exacerbate risk.

36. BASA 4.1 “service provider” We note that service provider is now defined. It is however, not defined in the current Standard GOI 5. The definition in S4.1 appears to be too wide, in that it is not limited to material functions or activities, as referenced in the Joint Communication 5 of 2021 (“The main objective of the draft Joint Standard is to set out the minimum requirements to be complied with by an insurer when outsourcing material business functions and activities to third-party service providers, to ensure that outsourcing does not impair the prudent management of an insurer's business.”). In addition, the definition refers to services provided “to” the insurers, whereas the intention may rather be to capture rendering of services “for or on behalf of” the insurer. The intention of the Standard is to cover material functions and activities that are outsourced, and in that regard, BASA recommends that the definition be amended to read as follows: Disagree. 
The definition of “service provider” has been deliberately crafted to account for and align with the Joint Standard’s broadened scope in recognizing the risk of all outsourcing arrangements which has the potential to exacerbate risk.

“Service provider” means a person that provides a material function or activity to or on behalf of for an insurer in terms of an outsourcing arrangement.”

37. MMH 4.1 “service provider” Does the definition of “service provider” also take into account an Insurer performing outsourcing functions or activities on behalf of another Insurer? Yes, the definition of “service provider” accounts for insurers performing functions or activities on behalf of another service provider.

38. PSG 4.1 “service provider” The definition of “service provider” differs from that in the Policyholder Protection Rules. Comments noted. Yes, the definition contained in the PPR defines “service provider” as follows: means any person (whether or not that person is the agent of the insurer) with whom an insurer has an arrangement relating to the marketing, distribution, administration or provision of policies or related services; The definition of “service provider” in the Joint Standard is broader and encompasses all outsourcing arrangements implemented by an insurer, which is not restricted to just marketing, distribution, administration or provisions of policies or related services. This definition is therefore expansive and aligned with the intent of the Joint Standard.

39. SAIA 4.1 “service provider” a) This definition differs from the definitions in the LTI PPR, and the Authorities are requested to consider alignment to the LTI PPRs. We recommend that a definition be added to reference the definition of outsourcing in the FSR Act. The above will make it easier for the industry to identify there is a definition in the FSR Act. It is noted that the reference to the fact that outsourcing involves See comments above at item 35 and 38.

contracting for the external provision of a service or activity, which the insurer would normally perform, has been omitted. The interpretation is that outsourcing would apply to any activity, which is material based on the prescribed criteria, even if it relates to an activity that the insurer itself would not normally perform. b) The interpretation is that outsourcing would apply to any activity, which is material based on the prescribed criteria, even if it relates to an activity that the insurer itself would not normally perform. Also, it would appear as if the introduction of this definition read together with the omission of the clause 4.1 in GOI 5 which provides that an outsourcing arrangement involves contracting for the external provision of a service or activity, which would normally be performed by the insurer. Clarification is sought if it is the Authorities’ intention to broaden outsourcing to include non-insurance related activities e.g. IT, Marketing. This is the correct interpretation of the Joint Standard. See Authorities response to Munich Re on rationale for expanding GOI 5 at paragraph 3.1 above. Please also refer to paragraph 3.4 of the Statement of need for an intended operation which provides more detail for the expansion of the scope of GOI 5. The scope of the Joint Standard will include non-insurance related activities subject to the materiality considerations of section 8.

40. SAIA 4.2 This should be aligned to the standard in any event. The interpretation section is not necessary and should be removed. This is also contrary to statutes' interpretation, which uses the "Preamble" and purpose to interpret the legislative document. This format is consistent with other regulatory standards that have been issued by the Authorities. The interpretation section to the joint standard sets out key concepts that ensure legal clarity in the body of the joint standard. The Authorities disagree with this proposal.

41. BASA General – more consistent use of definitions BASA recommends a more consistent use of definitions. In s4 “material function” is defined to mean a function or activity relating to an insurer’s business that has the potential to have a significant impact on the insurer’s See Authorities’ comments above to definition of “material function” at item 24.

business operations or its ability to manage risks effectively, should it be disrupted; Definition of “material function” vs other wording used in the Standard, for example in: “11.8 Notwithstanding section 11.6, the notification referred to in section 11.6 must also – (a) explain how the function or activity will be performed following termination of the outsourcing arrangement;” We recommend as an example that 11.8(a) read as follows: (a) explain how the material function will be performed following termination of the outsourcing arrangement;”

5. Roles and responsibilities

42. SAIA 5.2 a) This clause is considered too operational and particularly onerous for the Board if the expanded application of this standard to outsourced activities (as commented for Section 4 above) were to be retained, as it is not ordinarily the function of the board to review or approve terminations. The board can remain accountable through notification; however, the responsibility of reviewing and approving terminations should be delegated to another appropriate body (e.g. a senior management committee) within the insurer. Clarity is sought as to:

• Does this provision intend to replace the onus on the control function to review any material outsourcing?

The Authorities disagree with this view. The Board has always retained responsibility for outsourcing arrangements. The amendments merely seek to reinforce this responsibility through a granular principle exposition of what this responsibility entails. The amended provision is not intended to replace the onus on the control function to review material outsourcing.

• What was intended with "most appropriate" in (a) vs "appropriate" in (b) and (c)? A definition is requested on the right to terminate.

43. ASISA 5.2(a) Clarity is sought on what is meant by the “most appropriate control environment”. The Joint Standard imposes an obligation on an insurer to establish and maintain a most appropriate control function to review any proposed outsourcing of a material function. The “most appropriate control environments” relates to an environment that is most adept objectively in managing outsourcing risk through either single or multiple control functions, systems and processes. This relates to the insurer’s risk control environment. GOI 5 – see paragraph 2.2 – pulled through. Specific reference to internal audit or compliance or risk management.

44. Aurora 5.2(a) Kindly provide clarity on whether the authorities deem it sufficient for the compliance and risk function as the appropriate control environment or should same be an external supplier to ensure independence? The onus rests on the Board of Directors to consider what for its business is the most appropriate control environment be it the compliance and risk function or an external supplier. This must be determined by the insurer having regard to objective criteria on the efficiency and efficacy of the control function in managing the risks associated with the outsourcing arrangement.

45. PSG 5.2(a),(b) and (c) (a) refers to most appropriate, while (b) and (c) refers to appropriate? What is the time frame set to regular reviews? The time frame to be determined for regular reviews rests with the insurer as to what it considers to be “regular.” See response above at item 43 in relation to “most appropriate control environment”. The Authorities have been deliberate in not setting a time frame. A principle-based approach requires the insurer to determine the review intervals in line with the materiality of the outsourcing arrangement.

46. ASISA 5.2(b) Typing error- micro insurer should be microinsurer. Agree, see amendments made to the Standard.

47. Aurora 5.2(b) Kindly confirm if an annual review of compliance with the outsourced policy is deemed regular enough? If an insurer deems “regular” an annual review of compliance with the outsourced policy, the insurer must be able to demonstrate this. A principle-based approach requires the insurer to determine the review intervals of the policy.

48. MMH 5.2(b) Is it to the discretion of the Insurer to determine what “regularly” entails in terms of conducting reviews? Yes, see comments above at item 47.

49. ASISA 5.3 Could the Authorities indicate when they may consider it necessary for the insurer’s external auditor to provide assurance that the insurer complies with the requirements of the Joint Standard? ASISA members request that the Joint Standard should specify that a minimum of 6 months’ notice is given to insurers where this is required, as time is needed for engagement with the auditor and planning and budgeting of unexpected audit fees. An external auditor is an independent body that, if so requested will compile a reassurance that is up to date, accurate and unbiased relating to compliance with the Joint Standard. The timeframes will be subject to the engagement between the Authorities and the relevant parties. 
Therefore, it will be prescriptive and inflexible to determine such time frame in this Joint Standard. The authorities are averse to prescribing a notice period. Such assurance may be time sensitive given the nature of the outsourcing arrangement

and the impact to the insurer. The request by the Authorities will form part of supervisory engagements and where concerns are noted in terms of outsourcing arrangements that may indicate weakness in the insurer’s outsourcing policies. Please see response below at item 50.

50. Aurora 5.3 Kindly advise whether the internal auditors would be allowed to provide this independence assurance if so requested? As most of the internal auditors perform a review on the outsourcing arrangements and involving external audit to provide this assurance will create a duplication in work and an increase in costs. If the external auditors are to provide assurance for the internal audit function, this is accepted as there would obviously be a conflict – however please provide clarity on this position. The Authorities have reserved their supervisory prerogative to solicit combined assurance in respect of the requirements of the joint standard. This is a prerogative that will be exercised in exceptional circumstances. Internal Audit may be used – proportionality principle.

51. Munich RE 5.3 An insurer’s external auditor must, if so requested by the Authorities, provide assurance that the insurer complies with the requirements of this Joint Standard. The Prudential Authority should place reliance on the insurers/reinsurers Internal Audit Function, as this is an independent function. A request from the Prudential Authority will increase the complexity and costs incurred by the insurer/reinsurer. We recommend that this remains as “auditor” which allows for internal auditors where possible. Please see response above at item 50 in relation to combined assurance. The Authorities envisage this supervisory prerogative to be exercised in exceptional circumstances. No discomfort with internal auditors. Authorities may request someone independent. Discretion rests with the entity subject to Authorities’ oversight.

52. SAIA 5.3 a) Clarity is sought on why the word principle was removed in terms of 5.1 of GOI. There was a need to expand the current outsourcing regulatory framework beyond GOI 5 to provide an appropriate and comprehensive regulatory framework governing outsourcing by

b) Clarity is to be provided on the reference of an external auditor. c) There is a cost implication when using the services of an external auditor. Therefore, it is suggested that this remains as the "auditor", which allows for use of internal auditors where possible. We subscribe to the King IV Report and Auditing Standards as the function is performed independently and should not pose a risk. The Authorities to elaborate on why this is now required. insurers from a prudential and conduct perspective. By virtue of section 108 of the Financial Sector Regulation Act, Authorities are empowered to include in a Joint Standard additional prerequisite which can include risk management and control. The cost implication is noted. Please refer to paragraph 5.3 which provides that “an insurer’s external auditor must, if so requested by the Authorities, provide assurance that the insurer complies with the requirements of the Joint Standard.” If so requested, it does not imply that this would be a request regularly with a further cost to the insurer.

6. Principles

53. ASISA 6 Insert proportionality principle ASISA members propose that a section dealing with proportionality is added. Given the shift to principles-based regulation, it is important that the principle of proportionality is embedded in the Joint Standard. This is aligned with similar international regulatory measures (specifically in the EU) and allows for a risk-based approach, with an insurer and the Authorities being able to focus efforts on those outsourcing Disagree with the comments. This principle is enshrined in the framework and informs and permeates the supervisory approach in any event. The Authorities’ application of the principle of proportionality relates primarily to supervision. The discretion in terms of the principles of proportionality resides with the supervisor and not the insurer. To hold otherwise would result in the weakening of the framework as a result of the inherent conflict in the insurer i.e. the insurer is subjected to a regulatory framework that it retains

arrangements which pose significant risks. Proposed wording is as follows: Insurers and the Authorities should, when complying or supervising compliance with this Joint Standard, have regard to the principle of proportionality. The proportionality principle aims to ensure that governance arrangements, including those related to outsourcing, are consistent with the individual risk profile, the nature and business model of the insurer, and the scale and complexity of their activities so that the objectives of the regulatory requirements are effectively achieved. a discretion as to how the framework will apply. The Authorities are not in agreement with this proposal.

54. PSG 6.1 While 5.2 refers to material outsourcing, here reference is made to outsourcing. This is again extremely wide given all the functions within an insurer and insurance group that could be outsourced, most of which are not core to the insurance business of the insurer or group. If the intention is to include all possible outsourcing arrangements, more clarity is required on the risk principles required to be considered in deciding what standards need to be applied to the specific arrangement. See comments above at item 53. Please refer to the Authorities’ responses on the application of the Joint Standard as well as to response above on core insurance activities and non-core activities above in response to PSG Consult in 4.1 above. The complexity of outsourcing arrangements also has the potential to exacerbate risk, and impact on the ability of a regulated financial institution to manage and monitor its own compliance with regulatory requirements. This is not necessarily restricted to core or non-core material functions or activities performed by the insurer. Core and non-core material functions are irrelevant descriptors in this context. What is relevant is the risk that is introduced by the outsourcing arrangement and the materiality of the risk as assessed in terms of section 8 to the outsourcing standard.

55. SAIA 6.1 Is this particular clause only applicable to material outsource functions or all/any outsource functions? This applies to material functions.

