LogoRegulatory Alerts
2024-12-06

Order on Outsourcing for Group 2 Insurance Undertakings, Labour Market Supplementary Pension and the Wage Earners' Price Compensation Fund

Issued by the Danish Ministry of Industry, Business and Financial Affairs and the Danish Financial Supervisory Authority, this Order establishes strict regulatory requirements for outsourcing critical or important operational functions by Group 2 insurance undertakings, the Labour Market Supplementary Pension scheme, and the Wage Earners' Price Compensation Fund. It mandates that these entities adopt a board-approved outsourcing policy, conduct rigorous due diligence on service providers, and execute comprehensive written agreements that ensure regulatory oversight, data protection, and business continuity. The regulation supersedes previous outsourcing rules and enters into force on January 1, 2025, with violations subject to fines and corporate criminal liability.

Finanstilsynet Denmark logo

Denmark

Finanstilsynet Denmark

Click to view thumbnail

Order on Outsourcing for Group 2 Insurance Undertakings, Labour Market Supplementary Pension and the Wage Earners' Price Compensation Fund

Pursuant to Section 134, paragraph 6, and Section 316, paragraph 1, of Act No. 718 of 13 June 2023 on Insurance Business, Section 23 c, paragraph 6, and Section 32 a, paragraph 2, of the Act on Labour Market Supplementary Pension, cf. Act Consolidation No. 1142 of 1 November 2024, Section 4 d, paragraph 6, and Section 14 a, paragraph 2, of the Act on the Wage Earners' Price Compensation Fund, cf. Act Consolidation No. 1109 of 9 October 2014, as amended by Act No. 641 of 19 May 2020, it is hereby ordered:

Chapter 1 Scope of Application

Section 1. This Order applies when the following entities engage in outsourcing:

  1. Group 2 insurance undertakings.
  2. The Wage Earners' Price Compensation Fund.
  3. Labour Market Supplementary Pension.

Chapter 2 Outsourcing Policy

Section 2. The outsourcing entity shall draw up a written outsourcing policy if the entity outsources or intends to outsource a function or activity subject to the supervision of the Danish Financial Supervisory Authority to a service provider. The policy shall take into account the impact of outsourcing on the entity and establish the reporting and monitoring systems to be introduced in connection with outsourcing.

Paragraph 2. The outsourcing policy shall be approved by the board of the outsourcing entity. The board shall continuously and at least once a year assess whether the policy is satisfactory in relation to the entity's business activities, organization, and resources.

Paragraph 3. The board shall continuously assess whether the outsourcing policy is complied with and whether the performance of tasks is satisfactory. The assessments shall be based on the reporting and monitoring of the outsourced activities introduced in connection with outsourcing.

Paragraph 4. The board's responsibilities and tasks under paragraphs 2 and 3 and Section 4 may not be outsourced.

Chapter 3 Critical or Important Outsourcing

Section 3. The outsourcing entity shall meet the following requirements when outsourcing critical or important operational functions or activities:

  1. The outsourcing entity shall ensure that the relevant aspects of the service provider's risk management and internal control systems are sufficient to ensure that the outsourcing does not lead to a significant deterioration in the quality of the management system or an unnecessary increase in the operational risk in the outsourcing entity.
  2. The outsourcing entity shall take due account of the outsourced functions or activities in its entity management to ensure that the outsourcing does not lead to a significant deterioration in the effectiveness of the internal control systems or an unnecessary increase in the operational risk in the outsourcing entity.
  3. The outsourcing entity shall ensure that the service provider has the necessary resources to perform the outsourced functions or activities correctly and reliably, and that all of the service provider's employees who are to be engaged with the outsourced functions or activities are qualified and reliable.
  4. The outsourcing entity shall ensure that the service provider has adequate contingency plans to handle emergencies or business disruptions, and regularly test backup functions where necessary, taking into account the outsourced functions and activities.

Section 4. The board of the outsourcing entity shall make the decision on outsourcing critical or important operational functions or activities.

