Outsourcing

1. Any insurance or reinsurance undertaking which outsources or proposes to outsource functions or insurance or reinsurance activities to a service provider shall establish a written outsourcing policy which takes into account the impact of outsourcing on its business and the reporting and monitoring arrangements to be implemented in cases of outsourcing. The undertaking shall ensure that the terms and conditions of the outsourcing agreement are consistent with the undertaking's obligations as provided for in Article 49 of Directive 2009/138/EC.

2. Where the insurance or reinsurance undertaking and the service provider are members of the same group, the undertaking shall, when outsourcing critical or important operational functions or activities take into account the extent to which the undertaking controls the service provider or has the ability to influence its actions.

3. When choosing the service provider referred to in paragraph 1 for any critical or important operational functions or activities, the administrative, management or supervisory body shall ensure that:

(a) a detailed examination is performed to ensure that the potential service provider has the ability, the capacity and any authorisation required by law to deliver the required functions or activities satisfactorily, taking into account the undertaking's objectives and needs;

(b) the service provider has adopted all means to ensure that no explicit or potential conflict of interests jeopardize the fulfilment of the needs of the outsourcing undertaking;

(c) a written agreement is entered into between the insurance or reinsurance undertaking and the service provider which clearly defines the respective rights and obligations of the undertaking and the service provider;

(d) the general terms and conditions of the outsourcing agreement are clearly explained to the undertaking's administrative, management or supervisory body and authorised by them;

(e) the outsourcing does not entail the breaching of any law in particular with regard to rules on data protection;

(f) the service provider is subject to the same provisions on the safety and confidentiality of information relating to the insurance or reinsurance undertaking or to its policyholders or beneficiaries that are applicable to the insurance or reinsurance undertaking.

4. The written agreement referred to in paragraph 3 (c) to be concluded between the insurance or reinsurance undertaking and the service provider shall in particular clearly state all of the following requirements:

(a) the duties and responsibilities of both parties involved;

(b) the service provider's commitment to comply with all applicable laws, regulatory requirements and guidelines as well as policies approved by the insurance or reinsurance undertaking and to cooperate with the undertaking's supervisory authority with regard to the outsourced function or activity;

(c) the service provider's obligation to disclose any development which may have a material impact on its ability to carry out the outsourced functions and activities effectively and in compliance with applicable laws and regulatory requirements;

(d) a notice period for the termination of the contract by the service provider which is long enough to enable the insurance or reinsurance undertaking to find an alternative solution;

(e) that the insurance or reinsurance undertaking is able to terminate the arrangement for outsourcing where necessary without detriment to the continuity and quality of its provision of services to policyholders;

(f) that the insurance or reinsurance undertaking reserves the right to be informed about the outsourced functions and activities and their performance by the services provider as well as a right to issue general guidelines and individual instructions at the address of the service provider, as to what has to be taken into account when performing the outsourced functions or activities;

(g) that the service provider shall protect any confidential information relating to the insurance or reinsurance undertaking and its policyholders, beneficiaries, employees, contracting parties and all other persons;

(h) that the insurance or reinsurance undertaking, its external auditor and the supervisory authority have effective access to all information relating to the outsourced functions and activities including carrying out on-site inspections of the business premises of the service provider;

(i) that, where appropriate and necessary for the purposes of supervision, the supervisory authority may address questions directly to the service provider to which the service provider shall reply;

(j) that the insurance or reinsurance undertaking may obtain information about the outsourced activities and may issue instructions concerning the outsourced activities and functions;

(k) the terms and conditions, where applicable, under which the service provider may sub-outsource any of the outsourced functions and activities;

(l) that the service provider's duties and responsibilities deriving from its agreement with the insurance or reinsurance undertaking shall remain unaffected by any sub-outsourcing taking place according to point (k).

5. The insurance or reinsurance undertaking that is outsourcing critical or important operational functions or activities shall fulfil all of the following requirements:

(a) ensure that relevant aspects of the service provider's risk management and internal control systems are adequate to ensure compliance with Article 49(2)(a) and (b) of Directive 2009/138/EC;

(b) adequately take account of the outsourced activities in its risk management and internal control systems to ensure compliance with Article 49(2)(a) and (b) of Directive 2009/138/EC;

(c) verify that the service provider has the necessary financial resources to perform the additional tasks in a proper and reliable way, and that all staff of the service provider who will be involved in providing the outsourced functions or activities are sufficiently qualified and reliable;

(d) ensure that the service provider has adequate contingency plans in place to deal with emergency situations or business disruptions and periodically tests backup facilities where necessary, taking into account the outsourced functions and activities.