56. MMH 6.2 Will the due diligence required here be at the discretion of the board as per the Outsourcing policy or does the PA have guidelines as to what the due diligence should take into account? Should this also be submitted by the Insurer to the PA as part of the notification of a new outsourcing arrangement? The use of the word “appropriate” in paragraph 6.3 implies that this consideration rests with the Board. Appropriate implies what is suitable in respect of the business of the insurer. Also see item 59 below.

57. ASISA 6.2, 6.3, 6.4, 6.6 and 6.7 It is submitted that for clarity the defined term “outsourcing arrangement” should be used in paragraphs 6.2; 6.3; 6.4; 6.6 and 6.7 as follows: “6.2 An insurer must, when entering into any outsourcing arrangement any activity or function, identify and manage all risks introduced by the outsourcing arrangement. 6.3 An insurer must, in order to meet the requirement of section 6.2, undertake an appropriate due diligence for every outsourcing arrangement activity or function to be outsourced, prior to entering into an outsourcing arrangement. 6.4 An insurer may not enter into outsource a function or activity or maintain an outsourcing arrangement, if such outsourcing may - … 6.6 An insurer must, when entering into any outsourcing arrangement any function or activity avoid, and where avoidance is not possible mitigate, any conflicts of interest between the insurance business of the insurer, the interests of policyholders and the business of the service provider. Disagree, this term is referenced in primary legislation.

6.7 Remuneration paid in respect of an outsourcing arrangement must –…”

58. ASISA 6.3 The view of ASISA members is that the intention is that the Joint Standard is applicable only to outsourcing of material functions. If this view is incorrect then it is submitted that it is overly burdensome to require that a comprehensive due diligence must be undertaken in respect of a non-material outsourcing activity or function. A general due diligence on non-material outsourced functions or activities should be sufficient. It is our understanding that this refers to new outsourcing arrangements of material functions and not existing ones. It is submitted that as a due diligence has already been done for existing arrangements it should not have to be done again. The requirements relating to ongoing monitoring should be sufficient. Disagree. This is an incorrect assertion. The Joint Standard is applicable to all outsourced functions or activities. Please take cognisance of the use of the word “appropriate due diligence” in paragraph 6.3 which implies a discretion on the part of the insurer in relation to the activity or function to be outsourced prior to the insurer entering into the outsourced function. The degree and manner of the due diligence is not akin to a one size fits all approach. Please take note of the commencement provisions of section 1 of the Joint Standard. It is envisaged that the insurer should at all times be satisfied with the service provider rendering the outsourced service. The insurer must apply its discretion in this regard during the monitoring exercise of service providers as to the emergence of any risk detected outside of the due diligence parameters.

59. Aurora 6.3 Will the authorities provide a template of the due diligence items that need to be investigated for an outsourced function? No. Appropriate implies that an insurer must consider what for its business is the most appropriate due diligence. The due diligence template will remain within the purview of the Insurer in accordance with its risk tolerances and other risk assessment criteria associated with a due diligence process. The

Authorities do not intend to issue such a template.

60. BASA 6.3 Clause 6.3 requires appropriate due diligence on all outsourced arrangements. BASA seeks clarity on whether this will mean that the level of due diligence must correspond to the level of materiality of the arrangement. Appropriate implies that an insurer must consider what for its business is the most appropriate due diligence. The level of due diligence can only be deliberated once an insurer decides what matters to assess when conducting a due diligence and to further determine on what level each matter should be on. See Authorities response above at item 59.

61. MMH 6.3 Appropriate due diligence for every activity or function to be outsourced – need clarity, is it only material activities or functions or all Please refer to the definition of material function It does imply that it’s a material function or activity…” It is envisaged that a due diligence shall be conducted for every activity and or function. Degree and nature of the due diligence will differ i.e. it is not a one size fits all.

62. Munich RE 6.3 We note that there is no definition provided for “due diligence” and this principle requires due diligence to be completed for every activity or function to be outsourced which is onerous. The recommendation to include a definition for “material outsourcing” and that this requirement is limited to “material outsourcing” only as that would be more practical. Due diligence is more complex than merely identifying risks and the Comment noted. Refer to previous comment at item 59 above.

insurer/reinsurer should be able to place reliance on internal/external audits.

63. OUTsurance 6.3 A new requirement is introduced in order to require insurers to conduct a due diligence when outsourcing any activity or function. Although we support a due diligence process, the introducing of this as an absolute requirement for every arrangement will add an additional layer of costs, which might be unnecessary. We would suggest a risk-based approach to only require this for material outsourcing. The requirement should therefore be proportionate to the risk and we therefore propose a risk based or tiered approach when due diligence is conducted. This will allow insurers to consider the amount of due diligence checks to be conducted for the specific arrangement, appropriately addressing the risk while limiting time and costs. Agree, that a risk-based approach when due diligence is conducted based on proportionality. To prescribe as an absolute requirement for every arrangement will be costly. Please take cognisance of the use of the word “appropriate due diligence” in paragraph 6.3 which implies a discretion on the part of the insurer in relation to the activity or function to be outsourced prior to the insurer entering into the outsourced function. This wording implies a risk-based approach to any due diligence exercise being undertaken.

64. PSG 6.3 What is the nature of the due diligence to be performed? It seems to refer to the function itself and not the provider. More clarity is required on what appropriate would be. Appropriate implies that an insurer must consider what for its business is the most appropriate due diligence. Relates to the provider of the outsourcing arrangement and the function/activity provided by the service provider

65. SAIA 6.3 a) Clause 6.3 requires appropriate due diligence on all outsourced arrangements. Would this mean that the level of due diligence must be commensurate with the level of materiality of the arrangement? b) The draft Standard refers to outsourcing of a “material function”. This requirement applies to “all outsourcing”. Given that this Standard sets out various requirements for “material outsourcing” in Appropriate implies that an insurer must consider what for its business is the most appropriate due diligence. If this benchmark is utilised, then the insurer must be able to motivate such appropriateness.

general, the application of the Standard to outsourcing therefore becomes unclear. It is recommended that this Joint Standard apply to the outsourcing of a “material function” only. A new requirement is introduced to require insurers to conduct due diligence when outsourcing any activity or function which is outsourced. Although we support a due diligence process, introducing this as an absolute requirement for every arrangement will add layers of costs, which might be unnecessary. It is suggested that a risk-based approach only require this for material outsourcing. Therefore, the requirement should be proportionate to the risk and we therefore propose a risk-based or tiered approach when due diligence is conducted. This will allow insurers to consider the amount of due diligence checks for the specific arrangement, appropriately addressing the risk while limiting time and costs. The Joint Standard makes provision of an appropriate due diligence. The approach to due diligence viz. a risk-based approach is not prescribed. Please take cognisance of the use of the word “appropriate due diligence” in paragraph 6.3 which implies a discretion on the part of the insurer in relation to the activity or function to be outsourced prior to the insurer entering into the outsourced function. This wording implies a risk-based approach to any due diligence exercise being undertaken.

66. SIL 6.3 Clause 6.3 requires an appropriate due diligence on all outsourced arrangements. Would this mean that the level of due diligence must be commensurate with the level of materiality of the arrangement? It should be noted that appropriate implies what is suitable in respect of the business of the insurer. If this benchmark is utilised, then the insurer must be able to motivate such appropriateness. Please see Authorities response above to Aurora Insurance in relation to the due diligence template. The due diligence template will remain within the purview of the Insurer in accordance with its risk tolerances and other risk assessment criteria associated with a due diligence process. The

Authorities do not intend to issue such a template.

67. PSG 6.4 The clause refers to the maintenance of outsourcing arrangements but provides no guidance on what needs to happen if it is found that an existing outsourcing arrangement is materially increasing the risk. Should it immediately be ended or is corrective intervention acceptable? What is the timeline in which to manage this? Paragraph 1.2 of the Joint Standard that stipulates “any outsourcing arrangement entered into prior to the effective date of the Joint Standard, such arrangement (existing outsourcing arrangement) must comply with the requirements set out in the Joint Standard within one year. Section 6.4 is couched in peremptory terms and is explicit in its import on the maintenance of an outsourcing arrangement where certain criteria are met i.e. an insurer may not maintain an outsourcing arrangement under the specified criteria. The Authorities envision that the insurer will apply its discretion relative to its risk tolerances tempered with an assessment of the objective criteria that have been specified in section 6.4 and act accordingly in this regard.

68. SAIA 6.4 It is enquired if at a specific point of the relationship, a review in terms of this section is undertaken, and it is found that the relationship has materially increased our risk, what do the Authorities propose we do? See paragraph 11.3 of the Joint Standard that obliges insurers to develop and maintain appropriate contingency plans to ensure the continuous functioning of the insurance business. Please refer to comment above at item 67.

69. Willis South Africa 6.4 When conducting outsourced activities, as intermediaries we are equally committed to the fair treatment of policyholders. Comment noted.

70. ASISA 6.5(b) It is submitted that the potential impact should be considered at the “outsourced legal entity” level to Comment noted.

avoid duplication, where for instance various agreements for different portfolios are managed by a single investment manager.

71. Aurora 6.5 Kindly provide clarity as to whether this impact assessment will need to be performed on the outsourcing arrangements already concluded and in place in light of clause 1.2 above. Paragraph 1.2 refers to any outsourcing agreement entered prior to the effective date of the Joint Standard. Paragraph 6.5 on the other hand specifically states that an insurer considers potential impact prior to entering an outsourcing and multiple outsourcing arrangements. The intent of paragraph 6.5 provides for new outsourcing arrangements. The insurer is expected to revisit the outsourcing arrangement and determine whether such arrangement has satisfied the impact analysis specified in section 6.5. This is a core provision of the Joint Standard.

72. BASA 6.5 (a) and (b) Due to confidentiality clauses and laws the Insurer may not be privy to information of other outsourcing arrangements of the service provider, and it is likely that the insurer will not be able to insist on having sight of same. BASA seeks clarity as to what the Regulator expects from Insurers to satisfy this requirement. Would the due diligence conducted, legal agreements, monitoring of SLA and annual review of the service provider, in respect of the intended service, be deemed sufficient mitigants to satisfy this requirement? Comment noted. Insurers should consider any criterion it deems appropriate relating to this particular arrangement. The Authorities have not suggested a transgression of confidentiality/competition laws but rather to consider the service provider in light of its industry exposure and stature. This could potentially take the form of an undertaking or

disclosure by the service provider as to the number of outsourcing arrangements currently in force, the status of current capacity of the provider, the quality of service it is currently able to provide to its insurers. It is also expected that the insurer conduct a due diligence to satisfy itself, prior to contracting, that the third party has the necessary skills, capacity, systems and resources to effectively service it. Data privacy concerns withstanding this disclosure could be on a redacted basis. The criteria selected is ultimately at the discretion of the insurer, where the insurer is able to demonstrate objectively that multiple outsourcing arrangements will not lead to a consequence as specified in section 6.4.

73. MMH 6.5 Are there guidelines or considerations that the Insurer can indicate/ mention to provide assurance that multiple outsourcing arrangement will not increase the risk of the insurer? Or is this at the discretion of the Insurer and board? See comments above at item 72.

74. Munich RE 6.5 We seek clarity on how this clause would apply where subsidiaries and branches of a foreign insurer/reinsurer have outsourcing agreements in place with the parent company. The parent company in this instance would have multiple outsourcing arrangements in place. Insurers should consider any criterion they deem appropriate relating to this particular arrangement. Please see section 3 of the proposed Joint Standard: Application of the Joint Standard. This Joint Standard applies to all insurers, including microinsurers (hereinafter collectively referred to as “insurers”), licensed under the Insurance Act, other than Lloyd’s and branches of foreign reinsurers

Please see paragraph 3.1 of the Joint Outsourcing Standard. Foreign branches of insurers are viewed as an extension of the insurer albeit falling under the supervisory purview of a foreign regulatory authority. Outsourcing arrangements entered into by the foreign branch of the insurer may inadvertently import risk to the insurer.

75. OUTsurance 6.5 In terms of the requirement for an insurer to consider the potential impact of an outsourcing arrangement with a service provider that has entered into multiple outsourcing arrangements with other insurers, we kindly require clarity of how in depth the information gathered should be. Although we support the fact that an insurer should be aware of services provided to other insurers by the service provider in order to consider any concentration risk, insurers should be cautious not to step into other competition issues in an attempt to adhere to these provisions. We therefore require some clarity on the Authorities’ expectation around these requirements. Insurers should manage concentration risk and consider any criterion it deems appropriate relating to this particular arrangement. The Authorities have not suggested a transgression of competition laws but rather to consider the service provider in light of its industry exposure and stature as an outsourced service provider. This could potentially take the form of an undertaking or disclosure by the service provider. Although prescriptive requirements have not been set, an insurer must be able to demonstrate adherence and should be able to evidence this through ongoing monitoring.

