Hyderabad, the 20th April, 2017
Insurance Regulatory and Development Authority of India (Outsourcing of Activities by Indian Insurers) Regulations, 2017
F. No. IRDAI/Reg/5/142/2017. In exercise of the powers conferred under Section 114A (2) (zd) of the Insurance Act 1938 and Section 14(2)(e) of the IRDA Act 1999 read with Section 26 of the IRDA Act 1999 and in consultation with the Insurance Advisory Committee, the Authority hereby makes the following regulations, namely:
1. SHORT TITLE AND COMMENCEMENT
(i) These Regulations may be called IRDAI (Outsourcing of Activities by Indian Insurers) Regulations, 2017.
(ii) They shall come into force from the date of their publication in the Official Gazette of the Government of India and supersede the Guidelines issued in this regard vide Reference: IRDA/Life/CIR/GLD/013/02/2011 dated 01-02-2011 and any clarification circulars issued in this regard.
(i) These Regulations are applicable to all Insurers registered with the Insurance Regulatory and Development Authority of India excluding those engaged in reinsurance business. If an Insurer is engaged in both direct Insurance as well as Reinsurance business, these regulations are applicable only in respect of direct Insurance business of such Insurers.
(iii) These Regulations are applicable to outsourcing arrangements entered into by an Insurer with an outsourcing service provider located in India or outside India.
(i) To ensure that insurers follow prudent practices on management of risks arising out of outsourcing with a view to preventing negative systemic impact and to protect the interests of the policyholders.
(ii) To ensure sound and responsive management practices for effective oversight and adequate due diligence with regard to outsourcing of activities by Insurers.
(i) In these Regulations, unless the context otherwise requires;
a) ‘Act’ means the Insurance Act, 1938;
b) ‘Authority’ or ‘IRDAI’ means the Insurance Regulatory and Development Authority of India established under sub section 1 of Section 3 of the IRDA Act 1999;
c) ‘Group’ means as defined in Reg. 2(g) of IRDAI (Investment) Regulations, 2016
d) ‘Related Party’ means as defined under Section 2(76) of Companies’ Act, 2013
e) ‘Outsourcing’ is defined as the use of third party services by the Insurer to perform activities that would normally be undertaken by the Insurer, either now or in future, but does not include services which are generally not expected to be carried out internally by the insurers such as Legal services, Banking Services, Courier services, medical examination, forensic analysis.
f) ‘Outsourcing Service Provider’ means third party service provider who carry out the activities outsourced, for Insurers.
g) ‘Outsourcing Agreement’ means a written agreement entered into between the Insurer and outsourcing service provider outlining the terms and conditions for services which may be rendered by the Outsourcing service provider;
h) ‘Material Outsourcing’ means the outsourcing arrangements which are assessed as material based on the factors described in Annexure I.
(ii) All words or expressions not defined in these Regulations but defined in the Insurance Act, 1938, Insurance Regulatory and Development Authority Act, 1999 or any Regulation issued by the Authority shall have the same meaning respectively assigned to them in those respective legislations.
5. ACTIVITIES PROHIBITED FROM OUTSOURCING
The Insurers are prohibited from outsourcing any of the following activities mentioned under (i to viii) in any manner:
i. Investment and related functions
ii. Fund Management Including NAV calculations
iii. Compliance with AML and KYC,
provided, KYC verification through third party service providers is allowed as per Clause 3.1.2 of IRDAI AML Master Circular dated 28th Sept 2015.
iv. Product designing, all actuarial functions and enterprise-wide risk management;
v. Decision making in Underwriting and Claims functions excluding procedural activities related to payment of Survival Benefit claims in Life Insurance;
vi. Policyholders Grievances Redressal;
vii. Decision to appoint Insurance Agents, Surveyors and Loss Assessors;
viii. Approving Advertisements
Provided that nothing contained in these Regulations shall be deemed to be in contravention of the provisions of the Regulations, Guidelines issued by the Authority in respect of the above activities.
6. OUTSOURCING ACTIVITIES SUPPORTING POLICY SERVICING
i. Though the policy servicing remains an integral activity for the Insurer who is totally responsible for the services rendered, the activities that support Policyholder servicing are allowed to be outsourced.
ii. Where collection of premiums is outsourced by the Insurer, it shall put in place procedures and ensure issuance of premium acknowledgements to the policyholders at the point of collection of premiums through such outsourced Service providers.
