CAA specifies outsourcing requirements for the insurance sector

In CAA Circular letter 22/16 on the outsourcing of critical or important operational functions and activities ("Circular"), the Commissariat aux Assurances ("CAA"), the supervisor of the Luxembourg insurance sector, clarifies the requirements regarding the outsourcing of critical or important operational functions and activities in the insurance sector.

The Circular also includes requirements applicable to any outsourcing, other than IT outsourcing based on a cloud computing infrastructure, the latter being expressly excluded from the scope of the Circular (see also Article 81 Law of 7 December 2015 on the Insurance Sector, as amended ("LSA").

Content and structure The CAA sets out multiple requirements regarding outsourcing and offers guidance. It enumerates the elements of the required pre-outsourcing analysis, offers guidance on how to assess whether and to what extent the outsourcing agreement relates to a critical or important operational function or activity, indicates the steps to take to ensure compliance with the insurance secrecy rules of Article 300 of the LSA, and defines the documentation that should be kept by the insurance or reinsurance undertaking.

In addition, the Circular includes guidance on the required notification to the CAA with regard to the outsourcing of critical or important operational functions and activities: the CAA clarifies those cases where notification is required, particularly with regard to the timeframe and the manner of such notification.

Main practical impacts A form available on the CAA website should be used for the notifications. The CAA provided guidance on how to use this form in the Circular. This notification must be submitted at least one month before the intended outsourcing takes effect. Also, for each notified outsourcing of a critical or important activity or function, the compliance key function holder must assess and confirm in writing to the CAA, within two months of the signing of the outsourcing agreement, that the outsourcing complies with the applicable regulatory framework on multiple points.

The undertaking must keep a record of its outsourcing agreements.

On certain points, the CAA requires an analysis or evaluation to be documented, such as with respect to the evaluation of the critical or important character of an outsourcing and the analysis of the necessity to obtain prior approval of the policyholder pursuant to Article 300 of the LSA.

The undertaking should carry out a self-assessment, including a correlation table, on the compliance of the outsourcing agreement with the Circular, Article 274 of Delegated Regulation (EU) 2015/35, as amended and the EIOPA guidelines on system of governance.

Timeline and what to do next? The Circular applies as from 1 November 2022 to all outsourcing agreements concluded or amended from that date. In particular, covered entities must implement an outsourcing register, review existing outsourcing policies in view of the Circular, and make sure that all new or newly amended outsourcing arrangements comply with it.