78. PSG 6.5 Due to the confidential and the commercially sensitive nature of outsourcing arrangements with competitors, it would not be able to provide or receive the information required to determine whether a service provider’s multiple arrangements are likely to increase the risk. Would a confirmation by the provider that it can handle the multiple arrangements suffice, or would something else be required? Comment noted. Insurers should consider any criterion it deems appropriate relating to this proposal. If queried by the Authorities, the insurer must be able to demonstrate that this was considered and that it was successful. The risk when entering into such arrangement with one or two providers is with the insurer as

How should cases be handled where there aren’t viable alternative outsourced providers and where the whole industry is reliant upon one or two providers? Can we accept that the Regulator will ensure that the risk is managed? contemplated in paragraph 8.4(a) of the Joint Standard. Please see comment above at item 78. The Authorities cannot manage the industry’s concentration risk associated with the service provider on behalf of the insurer. The insurer needs to consider this risk in terms of section 6.5 and be able to develop appropriate risk management controls in this regard.

79. SAIA 6.5 a) Suppose the Joint Standard is meant to govern arrangements in relation to insurance business. Why are the Authorities requesting an assessment of arrangements that the service provider has with "other parties" other than insurers? b) Due to confidentiality rules, the Insurer may not be privy to information of other outsourcing arrangements of the service provider. Furthermore, the OSP’s agreements with other insurers might be confidential/commercially sensitive information, and the OSP may not be prepared/able to disclose this information. The Authorities to clarify what is the purpose of the requirement and the insurers expectations to satisfy this requirement or can the Authorities address this requirement through other means. c) In terms of the requirement for an insurer to consider the potential impact of an outsourcing arrangement with a service provider that has entered into multiple outsourcing arrangements with other insurers, we kindly require clarity of how in-depth the information gathered should be. Although we support the fact that an insurer The Joint Standard defines “material function” as a function or activity relating to an insurer’s business. It does not specifically mention insurance business. Comment noted. Its purpose is that the insurers must consider the potential impact of outsourcing arrangements when provided by the same service provider or a service provider that has entered into multiple outsourcing arrangements with other insurers and/or parties. Insurers should consider any criterion it deems appropriate when considering the potential impact of such service providers. Insurers should consider any criterion it deems appropriate when considering the potential impact relating to an outsourcing arrangement as entered into in terms of Point 6.5.

should be aware of services provided to other insurers by the service provider to consider any concentration risk, insurers should be cautious not to step into other competition issues to adhere to these provisions. We, therefore, require some clarity on the Authorities’ expectations around these requirements. d) Clarity is sought on outsource service providers, which poses a significant systemic/ concentration risk for the non-life insurers, can the Authorities guide the industry on how this risk should be managed if there is no alternative OSP. Would the Authorities prefer to be notified, or would an exemption be required if an insurer proceeds to enter into an arrangement as envisioned in this Joint Standard? Does this clause apply to activities which fall outside of insurance business, e.g. IT? See paragraph 3.1 of the Joint Standard that stipulates that the Joint Standard applies to all insurers. The Joint Standard defines “material function” as a function or activity relating to an insurer’s business. Point 8 of the Joint Standard provides factors for assessing whether a function or activity is material. If after considering such factors in Point 8, IT is assessed as a material function or activity in the business of the insurer, then Clause 6.5 will be applicable. (a) The Authorities wish to determine if there could potentially be capacity issues with a particular service provider that could potentially compromise the outsourcing arrangement with the insurer. Furthermore the Authorities wish to understand the concentration risk in the industry in relation to specific service providers and with specific reference to section 6.4 of the Joint Standard. This is in line with an intrusive supervisory approach to establish broader risks to insurers as a result of outsourcing arrangements to service providers. (b) Please see comment above. (c) The Authorities have prescribed a principles-based approach in this regard. The insurer is accorded a wide discretionary berth in terms of section 6.5 read with section 6.4 below to

make a determination of the impact on such an outsourcing arrangement. The Authorities have not advocated any activity geared to a breach of competition laws. (d) The Authorities have specified the rationale for requesting such information on service providers above. The management of concentration risk in relation to the OSP is the preserve of the insurer subject to its own risk management protocols. Yes. The application of clause 6.5 extends to activities that fall outside of insurance business, but that are material to activities performed by the insurer. IT might therefore in certain circumstances not be a core insurance function, but it could be material to the business of the insurer, where it might not be material to another insurer where the system is in-house for the group and they rely and shared function.

80. Willis South Africa 6.5 Does this mean that Insurers will be increasing their existing oversight/monitoring of service providers who have multiple outsource agreements with themselves and other insurers? Paragraph 6.5 of the Joint Standard stipulates that “an insurer should consider the potential insight prior to entering multiple outsourcing arrangements…” Existing oversight or monitoring implies after a multiple outsourcing agreement is entered into. The Authorities envisage that the insurer will as part of its enterprise risk management protocols maintain oversight of the OSPs in accordance with section 6.5.

81. PSG 6.6 Does this requirement only refer to new conflicts that may be created by the outsourcing? Paragraph 6.6 refers to “outsourcing any function or activity…, mitigate, any…” Any implies one of or all of and can refer to new. There is no election that is catered for i.e. conflict of interest is not distinguished by “old” and “new” as this would defeat the rationale for the standard. Please see the Authorities comments in respect of complying with this Joint Standard at section 1.2 above.

83. SAIA 6.6 The insertion of the word “avoid” suggests that there will be a need to prove inability to avoid. Therefore, we recommend the deletion of the word “avoid” to simplify the interpretation of the clause. Disagree. The wording of the clause does not suggest an onus of proof but merely confers an option where conflicts of interest become apparent in the insurance business of the insurer, the interests of policyholders and the business of the service provider.

84. FIA 6.7(a) The terminology ‘reasonable and commensurate’ is again used in relation to remuneration. It would be useful for the Authority to provide guidelines around this terminology, as it is clear that this potentially has different meanings to different people. Comment noted. The terminology must be read and understood in the context of the Joint Standard i.e. that remuneration must be reasonable and commensurate with the actual function outsourced; must result in efficiencies for the insurer; not impede the delivery of fair outcomes to policyholders, and not be linked to the monetary value of insurance claims repudiated, paid, not paid or partially paid. Please also note that section 6(7) of the Joint Standard sets out the factors that must be considered when considering what constitutes ‘reasonable and commensurate’ remuneration. Essentially, it should be cheaper to outsource than to do the functions in-house or the outsourcing leads to better outcomes as the

outsourced partner has unique skills and knowledge that make them more efficient.

85. PSG Konsult 6.7(a) The principle of reasonable and commensurate requires further clarification. As indicated in previous submissions, an intent to base it on costs is counter-productive as it disincentivises finding more effective and thus profitable ways of doing business. See comments below at item 86.

86. PSG Konsult 6.7(b) Provision should be made to outsourcing arrangements where profit sharing is allowed. Authorities not in favour of this approach as it raises the conflict-of-interest risk which could lead to unfair policyholder outcomes. We do not agree with the comment. We currently have non-mandated intermediaries (NMIs) that are potentially conflicted due to them having to service both the policyholder and the insurer, but they are remunerated by the insurers. We have specific notification requirements to the FSCA in the event that the NMI is remunerated for fees that are not catered for in current legislation. Further, the legislation caters for UMAs and certain cell captives to share in profits due to the specialised nature of the services they render to the insurers. No other profit sharing will be allowed.

87. SAIA 6.7 a) The amendment to the outsourced function to: “6.7(c) not impede the delivery of fair outcomes to policyholders”. It is proposed that the change ‘impede the delivery of fair outcomes to’ makes the process more restrictive. The previous wording allowed the insurer to apply a risk mitigation exercise. However, this change does not allow the insurer to apply the risk mitigation exercise. These will affect the roles of compliance officers to monitor whether this will impede fair outcomes.

50 Item Commentator Paragraph of the Standard Comment Authorities’ Response It is suggested that the wording in the GOI of “increase” is retained as used in the GOI rather than “impede”. 88. SAIA 6.7(d) Underwriting managers and cell captives should be excluded (carved out) from this provision as they do share in the profit of the schemes they act on, and this is permissible under the Binder Regulations, which is a sub-set of outsourcing. This provision needs to be consistent with the binder regulations Paragraph 3 of the Joint Standard provides that the Standard applies to all insurers and microinsurers. In as much as the Binder Regulations make allowance for certain profit sharing, they do not override the overarching principle that the binder arrangements need to result in fair outcomes for customers. The linking of the monetary value of insurance claims repudiated, paid, not paid or partially paid has the potential to result in unfair outcomes for customers. Thus, we do not view this requirement to be inconsistent with the binder regulations. 7. Outsourcing policy 89. ASISA 7.1 Suggest that the wording change as follows: An insurer must have an outsourcing policy that ensures compliance is aligned with this Joint Standard. Disagree. This wording is a direct transplant from the existing GOI 5. Alignment with the Joint Prudential Standard does not equate to compliance with the Joint Standard. The authorities expect the insurers outsourcing policy to comply with the Joint Standard. 90. ASISA 7.2 This provision is problematic for linked insurers, many of whom outsource all their business functions and could place the linked insurer business model at risk. ASISA members do not think this is the intention as the linked insurer business model and related outsourcing has been discussed in detail with the Authorities as part of the engagements on whether linked insurers should Comments noted. 
Authorities do not believe that there should be different rules for linked insurers. If an insurer has elected a highly outsourced model, then it must have the appropriate governance requirements in place to mitigate those risks effectively. If the Authorities have similar expectations of insurers with highly outsourced models and cell captives then it

be designated as an Insurance Group. It is submitted that the wording should not be so prescriptive and that it should be more principle based for the Board to decide on. It is proposed that the wording of 7.2 should be amended as follows: “In addition to addressing the principles in section 6 above, and the matters identified in sections 8 to 11 below with respect to outsourcing of material functions, an insurer’s outsourcing policy must set should consider whether limits on the types and overall level of outsourced functions or activities by the insurer are required, as well as the extent to which functions or activities can be outsourced to the same person”. follows that a consistent approach with linked insurers, must be followed. As linked insurers are basically almost 100% outsourced, but they are therefore a higher risk and should do more monitoring than any other insurer and not be excluded from the operation of this Standard.

91. PSG Konsult 7.2 We believe the limits required does not add value as it differs from the type of function, the nature of the service provider and the alternatives available. The general principles of a risk-based approach should cover this sufficiently. RISK Appetite. Risk Tolerance. Disagree. Barring the linked insurer model which is by and large an outsourced model (see comments above), insurers must be acutely aware of the extent to which functions and activities are outsourced. The limits suggested by the section 7.2 of the Joint Standard have not been prescribed by the Authorities as this will fall within the insurer’s risk management thresholds. A limit on the types and level of outsourcing is potentially an additional risk mitigation tool given the inherent risk of outsourcing arrangements.

92. SAIA 7.2 Clarity is sought in terms of the limits to be placed on types of outsourcing functions.
If each agreement is to be made on its own merits, this becomes contradicting. See comment above. Paragraph 7.4 provides that the outsourcing policy must provide guidance on, inter alia,

Will this clause require insurers to establish appetite/threshold for types of outsourcing? Further, is concentration risk required to be observed and included as part of policy? concentration risk to be assessed, managed and monitored in outsourcing. In assessing any of the specified risks its tendency towards the risk (risk appetite – risk tolerance) and threshold (what the insurer will not accept the risk) will be considered. Section 7.2 is merely an expression of what the insurers risk management framework must assess, and the results of which (specifically in relation to the level and types of outsourcing arrangements) should be documented in the insurers outsourcing policy.

93. SAIA 7.3 It is proposed that “An insurer’s outsourcing policy must establish criteria and procedures for appointing and renewing service providers.” It should read: “An insurer’s outsourcing policy must establish criteria and procedures for appointing, renewing, and terminating service providers.” – as there would be a gap should terminations not be addressed. It is suggested that by removing the word ‘outsource’, the Joint Standard is broadening the scope of what needs to be looked at when renewing the services rendered by OSPs. Service providers are not necessarily outsourced providers. It is suggested that terminology is used consistently to remove vagueness. (also refer to 4.1 “service provider” above) A risk-based approach relating to termination is provided for in paragraph 11.7. In addition, inter alia, the criteria and termination procedures are also provided for in paragraph 11.8. Agree, with the comments. See amendments made to the Joint Standard. This addition of terminations to the section buttresses the provisions in section 11 as these relate to terminations. Please see Authorities response in this regard at section 4.1 response to SAIA on the definition of “service provider”.