Provided, Insurers shall remain responsible for the acknowledgements issued and the date and time of such receipt shall be taken into account for considering the underlying benefits of an insurance contract.
7. RESPONSIBILITIES OF THE BOARD OF DIRECTORS
The Board of the Insurer shall be responsible for the following functions under these Regulations:
i. The Board of Directors shall approve and put in place an Outsourcing Policy. The Board of Directors, may delegate, the mandate of approving the outsourcing policy, to the Outsourcing Committee constituted under Regulation 8 of these Regulations. The outsourcing policy shall cover the following:
a) Framework for assessment of risks involved in outsourcing including the confidentiality of data, quality of services rendered under outsourcing contracts
b) Parameters for determining the cost-benefit analysis for each outsourced activity
c) Guiding principles for evaluation of the outsourced service provider including its ability and capability to provide the required services
d) Conflict management policy that ensures adherence to the provisions on related party transactions as envisaged in Companies Act, 2013
e) Norms for implementation and review of the outsourcing policy, determining the management’s responsibility for approving, determining the consideration amount involved and monitoring the outsourcing arrangements, and delegation of authority within the Insurer’s hierarchy
f) The degree of due diligence required for other than-material outsourcing activities
ii. Annual review of the summary of the outsourced activities of the Insurer and approval of changes to the policy on the basis of review report.
iii. Constitution of an outsourcing committee comprising of key management persons and definition of the terms of reference of the committee
iv. Review of exceptions, if any, arising out of the annual review of outsourcing contracts by the outsourcing committee.
v. Ensuring that the pricing for outsourcing arrangements with related parties or group entities are consistent with accepted arms’ length principles.
8. OUTSOURCING COMMITTEE
The Board of Directors of the Insurer shall constitute an Outsourcing Committee comprising of key management persons of the Insurer, and shall, at the minimum, include the Chief Risk Officer, Chief Financial Officer and Chief of Operations. The outsourcing committee shall inter-alia be responsible for:
i. Effective implementation of the Outsourcing policy as approved by the Board of Directors;
ii. Validating the Insurer’s need to perform the activities proposed for outsourcing. Evaluation of key risks associated with outsourcing contracts as envisaged in Annexure -II of these Regulations;
iii. Coverage of the scope of services within the objects’ clause of the Deed of constitution of the outsourcing service provider;
iv. Ensuring that the decision to outsource a material activity is supported by a sound business case taking into account the cost and the potential benefits of outsourcing against risks that may arise, having regard to all relevant prudential matters as well as short-term (e.g. temporary service disruptions) and long-term (e.g. impact on business continuity) implications.
v. Ensuring that the approval to the outsourcing arrangements entered into/proposed to be entered into by the Insurer is as per the Outsourcing Policy approved by the Board of Directors.
vi. Annual performance evaluation of each of the outsourcing service providers and reporting exceptions to the Board of Directors.
vii. Communicating information pertaining to risks associated with material activities to the Board of Directors in a timely manner.
viii. Ensuring compliance with the Outsourcing Policy and applicable laws, Regulations
ix. Annual review of Policy and submit a review report recommending changes in the policy for board approval.
9. OUTSOURCING SERVICE PROVIDERS FOR MATERIAL ACTIVITIES:
No Insurer shall engage in India, an entity other than the following, as outsourcing service provider for the purpose of outsourcing where the activity outsourced is assessed as Material as per Annexure-I and keeping in view the risks as envisaged under Annexure-II.
a) Companies Registered under the relevant provisions of the Companies Act, 2013, or
b) Limited Liability Partnerships registered under the relevant provisions of the Limited Liability Partnership Act, 2008, or
c) Registered Cooperative Societies registered under the cooperative Societies Act, 1912 or
d) Partnership firms registered under the Indian Partnership Act, 1932 or
e) Entities formed under Public private partnership such as e-seva e-mitra, CSC.
f) Any other entity as may be approved by the Authority to act as Outsourcing Service Provider.
