| 1. | The Risk Governance System must, at a minimum, provide for the following with respect to Outsourcing:
| a. | A Board-approved policy that sets out how the materiality of a proposed Outsourcing arrangement is assessed and requiring any material Outsourcing arrangements to be approved by the Board, or the risk/audit committee of the Board;
| | b. | Policies and procedures to ensure that potential Conflicts of Interest are identified, managed and appropriately mitigated, or avoided;
| | c. | Policies and procedures that clearly identify and assign to the Company's departments, committees, Internal Controls functions, and other individuals, the roles and responsibilities with regard to Outsourcing and determine in which cases and at which stage, they must be involved;
| | d. | Policies and procedures to ensure that all material risks related to Outsourcing are identified, assessed, measured, monitored, controlled, mitigated, and reported to the Board in a timely and comprehensive manner;
| | e. | Ensure that any outsourced critical business functions are covered in their disaster recovery and business continuity plans, that Outsourcing service providers are fully prepared to implement them and that Outsourcing service providers have their own disaster recovery and business continuity plans to resolve disruptions at their end.
|
|
| 2. | All outsourced activity must be governed by written contracts that state the parties' rights and obligations. The Board and Senior Management must consider the effects on the Company's Risk Profile, and assess the service provider's expertise, knowledge, governance, Risk Management, Internal Controls, and financial viability along with the succession issues upon the ending of the contractual relationship with the service provider. The Company must conduct the following:| a. | Perform a detailed examination to ensure that the potential service provider has the ability, the capacity and any authorisation required by law to deliver the required functions or activities satisfactorily, taking into account the Company's objectives and needs;
| | b. | Ensure The service provider has adopted all means to ensure that no explicit or potential Conflict of Interests jeopardise the fulfilment of the deliverables of the outsourcing Company;
| | c. | Execute a written contract with the service provider which clearly defines the respective rights and obligations of the Company and the service provider;
| | d. | Ensure that the general terms and conditions of the outsourcing contract are clearly explained to the Company's Board and authorised by them;
| | e. | Ensure that the outsourcing agreement does not entail the breaching of any law in particular with regard to rules on data protection; and
| | f. | Ensure that the service provider is subject to the same provisions on the safety and confidentiality of information relating to the Company or to its policyholders or beneficiaries that are applicable to the Company.
|
|
| 3. | A Company must have an outsourcing register that contains key information for each Outsourcing arrangement, and includes at a minimum:| a. | Key non-risk related data, such as the details of the Outsourcing service provider, start and end date of the arrangement, and a brief description of the services being provided.
| | b. | Whether the Outsourcing arrangement involves any Confidential Data; and
| | c. | Whether the Outsourcing arrangement is considered Material Business Activity.
|
|
| 4. | a. Companies must ensure compliance with all the applicable State legislation and regulations in managing and processing data, when using Outsourcing services.
| b. | Companies must ensure that they retain ownership of all data provided to an Outsourcing service provider, and that their customers retain ownership of their data, including but not limited to, Confidential Data, and can effectively exercise their rights and duties in this regard.
| | c. | Where the Outsourcing service provider subcontracts elements of the service which involve Confidential Data, Companies must ensure that the subcontractor fully complies with the applicable requirements as established by law and under this and other applicable regulations.
| | d. | Companies must ensure their data is secured from unauthorised access, including unauthorised access and/or use by the Outsourcing service provider or its Staff.
|
|
| 5. | a. Outsourcing agreements must ensure that the Company has unfettered access to all of its data for the duration of the contract, including upon termination of the contract.
| b. | Outsourcing agreements must include appropriate provisions to protect a Company's data, including non-disclosure agreements and provisions related to the destruction of the data and/or transfer to the Company upon termination of the agreement.
| | c. | Outsourcing agreements must specifically establish standards for data protection, including any nationally recognised information assurance and/or data protection and confidentiality of information requirements in the State.
