Stormy outlook or a silver lining? EIOPA consults on principles for outsourcing to cloud service providers

The increasing threat that new market entrants might use technology to win a share of the insurance market has been forcing established insurers to assess the ways in which they might maintain their competitive advantage. These assessments can be difficult and have far-reaching consequences, with some insurers selling businesses to allow their systems to be streamlined and others announcing significant changes to their strategy.

Cognisant of changing market conditions, regulators are taking particular interest in the steps that insurers are taking to use technology in order to improve efficiency and to reshape their operations. More generally, regulators are considering how “operationally resilient” insurers (and other financial service companies) are, and how business models will fare when they are subjected to unexpected events.

Regulators (as well as legislators) are, however, also showing a willingness to facilitate the use of new technologies. The EU’s Digital Single Market Strategy is an important and widely publicised initiative from the EU Commission, and is being expressly recognised by regulators as they consider how best to engage with progress in technology.

EIOPA consultation

Against this background, EIOPA has decided to consult on whether its existing guidelines on outsourcing need to be amended or supplemented to reflect properly the challenges faced by insurers availing of the services of cloud service providers (CSPs). Its consultation paper sets out a number of policy questions on which EIOPA wants to engage. The paper also contains a series of draft guidelines that are similar to, but different from, EIOPA’s existing guidelines on outsourcing.

Many of the guidelines in EIOPA’s consultation paper will be familiar to seasoned compliance professionals. These include obligations to document matters appropriately, to give advance notice to regulators before implementing material outsourcing and to ensure that outsourcing is appropriately overseen on an ongoing basis, none of which is surprising to insurers that must already comply with Solvency II outsourcing rules

The consultation paper does, however, seek to engage on many issues that are specific to outsourcing with CSPs. For example, it invites insurers to consider whether their relationships with different types of CSPs (e.g. those that provide software as a service, those that provide insurers with a platform, and those that make infrastructure available) might need to be treated differently. EIOPA also highlights data protection, security issues, the location of data and concentration risks (particularly to large CSPs) as specific areas of concern.

Of these concerns, data protection and the risk of a cyber-breach will be all too familiar to insurers. The ICO’s recent announcements that it intends to fine British Airways (£189m) and the Marriot hotel group (£100m) will have ensured that there is no complacency now that GDPR implementation projects have finished.

Engaging with CSPs may, however, require insurers to consider location of data in a different way than in the past. CSPs can have servers in numerous locations, and this can give rise to some regulatory challenges. Even if all of these servers are in the EEA (which would side-step some otherwise difficult data-protection questions), financial regulators may need to be convinced that insurers can discharge their obligation under Solvency II to ensure that their regulators have effective access. Regulators may become particularly focussed on this if the data in question will be held on servers in remote and inaccessible locations.

Concentration risks may also require analysis that is more difficult to assess than more readily quantifiable risks. Establishing the operational risks posed by having a relationship with a CSP that is not readily substitutable, or having wide and varied relationships with a single CSP, will almost certainly involve a multi-disciplinary assessment of the insurer’s operational processes. Establishing and prioritising the operational risks arising from concentrations with any one CSP could prove difficult, particularly where the relationship with the CSP covers a number of businesses with operations in different countries.

Next steps

EIOPA has asked interested parties to respond to the consultation by 30 September 2019. Each insurer will need to consider how best to engage on the consultation.

Of wider import, however, is EIOPA’s expectation that new guidelines would apply from 1 July 2020 and that existing arrangements would comply with those guidelines by 1 July 2022. How significant this exercise is will clearly depend on the extent to which an insurer expects to rely on CSPs by 2020 or 2022, respectively. For some, this can be expected to be a reasonably onerous exercise. While EIOPA indicates that some flexibility may be forthcoming in respect of the 2022 deadline, a given insurer can expect leniency to be dependent upon there having been adequate engagement on the issue before then.


Barnaby Hinnigan
Barnaby Hinnigan
Partner, London
+44 20 7466 2816
Grant Murtagh
Grant Murtagh
Of Counsel, London
+44 20 7466 2158
Alison Matthews
Alison Matthews
Consultant, London
+44 20 7466 2765


FCA calls for input on proposed cross-sector sandbox

New technologies, such as artificial intelligence (“AI”) and distributed ledger technology (“DLT”), continue to have a significant impact on the way in which firms, customers and regulators interact.  Firms introducing innovative business models whose products or services fall under the jurisdiction of different sectoral regulators can find themselves having to address competing regulatory expectations.

As these new innovative technologies and cross-sector business models begin to emerge, regulators have recognised a need to:

  • create a safe and encouraging environment for firms to develop positive innovations, while continuing to provide regulatory certainty;
  • ensure that consumers are protected from new technologies still under development; and
  • ensure that efficient and cost saving new technologies are made available to the public in a timely manner.

On 29 May 2019, the FCA issued a Call for Input seeking views on whether a single point of entry cross-sectoral sandbox would be useful in achieving these goals.  This is the first cross-sector sandbox proposed by a global regulator and reflects the UK’s desire to be perceived as a key centre for innovation and a thought leader on technology.

In a nutshell, the proposed cross-sector sandbox will allow firms to test innovative products, services and business models in a live market environment. Firms whose business spans different sectors (e.g. telecommunications, public utilities and banking) will be able to use this opportunity to obtain informal regulator input and guidance.  Products will be tested on a small scale and appropriate safeguards would be put in place to protect test participants.  The deadline for submissions to the FCA is 30 August 2019.

It appears that technology companies, telecommunication companies, public utility providers and financial institutions will be the most likely users of the cross-sector sandbox. Possible use cases include the launch of Orange Bank by the French telecommunications company, the launch of Ant Financial by the Alibaba Group, and the introduction of other “hyper platform” models by technology companies such as Tencent and Baidu (Open Edge).