10. DUE DILIGENCE OF OUTSOURCING SERVICE PROVIDERS
Among other things, an outsourcing arrangement shall be considered material if the estimated annual expenditure under an outsourcing contract is likely to exceed 5 % of the total expenditure incurred during preceding financial year on all outsourcing activities. All insurers shall evaluate the outsourcing arrangements based on the detailed parameters for materiality assessment outlined in Annexure I.
All outsourcing arrangements assessed as material shall be subject to evaluation of the risks envisaged under Annexure II and shall be subject to due diligence as per (i) & (ii) below. Insurers should consider the level of materiality associated with their outsourced activities and implement their enterprise risk management practices deemed as appropriate to the specific nature and circumstances of activities.
i. In considering or renewing an outsourcing arrangement, an insurer should subject the outsourcing service provider to appropriate due diligence which inter alia cover the following;
a) Where the outsourcing service provider is a Company registered under the Companies Act, 2013, the objects of the Memorandum of Association of the company shall include the activities outsourced.
b) In case of other outsourcing service provider, there shall be a clause in the deeds or bye-laws enabling it to undertake the activities outsourced.
c) Existence of the outsourcing service provider as projected, its competence and experience to perform the activity proposed to be outsourced to it.
d) Assessing the capability of the outsourcing Service Provider to employ standards envisaged, while performing outsourced activities.
e) Its security and internal controls;
f) Business continuity management;
g) Where considered necessary, insurers shall obtain independent reviews and market feedback on the service provider to supplement its own findings;
ii. Due diligence undertaken during the selection process should be documented and evaluated at least annually as part of the monitoring and control process of outsourcing.
iii. The due diligence may be as specified in the Board approved Outsourcing Policy as per Regulation 7(i)(f) for activities other than material.
11. OUTSOURCING AGREEMENTS
i. Outsourcing arrangements shall be governed by written agreements that are legally binding for a specified period, subject to periodical renewals, if necessary, that clearly describe all important aspects of the outsourcing arrangement, including the rights and obligations of all parties.
ii. The outsourcing contracts, inter alia, shall have in place certain clauses or conditions listed below, as may be applicable:
a) Information and asset ownership rights, information technology, data security and protection of confidential information
b) Guarantee or indemnity from the outsourcing service provider towards his commitment including liability for any failure
c) Contingency planning of the outsourcing service Provider to provide business continuity for the outsourced arrangements that are material
d) Express clause that the contract shall neither prevent nor impede Insurer from meeting its respective regulatory obligations, nor the IRDAI from exercising its regulatory powers of conducting inspection, investigation, obtaining information from either the Insurer or the outsourcing service provider
e) Contract termination clause specifying orderly handing over of data, assets etc.
iii. The Insurer shall ensure that the outsourcing service provider shall not sub-contract the whole or a substantial portion of the Outsourced activity. Where sub-contracting is allowed partially it should be with the prior consent of the Insurer and the additional risk which flows due to subcontracting shall be factored in at the time of due diligence.
12. CONFIDENTIALITY AND SECURITY
i. The insurer shall satisfy itself that the outsourcing service provider’s security policies, procedures and controls will enable the insurer to protect confidentiality and security of policyholders’ information even after the contract terminates.
ii. It shall be the responsibility of the insurer to ensure that the data or information parted to any outsourcing service provider under the outsourcing agreements remains confidential.
iii. An insurer shall take into account any legal or contractual obligations on the part of the outsourcing service provider to disclose the outsourcing arrangement and circumstances under which Insurer’s customer data may be disclosed. In the event of termination of the outsourcing agreement, the insurer should ensure that the customer data is retrieved from the service provider and ensure there is no further use of customer data by the service provider.
13. INSPECTION AND AUDIT BY THE INSURER
The insurer shall conduct periodic inspection or audit on the outsourcing service providers either by internal auditors or by Chartered Accountant firms appointed by the insurer to examine the compliance of the outsourcing agreement while carrying out the activities outsourced.
The outsourcing committee of the Insurer may decide on the periodicity and service providers to be inspected taking into account the risks associated with the activity outsourced. Insurer shall ensure that enabling provisions for the Inspection by the Insurer shall be included in the Agreement with outsourcing service provider. Measures shall be taken to arrest the deficiencies noticed if any in the inspection or audit report.
