Part

Conditions Governing Business

Chapter

Outsourcing

Printed on: 19/04/2025

Rulebook at: 08/04/2025

7

Outsourcing

7.1

If a firm outsources a function or any insurance or reinsurance activity, it remains fully responsible for discharging all of its obligations under the PRA rules, FSMA and any other laws, rules, regulations and administrative provisions deriving from FSMA that apply to UK Solvency II firms.

[Note: Art. 49(1) of the Solvency II Directive]

  • 31/12/2024

7.1A

A firm which outsources or proposes to outsource a function or an insurance or reinsurance activity to a service provider must establish a written outsourcing policy which takes into account the impact of outsourcing on its business and the reporting and monitoring arrangements to be implemented in cases of outsourcing.

  • 31/12/2024

7.2

A firm must not outsource a critical or important operational function or activity in such a way as to lead to any of the following:

  1. (1) materially impairing the quality of the firm’s system of governance;
  2. (2) unduly increasing the operational risk;
  3. (3) impairing the ability of the supervisory authorities to monitor the firm’s compliance with its obligations; or
  4. (4) undermining continuous and satisfactory service to policyholders.

[Note: Art. 49(2) of the Solvency II Directive]

  • 31/12/2024

7.2A

Where the firm and the service provider are members of the same group, the firm must, when outsourcing any critical or important operational functions or activities, take into account the extent to which the firm controls the service provider or has the ability to influence its actions.

  • 31/12/2024

7.3

A firm must, in a timely manner, notify the PRA prior to the outsourcing of critical or important functions or activities as well as of any subsequent material developments with respect to those functions or activities.

[Note: Art. 49(3) of the Solvency II Directive]

  • 01/01/2016

7.4

Without prejudice to 7.1 to 7.3, a firm outsourcing a function or an insurance or reinsurance activity must take the necessary steps to ensure that the following conditions are satisfied:

  1. (1) the service provider must co-operate with the PRA and, where relevant, any other supervisory authority of the firm in connection with the function or activity that is the subject of the outsourcing;
  2. (2) the firm, its auditors, the PRA and, where relevant, any other supervisory authority of the firm must have effective access to data related to the functions or activities that are the subject of the outsourcing; and
  3. (3) the PRA and, where relevant, any other supervisory authority of the firm must have effective access to the business premises of the service provider and must be able to exercise those rights of access.

[Note: Art. 38(1) of the Solvency II Directive]

  • 01/01/2016

7.5

When choosing a service provider for any critical or important operational functions or activities, a firm must ensure that:

  1. (1) a detailed examination is performed to ensure that the potential service provider has the ability, capacity, and any authorisation required by law to deliver the required functions or activities satisfactorily, taking into account the firm's objectives and needs;
  2. (2) the service provider has adopted all means to ensure that no actual or potential conflict of interests jeopardizes the fulfilment of the needs of the firm;
  3. (3) a written agreement is entered into between the firm and the service provider which clearly defines the respective rights and obligations of that firm and the service provider;
  4. (4) the general terms and conditions of the outsourcing agreement are clearly explained to, and authorised by, the firm's governing body;
  5. (5) the outsourcing does not entail the breaching of any applicable laws or regulatory requirements, in particular with regard to data protection; and
  6. (6) the service provider is subject to the same conditions on the safety and confidentiality of information relating to the firm or to its policyholders that are applicable to that firm.
  • 31/12/2024

7.6

A firm must ensure that the terms and conditions of the written agreement referred to in 7.5(3) are consistent with the firm’s obligations as provided for in 7.1, 7.2 and 7.2A.

  • 31/12/2024

7.7

The written agreement referred to in 7.5(3) must clearly state all of the following requirements:

  1. (1) the duties and responsibilities of both parties involved;
  2. (2) the service provider’s commitment to comply with all applicable laws, regulatory requirements and guidance, as well as policies approved by the firm, and to co-operate with the PRA with regard to the outsourced function or activity;
  3. (3) the service provider’s obligation to disclose any development which may have a material impact on its ability to carry out the outsourced functions and activities effectively and in compliance with applicable laws and regulatory requirements;
  4. (4) a notice period for the termination of the contract by the service provider which is long enough to enable the firm to find an alternative solution;
  5. (5) that the firm is able to terminate the arrangement for outsourcing where necessary without detriment to the continuity and quality of its provision of services to policyholders;
  6. (6) that the firm reserves the right to be informed about the outsourced functions and activities and their performance by the services provider as well as a right to issue general guidelines and individual instructions at the address of the service provider, as to what has to be taken into account when performing the outsourced functionsor activities;
  7. (7) that the service provider must protect any confidential information relating to the firm and its policyholders, employees, contracting parties and all other persons;
  8. (8) that the firm, its external auditor and the PRA have effective access to all information relating to the outsourced functionsand activities including carrying out on-site inspections of the business premises of the service provider;
  9. (9) that, where appropriate and necessary for the purposes of supervision, the PRA may address questions directly to the service provider to which the service provider must reply;
  10. (10) that the firm may obtain information about the outsourced activities and may issue instructions concerning the outsourced activities and functions;
  11. (11) the terms and conditions, where applicable, under which the service provider may sub-outsource any of the outsourced functionsand activities; and
  12. (12) that the service provider’s duties and responsibilities deriving from its written agreement with the firm must remain unaffected by any sub-outsourcing taking place.
  • 31/12/2024

7.8

A firm that is outsourcing critical or important operational functions or activities must fulfil all of the following requirements:

  1. (1) ensure that relevant aspects of the service provider’s risk-management and internal control systems are adequate to ensure compliance with 7.2(1) and (2);
  2. (2) adequately take account of the outsourced activities in its risk-management and internal control systems to ensure compliance with 7.2(1) and (2);
  3. (3) verify that the service provider has the necessary financial resources to perform the additional tasks in a proper and reliable way, and that all personnel of the service provider who will be involved in providing the outsourced functions or activities are sufficiently qualified and reliable; and
  4. (4) ensure that the service provider has adequate contingency plans in place to deal with emergency situations or business disruptions and periodically tests backup facilities where necessary, taking into account the outsourced functions and activities.
  • 31/12/2024