94.
PSG 7.4 Clarity is required on what is required to be verified within each risk and when a risk becomes a material risk. Attachment 1 provides explanations of the types of risks mentioned in paragraph 7.4

53 Item Commentator Paragraph of the Standard Comment Authorities’ Response A material risk are those risks that are recognised by the management of an insurer that can potentially impact the business of the insurer. Insurers to apply discretion to conduct the risk assessment. 95. FIA 7.4(b) The definition of credit risk on page 9 refers to “a counterparty to a derivatives transaction”. Is this appropriate for outsourcing as it would then apply to the credit risk involving a derivative trade only? Surely credit risk is wider than that, for example, where the outsource partner collects premium or has a claims float? Comments noted, however there is no need to expand the definition, as it is appropriate in this context. 96. SAIA 7.4 With the inclusion of credit risk, we aver that this is based on the dire financial situation entities find themselves in, which requires a greater focus on risks culminating from premium collection. The Authorities to clarify the intention for including credit risk. Although one factor relating to credit risk comes to mind, premium collection, it is the concern that the inclusion of this type of activity within the outsourced environment may affect business processes and again bring the industry into uncertainty as to the categorisation of premium collection as intermediary function vs outsourced function. Is the intention of the Authorities to bring premium collection as this may create instability in the financial sector with the reclassification of premium collections. Please see comments above.

54 Item Commentator Paragraph of the Standard Comment Authorities’ Response This is also currently governed by the regulations and would be contrary to current provisions. 8. Material outsourcing arrangements 97. ASISA General – material outsourcing It is unclear whether the Joint Standard applies only to outsourcing of material functions (and not non-material outsourcing) or whether parts of the Joint Standard apply to outsourcing of material functions and parts apply to all outsourcing arrangements. If the intention is that the whole Joint Standard only applies to outsourcing of material functions, it is recommended that wherever outsourcing is referenced it is followed by the words “of a material function” (refer to the proposed definition of “material function” above). If the intention is that certain parts of the Joint Standard apply to outsourcing of material functions and certain parts apply to all outsourcing, it is requested that this is made clear by use of the defined terms “material function” and “outsourcing arrangement” in the appropriate places to make the distinction clear. Please see Authorities response to ASISA comments on section 4.1 in respect of the application of the Joint Standard. 98. BASA General – material outsourcing. Material outsourcing arrangements with an entity within the same It is not specified what the requirements would be for ‘insourcing’ arrangements, and BASA advises that it would be quite onerous to apply the suggested requirements as they currently are where services are provided by an entity within the same group of companies as the insurer. The Joint Standard sets out minimum requirements for the outsourcing of material functions and activities by an insurer. The requirements are designed to ensure that outsourcing by an insurer does not impair the prudent management and conduct of an insurer’s business.

55 Item Commentator Paragraph of the Standard Comment Authorities’ Response group of companies Outsourcing encompasses insourcing. See also FSRA definition of Outsourcing arrangement. 99. BASA General – material outsourcing. Material outsourcing arrangements with an entity outside South Africa (‘offshoring’) It is not specified whether there are specific requirements for offshoring or whether offshoring arrangements would be treated the same as local arrangements? BASA will appreciate clarity in this regard. See paragraph 3 of the Standard that provides that the Joint applies to all insurers licensed under the Insurance Act in South Africa. Offshoring arrangements are encompassed by outsourcing requirements 100. ASISA 8.1 It is proposed that the following factor is added to 8.1 which link the principle of proportionality proposed in our comment above on part 6- • the size and complexity of any business area affected; The reason for this proposal is that the materiality of an outsourcing arrangement (which then makes it a notifiable arrangement) should consider the size and complexity of the business area affected (so as not to include those arrangements which are not likely to have a material impact on an insurer as a whole (but which may considerably affect a small business function within the insurer). Comments noted. Please see response to ASISA comments above at item 53 regarding section 6 on principles of proportionality and the Authorities view on the application of this principle.

56 Item Commentator Paragraph of the Standard Comment Authorities’ Response 101. Aurora 8.1 Will this also apply retrospectively as per clause 1.2 to any outsourcing arrangement concluded prior to the commencement of this standard. See comments above at items 4 and 5 and amendments made to the Joint Standard. Paragraph 1.2 of the Joint Standard has been amended to provide, “Any outsourcing arrangement entered into prior to the effective date of this Joint Standard must be compliant with this Joint Standard: (a) within 24 months from commencement date; or (b) upon renewal or renegotiation; whichever comes first. This implies that prior outsourcing arrangements entered prior to the effective date must comply with paragraph 8.1 and all provisions of the Joint Standard within 24 months or upon renewal or renegotiation whichever comes first. Paragraph 8.1 thus does not have retrospective application. 102. ASISA 8.1(e) It is not clear what “sensitive” customer information means. The Protection of Personal Information Act, 4 of 2013 (POPIA) distinguishes between personal information and special personal information, which is information about race, religion, health, criminal behaviour, trade union membership, political persuasion, and children. It is suggested that there should be alignment with the POPIA definitions and that the term “special personal information” is used. Disagree, the Authorities have referenced effectively securing data privacy to relevant privacy laws which it is submitted establishes an objective standard against which security measures can be assessed.

57 Item Commentator Paragraph of the Standard Comment Authorities’ Response It is also not clear what “effectively secure data privacy” means. Does this refer to information security measures to safeguard the integrity of the information or is it compliance with all the provisions of POPIA? It is submitted that it should be the former. In terms of POPIA the outsourcing of processing of personal information to a service provider (called an Operator) is regulated under sections 20 and 21 of POPIA and deals only with information security measures. The following change is suggested: “(e) sharing of sensitive special customer information as defined in POPIA and information about children, and the ability of the service provider to effectively secure the integrity and confidentiality of customer information data privacy, in accordance with relevant privacy laws; 103 PSG 8.1 Material outsourcing arrangements could refer to material arrangements for non-material functions. It is therefore recommended that a distinction is made between material outsource arrangements and core functions. It is suggested that higher requirements are set for material outsourcing of core functions and diminishing requirements for non-material core, material non-core and non-material non-core. See response above on material versus core outsourced functions. 104. SAIA 8.1 a) This may be interpreted as a contradiction that allows the insurer to assess whether a function is material or not, but a definition was already provided of what is deemed to be material. If this is not the intention, we reiterate the suggestion re: Disagree, insurers must make an assessment whether the related services are material activities or services and thus apply the requisite principles

58 Item Commentator Paragraph of the Standard Comment Authorities’ Response 4.1 above for the definition of material function to be removed. b) It is proposed that adding the Cloud Computing related services aspect to measuring or assessing the materiality of arrangements. Insurers would also recommend that the Joint Standard is explicit for vendors such as Actuarial services/Model Risk related arrangements to be key critical arrangements. c) It is not clear if the reference to a “material outsource arrangement” is, in fact, reference to an “outsourcing arrangement” in respect of a material function. Disagree: “material function” means a function or activity relating to an insurer’s business that has the potential to have a significant impact on the insurer’s business operations or its ability to manage risks effectively, should it be disrupted. Section 8.1 specifies the assessment criteria to be employed to determine if the function or activity is material and as such meets the definition of material function. How else would this be assessed if objective assessment criteria were not specified and reliance was placed on a broad definition? There is no contradiction inherent in what the authorities define as a material function versus how materiality is assessed. The authorities are of the view that the assessment criteria are sufficiently robust to provide an assessment framework on a principle basis to capture cloud computing services etc. 105. ASISA 8.2 The wording of this part seems to imply that any control function is a material function which we don’t think is the intention. It is requested that the current wording in the GOI5 (section 6.2) is retained. Section 6.2 of GOI 5 states that “For the purposes of this Standard, all functions of senior management and heads of control function as set out in the Governance and Operational Standards for Insurers are material business activities.” The wording of section 8.2 has remained in line with section 6.2 of GOI 5. 
106. SAIA 8.2 The proposed change appears to require that all employees operating within control functions be dealt with independently. Was this the intention? We strongly See comments at item 105 above. The wording of section 8.2 has remained in line with section 6.2 of GOI 5.

59 Item Commentator Paragraph of the Standard Comment Authorities’ Response suggest that the wording as contained in the GOI5 (section 6.2) remain. 107. Aurora 8.3 Kindly advise how this will work in practice – will the authorities Liaise between themselves before making a determination or could the insurer find themselves in a position where the one authority confirms the outsourcing arrangement, and the other authority rejects the outsourcing arrangement? Furthermore, while this is currently a notification and not an application process, does the insurer have to wait for confirmation from the Authorities before the service provider can commence their services as it has been our experience that acknowledgment from the Authorities takes more than 30 days (usually a few months)? The Authorities already have procedures in place with regards to this process. The Authorities will provide further information in relation to how the backend system to process notifications will operate upon the commencement of the Joint Outsourcing Standard. The Authorities note the practical challenges highlighted by insurers. These challenges will not be exacerbated by the Joint Outsourcing Standard. 108. SAIA 8.3 This may create unnecessary delays with the processing/assessment of the outsourcing arrangement. It is suggested that Section 4 of the Memorandum of Understanding (“MOU”) entitled Information sharing between the PA and FSCA be relied upon iro this requirement. The insurer should not be required to notify both the PA and FSCA. This is further enhanced in Annexure 10: Minimising the duplication of effort and expense. This comment is noted. In areas of overlapping jurisdiction of Authorities, the Authorities issued this Joint Standard to avoid duplication of its regulatory regime and harmonise the outsourcing requirements for the insurance sector. 
The Authorities will provide further information in relation to how the backend system to process notifications will operate upon the commencement of the Joint Outsourcing Standard. The Authorities note the practical challenges highlighted by insurers. These challenges will not be exacerbated by the Joint Outsourcing Standard.

60 Item Commentator Paragraph of the Standard Comment Authorities’ Response 109. PSG 8.3 and 8.4 There is a difference between the outsource of a material function and a material outsourcing arrangement. For this reason, a differentiation is recommended between material and core. Disagree. See comments above in relation to core and non-core function. The comment is not understood relative to the ambit of the respective provisions. Section 8.3 of the Joint Standard accords the Authorities a right of objection in respect of any arrangement to outsource a material function that is inconsistent with the Joint Standard. Section 8.4 sets criteria for consideration prior to entering into a material outsourcing arrangement. 110. ASISA 8.4(a) It is submitted that the wording used is too prescriptive and restricts insurers from making business decisions and potentially inhibits innovation and competition and needs to be revised. The following points are relevant in this regard: Parties negotiate outsourcing at arms-length. The totality of the contract terms must be taken in assessing the cost and benefits. For instance, an outsourced provider that is a dominant player, and a specialist in the industry will use its power to carve out a better price and terms during the negotiations. In the end an outsourcing decision may be motivated by difficulties in the performance a function in-house. The outsourced provider may not necessarily be the cheapest but in the interest of policyholders the appointment may be beneficial. There are also other considerations that may need to be taken into account such as acting to advance transformation, for example investment manager incubation programmes. Disagree: Section 8.4 does not in any manner curtail the negotiation process inherent in the conclusion of an arm’s length outsourcing arrangement. 
The prescription in section 8.4 relates predominantly to ensuring that the insurer has given proper consideration to the costs benefit and risks to the insurance business. The use of the word “may” implies a discretion in the judgement to be exercised by the insurer in determining the benefits of the outsourcing arrangement relative to the costs. The section does not imply that cost is the overriding factor nor does the section intend to interfere in commercial negotiations.

61 Item Commentator Paragraph of the Standard Comment Authorities’ Response 111. Aurora 8.4 Will this also apply retrospectively as per clause 1.2 to any outsourcing arrangement concluded prior to the commencement of this standard. Will the authorities provide a template where the benefits, costs and risks of an outsourcing arrangement can be evaluated so that it can be determined that the benefits outweigh the costs and risks? See comments above at items 4, 5 and 101. Section 8.4 and all provisions in the Joint Standard do not have retrospective application in respect of prior arrangements. An outsourcing arrangement entered prior to the effective date of the Joint Standard needs to comply within the stipulated period of effective date as the case maybe. With regards to a template request, this will not be provided by the Authorities. It should be noted that with regard to outsourcing the insurer retains responsibility for all regulatory obligations which includes certain important considerations as contemplated in paragraph 8.4 Thus compliance with this requirement is borne by the insurer before entering into an outsourcing agreement i.e. new arrangements. Thus, the inclusion in paragraph 5.2 which stipulates that “an insurer’s board of directors must ensure that the most appropriate control environment is established and maintained to review any proposed outsourcing of a material function” Thus, this control environment however its structured will be in a position to evaluate the benefits, costs and risks of any outsourcing arrangement. These factors must be measured against the business of the insurer.

This exercise is at the behest of the insurer. A template will not be provided.