14. LEGAL AND REGULATORY OBLIGATIONS
i. Insurers shall ensure that outsourcing arrangements do not,
a) diminish their ability to fulfil their obligations to Policyholders and the IRDAI
b) impede effective supervision by the IRDAI
c) result in their internal control, business conduct or reputation being compromised or weakened
ii. The Regulations apply irrespective of whether the outsourcing arrangements are entered into with an affiliated entity within the same group as the Insurer, or an outsourcing service Provider external to the group or the one who has been given sub-contract
iii. Outsourcing shall not diminish the obligations of an insurer and those of its Board and Senior Management to comply with the relevant law/s and regulations. The Insurer is ultimately accountable for all acts of commission and omission of the outsourcing service Providers. The Insurer’s liability shall not in any way be restricted or limited by way of outsourcing.
iv. All the outsourcing service providers engaged by insurers are subject to the provisions of the Insurance Act, 1938, IRDA Act 1999, Rules, Regulations and any other orders issued thereunder.
v. The regulated activities of the Insurance Agents, Insurance Intermediaries including TPAs, Insurance Repositories and other regulated entities, as provided in the Insurance Act, 1938, IRDA Act 1999 and Regulations, guidelines made thereunder are not considered as outsourcing and therefore not covered by these Regulations.
vi. Subject to these Regulations, Insurance Agents, Insurance Intermediaries and other regulated entities of the Authority shall not be contracted for performing any activity other than those activities that are allowed under the respective regulations or guidelines notified by the Authority from time to time governing their registration or functioning.
a) Provided these provisions are not applicable in respect of entities regulated by RBI and Post Offices when they are engaged for premium collection and cheque pick-up activities.
b) Provided also that these provisions are not applicable to Insurer involving Senior Agents as faculty in the training sessions purely on honorarium basis.
c) Provided also that the services allowed to be outsourced to registered Insurance Repositories or other regulated entities by the respective regulations or guidelines will be governed by these regulations.
vii. The Authority may issue guidelines with regard to permitting or restricting outsourcing of specific activities to certain categories of unregulated entities.
15. PRINCIPLES TO BE FOLLOWED WHERE OUTSOURCING SERVICE PROVIDERS ARE RELATED PARTIES OR GROUP ENTITIES OF INSURERS OR INSURANCE INTERMEDIARIES
Insurers shall ensure compliance with the following additional principles where outsourcing service providers are the related parties or group entities of Insurers or Insurance Intermediaries registered with the Authority.
a) With the objective of avoiding potential conflict of interest, Insurers shall endeavor that the related Parties or group entities of Insurers or Insurance Intermediaries registered with the Authority shall ordinarily not be engaged for outsourcing any of the activities.
b) Insurers shall not outsource any activity that leads to potential conflict of interest with the functions of the Insurer or with the functions of Insurance Intermediaries.
c) Where it is considered necessary to outsource any activity to the related parties or group entities of the Insurers or related parties or group entities of the Insurance Intermediaries registered with the Authority who are working either with the Insurer who is proposing to outsource or with any other Insurers, there shall be a complete due diligence and the insurer shall be bound by the conflict management policy that is part of its outsourcing policy that ensures maintaining arm’s length distance.
d) Insurers shall ensure that in respect of all the activities outsourced to the related parties or group entities of the Insurer or related parties or group entities of Insurance Intermediaries; the consideration amount agreed upon and modifications thereon, if any, shall be subject to specific approval of the Outsourcing Committee of the Insurer.
Provided while determining the consideration amount the outsourcing committee of the Insurers shall take into consideration the outsourcing policy approved by the Board and the principles referred in 7(v) of these Regulations.
e) All the activities outsourced to the related parties or group entities referred here in shall be reported to the Authority within thirty days of date of outsourcing agreement.
f) Payments made in respect of (e) above, shall be reported separately to the Authority in accordance with the provisions of Regulation (21).
g) In case, any of the outsourcing service provider becomes a related party or a group entity of either the Insurer or Insurance Intermediaries the insurer shall report the fact to the Authority within 30 days of such an event.
h) Norms specified herein shall be followed where an Individual Insurance Agent of the Insurer is one of the promoters or one of the Directors of the outsourcing service provider.