| | d. | Outsourcing agreements must specifically establish that the Outsourcing service provider, or any of its subcontractors must not provide any other party with access to Confidential Data without first obtaining the specific authorisation of the Company, or the customer, as the case may be.
| | e. | Outsourcing agreements must specify to what extent subcontracting is allowed and under what conditions.
| | f. | Outsourcing agreements must include an explicit provision giving the Central Bank, and any agent appointed by the Central Bank, access to the Outsourcing service provider. This provision must include the right to conduct on-site visits at the Outsourcing service provider, if deemed necessary by the Central Bank and require the Outsourcing service provider to provide the Central Bank, or its appointed agent, any data or information required for supervisory purposes.
| | g. | Outsourcing agreements must include an obligation for the Outsourcing service provider to notify the Company without undue delay of any breach of the Company's data and in particular, breaches of Confidential Data.
|
|
| 6. | When Outsourcing outside of the State:
| a. | Any Outsourcing agreement with a party located outside of the State, must stipulate that the Company and the customer retain ownership of the data at all times, and that the Central Bank can access the Company's data upon request.
| | b. | A Company must explicitly consider the possibility that changes in economic, political, social, legal or regulatory conditions may affect the ability of a service provider outside of the State to fulfil the terms of the agreement. This risk must be managed by a careful selection of service providers and jurisdictions, adequate contractual and practical arrangements, and appropriate business continuity planning.
| | c. | A Company must explicitly consider any other relevant risks arising when the service provider is located outside of the State. These must include, but are not limited to:| 1. | Higher levels of operational risk due to poor infrastructure in another jurisdiction;
| | 2. | Legal risk due to differing laws and possible shortcomings in the legal system in the countries where the service is provided; and
| | 3. | Reputational risk due to the breach of the service agreement by the service provider.
|
| | d. | A Company must ensure compliance with all relevant personal data protection legislation and regulations prior to entering into an Outsourcing agreement with an Outsourcing service provider or third party outside of the State.
| | e. | A Company must establish policies, processes and procedures regarding controls and monitoring activities specifically addressing the business relationship of the Company with an Outsourcing service provider, which includes the sharing of Confidential Data outside of the State.
| | f. | For each of its business relationships a Company holds with an Outsourcing service provider, which includes the sharing of Confidential Data outside of the State, the Company must define concrete security requirements and must ensure that its Staff are sufficiently trained in respect of these requirements.
| | g. | Companies must ensure that third parties implement and maintain the appropriate level of information security and service delivery.
| | h. | With regard to Outsourcing service providers located outside of the State, the Central Bank may exercise its powers through collaboration with the relevant authorities of any relevant jurisdiction.
|
|
| 7. | Prior to Outsourcing any material activity, including to any related party, Companies must obtain a prior notice of non-objection from the Central Bank. When requesting the non-objection, Companies must provide the Central Bank with the following at a minimum:
| a. | A brief explanation of the business activity to be outsourced;
| | b. | A summary of the materiality assessment;
| | c. | A summary of the risk assessment;
| | d. | A summary of the due diligence performed and its outcome;
| | e. | A confirmation of the agreement of the internal audit function and the compliance function;
| | f. | An overview of any closely related outsourcing agreements;
| | g. | Confirmation of compliance with the requirements of the Risk Management and Internal Controls Regulation for Insurance Companies and these Standards.
| | h. | Evidence of the approval of the proposed Outsourcing by the Board or Board committee.
|
|
| | The Central Bank will either grant the non-objection, request further information, or decline the request. Companies are encouraged to discuss their material Outsourcing plans early and coordinate with the Central Bank to avoid the non-objection process delaying the Outsourcing.
|
| 8. | Although all requests for non-objection will be considered on their individual merits, the Central Bank, will in general, not permit the Outsourcing of core insurance activities, and key management and Control Functions, including but not limited to Senior Management oversight and internal audit. The Central Bank may determine adding further requirements in this regard, from time to time.
|