112. PSG Konsult 8.4 The wording of 6.3 referred to a due diligence of the function and not the provider. What would be seen as evidence that the benefits outweigh the costs and potential risks? How is the internal risk of performing the function weighed against the outsource risk? See comments above at item 128. This exercise must be borne by the insurer. With its well-established governance structures and control environment such matters can be evaluated as per its embedded processes and procedures. These are analytical financial enquiries conducted in terms of a specific due diligence methodology set by the insurer. The Authorities are not able to specify evidence indicative of benefits outweighing costs. This evidence will be bespoke to every insurer and inform the decision as whether an outsourcing arrangement is feasible in the circumstances.

113. SAIA 8.4 The proposal appears to restrict the insurers from making business decisions and potentially innovation and competition. We suggest that the wording as contained in the GOI5 (section 6.4) remain. Disagree, see response above at item 110. Section 8.4 does not in any manner curtail the negotiation process inherent in the conclusion of an arm’s length outsourcing arrangement. The prescription in section 8.4 relates predominantly to ensuring that the insurer has given proper consideration to the costs benefit and risks to the insurance business. The use of the word “may” implies a discretion in the judgement to be exercised by the insurer in determining the benefits of the outsourcing arrangement relative to the costs. The section does not imply that cost is the overriding factor nor does the section intend to interfere in commercial negotiations. Reference Innovation and Competition.

114. PSG 8.5(a) How intensive are these tests required to be?
Paragraph 8.5(a) states that “An insurer may not enter into or maintain an outsourcing

What is the difference between 8.5 and 11.4? arrangement relating to a material function unless the service provider has appropriate governance, risk management, internal controls and the ability to comply with applicable laws.” These are not tests but structures and controls that should be part of a company to ensure the efficient functioning of that company. The Authorities cannot prescribe the method that the insurer will employ to ascertain the service provider’s appropriate governance, risk management and internal controls environments. Paragraph 8.5 prescribes governance and operational ability requirements that a service provider must have in place and paragraph 11.4 provides that an insurer must regularly assess the adequacy and effectiveness of these requirements. Section 8.5 details the process to be followed by an insurer prior to entering into an outsourcing arrangement. This section sets an objective assessment framework that focusses on key criteria that the Authorities expect an insurer to consider prior to incepting such an outsourcing arrangement. Section 11.4 details the process for ongoing assessment of the service provider performing the outsourced function. This section articulates with more clarity the ongoing obligation of the

insurer to assess the service provider in accordance with the specified criteria. The differences are nuanced but distinct.

115. PSG 8.5(b) What level of due diligence is required? Are audited financial statements sufficient? It is important to note that the Joint Standard prescribes an appropriate due diligence. It does not specify the specific level an insurer should conduct. Appropriate implies what is suitable to the business of the insurer. Please see Authorities response to Munich Re on a proposed definition of “due diligence” at section 4.1 above.

116. PSG 8.5(c) Contingency plans are by their nature confidential and commercially sensitive information. What level of insight into contingency plans is required and how often would they need to be reviewed? Do the contingency plans need to be tested? It is submitted that these requirements are too onerous. The confidential nature of the contingency plan is noted. Paragraph 11.4 provides that an insurer must regularly assess the contingency plan of the service provider. The discretion lies with the Insurer to determine what “regularly” and if its assessment will require that such plans need to be tested. The onus of this particular provision is for the insurer to obtain assurance that the service provider has developed contingency plans. There is no obligation that calls on testing of such contingency plans. Please see section 11.4 of the Joint Standard. General contingency plans referenced.

117. PSG 8.5(d) How does the principle of key persons apply to non-FSP service providers? The commentator should take note of the definition of “service provider” in the Joint Standard which “means any person that provides a function or activity to or for an insurer in terms of an outsourcing agreement.” A key person whether an FSP or a non-FSP “must meet the fit and proper requirements relating to competence and integrity as provided for in Prudential Standard GOI 4.” The onus is on the insurer to confirm – especially due to the important role this person would play and the impact it could have on their business.

118. ASISA 8.5(d) The practical application of this part to service providers that are not within the financial services sector can be difficult as they don’t have key persons as defined in the financial services sector. It would assist if this part could also refer to directors or senior managers for non-financial service providers. Paragraph 8.2 does however deem all functions of senior management and control functions, including heads of control functions (key persons) as material functions. Insurers outsourcing these functions to service providers will require the persons performing these functions to meet the fit and proper standards. This section may require further clarification to specify the context for fitness and propriety. Insurer’s obligation to establish fitness and propriety. Not bespoke to insurers. Insurers can develop their own template. The commentator should note that GOI 4 refers to a “key person” as defined in the Insurance Act. We want insurers to assess the honesty and integrity of key persons of the entity that they are outsourcing material and control functions to.

‘Directors’ is the appropriate level and ‘directors’ are included in the definition of key persons:

119. MMH 8.5(d) Should competence measures of Insurers for key persons be required to apply to services providers who are not authorised as insurers (i.e., FSP’s and non-FSP’s), if so, how can we measure key persons of the SP according to the competence requirements for key persons of Insurers? This is an over-reach on the part of the insurer and might be difficult to assess. It also goes against the presumption that a company has met its internal formalities when dealing with outside parties i.e. KIs and representatives of FSPs should be presumed to be fit and proper by virtue of them still holding such positions, same for key persons of another insurer and directors of a company. In addition, the extensive nature of the definition of key person might pose added admin difficulties and costs to do MIE checks, etc. in doing business, this impact might be lessened by a reference to directors, FAIS affected role players. Please see the response above at item 118.

120. Munich RE 8.5 (d) It is recommended that requirements of 8.5 (d) apply to service providers that are Financial Service Providers only. This requirement will pose challenges for services providers that are not Financial Service Providers since they are not required to be fit and proper due to the service being provided, it would be extremely onerous to require insurers/reinsurer to measure the outsourced Please see response above at item 118.

67 Item Commentator Paragraph of the Standard Comment Authorities’ Response service providers against the fit and proper requirements. Further where a Services Provider is a parent company in a foreign jurisdiction, local regulatory requirements will apply and reliance should be placed on same. 121. OUTsurance 8.5(d) Section 8.5(d) requires that the service provider’s key persons meet the fit and proper requirements set out in terms of GOI 4. It is our respectful submission that the term “key persons” and the fit and proper requirements relate to financial services entities. Should an outsourced service be provided by an entity which is not a financial services entity, since they are not required to be due to the service being provided, it would be extremely onerous to require insurers to measure these outsourced services providers against these standards. Please see response above at item 118. 122. SAIA 8.5 a) It is noted that there is an overlap/repetition of the requirements in section 8.5 and section 11.4 relating to an outsourcing arrangement of a material function. Therefore, it is suggested that these provisions are merged. b) Section 8.5(d) requires that the service provider’s key persons meet the fit and proper requirements set out in terms of GOI 4. The term “key persons” is proposed, and the fit and proper requirements relate to financial services entities. Should an outsourced service be provided by an entity which is not a financial services entity, since they are not required to be due to the service being provided, it Paragraph 8.5 prescribes governance and operational ability requirements that a service provider must have in place when the relationship is initiated and paragraph 11.4 refers to ongoing oversight and provides that an insurer regularly assess the adequacy and effectiveness of these requirements Please see Authorities response to ASISA above on section 8.5(d) and item 118 above. No guidelines will be provided.

would be extremely onerous to require insurers to measure these outsourced services providers against these standards. Clarity is requested on whether guidelines will be provided for determining key persons for outsourcing providers that are not within the financial services sector and, therefore, would not be subject to the same standards as insurers or insurance groups are when determining key persons.

123. SAIA 8.5(d) Clarification is requested on whether this requirement applies to only financial institutions as defined in the FSR Act, 2017. It seems impractical to apply this requirement to service providers who are not already required by law to comply with the Fit and Proper requirements. For example, a company providing specialist information technology services are not subject to these fitness and proprietary checks and balances. It is also impractical to have insurers conduct fitness and propriety checks on financial institutions as defined in the FSR Act, 2017 because these checks are already a regulatory requirement on the financial institution. Any similar checks come at a cost to the provider or insurer and potentially impact the outsourcing costs. We strongly recommend that insurers should instead place reliance on regulatory approvals. To be read with comments set out for paragraph 11.4(a).

See comments above at item 122

124. ASISA 8.6 Clarity is sought on what type of procurement arrangements are envisaged and how this would differ from conducting a due diligence.

In this context procurement is the process adopted when sourcing a service provider. Due diligence is an investigation or an assessment that is conducted by an insurer

If the Joint Standard only applies to outsourcing outside of the group of which the insurer is a part, which it is submitted should be the case, this requirement could be met but it is not possible for intra-group outsourcing save perhaps for cost comparisons with other providers. Intra-group transaction must be at arm’s length and follow the same dd principles.

before entering into an agreement or contract with a service provider. Sourcing a service provider is just one matter that an insurer can assess. The procurement processes envisaged in paragraph 8.6 is not akin to a due diligence process which it is submitted takes place after the fact i.e. once a service provider has been identified. The Authorities have not sought to prescribe these procurement processes as it is assumed that these processes would follow “arm’s length” commercial principles.

125. MMH 8.6 Will the insurer be required to provide its procurement processes and procedures relating to Outsourcing arrangements and will objectivity of such appointment and procedures be at the discretion of the board and/or a board delegated committee? In consideration of the procurement processes and procedures, will the insurer be required to also incorporate the Treating Suppliers Fairly Framework?

The process should be made readily available if requested by the Authorities. This requirement can be implemented by governance structures of the insurer whether it’s the Board or a Board delegated committee. TCF principles must be implemented at all stages in the business of the insurer. Including when implementing paragraph 8.6. The Authorities have not requested the insurer’s procurement processes and procedures, and this is consequently not a requirement as envisaged by section 8.6 of the draft Joint Standard.

126. Munich RE 8.6 This requirement will not apply in instances of inter-company outsourcing. An exemption should be expressly included. It is also unclear what the rationale is for this requirement as there are already other requirements which

This is the process that is executed when sourcing a service provider. The Joint Standard does prescribe requirements that must be met prior to appointing a service provider as well as certain considerations/ or

insurers must meet before appointing a service provider to provide a material function.

guidelines when deciding to appoint a service provider. Inter-company outsourcing should be conducted at arm’s length given that the outsourcing arrangement is concluded between two distinct legal entities. This requirement has been included to mitigate the possibility of conflict of interest in the establishment of the outsourcing relationship.

127. PSG 8.6 The purpose of this clause is unclear. Please clarify.

This is the process that is executed when sourcing a service provider. Please see the response to Munich re above.

128. SAIA 8.6 a) The rationale underpinning this requirement is unclear, considering other requirements that insurers must meet before appointing a service provider who will provide a material function. b) Clarity is sought as to the extent the procurement policy should be applied to the proposed material outsourcing. c) Clarity is sought as to how insurers will be expected to demonstrate this with regards to full binders which are deemed material.

This is the process that is executed when sourcing a service provider. Please see the response to above at item 126. If a procurement policy is in place, then such policy should incorporate the process of sourcing a service provider. Also please see the response to above at item 124. The Authorities have not prescribed procurement principles nor the application thereof as these remain within the purview of the insurer.

9. Notification of an outsourcing arrangement to the Authorities

129. ASISA 9.1 While dual reporting is not ideal it should not pose too much of a hindrance provided there is just one prescribed notification form to both Authorities i.e. there shouldn’t be different forms for notification under the

Comment noted. Please see Authorities comments to Aurora life on notifications at section 1.2.

Joint Standard. The supporting document submissions are often large attachments, and the Authorities will need to have measures in place to be able to accept large electronic files on a secure mailing platform.

130. Aurora 9.1 Will the dual notification need to be submitted to separate portals or will the authorities have access to a joint portal? Furthermore, in the event that same needs to be submitted to two portals will there be dual costs involved to assess this outsourcing arrangement?

The Authorities will in due course determine the manner, type of information and format of reporting.

131. BASA 9.1 For ease of use, concerning the notification to the Authorities, BASA recommends a single submission method using a joint email address for example. In addition, there is no draft notification form to the FSCA that accompanied this draft Joint Standard. Please clarify if the form used by the PA currently will be adopted for use under this Standard for dual notification purpose.

Comment noted. See comments above at item 130.

132. FIA 9.1 Which of the Authorities should be notified? Would this be both the FSCA and PA, and if so, how will the process be managed?

See comments above at item 130.

133. MMH 9.1 What is the stance on material outsourcing, where the one insurer cede/ assigns its responsibilities to another Insurer pursuant to applications in terms of section 50 and 51 of the Insurance Act? Will any of the Insurer’s be required to notify the PA.