16. CONTINGENCY PLANS
i. Insurers shall establish and maintain adequate contingency plans where the outsourced activity is material. These include disaster recovery plans and backup facilities to support the continuation of an outsourced activity with minimal business disruption in the event of reasonably foreseeable events that affect the ability of an outsourcing service provider to continue providing the service.
ii. The contingency plans should be appropriate to the potential consequences of a business disruption resulting from problems at the outsourcing service provider and should consider contingency plans maintained by the outsourcing service provider and their coordination with the Insurer’s own contingency arrangements. In particular, contingency plans should ensure that the Insurer can readily access all the records necessary to allow it to sustain business operations, meet statutory obligations, and provide any information relating to the outsourced activity as may be required by the IRDAI.
iii. Contingency plans should also be regularly reviewed and tested to ensure that they remain robust, particularly under changing operating conditions.
17. MAINTENANCE OF RECORDS
i. In respect of All outsourcing arrangements, Insurers shall ensure that adequate documentation is maintained to support the Insurer’s satisfaction of the expectations in these Regulations.
ii. The documentation shall support the following aspects:
a) Materiality assessments
b) Adherence to the Insurer’s outsourcing policy
c) Cost benefit analysis
d) Due diligence reviews
e) Pricing assessments; and
f) Risk evaluation
g) The basis used to determine arm’s length distance while arriving at the pricing of activities that involve outsourcing with related party or group entity of the insurer or insurance intermediaries.
h) Audit and Inspection reports as mentioned under Regulation (13).
iii. The documentation should be available for review by the Board and inspection by IRDAI as and when required.
iv. Such documentation shall be preserved for five years from the end of the outsourcing contract period by the Insurers.
18. REGULATORY ACCESS
i. Insurers shall, in all cases, obtain an undertaking from their outsourcing Service providers or include a provision within the outsourcing agreement, giving authorized representatives of the IRDAI the right to: –
a) examine the books, records, information, systems and the internal control environment in the outsourcing service provider (or sub-contractor as applicable), to the extent that they relate to the service being performed for the Insurer and
b) access any internal audit reports or external audit findings of the outsourcing service Provider that concern the service being performed for the Insurer.
ii. In cases where Insurer outsources to the service providers outside India, the Insurers shall ensure that the terms of the agreement are in compliance with respective local regulations governing the outsourcing service provider and laws of the country concerned and such laws and regulations do not impede the regulatory access and oversight by the Authority. All original policyholder records continue to be maintained in India.
19. APPLICABILITY TO EXISTING OUTSOURCING CONTRACTS
These Regulations shall be applicable to all outsourcing arrangements in force on the date of coming into effect of these Regulations. However, any existing outsourcing arrangement to which these Regulations become applicable, shall be appropriately amended to bring such arrangement in compliance with these Regulations within 180 days from the date of coming into effect of these Regulations. Insurer shall ensure that all arrangements that do not comply with these Regulations within 180 days of the date of the Regulations coming into effect, shall be terminated and Insurer shall not avail such services thereafter.
These regulations shall not be construed to be authorizing any activity which otherwise is prohibited by any law or Regulation or Guidelines of the Authority for the time being in force.
21. REPORTING REQUIREMENTS
Insurers shall report all the outsourcing arrangements where annual pay-out either per outsourcing service provider or per activity is One Crore rupees or more, every year within 45 days from the close of the financial year. The format for reporting is given in Annexure III.
Notwithstanding the above threshold for periodic reporting, the Authority may call for details, cause inspection in respect of any outsourcing arrangements.
22. POWER OF THE CHAIRPERSON TO ISSUE CLARIFICATIONS
In order to remove any difficulties in the application or interpretation of these regulations, the Chairperson of the Authority may issue clarifications, direction or guidelines as deemed necessary.
T. S. VIJAYAN, Chairman
[ ADVT. III/4/Exty/52/17]
KEY FACTORS FOR DETERMINING THE MATERIALITY IN
(i) An outsourcing arrangement shall be considered material if the estimated annual expenditure under an outsourcing contract is likely to exceed 5 % of the total expenditure incurred during preceding financial year on all outsourcing activities.
(ii) Notwithstanding the above, an outsourcing arrangement shall be considered material if its disruption has the potential to significantly impact an Insurer’s business operations, reputation or profitability.
