The Dutch Central Bank (De Nederlandsche Bank, DNB) has indicated in a recent news item on its website that the quality of outsourcing notifications could be improved.
DNB notes that the Solvency II Directive requires insurers to notify DNB, in a timely manner, of the (sub)outsourcing of activities to a third party. Where it concerns the outsourcing of critical or important activities for the insurer, a notification must be made before the outsourcing contract with the third party concerned is concluded or the actual outsourcing arrangement takes effect. DNB lists a number of points it has identified following its assessment of outsourcing notifications:
- DNB would like to receive a complete schematic overview of the outsourcing chain, including an explanation. This should allow DNB to assess the notification in the correct context without having to raise additional questions.
- DNB requests parties to use the DNB template when drawing up the risk analysis. The risk that the service provider does not adhere to the agreed quality standards needs to be assessed. Where insurers list measures that are in place to mitigate this risk, DNB has found that the mentioned assurance reports, certifications or own audits do not always provide sufficient certainty with regard to the internal control mechanism of the service provider. An example of this is reference to an ISO27001 certificate, which in itself is insufficient to demonstrate the sound operation of control measures that are in place. DNB expects insurers to ensure that the scope and depth of the information received from third parties is sufficient to determine the control at the service providers.
- The ‘outsourcing notification form’ that needs to be used when notifying DNB asks for information on the investigation and audit rights. DNB notes that these rights should extend beyond the service provider with whom the outsourcing contract is concluded. DNB expects these rights to extend to all critical or important outsourcing throughout the entire outsourcing chain. Recent case reviews have shown that the investigation and audit rights were not included in the outsourcing contract, as a result of which insurers were non-compliant from the moment they entered into the outsourcing relationship. Contracts must be adjusted accordingly.
DNB requests insurers to check to what extent outsourcing contracts meet the requirements laid down in Article 274 of the Solvency II regulation and the EIOPA Guidelines on outsourcing to cloud service providers and to amend outsourcing contracts in case of deficiencies.