Paragraph 11.5 provides for notification of “any material developments” and prescribes “as soon as reasonably possible in a manner, form and containing the information determined by the Authorities.” Yes. Insurance obligations have been transferred between insurers and the OSP will essentially perform the outsourced arrangement

for and on behalf of a new insurer. Novation Arrangements.

134. OUTsurance 9.1 We support a notification process to inform both Authorities. We however do urge the Authorities to ensure a single notification process via an electronic portal in a single form to avoid duplication. As set out in terms of the Memorandum of Understanding between the Authorities, the Authorities are committed to making an effort to minimise the duplication of effort and expense to perform their functions. This is an opportunity to collaborate and ensure a streamlined process.

Noted. Please see Authorities’ comments on notifications at items 7 and 130 above.

135. PSG Konsult 9.1 Which Authority must be notified? A notification does not require approval, but please see the comments in 8.3 above.

See comment above at item 130.

136. SAIA 9.1 a) A Joint Standard should be subject to a joint notification process by the Authorities. It is suggested that the requirement to notify Authorities is streamlined to form part of a joint process that caters for those mentioned above. b) Will the current Notification Form continue to be utilised by Insurers, or will the authorities issue a revised Joint Notification Form? It is proposed that a single form for notification and application be used. This could potentially create unnecessary delays with the processing/assessment of the outsourcing arrangement. c) It is suggested that Section 4 of the Memorandum of Understanding entitled Information sharing

See comment above at item 130.

between the PA and FSCA be relied upon iro this requirement. The insurer should not be required to notify both the PA and FSCA for the same activity/ function. Alternatively, it is suggested that the reporting portals used by the authorities be synchronized so that one submission will be pushed/ submitted to both authorities. This is further enhanced in Annexure 10: Minimizing the duplication of effort and expense, which refers to establishing the ICT governance committee to serve as oversight for the implementation and operation of agreed shared technology platforms. d) The dual reporting could potentially create unnecessary delays with the processing/assessment of the outsourcing arrangement. We suggest that Section 4 of the MOU entitled Information sharing between the PA and FSCA be relied upon iro this requirement. The insurer should not be required to notify both the PA and FSCA.

137. FIA 9.2 Will a template or schedule of requirements be provided by the Authorities for this notification?

See comments above at item 130.

138. Aurora 9.2 Kindly clarify whether this confirmation must be drawn up by an independent external party or whether the board can provide this confirmation?

This must be decided upon by the insurer in terms of its respective governance structures viz. the Board or any Board subcommittee that will be responsible for the outsourcing arrangement. The Authorities are of the view that the confirmation referred to in section 9.2 may be

discharged by the head of the appropriate control function.

139. OUTsurance 9.2(c) For clarity, we suggest that section 9(2)(c) should read as follows: “(c) the proposed remuneration payable for the outsourcing arrangement or if not determined on entering into the contract, the basis on which the remuneration or consideration payable will be calculated” We recommend this, since the actual amount is not always available at time of notification in which case the basis on which remuneration is payable should suffice.

Comments noted, see amendments made to the Joint Standard. Authorities to consider this approach. Whilst the approach affords a degree of greater flexibility in the remuneration calculation. The calculation methodology should be clear.

140. PSG Konsult 9.2(c) What is the basis for this information? Would a formula for remuneration suffice?

See comments below at item 141. See comment above.

141. SAIA 9.2 a) The submission of such notification detailing the proposed remuneration payable for the outsourcing arrangement to the Authorities is unclear. What are the Authorities intended outcomes after receiving such information? b) If Section 6.7 (a) requirement is reasonable and commensurate with the function or activity outsourced, would this not be a business decision? c) Will guidelines be provided for the payment of remuneration that the Authorities may deem to be

See comments above at item 139. See paragraph 6.7 of the Joint Standard that prescribes the requirements in respect of remuneration. It enables the Authorities to determine if insurers are compliant with remuneration paid in respect of outsourcing arrangements in accordance with those pre-requisites stipulated in paragraph 6.7. Avoid a situation where profit is transferred intra group i.e. skewed remuneration.

reasonable and commensurate with the actual function or activity outsourced? d) For clarity, we suggest that section 9(2)(c) should read as follows: “(c) the proposed remuneration payable for the outsourcing arrangement or if not determined on entering into the contract, the basis on which the remuneration or consideration payable will be calculated”. We recommend this since the actual amount is not always available at the time of notification. The basis on which remuneration is payable should suffice.

Yes, but the insurer must be able to show proof that it is. Remuneration must be reasonable and at arm’s length to the counterparty. The Authorities are not intending to publish guidelines on what constitutes reasonable and commensurate remuneration at this stage. See amendments made to the Joint Standard

10. Contractual requirements

142. 10.1(k) There should be strict provisions that reference either the domestic Protection of Personal Information Act or international data protection standards such as, General Data Protection Regulation (GDPR).

It should be noted that the Joint Standard applies to all insurers, including microinsurers licenced under the Insurance Act and applies in addition to any other relevant laws including POPIA. Authorities to consider referencing relevant privacy laws in this section.

11. Management and review of outsourcing arrangements

143. PSG Konsult 11.1 – 11.6 It would seem that some of the requirements are only applicable to outsourcing arrangements for material functions. It is again suggested that the distinction between the four different types of arrangements is made and the requirements for each is set under that heading.

The Joint Standard provides considerations relating to materiality and sets out requirements for the outsourcing of material functions. Please see Authorities response to PSG at 4.1 above on the distinction between core and non-core functions replicated below.

The complexity of outsourcing arrangements also has the potential to exacerbate risk, and impact on the ability of a regulated financial institution to manage and monitor its own compliance with regulatory requirements. This is not necessarily restricted to core or non-core material functions or activities performed by the insurer. Core and non-core material functions are irrelevant descriptors in this context. What is relevant is the risk that is introduced by the outsourcing arrangement and the materiality of the risk as assessed in terms of section 8 to the outsourcing standard.

144. SAIA 11.1-11.6 Section 11.1 to 11.6 specifically refer to material functions. However, it appears that this clause applies to all outsourcing arrangements; considering the requirement suggests board reporting, we recommended for this to also only apply to material outsourcing arrangements, alternatively only to potentially material adverse consequences and not all potentially adverse consequences. As a Joint Standard are for both the PA and the FSCA, the period of one week for notification of termination is inconsistent with the requirements of Regulation 6.6 which requires a 60-day notification of termination to the FSCA

The Authorities are cognisant of the fact that an insurer may have multiple outsourcing arrangements in place, however the Authorities are specifically referring to outsourcing arrangements that the insurer has deemed material in terms of the materiality criteria as specified in section 8 of the Joint Standard.

145. SAIA 11.3 An annual/regular attestation from the Board/management that it has passed the metrics test suffice? Would this suffice, or would the Authorities require a deep dive into these contingency plans as this would be very onerous?

Paragraph 11.3 provides that “an insurer must develop and maintain appropriate contingency plans…” If annual/regularly attestation is deemed regularly by the insurer, then this will suffice.

How far must the insurer go in terms of assessing the OSP’s contingency plans put in place? If extensive, the skill set of resources required to do this will need to be appropriate to perform this function.

The Authorities envisage that these contingency plans for outsource arrangements will be encapsulated by the broader Business Continuity Plans of the Insurer.

Paragraph 11.3 provides that “an insurer must develop and maintain appropriate contingency plans…” If this proposal is deemed appropriate, then this will suffice. See comment above regarding assurance from the OSP on contingency plans. The due diligence exercise that an insurer conducts in the appointment of a service provider should in theory assess the business continuity plans of the OSP in order to satisfy itself that a contingency plan is adequate in the event of the service provider being unable to perform the outsourced service.

146. PSG Konsult 11.4 This requirement is extremely onerous and in certain cases rather impossible. More clarity will need to be provided on the requirements of regular service provider assessments. Where outsourcing is done to another FSP, to what level can we depend on the information provided by the Authorities? Can we e.g. assume an acceptable credit risk of another insurer if they are licensed?

Comment noted. What entails “regularly” is at the discretion of the insurer. The Standard makes provision for requirements for an insurer to regularly assess the service provider’s nature of business to manage any risks associated with material outsourcing arrangements. Whatever risks that an insurer accept, such must not impair the ability of the insurer to manage this risk. In so doing an insurer is in addition obliged to meet its legal and regulatory obligations which will not be detrimental to the fair treatment of policyholders.

Disagree. The assessment of the service provider in an outsourcing arrangement should be part and parcel of risk reviews in terms of the ERM framework of the insurer. The Authorities expect insurers to review material outsourcing arrangements given the inherent risks of such arrangements to the insurer. The insurer should seek independent assurance in the case of an FSP (as service provider) and without reliance on the Authorities.

147. SAIA 11.4(a) a) Authorities to clarify whether an annual attestation and testing report for assessing a service provider’s contingency plans will suffice? b) In the case of financial institutions, the fitness and proprietary checks are conducted by the regulator during the licensing and supervisory processes. For an Insurer to conduct further checks can be perceived as a form of over-regulation and, arguably, a duplication of efforts. Additional practical considerations are the increased costs on insurers for additional checks and time allocated to processing the necessary documents. Further, the nature of the fit and proper checks are sensitive (police checks, credit checks, CVs). The unnecessary sharing or transfer of information increases the data protection risk exposure for Insurers and service providers. With that said, please elaborate on the purpose and intention behind these checks. c) Notwithstanding the above, if it is still deemed appropriate, fit and proper controls are necessary in this Joint Standard. We submit that fitness and proprietary controls should only apply to financial

Paragraph 11.3 provides that “an insurer must develop and maintain appropriate contingency plans…” If this annual attestation and testing report is deemed to be “a regular assessment” by the insurer, then this will suffice. In some circumstances an annual attestation may not be adequate. In such circumstances it can supplement the process, but the insurer must conduct regular checks depending on the outsourcing risk presented by the third party. The Authorities have not specified the manner in which an insurer must assess the requirements of this provision. The insurer maintains a discretion as to how it will satisfy itself through objective assessment criteria of the requirements of this subsection. This approach is conducive to a principles-based application of the Joint Standard. Comments noted.

institutions on the premise that not all companies are subject to the fit and proper checks as set out GOI 4. An example: a company providing specialist information technology services are not subject to GOI 4 fitness and proprietary checks and balances and would not be reasonable to conduct effective or meaningful checks on such a service provider. d) Guidance is sought on whether there is an implication on the fit and proper checks in terms of the FAIS Act is also applicable when applying this section

The regular assessment of the service provider in terms of fit and proper standards assists the insurer to gauge whether the material function or activity is soundly and prudently managed, directed and that none of its key persons could be a source of weakness. Agree the standard should be amended to reflect that the fitness and propriety assessment is in relation to the heads of control functions and senior management and does not extend to the management of the service provider performing the functions or activities as described in the comments. As part of the DD for the service providers the insurer should satisfy itself of key person within the service provider other than senior managers and heads of control. Clarity sought from FSCA. Comment noted. Regularly implies that these assessments should continue where an insurer would be able to take into account the service providers conduct of the business and compliance with all applicable laws. Noted. Please see comment above. Authorities to clarify positioning in respect of the service provider relative to GOI 4. Paragraph 11.4(a) does not make reference to fit and proper checks in accordance with the Financial Advisory and Intermediary Services

Act, 37 of 2002. Insurer is still accountable for fit and proper assessment.

148. ASISA 11.5 The change of the notification period to "reasonably possible" as compared to the current "immediately" which is not always possible, is welcomed to ensure a practical application of the notice.

Comment noted.

149. MMH 11.5 What is the criteria to be used by the PA to determine if the notification was done as “soon as reasonably possible”? Will the Insurer be required to advance reasons for notifying the PA of such material changes (i.e. 3 months after the effective date of the changes)?

“Soon” implies in or after a short time and reasonably implies acceptable or fair as in this context. If the insurer deems that 3 months is a short time and fair to notify the Authorities of this material change, then this should suffice. Please refer to section 9.1 that references a notification period of 30 days for proposed outsourcing arrangements only. Authorities to consider amending section 9.1 to include material developments and thus synchronise the time periods in 11.5. Authorities to confirm whether the termination period should remain at one week or should be synchronise with a 30-day period. Authorities to consider removing as soon as is reasonably possible.

150. Export Credit Insurance Corporation 11.5 ECIC is a State-Owned entity which requires them to follow and comply to the National Procurement rules and regulations, in cases where we for some reason need to cancel and replace an outsourced control function, i.e. Internal Audit. We may find ourselves being non-compliant for a couple of months considering the process, time and period it takes and requires to be

Comment noted. In instances of such processes at ECIC, ECIC should thus advise the Authorities of future non-compliance with this provision.

complied with for the tender bidding process to be completed.