(iii) Without limiting their scope, the criteria for assessing the materiality of outsourcing arrangements should have regard to the following key factors:
a) significance of the activity being outsourced (e.g. in terms of contribution to revenue, capital allocations or importance to overall achievement of strategic and business objectives);
b) financial, reputational and operational impact on the Insurer of an Outsourcing Service provider’s failure to adequately perform the outsourced activity;
c) potential impact on the Insurer’s continuing ability to meet its obligations to its Policyholders in the event of disruption of services of an outsourcing Service Provider;
d) consequences of outsourcing the activity on the ability and capacity of the Insurer to maintain internal controls and meet current as well as future changes to regulatory requirements;
e) cost of the outsourcing arrangement in terms of contractual expenditures relative to the Insurer’s net assets and annual operating expenditures;
f) interrelationship of the outsourced activity with other activities within the Insurer;
g) aggregate exposure to a particular outsourcing service provider where the Insurer outsources multiple activities to the same outsourcing service provider;
h) degree of difficulty and time required to replace the Outsourcing Service provider or if necessary to bring the activity in-house
i) Availability of alternative outsourcing service provider in the market for the same service
j) Any other factor which will have a significant impact on the Insurer or the Policyholders not covered above.
KEY RISKS IN OUTSOURCING CONTRACTS
i. The outsourcing committee (constituted under Regulation 8 of these Regulations) of the Insurer shall evaluate all the key risks associated with any material outsourcing contract, including, but not limited to, the following risks:
(a) Strategic Risk:
- Activities carried out by outsourcing service provider on its own behalf that are inconsistent with the overall strategic goals of the Insurer:
- Failure to implement appropriate oversight of outsourcing service provider
- Inadequate expertise to oversee outsourcing service provider
(b) Reputation Risk: Poor service by outsourcing service provider:
- Customer interaction that is inconsistent with Insurer’s standards
- Unethical practices of outsourcing service provider
(c) Compliance Risk: Prudential and market conduct regulations not complied with:
- Breach of obligation to preserve customer data confidentiality
- Changes in regulations not communicated to outsourcing service provider in a timely manner
(d) Operational Risk:
- Technology failure
- Inadequate financial capacity of outsourcing service provider to fulfil obligations or provide remedies/restitution
- Fraud or error
- Failure of insurers to undertake inspections of outsourcing service provider (e.g. due to practical difficulty or cost considerations)
(e) Exit strategy Risk:
- Over-reliance on one outsourcing service provider
- Loss of relevant skills or resources in the Insurer, preventing it from bringing an outsourced activity back in-house
- Contracts which make a speedy exit prohibitively expensive
(f) Contractual Risk:
- Inability to enforce contract
(g) Information Risk:
- Reliance on information by outsourcing service provider that may be materially inaccurate
- Delay in providing timely data and information to Insurer or regulator.
- Confidentiality of commercially sensitive/customer information may be compromised
(h) Concentration Risk:
- Reliance on one outsourcing service provider for multiple activities.
ii. A summary of the material risks arising out of outsourcing contracts shall be reviewed by the Risk Management Committee at least once a year.
(OUTSOURCING REPORTING FORMAT)
I. Total of payouts for the Reporting year (including those below Rs 1 Cr.)
| SR No. | Particulars | Total of payouts (Rs in Lacs) |
| 1 | On all Outsourcing activities | |
| 3 | To related parties or group entities of the insurer or Insurance intermediaries on all outsourcing activities of | |
| 4 | To Outsourcing Service Providers located or operating from outside India of (1) above | |
II. All Outsourcing arrangements as per Regulation 21:
| SR No | Particulars of activity | Name and Address of | Amount paid for the reporting year (Rs in lacs) | Amount paid for the preceding year (Rs in lacs) |
III. Outsourcing with Related Parties or Group entities of Insurer or Insurance Intermediaries out of II above.
| Sr No | Particulars of activity | Name and Address of | Amount paid for the reporting year (Rs. in lacs) | Amount paid for the preceding year (Rs. in lacs) |
IV. Outsourcing to entities located or operating from outside India out of II above:
| Sr No | Particulars of activity | Name and Address of the | Amount paid for the reporting year (Rs in lacs) | Amount paid for the preceding year (Rs in lacs) |