From 1 January 2013 authorised insurers in Hong Kong must comply with new guidelines issued by the Hong Kong Insurance Authority (the "HKIA") and obtain the approval of the HKIA if they wish to outsource certain of their functions to third party service providers.
Application of the guidelines
The guidelines apply to all arrangements under which a service provider (whether located in or outside of Hong Kong and whether or not an independent party or a related party of the insurer) undertakes to perform a service which the insurer would otherwise carry out itself. The guidelines set out some examples of what may be considered outsourcing for the purposes of the guidelines, including application and claims processing, policy administration, human resources management, marketing and research, IT systems management and risk management services.
The guidelines clarify that certain services are not outsourcing for the purposes of the guidelines, particularly sales of policies by insurance agents or brokers and medical examinations for assessing insurance claims. Common business services like banking, printing, mail and telecommunications services are also excluded.
An insurer should follow the guidelines to the extent necessary considering the materiality of the outsourcing. If an outsourcing is material to the insurer's business, all issues outlined in the guidelines must be addressed.
Key requirements of the guidelines
The guidelines set out requirements covering the following 10 areas:
- Materiality assessment: In line with its outsourcing policy, an insurer must have in place a framework to assess the materiality of a proposed outsourcing arrangement. The guidelines make clear that the assessment of the materiality of an outsourcing arrangement is qualitative and depends on the particular facts of the outsourcing. An insurer must continually monitor the materiality of its outsourcing arrangements.
- Risk assessment: Prior to entering into, renewing or renegotiating an outsourcing arrangement, an insurer must conduct a comprehensive risk assessment, including by assessing the financial, operational, legal and reputational risks involved in the outsourcing.
- Service provider: An insurer must conduct sufficient due diligence on the provider of a proposed outsourced service.
- Outsourcing agreement: The guidelines set out a number of provisions that an insurer should consider when negotiating an outsourcing services agreement, including provisions on: (a) description of services; (b) service standards; (c) monitoring and reporting obligations; (d) restrictions on subcontracting; (e) business continuity and disaster recovery; (f) termination rights; and (g) audit rights. The guidelines state that all outsourcing agreements should preferably be governed by Hong Kong law.
- Information confidentiality: An insurer must ensure that its outsourcing arrangements comply with Hong Kong's data protection laws (ie the Personal Data (Privacy) Ordinance). An insurer must also ensure that it and its service provider have in place appropriate data security and confidentiality safeguards. Any breach of confidentiality or unauthorised access to data that affects the insurer or its customers must be notified to the HKIA.
- Monitoring and control: An insurer must have resources and processes in place to monitor and control its outsourcing arrangements. The guidelines are not exhaustive in explaining how this can be achieved, but do require an insurer, for example, to conduct regular reviews or audits of its outsourcing arrangements and to have in place escalation processes to expedite resolution of any issues in the outsourcing arrangements. Significant problems that may materially affect the insurer must be notified to the HKIA.
- Contingency planning: An insurer must have, and ensure that its outsourced service providers have, adequate business continuity and disaster recovery procedures in place. These procedures must be regularly reviewed and tested.
- Overseas outsourcing: If an insurer intends to outsource any of its functions to an overseas service provider, it must consider issues such as any country risks posed by the jurisdiction from where the services will be provided, confidentiality or data protection implications of transferring information to that jurisdiction and the extent to which the HKIA is able to continue to access information of the insurer to fulfil its statutory responsibilities.
- Sub-contracting: The guidelines do not prohibit an outsourced service provider from sub-contracting outsourced services, but responsibility is placed on the insurer to maintain control over any sub-contracting arrangements. If the service provider wishes to sub-contract, the insurer must ensure that the service provider complies with the guidelines as if it were the insurer and the sub-contractor were the outsourced service provider.
Notification and approval requirements
An insurer must notify the HKIA at least three months prior to entering into or significantly varying a material outsourcing arrangement to which the guidelines apply. The insurer must provide a copy of any outsourcing agreement with this notification.
Although the guidelines refer to this as a 'notification' requirement, it is effectively a requirement to obtain the HKIA's approval to a new or varied material outsourcing, as the HKIA may raise objections and require an insurer to remedy areas of concern about the outsourcing. The HKIA may also extend the three month 'notification period' if more time is needed to address these areas of concern to the HKIA's satisfaction. The notification regime does not apply to an outsourcing that is not material.
If the HKIA does not respond to the insurer within three months of it notifying the HKIA of the new or varied outsourcing arrangement, the HKIA is deemed to have approved the arrangement.
The guidelines introduce a transition period for outsourcing arrangements (whether or not material) that were entered into prior to 1 January 2013 and will not expire before April 2013. Under these transitional arrangements, the insurer must: (a) provide the HKIA with information about the outsourcing arrangement before 1 February 2013; (b) conduct materiality and risk assessments on the outsourcing arrangement before 1 April 2013; and (c) remedy any deficiencies in the outsourcing arrangement before 1 January 2014.