151. ASISA 11.5 and 11.6 The requirement in 11.6 requiring a further notification within a week of termination and the reasons for termination is problematic. 11.5 already requires reasons for the termination. We therefore propose that 11.6 is removed or reworded to avoid duplication.

Comment noted. It should be noted pending termination is provided for as a material development in paragraph 11.5. The process (the time period, manner and the reasons) of notifying the Authorities of the termination is provided for in paragraph 11.6. The Authorities require notification with relative immediacy given the material nature of the outsourcing arrangement and the potential impact to the insurer on termination.

152. FIA 11.5 Will a template or schedule of requirements be provided by the Authorities for this notification?

See comments above at item 130. As stated, the manner, form and information determined by the Authorities will be provided. The respective section states that the Authorities will determine the manner, form and information to be contained in the notification. On this basis further information will be provided by the Authorities through the appropriate regulatory instrument once the Joint Standard has been finalised.

153. MMH 11.5 The term material development is too broad and subjective as there is no proposed criteria to assess materiality in this context, which will lead to inconsistent application among industry players. To reduce the admin burden on the industry, the Authority should rather define the specific events or risk events that it is concerned with in this provision. For example should

Comment noted. Note that the Authorities have illustrated what material developments could entail by illustrating pending termination, material non-performance and the like.

the Authority be notified for material developments that are in favour of the policyholder? or just material developments that may prejudice the policyholder?

It should be noted that the Standard refers to “any material development.” Which could be in favour or prejudice any impacted person/entity be it the policyholder, the business of the insurer, the insurer, the service provider, any process or procedure relating to an outsourcing arrangement for a material function. Material developments in this context refers to developments that may have the potential to affect the integrity of the outsourcing arrangement to a material function and as such change the risk profile of the insurer. Examples include change of name, change of ownership, change of functions offered, material developments that may prejudice policyholders, change of remuneration structures.

154. SAIA 11.5 The change of the notification period to "reasonably possible" compared to the current "immediately", which is not always possible, is welcomed to ensure a practical application of the notice. There is duplication in 11.5 and 11.6, requiring the Insurer to notify the regulator of pending terminations (ambiguous) and then again when terminated. This is not practical or reasonable, and the current process of notifying once of a termination to the PA is the preferred way to go.

Comments noted. It should be noted pending termination is provided for as a material development in paragraph 11.5. The process (the time period, manner and the reasons) of notifying the Authorities of the termination is provided for in paragraph 11.6. See comment above on amalgamation of the respective clauses.

155. FIA 11.6 Will a template or schedule of requirements be provided by the Authorities for this notification?

The respective paragraph states that the Authorities will determine the manner, form and information to be contained in the notification. On this basis further information will be provided by

the Authorities through the appropriate regulatory instrument.

156. ASISA 11.6 If 11.6 is required it is requested that the Authorities change this notice period to 30 days after termination date. The reason for this is that termination discussions take place over a period of time, and once a decision is made to terminate, the actual agreement to terminate is back-dated. An insurer then notifies the regulator within one week of the decision to terminate, but the regulator then asks questions about the one week termination period which doesn’t line up with the contractual termination date. We submit that changing the notification period to 30 days does not introduce a material supervisory risk, especially when taking the additional management requirements introduced by this Joint Standard into consideration and the requirement in 11.5.

Comment noted. See comments at item 151.

157. Munich RE 11.6 The one week period should be extended to “30 days or as soon as reasonably possible” as agreements have different termination periods and reasons for termination.

See comment above.

158. SAIA 11.6 -11.8 a) It is proposed that it is not practical to submit this notification within one week considering the amount of information required and the new requirement to obtain approval. It also does not address the services that still need to be delivered due to the run-off scenario. b) It is noted that the notification to the Board could add additional delays to the termination period. We suggest that the Board be informed only where the insurer terminates the outsourcing arrangement. And this activity is delegated to the

Please see comments above on the 30-day notification within the termination event and item 151. Authority for the approval can be decided upon by the insurer in terms of its respective governance structures viz. the Board or any Board subcommittee that will be responsible for the outsourcing arrangement.

correct senior management area of the insurer. Approval of termination of an outsourcing arrangement is best placed with day-to-day management. In light of the frequency at which the board sits and the separation of roles and responsibilities of the management of an insurer (as compared to the Board), it is reasonable that this approval remains with the committee responsible for the operational management as the management committee. (also refer to 5.2 above) Guidance is sought on whether the authority for the approval can be sub-delegated. It is recommended that the following extract is deleted from paragraph 11.7: "where a potentially adverse consequence or risk has been identified". Structurally this reads better as the proposed termination must be reported to the Board in any event.

Disagree. The board is ultimately responsible for the outsourcing arrangement. Delegation arrangement between the board and senior management remain with the preserve of the Turquand Rule (the rule of internal management). Agree, see amendments made to the Joint Standard. When terminating an outsourcing arrangement, an insurer must assess the potential impact, consequences and risks of the proposed termination to policyholders and the insurer’s business, and report to the board of directors to ensure that potential adverse consequences and risks that have been identified are managed accordingly, and that none of the risks might not have been addressed.

159. OUTsurance 11.7 Section 11.1 to 11.6 specifically refer to material functions however, it appears that this clause is applicable to all outsourcing arrangements, considering the requirement suggests board reporting we recommended for this to also only apply to material outsourcing arrangements, alternatively only to potentially material adverse consequences and not all potentially adverse consequences.

Agree, see amendments made to the Joint Standard. Any potential adverse consequences are inherently material.

160. ASISA 11.8(c) The requirement to approve a termination of an outsourcing arrangement for a material function, is a function of senior management of an insurer and not

Agree, see amendments made to the Joint Standard.

85 Item Commentator Paragraph of the Standard Comment Authorities’ Response the board of directors. The Authorities are requested to reconsider this requirement. In terms of the required board approved outsourcing policy, the board mandates / delegates approvals to a suitable management committee overseeing the arrangement. We request that the paragraph be reworded to read: “(c) include proof that the insurer approved the termination;”. If the Authorities are of the view that it should remain, it is proposed that this function should be delegated to a Management Committee. It will be overly burdensome and cause delays for a board to approve terminations as boards generally meet on a quarterly basis. Swift and expedient action may be necessary. 161. MMH 11.8(c) Will the Board be able to delegate this operational task to a committee? In the case of insurance groups this might be too bureaucratic and lead to reduced decision-making speeds, which might at times prejudice policyholders where termination need to be done urgently to protect policyholders or insurance business. This could be a decision for “senior management” See comments above at item 160. 162. SAIA 11.8(c) It is suggested that the requirement to have a board approve an OSP termination is not practical. It would make the board more operational, and a board only convenes quarterly so the insurer could be stuck with the OSP for at least three months. The Board should See comments above at item 160.

86 Item Commentator Paragraph of the Standard Comment Authorities’ Response not be notified of the termination as the board can delegate this responsibility to the management team. 163. BASA 11.8(a),(b) and (c) In reference specifically to s11.8(c) – BASA recommends that terminations be managed by senior management (as defined) and not the board, as company boards may only convene on a quarterly basis. Comment noted. Please see comment above at item 160. 164. ASISA 11.8 (e) Outstanding fees and how such fees will be paid are part of the contractual issues between an insurer and a service provider and it is not understood why it is necessary to notify the Authorities about these. Please could the Authorities explain the purpose for requiring this information. These considerations should be disclosed by an insurer so that the Authorities can determine that when a material outsourcing arrangement is terminated, risks to policyholders should be mitigated and that they are not negatively impacted. Implications for policyholders where fees are outstanding should be taken into account. Double dipping where policyholder may end up paying twice should be prevented. 165. Munich RE 11.8 We seek clarity on the reason for “proof that the board of directors approved the termination”. Obtaining board approvals would delay the termination as generally boards only convene annually, biannually or quarterly. Approval of termination of an outsourcing arrangement is best placed with day-to-day management. See comments above at item 160. 166. OUTsurance 11.8 It is our submission that the decision of terminating outsourced arrangements is within the realm of executive management due to it being a Management activity which the Board should not be involved in. When a material outsourcing arrangement is entered into no Board approval is required, which is in line with the functions of the Board and executive management in terms of good governance. 
We are therefore of the See comments above at item 160.

87 Item Commentator Paragraph of the Standard Comment Authorities’ Response view that Board approval at termination should also not be required, since it would hinder management to act swiftly and take appropriate management actions when required. Furthermore, this requirement does not specify that it is only applicable to material outsourcing arrangements. In line with the comments above we would recommend for this to only apply to material outsourcing arrangements. It is further highly unlikely that the required proof to submit such notification will be readily available within one week and we further recommend that this period be extended to accommodate time to gather all supporting information to at least a period of a month. 167. SAIA 11.8 a) Outstanding fees and how such fees will be paid are part of the contractual issues between an insurer and a service provider. Please could the Authorities explain the purpose for requiring this information? b) The wording of this section refers to instances where it is identified that the termination may result in a potentially adverse consequence or risk for the insurer. Will it be safe to imply that requirement 11.8 (c) will only apply in those instances, should the requirement for Board review/approval of termination be maintained? It has been our experience that where fees are outstanding and communication breaks down between the parties, it can result in negative outcomes for policyholders, such as servicing issues and claims delays. These considerations should be disclosed by an insurer so that the Authorities can determine that when a material outsourcing arrangement is terminated, risks to policyholders should be mitigated and that they are not negatively impacted. This point provides that the notification of the termination “must include proof that the board of directors approved the termination.” Disagree. Any termination requires Board approval. 12. Short title 13. Amendment of other regulatory instruments

Item 168 | Commentator: ASISA | Paragraph of the Standard: All terms defined in Attachment 1
Comment: Consider replacing “other person” with “service provider” or “contracting party”
Authorities’ Response: Recommendation noted.

Item 169 | Commentator: BASA | Paragraph of the Standard: 13
Comment: Clarity is sought on when GOI 5 will be repealed – will it be on the commencement date or on the effective date of this joint standard? A definition, or specific wording in respect of effective and commencement date would be beneficial.
Authorities’ Response: As provided for in the Joint Standard on Point 13 “This Joint Standard repeals Prudential Standard GOI 5: Outsourcing by Insurers and amends the regulatory instruments referred to in Annexure 2 below to the extent provided in the Attachment.”

Item 170 | Commentator: ASISA | Paragraph of the Standard: Attachment 1 Concentration or systemic risk
Comment: This comment is a minority view from members: According to the IAIS, concentration risk is defined as "The risk of adverse changes in the value of capital resources due to the lack of diversification in the risk exposures." The risk being articulated lends itself more towards avoiding vendor lock-in. Perhaps that is what may need to be defined instead. The use of the term person alters the definition and, in this context, unintentionally amounts to "key man risk" and not concentration or systemic risk. Consider suggestion to replace the term as per above.
Authorities’ Response: Comments noted. Noted. The IAIS definition takes a generic approach to concentration or systemic risk. The applicable definition in this Joint Standard is aligned to a single service provider as counterparty in multiple outsourcing arrangements. Person relates to a juristic person as well. This is not a case of vendor lock-in as these arrangements can be terminated, but rather the ability and capacity of the service provider to perform its obligations in terms of the outsourcing agreement.

Item 171 | Commentator: ASISA | Paragraph of the Standard: Attachment 1 Reputation Risk
Comment: This comment is a minority view from members: An alternate definition, as per IAIS, is proposed: "The risk of potential negative publicity regarding an insurer’s business practices will cause a decline in the customer base or brand value, costly litigation, or revenue reductions".
Authorities’ Response: Comments noted.

Item 172 | Commentator: ASISA | Paragraph of the Standard: Attachment 2
Comment: Drafting comments: As the intention is for insurers to report to both the PA and the FSCA consider deleting the reference to Prudential Authority and replacing it with the Authority in the following:
  • GOB 8.2-8.4,
  • GOG, 8.2;
  • GOL, 8.2-8.4;
  • GOI 1 8.2-8.4.
Add definition of Authority therein. Delete material business activities, wherever it occurs in Prudential Standards under the Outsourcing provisions and replace it with Material Function as defined in the Joint Standard. For example
  • GOB 8.5
  • GOL 8.5
Authorities’ Response: Comments noted. Noted. Amendments made. Noted.

2. GENERAL COMMENTS

Item 173 | Commentator: Aurora | Paragraph of the Standard: General
Comment: What is the expected turnaround time for an insurer to receive feedback from the Authorities in respect of the notification of an outsourcing arrangement?
Authorities’ Response: The Authorities will provide further feedback on turnaround times once the reporting protocols have been finalised.