We consider the FCA’s proposed cross-sector sandbox in more detail below.


Traditional business models have largely been considered by regulators on an individual basis.  Where there have been areas of overlap, the FCA have relied on bilateral memoranda of understanding (“MoUs”) and existing fora to discuss cross-cutting issues.  However, there is currently no practical mechanism for multiple regulators to collaborate. With the development of more innovative and cross sectoral business models, regulators have recognised the need for a more focused and streamlined approach.  This is where the proposed cross-sector sandbox comes in.

The FCA’s suggestion of introducing a cross-sector regulatory sandbox is also consistent with the global trend of fostering innovation: at least 31 global financial services regulatory agencies now have a regulatory sandbox.  In addition, in January 2019, the FCA and 35 other financial organisations also launched the Global Financial Innovation Network (“GFIN”) to launch a cross-border testing pilot. The FCA’s current proposed cross-sector sandbox builds on the lessons learned from existing sandboxes and aims to leverage new opportunities brought by technological developments.

Key features of the FCA’s proposed cross-sector sandbox

Key features of the FCA’s proposed regulatory sandbox include the following:

  • Restricted authorisation – The FCA will have a tailored authorisation process for firms accepted into the sandbox. Any authorisation or registration will be restricted to allow firms to only test ideas as agreed with the FCA.
  • Individual guidance – The FCA will explain how it will interpret the requirements in the context of a specific test.
  • Informal steers – The FCA can provide views on the potential regulatory implications of an innovative product or business model that is at an early stage of development.
  • Waivers – The FCA may be able to waive or modify an unduly burdensome rule, for a test. However, the FCA will not able to waive national or international law.
  • No enforcement action letters –  If a firm deals with the FCA openly, keeps to the agreed testing parameters and treats customers fairly, the FCA accepts that unexpected issues may arise but it does not expect to take disciplinary action.

The FCA has said that it will oversee tests closely and set specific safeguards for consumers. Sandbox tests are expected to have a clear objective (e.g. reducing costs to consumers) and to be conducted on a small scale. Under the sandbox arrangement, firms will be able to test their innovations for a limited duration (up to 6 months) with a limited number of customers.

Perceived benefits

From a financial services perspective, the proposed cross-sector sandbox is expected to help:

  • Reduce time and cost of getting innovative ideas to the market (e.g. using DLT/ crypto assets as a payment mechanism for utility bills);
  • Facilitate access to finance and regulatory insight for innovators;
  • Enable products with potential or immediate cross-sector relevance to be tested and introduced to the market;
  • Ensure appropriate consumer protection safeguards are built into new products and services;
  • Allow regulators to share learnings from various tests and other sectors (e.g., on AI, DLT, Big Data and machine learning);
  • Allow regulators to create a common or harmonised regulatory and policy approach to the development and implementation of new technologies; and
  • Provide firms with complex new business models which span more than one regulator with a unique, coordinated single-point entry sandbox. Whilst the FCA has identified the possible use cases referred to above (Orange Bank, Ant Financial, Tencent and Open Edge), there will be greater use of more innovative business models as more and more technology and telecommunication firms diversify into traditional business areas, such as banking and public utilities, and vice versa.

Potential challenges

The FCA has also identified some of the potential challenges a prospective cross-sector sandbox could face. They include:

  • Lack of demand – It is difficult to predict how many firms would submit an application that meets the eligibility criteria set by participating regulators.
  • Misunderstanding about the purpose of a sandbox – The FCA expects that participating regulators will set eligibility criteria and only accept applications from firms who have shown a “need for testing”. This, the FCA believes, will separate these genuine cases from those which simply wish to gain a regulatory seal of approval.
  • Firms do not improve own in-house knowledge – Since regulatory feedback will be given, some firms (particularly smaller firms) may lose the incentive to develop in-house knowledge. As such, successful applicants to the cross-sector sandbox will need to show that they have an understanding of the regulatory framework in which they operate. Applicants will also need to provide reports of their findings and next steps.  Also, restrictions on firms will only be removed once the FCA is satisfied that a firm’s knowledge of the regulated market has sufficiently (i.e. when firms are able to operate without exposing markets and consumers to unacceptable harm).
  • Differing regulatory remits – As regulators have different mandates and objectives, they may arrive at different conclusions when looking at the same trial outcomes. Given different regulatory philosophies, there may also be situations where competing objectives conflict. For example, a new innovative business model that is prudentially sound may be approved by the PRA.  However, it may not receive the FCA’s blessing if it does not promote effective competition in the interests of consumers. However, the FCA is of the view that looking at tests concurrently with other regulators will help mitigate instances of uncertainty.  Although the sandbox should foster greater cooperation between regulatory bodies in the live testing environment, issues that are inherent in the various distinct regulatory frameworks may arise even after the product or offering has advanced into the formal marketplace. For example, a cross-sector product might fall within scope of several distinct dispute resolution mechanisms – different schemes, such as the Financial Ombudsman Service and the Energy Ombudsman, have different powers to, and parameters for, ordering redress and compensation.

HSF comment

The proposed cross-sector sandbox is a further evolution of the FCA’s commitment to fostering innovation, and recognises that, even where sectors remain distinct, user behaviours and expectations are driving increased interaction between regulated sectors.  Innovators from sectors other than the purely financial should be encouraged to respond to the call for evidence.


EIOPA Conference: The Main Themes

Three of the themes that EIOPA sees as its priorities were covered at its annual conference on 20 November. All of the topics were the subject of frank and spirited debate, with a range of different views being represented in the panel discussions.

EIOPA should be commended for encouraging views that were contrary to its own to be expressed, an approach which made for a worthwhile and balanced discussion of the topics.

Continue reading