Paragraph 2. In selecting a service provider to perform a critical or important operational function or activity, the board shall ensure the following:

  1. A detailed investigation of the service provider has been carried out to ensure that the service provider has the ability, capacity, and any statutory authorization to deliver the necessary functions or activities satisfactorily, taking into account the outsourcing entity's objectives and needs.

  2. The service provider has taken all measures to ensure that no explicit or potential conflicts of interest will stand in the way of meeting the outsourcing entity's needs.

  3. There is a written agreement between the outsourcing entity and the service provider that clearly defines the rights and obligations of the outsourcing entity and the service provider.

  4. The general terms and conditions of the outsourcing agreement have been explained to and approved by the board.

  5. The outsourcing does not pose a risk of violating relevant legislation, particularly with regard to data protection rules.

  6. The service provider is subject to the same provisions on security and confidentiality regarding information about the outsourcing entity and its policyholders, members, customers, beneficiaries, etc., as apply to the outsourcing entity.

Paragraph 3. If the outsourcing entity and the service provider are part of the same group, the outsourcing entity, when deciding on outsourcing critical or important operational functions or activities, shall take into account the extent to which the outsourcing entity controls the service provider or has the possibility of influencing its actions.

Section 5. The outsourcing entity and the service provider shall enter into a written agreement that stipulates at least the following:

  1. The duties and areas of responsibility of the parties.
  2. The service provider's obligation to comply with a) all applicable laws, regulatory requirements, and guidelines, and b) the outsourcing entity's relevant and applicable policies.
  3. The service provider's obligation to cooperate with the Danish Financial Supervisory Authority regarding the outsourced function or activity.
  4. The service provider's obligation to inform the outsourcing entity of any incident that may have a significant impact on the service provider's ability to perform the outsourced functions or activities effectively and in accordance with applicable laws and regulatory requirements.
  5. A notice period for the service provider that is long enough for the outsourcing entity to find another way to perform the task in question.
  6. That the outsourcing entity may, if necessary, terminate the outsourcing agreement, and that the service provider is thereby obliged to fulfill the agreement loyally so that the termination does not interrupt or reduce the quality of the delivery of the outsourced function or activity.
  7. That the outsourcing entity has the right to obtain and be informed about the outsourced functions or activities and the service provider's performance thereof, and the right to issue general guidelines and individual instructions to the service provider regarding what should be taken into account during the performance of the outsourced functions or activities, insofar as this is not specified in the contract.
  8. That the service provider shall protect any confidential information and personal data regarding the outsourcing entity and its policyholders, members, customers, beneficiaries, etc.
  9. That the outsourcing entity, its external auditor, and the Danish Financial Supervisory Authority have effective access to all information about the outsourced functions and activities, e.g., to carry out inspections at the service provider's premises.
  10. That the Danish Financial Supervisory Authority, where relevant and necessary, may ask questions directly to the service provider, which the service provider is obliged to answer.
  11. Terms and conditions, where relevant, for the service provider's further outsourcing of the outsourced functions or activities.
  12. That the service provider's duties and areas of responsibility under the agreement with the outsourcing entity are not affected by the further outsourcing of the outsourced functions or activities.

Chapter 4 Exemptions

Section 6. The Danish Financial Supervisory Authority may, in special cases, grant exemptions from the provisions of this Order.

Chapter 5 Penalties

Section 7. Violation of Sections 2-5 is punishable by a fine.

Paragraph 2. Companies and other legal persons may be subject to criminal liability according to the rules in Chapter 5 of the Danish Criminal Code.

Chapter 6 Entry into Force

Section 8. This Order enters into force on 1 January 2025.

Paragraph 2. Order No. 723 of 28 May 2020 on Outsourcing for Group 2 Insurance Undertakings, Labour Market Supplementary Pension and the Wage Earners' Price Compensation Fund is repealed.

Ministry of Industry, Business and Financial Affairs, 6 December 2024 Morten Bødskov / Julie Sonne

6 December 2024. No. 1534. Danish Official Gazette A Published on 14 December 2024 6 December 2024. No. 1534. Ministry of Industry, Business and Financial Affairs, Danish Financial Supervisory Authority, file no. 24-019223 CQ003036

Share