In 2018 the Prudential Authority issued the well-known Prudential Standards regulating several aspects of insurance business, including outsourcing material business activities. In line with a growing trend of joint and collaborative regulation across regulators, in May 2024 the Prudential Authority and Financial Sector Conduct Authority issued Joint Standard 1 of 2024 on Outsourcing by Insurers, replacing the existing Prudential Standard GOI 5. The Joint Standard commences on 1 December 2024.
The Joint Standard introduces changes to services that an insurer is entitled to outsource. The most important changes are that:
- The Joint Standard only applies to the outsourcing of “material functions”. Many other contracts with service providers are, sensibly, no longer subject to the outsourcing standard.
- Notification is now made to both the Prudential Authority and Financial Sector Conduct Authority.
Insurers must bring existing material outsourcing arrangements within the requirements of the Joint Standard either when renewing or renegotiating the outsourcing arrangement or within 24 months from 1 December 2024, whichever is sooner. Micro-insurers are no longer dealt with separately under section 9 of Prudential Standard GOM but are subject to all the provisions of the Joint Standard. There is no practical difference because the Joint Standard continues to allow the board of directors of a micro-insurer to delegate the task of reviewing an outsourcing arrangement either to the most appropriate control function or to senior management. Insurance groups remain separately dealt with in terms of GOG (Governance and Operational Standard for Groups).
Internal governance structures.
The Joint Standard introduces a new requirement for insurance companies to create and maintain the most appropriate “control environment” to review an outsourcing arrangement. Although no further context is given regarding a “control environment”, the Joint Standard clearly emphasises proper oversight over where material functions are outsourced. It now falls to the most appropriate control function, instead of the compliance function, to regularly review and report to the insurer’s board of directors or audit committee regarding compliance with the insurer’s outsourcing policy and the Joint Standard.
Conducting an appropriate due diligence.
Prudential Standard GOI 5 required insurers, in their notification to the Prudential Authority, to demonstrate that various assessments were conducted, and other procedures and contingency plans were adopted before entering into an outsourcing arrangement. The Joint Standard requires insurers instead to perform an “appropriate due diligence” for every activity or function to be outsourced prior to entering into the outsourcing arrangement.
As part of the overall assessment and due diligence performed, an insurer must consider:
• The potential impact of entering into a further outsourcing arrangement with a service provider already subject to multiple outsourcing arrangements with that or another insurer or other parties.
• The costs, benefits and potential risk of the proposed outsourcing arrangement. The benefits must outweigh the costs and potential risks.
• Whether the proposed outsourcing arrangement creates any actual or potential conflicts of interest.
• Whether the service provider meets several criteria including in relation to the service provider’s controls, operational and financial capabilities, contingency plans and key persons.
Remuneration.
The principles dealing with remuneration paid for outsourcing are similar under the new Joint Standard. Remuneration must be reasonable and commensurate with the actual function or activity outsourced but insurers must specifically consider the actual cost of performing the outsourced function taking into account the nature of the function and the resources, skills and competencies reasonably required to perform the function.
Notification of an outsourcing arrangement must include details regarding the proposed remuneration or the basis on which remuneration will be calculated.
Notifications.
Additional detail is required by the Joint Standard where notification is made of termination of the outsourcing arrangement. The notification must include detail regarding when the outsourcing arrangement was terminated, proof that the insurer approved termination, any outstanding issues which could impact policyholders and how these issues will be managed, and any outstanding fees and how these will be paid. The Joint Standard includes a specific obligation to assess the potential impact, consequences and risks, to policyholders and the insurer’s business, of terminating the outsourcing arrangement, and a report must be made to the insurer’s board of directors.
Measures to achieve compliance with Joint Standard 1 of 2024
Insurers will have 6 months from 1 December 2024 to comply with the provisions of the Joint Standard, other than for existing outsourcing arrangements, and must continue to comply with GOI 5 until then. Outsourcing policies will need to be updated to include the additional risks required to be assessed, monitored and managed including credit risk and conduct risk not addressed under GOI 5. Existing outsourcing arrangements must be carefully reviewed on renewal or renegotiation, and outsourcing contracts should deal with sub-contracting, in line with the principles set out in the Joint Standard, instead of sub-outsourcing.