2020-07-08

Instruction No. 2020-I-09 of July 8, 2020 amending Instruction No. 2019-I-06 regarding prior information to the ACPR in case of outsourcing of important or critical activities or functions

The French Prudential Supervision and Resolution Authority (ACPR) issued Instruction No. 2020-I-09 to amend the notification requirements for the outsourcing of important or critical activities. This regulation mandates the use of a standardized form for entities to report outsourcing decisions, including cloud services and intra-group arrangements, to the regulator. The updated instructions entered into application on January 1, 2021, ensuring compliance with EIOPA guidelines on cloud outsourcing.


France

Autorite de Controle Prudentiel et de Resolution


PRUDENTIAL SUPERVISION AND RESOLUTION AUTHORITY

Instruction No. 2020-I-09 amending Instruction No. 2019-I-06 of March 15, 2019 regarding prior information to the ACPR in case of outsourcing of important or critical activities or functions and significant changes thereto

The Prudential Supervision and Resolution Authority,

Having regard to the Monetary and Financial Code, particularly Articles L. 612-2 and L. 612-24;

Having regard to the guidelines of the European Insurance and Occupational Pensions Authority (EIOPA) on outsourcing to cloud service providers (EIOPA-BoS-20-002);

Having regard to Instruction No. 2019-I-06 regarding prior information to the ACPR in case of outsourcing of important or critical activities or functions and significant changes thereto;

Having regard to the opinion of the Consultative Commission on Prudential Affairs of July 1, 2020,

DECIDES

Article 1: The annex to the aforementioned Instruction No. 2019-I-06 is replaced by the annex to this Instruction.

Article 2: This Instruction shall enter into application on January 1, 2021.

Paris, July 8, 2020

For the Sectoral Sub-Committee for Insurance

The President, [Bernard DELAS]

Annex to Instruction No. 2020-I-09

Notification Form for an Outsourcing of an Important or Critical Activity or Function or a Significant Change Concerning Such Outsourcing

Date of notification:

Subject Entity

  • Legal Name/Designation:
  • SIREN Number:

Person responsible for the notification:

  • Title:
  • Name:
  • First Name:
  • Title/Function:
  • Phone:
  • Email:

Information on the Outsourcing Agreement

Type of outsourcing:
☐ Key Function
☐ Intra-group Outsourcing
☐ Outsourcing to a Cloud Service Provider
☐ Intra-group Outsourcing
☐ Other Critical or Important Activity

Additional Details:
☐ Intra-group Outsourcing
☐ Notification in the context of a significant change to the outsourcing?
☐ If checked, date of first notification: ………

  • Description of the outsourced activity and its critical or important nature:
  • Reason for outsourcing (in relation to the entity's strategy, in particular):
  • Date of internal validation of the decision within the entity:
  • Decision-making body:
  • Implementation date:

  • Applicable legislation to the subcontracting agreement:
  • Registered office and other relevant contact details of the service provider, the country where subcontractors are registered, where the service will be performed, and, if applicable, where data is stored, as well as the name of its parent company (if applicable):

  • Last date of approval of the written policy on outsourcing:
  • Next contract renewal date, end date, and/or notice periods for the cloud service provider and the entity:

Note: For the following sections, in the case of intra-group outsourcing within a dedicated group structure controlled by the entities using the services, the information related to assessment and documentation may be adapted after consultation with the supervisory team prior to the notification.

Outsourcing Service Provider

  • Legal Name:
  • SIREN:
  • Country of registered office:
  • Address:
  • Name of parent company (if applicable):
  • Sector of activity:

In the case of outsourcing of a key function, information on the person responsible within the service provider:

  • Title:
  • Name:
  • First Name:
  • Title/Function:
  • Phone:
  • Email:

  • Result of the assessment of honorability and competence by the insurance entity:
  • Methods for monitoring honorability and competence by the insurance entity:

Possibility for the service provider to use subcontractors: YES – NO

Cooperation of the service provider with the ACPR and access rights

  • Contractual clause(s) on the cooperation of the service provider with the ACPR: YES – NO and description if applicable
  • Rights and methods of access for the subject entity, its external auditor, and the ACPR to information related to outsourced functions and activities: YES – NO and description if applicable

Description of the internal control framework intended to govern the outsourcing

The descriptions below may be subject to a separate note

  • Summary of the assessment of risks related to outsourcing and date of the most recent assessment
  • Governance and internal control framework of the outsourced activity:
  • Summary of the Business Continuity Plan (BCP) related to the outsourcing:
  • Service provider reporting methods (format, frequency, medium, …):
  • Dates of the last audits and planned frequency of audits:
  • Elements demonstrating that the outsourcing is not likely to seriously compromise the quality of the governance system:
  • Elements demonstrating that the outsourcing is not likely to unduly increase operational risk:

  • Elements demonstrating that the outsourcing is not likely to harm the continuous provision of a satisfactory level of service to policyholders, subscribers, and beneficiaries of contracts and reinsured entities:

Specific details for outsourcing to cloud service providers

  • Cloud service and deployment models (i.e., public/private/hybrid/community cloud):
  • Specific nature of the data retained and the locations (i.e., countries or regions) where this data will be stored:
  • Results of the substitutability assessments (e.g., easy, difficult, or impossible) of the cloud service provider:
  • Whether the outsourced important or critical operational activity supports or does not support economic activities subject to time-critical requirements for their operation:
  • Estimated annual budgetary costs:
  • Whether the entity has a withdrawal strategy in the event of termination by either party or in the event of service interruption by the cloud service provider:
  • In the case of a group, the insurance or reinsurance entities and other entities falling within the scope of prudential consolidation that use cloud services: