Stormy outlook or a silver lining? EIOPA consults on principles for outsourcing to cloud service providers

The increasing threat that new market entrants might use technology to win a share of the insurance market has been forcing established insurers to assess the ways in which they might maintain their competitive advantage. These assessments can be difficult and have far-reaching consequences, with some insurers selling businesses to allow their systems to be streamlined and others announcing significant changes to their strategy.

Cognisant of changing market conditions, regulators are taking particular interest in the steps that insurers are taking to use technology in order to improve efficiency and to reshape their operations. More generally, regulators are considering how “operationally resilient” insurers (and other financial service companies) are, and how business models will fare when they are subjected to unexpected events.

Regulators (as well as legislators) are, however, also showing a willingness to facilitate the use of new technologies. The EU’s Digital Single Market Strategy is an important and widely publicised initiative from the EU Commission, and is being expressly recognised by regulators as they consider how best to engage with progress in technology.

EIOPA consultation

Against this background, EIOPA has decided to consult on whether its existing guidelines on outsourcing need to be amended or supplemented to reflect properly the challenges faced by insurers availing of the services of cloud service providers (CSPs). Its consultation paper sets out a number of policy questions on which EIOPA wants to engage. The paper also contains a series of draft guidelines that are similar to, but different from, EIOPA’s existing guidelines on outsourcing.

Many of the guidelines in EIOPA’s consultation paper will be familiar to seasoned compliance professionals. These include obligations to document matters appropriately, to give advance notice to regulators before implementing material outsourcing and to ensure that outsourcing is appropriately overseen on an ongoing basis, none of which is surprising to insurers that must already comply with Solvency II outsourcing rules

The consultation paper does, however, seek to engage on many issues that are specific to outsourcing with CSPs. For example, it invites insurers to consider whether their relationships with different types of CSPs (e.g. those that provide software as a service, those that provide insurers with a platform, and those that make infrastructure available) might need to be treated differently. EIOPA also highlights data protection, security issues, the location of data and concentration risks (particularly to large CSPs) as specific areas of concern.

Of these concerns, data protection and the risk of a cyber-breach will be all too familiar to insurers. The ICO’s recent announcements that it intends to fine British Airways (£189m) and the Marriot hotel group (£100m) will have ensured that there is no complacency now that GDPR implementation projects have finished.

Engaging with CSPs may, however, require insurers to consider location of data in a different way than in the past. CSPs can have servers in numerous locations, and this can give rise to some regulatory challenges. Even if all of these servers are in the EEA (which would side-step some otherwise difficult data-protection questions), financial regulators may need to be convinced that insurers can discharge their obligation under Solvency II to ensure that their regulators have effective access. Regulators may become particularly focussed on this if the data in question will be held on servers in remote and inaccessible locations.

Concentration risks may also require analysis that is more difficult to assess than more readily quantifiable risks. Establishing the operational risks posed by having a relationship with a CSP that is not readily substitutable, or having wide and varied relationships with a single CSP, will almost certainly involve a multi-disciplinary assessment of the insurer’s operational processes. Establishing and prioritising the operational risks arising from concentrations with any one CSP could prove difficult, particularly where the relationship with the CSP covers a number of businesses with operations in different countries.

Next steps

EIOPA has asked interested parties to respond to the consultation by 30 September 2019. Each insurer will need to consider how best to engage on the consultation.

Of wider import, however, is EIOPA’s expectation that new guidelines would apply from 1 July 2020 and that existing arrangements would comply with those guidelines by 1 July 2022. How significant this exercise is will clearly depend on the extent to which an insurer expects to rely on CSPs by 2020 or 2022, respectively. For some, this can be expected to be a reasonably onerous exercise. While EIOPA indicates that some flexibility may be forthcoming in respect of the 2022 deadline, a given insurer can expect leniency to be dependent upon there having been adequate engagement on the issue before then.


Barnaby Hinnigan
Barnaby Hinnigan
Partner, London
+44 20 7466 2816
Grant Murtagh
Grant Murtagh
Of Counsel, London
+44 20 7466 2158
Alison Matthews
Alison Matthews
Consultant, London
+44 20 7466 2765


FCA Brexit guidance – too little, too late?

With a month to go until the UK is due to leave the EU, FCA guidance published yesterday is too late for most UK insurers and intermediaries to change their plans.  Understandably, the FCA has waited for views to be expressed by EIOPA before commenting itself on the position for insurers and brokers.  It took until last week, though, for that EIOPA guidance to be published (see our previous comments).   The FCA’s guidance adds little, if anything, to what was said by EIOPA.  For brokers, in particular, the FCA acknowledges that this is “a complex area” and advises firms to contact local EEA regulators and seek legal advice.

Two FCA statements are directed at insurers and insurance intermediaries:

Some key points are set out below.  A warning about the advice issued by FCA is, however, that much of the following is a matter of individual EEA state discretion.  It cannot be assumed, therefore, that the approach advocated by the FCA (and by EIOPA) will be adopted in all jurisdictions.  As is often the case for Brexit-related questions, the answer depends on taking local advice in the relevant EEA state.

The FCA has followed up today with the publication of near-final rules and guidance that will apply if the UK leaves the EU without a deal (see FCA PS19/5).  The PRA has also published an update to firms on its plans for Brexit, including near final materials (see PRA PS5/19).  Feedback from both regulators includes further details on use of the temporary transition power, through which they aim to ensure that firms and other regulated entities do not generally need to prepare now to meet new UK regulatory obligations.  In most cases, firms will be given a period of 15 months to adapt to these changes.

Continue reading

EIOPA issues Brexit advice – some good news for UK insurers and intermediaries?

Recommendations issued on Tuesday by EIOPA emphasise the importance of safeguarding policyholders in the event of a “no deal” Brexit.  Encouragement given to EEA states to help UK insurers meet their obligations to EEA policyholders is particularly welcome.

In some areas, EIOPA has provided explicit guidance on the approach it expects individual states to take.  For example, it is clear (and unsurprising) that UK insurers should not be allowed to write new contracts in the EEA without authorisation. In other areas, EIOPA has taken a “softer” approach.  Examples include that regulators:

  • should apply “a legal framework or mechanism to facilitate the orderly run-off” of business which becomes unauthorised as a consequence of Brexit; and
  • should not prejudice policyholders who have “an option or right in an existing insurance contract to realise their pension benefits“.

Overall, EIOPA’s announcement attempts to strike an appropriate balance, reflecting the considerable lobbying efforts by UK and EU27 trade bodies.  Its acknowledgement of individual state discretion in a number of key areas does, however, still leave uncertainty for UK firms planning for 29 March 2019.  There is also nothing in EIOPA’s recommendations that could not have been said many months (or even years) ago.  It is a pity that politics have prevented earlier publication of these recommendations, leaving industry to spend many millions on unnecessary legal advice and other contingency planning.

EIOPA has given national regulators 2 months to say if they comply with each recommendation, or explain non-compliance.

Continue reading

EIOPA Conference: The Main Themes

Three of the themes that EIOPA sees as its priorities were covered at its annual conference on 20 November. All of the topics were the subject of frank and spirited debate, with a range of different views being represented in the panel discussions.

EIOPA should be commended for encouraging views that were contrary to its own to be expressed, an approach which made for a worthwhile and balanced discussion of the topics.

Continue reading

EIOPA issues second warning about the impact of Brexit on insurance contracts

EIOPA has published an opinion and FAQs emphasising the need for insurers and insurance intermediaries to explain to policyholders how Brexit will affect their insurance cover.

At first sight, EIOPA’s comments appear to reinforce concerns that political compromise cannot be expected on policies written (or performed) on a cross-border basis before the UK’s withdrawal from the EU (so-called “legacy contracts”). The particular issue for UK insurers is whether they will have the authorisation they need, post-Brexit, to continue to meet their obligations to EEA policyholders under these contracts. Closer examination of the words used by EIOPA may, however, mean that fewer policies are caught by this issue than has been assumed to date.

Our discussion of EIOPA’s latest opinion can be found here.

Continue reading

Solvency II trilogue discussions conclude – so what happens now?

Earlier today, it was announced that yesterday’s trilogue discussions on the Omnibus II Directive (Omnibus II) had finished in agreement.  The announcement puts to rest recent uncertainty about the future of the Solvency II Directive and sets in train a timetable bringing the new regime into force from the beginning of 2016.

Of more immediate concern, a consultation paper issued by the PRA (CP9/13) in October describes its approach to guidelines published by the European Insurance and Occupational Pensions Authority (EIOPA) that address Member State preparations for Solvency II (theGuidelines).

Continue reading

Solvency II – “an object lesson in how not to make law”?

Andrew Tyrie MP (Chairman of the Treasury Committee) recently described Solvency II as “an object lesson in how not to make law”.  In similar vein, Andrew Bailey of the PRA has said that Solvency II is “lost in detail” and “vastly expensive”.

Draft Guidelines issued by EIOPA in March aim to restore credibility to the Solvency II project and to reassure firms that vast sums spent by them in preparing for the new regime have not been wasted. However the introduction of compulsory reporting and ORSA requirements while Pillar 1 negotiations remain unresolved is controversial. Because the Guidelines have no legal force, there is also a danger that they will fail to secure a “consistent and convergent approach” to preparation for Solvency II. The Guidelines are open for consultation until 19 June.

Continue reading