Item 174 | Commentator: Munich RE | Paragraph of the Standard: General
Comment: Section 4.6 of GOI 5 has not been carried through into this Joint Standard. Confirmation of our understanding is that the removal of this provision implies that the current/existing outsourcing arrangements which were regarded as material will now not need to comply with the Joint Standard. It is suggested that an exemption be provided for outsourcing arrangements with insurer’s/reinsurer’s controlling company and subsidiaries.
Authorities’ Response: Paragraph 1.1 provides that “any outsourcing arrangement entered into prior to the effective date of this Joint Standard must comply with this Joint Standard within one year from the effective date.” The Standard thus clarifies that any arrangement for a service/activity done by an insurer’s controlling company, its subsidiaries, or a related or inter-related party is an outsourcing arrangement. The governance arrangements should ensure that the decisions of the affiliated entities do not impair the ability of the insurer to manage its risk, meet its legal and regulatory obligations and are not detrimental to the fair treatment of policyholders.

Item 175 | Commentator: ASISA | Paragraph of the Standard: General – intra-group outsourcing
Comment: We note that paragraph 4.6 of GOI 5 has not been included in the Joint Standard. Confirmation is requested that the Joint Standard does not apply to intra-group outsourcing arrangements. This approach is supported as there is already a robust governance framework in place and if they are not an insurer they are still regulated entities by the Authorities.
Authorities’ Response: The Standard thus clarifies that any arrangement for a service/activity done by an insurer’s controlling company, its subsidiaries, or a related or inter-related party is an outsourcing arrangement. The governance arrangements should ensure that the decisions of the affiliated entities do not impair the ability of the insurer to manage its risk, meet its legal and regulatory obligations and are not detrimental to the fair treatment of policyholders.

Item 176 | Commentator: OUTsurance | Paragraph of the Standard: Section omitted from the new Standard (Section 4.9 in Old Standard)
Comment: GOI 5 provides for a general section stating the following: “With the exception of section 5 below, the remainder of this Standard applies to the outsourcing of a material business activity as defined by this Standard (see section 6 below) only.” The implication of the proposed change is that the proposed standard is made applicable to all outsourcing activities unless specified otherwise in a particular section. The current standard makes certain provisions only applicable to the outsourcing of a material function. In the proposed Joint Standard in most instances of the proposed Draft Standard, materiality has been indicated, however on some sections such as 11.7 and 11.8 this has been excluded where we deem it to be appropriate to only apply to material outsourced activities or functions. We therefore kindly request the Authorities to ensure that the Joint Standard makes it clear in all instances which requirements are applicable to all outsourcing arrangements and which requirements are only applicable to material outsourcing arrangements. Based on our interpretation of the statement of need document it is the intention of the Joint Standard to only apply to material functions, we are however of the view that the current proposed Joint Standard does not align to the statement of need.
Authorities’ Response: Noted. See comments on the application of the Joint Standard above.

Item 178 | Commentator: ASISA | Paragraph of the Standard: General – GOI 5 item 4.1
Comment: GOI 5 item 4.1 clarified that outsourcing principles only apply where the entity contracts with a service provider for a service that would normally be performed by the entity itself. This clarification is not present in the Joint Standard, and creates the perception that outsourcing principles also apply where the entity contracts with a service provider for a service that the entity would never be able to perform itself (due to the nature of the activity requiring that it be performed by an independent party – e.g. trustee or custodian). Is this the intention? Please clarify.
Authorities’ Response: Disagree. The Joint Standard applies to all outsourcing arrangements. Refer to the definition of “material function” which means “a function or activity relating to an insurer’s business that has the potential to have a significant impact on the insurer’s business operations or the ability to manage risks effectively, should it be disrupted.” In accordance with the definition of material function, an insurer must ensure that the function or activity of a trustee or custodian meets this definition.

Item 179 | Commentator: ASISA | Paragraph of the Standard: General – Premium collection
Comment: The Authorities have indicated that the intention is that the Regulations under the Long-Term Insurance Act are going to be changed fairly soon and that as part of RDR developments, premium collections will no longer be an intermediary service but an outsourced service. ASISA members will need to consider possible impacts of these changes once they are published as it is likely that some time will be needed if some of these arrangements need to comply with the Joint Standard.
Authorities’ Response: Comments noted.

Item 180 | Commentator: BASA | Paragraph of the Standard: General FIC PCC 12A
Comment: BASA notes that the FIC has previously issued a Public Compliance Communication 12A, dealing with “Guidance on outsourcing of compliance activities to third-party service providers”, which specifically speaks to the outsourcing of FIC Act related functions. Clarity is sought on whether this will also be covered by the new Standard or if it is only related to business functions? BASA recommends that this Standard ensure there is alignment with the FIC’s guidance and interpretation as evidenced in the PCC (where applicable).
Authorities’ Response: Comment noted. The commentator should note that Public Compliance Communication 12A PCC applies to the interpretation and application of the Financial Intelligence Centre Act requirements and does not apply to the interpretation of other regulatory requirements like this Joint Standard issued by other regulatory or supervisory bodies. In addition PCC does not define outsourcing, material function etc for purposes of application of other requirements issued by the above-mentioned bodies.

Item 181 | Commentator: OUTsurance | Paragraph of the Standard: General Various sections
Comment: The term service provider appears in various sections of the document. We kindly request that the word “outsourced” be added in conjunction with the word service provider to read, “outsourced service provider” throughout the document. Insurers make use of other service providers as well and would therefore like to ensure that there is no ambiguity.
Authorities’ Response: Comment noted. See comments above regarding service providers.

Item 182 | Commentator: SAIA | Paragraph of the Standard: General
Comment: The Credit Risk definition refers to the risk of a financial loss if a counterparty to a derivatives transaction does not fulfil its financial obligations on time. This definition may be too broad and may not be more aligned with insurance activities.
Authorities’ Response: Comment noted.

Item 183 | Commentator: SAIA | Paragraph of the Standard: General 4.6 GOI 5
Comment: We noted that this provision was removed. We request confirmation of our understanding that this removal implies that the current/ existing relationships which were regarded as material will now need to be terminated/ cancelled. It is suggested that the Authorities provide a blanket exemption for outsourcing by the insurers’ controlling company, subsidiary, etc.
Authorities’ Response: Comment noted. Paragraph 1.1 provides that “any outsourcing arrangement entered into prior to the effective date of this Joint Standard must comply with this Joint Standard within one year from the effective date.” The Standard clarifies that any arrangement for a service/activity done by an insurer’s controlling company, its subsidiaries, or a related or inter-related party is an outsourcing arrangement. The governance arrangements should ensure that the decisions of the affiliated entities do not impair the ability of the insurer to manage its risk, meet its legal and regulatory obligations and are not detrimental to the fair treatment of policyholders.

Item 184 | Commentator: SAIA | Paragraph of the Standard: General
Comment: Authorities are requested to provide guidance on the intention and what they are trying to achieve. This Proposed Standard is widening the scope of what would be deemed material outsourcing and will create a significant amount of arbitrage, impacting governance, monitoring, and oversight. Insurers should be permitted to make risk-based decisions based on their respective businesses' nature, scale, and complexity. This seems to propose a one size fits all approach which is not acceptable.
Authorities’ Response: The objective is to harmonise outsourcing requirements for the insurance sector and to enhance oversight by the Authorities. Please see the comments above for extending scope of GOI 5. Principle based approach.

Item 185 | Commentator: SAIA | Paragraph of the Standard: General
Comment: Overall, we welcome the enhancements in respect of ongoing –
  • due diligence
  • maintenance
  • responsibility and accountability of the insurer when outsourcing activities.
Authorities’ Response: Comment noted.

Item 186 | Commentator: SAIA | Paragraph of the Standard: General Material outsourcing arrangements with an entity within the same group of companies
Comment: It is not specified what the requirements would be for ‘insourcing’ arrangements. It would be onerous to apply the requirements exactly where services are provided by an entity within the same group of companies as the insurer.
Authorities’ Response: The Standard clarifies that any arrangement for a service/activity done by an insurer’s controlling company, its subsidiaries, or a related or inter-related party is an outsourcing arrangement. The governance arrangements should ensure that the decisions of the affiliated entities do not impair the ability of the insurer to manage its risk, meet its legal and regulatory obligations and are not detrimental to the fair treatment of policyholders. Applies equally to intra-group arrangements i.e. apply arms-length principle.

Item 187 | Commentator: SAIA | Paragraph of the Standard: General Material outsourcing arrangements with an entity outside South Africa (‘offshoring’)
Comment: It is not specified whether there are specific requirements for offshoring or whether offshoring arrangements would be treated the same as local arrangements.
Authorities’ Response: The Standard clarifies that any arrangement for a service/activity done by an insurer’s controlling company, its subsidiaries, or a related or inter-related party is an outsourcing arrangement. The governance arrangements should ensure that the decisions of the affiliated entities do not impair the ability of the insurer to manage its risk, meet its legal and regulatory obligations and are not detrimental to the fair treatment of policyholders. Theoretically there should be no distinction for outsourcing arrangements that are offshored. The Authorities have not made specific provision for offshoring and such outsourcing arrangements should be treated the same as local arrangements.

Item 188 | Commentator: SAIA | Paragraph of the Standard: General Definition of “material function” vs other concepts used in the Standard
Comment: Please see word highlight in bold as an example of where “function” and “activity” is used rather than “material function”: “11.8 Notwithstanding section 11.6, the notification referred to in section 11.6 must also – (a) explain how the function or activity will be performed following termination of the outsourcing arrangement;”
Authorities’ Response: Comment noted.

Item 189 | Commentator: SAIA | Paragraph of the Standard: General
Comment: The regulator should be mindful of being rule-based as opposed to a principle-based approach. The legislation is prescriptive to the extent that rules are imposed as opposed to setting out a principle-based framework. The latter supports a risk-based approach which is up to the insurer to identify and manage risks appropriately.
Authorities’ Response: Comment noted. Disagree. The Joint Standard follows the philosophy of a principles-based approach to the regulation of outsourcing arrangements.

Item 190 | Commentator: SAIA | Paragraph of the Standard: General
Comment: In the ordinary course of business, the cost of compliance is passed onto the policyholder. If the cost is too high and not maintained, then the impediment is that the cost of the insurance product increases with a resultant barrier of access to financial services. The interests of the insured and insurer must be balanced equitably with the objectives of the fair treatment and protection of financial customers and financial inclusion.
Authorities’ Response: Comment noted. The Authorities are cognisant of this fact and the impact on policyholders. To this end the Authorities have reconsidered the inherent risks of outsourcing from a conduct perspective and have balanced this risk against considerations related to the costs of compliance.

Item 191 | Commentator: SAIA | Paragraph of the Standard: General Section omitted from the new Standard (Section 4.9 in Old Standard)
Comment: GOI 5 provides for a general section stating the following: “With the exception of section 5 below, the remainder of this Standard applies to the outsourcing of a material business activity as defined by this Standard (see section 6 below) only.” The proposed change implies that the proposed standard applies to all outsourcing activities unless specified otherwise in a particular section. The current standard makes specific provisions only apply to the outsourcing of a material function. In most instances of the proposed Draft Standard, materiality has been indicated in the proposed Joint Standard. However, on some sections such as 11.7 and 11.8, this has been excluded where we deem it appropriate to only apply to material outsourced activities or functions. Therefore, we kindly request the Authorities to ensure that the Joint Standard clarifies in all instances which requirements apply to all outsourcing arrangements and which requirements are only applicable to material outsourcing arrangements. Based on our interpretation of the statement of need document, the Joint Standard intends to only apply to material functions. However, the view is that the current proposed Joint Standard does not align with the need statement.
Authorities’ Response: Comment noted. The comment is not understood. The Joint Standard is a direct expression of the principles enshrined in the statement of need.

Item 192 | Commentator: SAIA | Paragraph of the Standard: General Various sections
Comment: The term service provider appears in various sections of the document. We kindly request that the word “outsourced” be added in conjunction with the word service provider to read, “outsourced service provider” throughout the document. Insurers use other service providers as well and would therefore like to ensure that there is no ambiguity.
Authorities’ Response: Comment noted. See Authorities’ response to PSG on the definition of “service provider”

Item 193 | Commentator: Standard Insurance Limited | Paragraph of the Standard: Credit Risk Definition
Comment: The Credit Risk definition refers to the risk that a financial loss will be incurred if a counterparty to a derivatives transaction does not fulfil its financial obligations in a timely manner. This definition may be too narrow and may not be completely aligned with insurance activities. Proposed definition: Credit Risk is incurred whenever an entity is exposed to loss if a counterparty fails to perform its contractual obligations including failure to perform them in a timely manner. This proposed definition is broad enough that it covers insurance, banking or other credit arrangements.
Authorities’ Response: Comment noted. Agreed. Amendment effected.