1 Introduction

Despite certain legal restrictions of the objective scope of outsourced activities and liability of the insurance undertaking for the data provided within the framework of an outsourcing contract, such undertakings decide to outsource to external entities an increasing amount of activities. The EU legislator strives to adjust legislation to the evolving business reality, which is evident in the increasingly precise legal regimes of outsourcing, especially in EIOPA Guidelines. A major role in the process of concluding outsourcing agreements is played by supervisory authorities, which monitor the outsourcing process and anticipate possible negative results.

This study is a contribution intended to further investigations on outsourcing as well as subsequent research and discussion. It must be pointed out that many practically important questions, such as the relation between outsourcing and the regime of insurance secrecy or personal data protection, fall beyond the scope of this chapter.

2 Definitions of Outsourcing

The name outsourcing is a contraction of three English words: ‘outside resource using’—meaning the use of external resources.Footnote 1 This is an institution very gladly used in the processes of managing enterprises and human resources, and in those areas it is generally understood as business strategy through which a part of work of a given organisation is delegated to external entities.Footnote 2 For that purpose, there are exceptionally numerous publications on outsourcing in the area of management. I could not omit that thread, and many definitions which I present below were developed in sciences relating to management.

In the European Union legislation, one can encounter legal definitions of the term ‘outsourcing’. However, the Commission Directive 2006/73/EC of 10 August 2006 implementing Directive 2004/39/EC of the European Parliament and of the Council as regards organisational requirements and operating conditions for investment firms and defined terms for the purposes of that DirectiveFootnote 3 and the Directive 2009/138/EC of the European Parliament and of the Council of 25 November 2009 on the taking-up and pursuit of the business of Insurance and Reinsurance (Solvency II),Footnote 4 which handle that issue, limit the objective scope of their definitions of outsourcing exclusively to contracts in which one of the parties is respectively: investment firm or insurance undertaking or reinsurance undertaking. Because of the clearly limited subjective scope of the definitions of outsourcing offered in the abovementioned legislative acts and their clearly sectional nature, defining the term ‘outsourcing’ only for the purpose of a specific regime, in this part of the considerations, I would like to point to a more universal definition of outsourcing, relating to business activity in general.

Similarly, in the Polish legal system, there is no general definition of the term ‘outsourcing’ even though that term appears on several occasions. In the Act on insurance and reinsurance activities, we can find a provision under which outsourcing means a ‘a contract between the insurance undertaking or reinsurance undertaking and the service provider under which the service provider performs a process, service or activity which would be otherwise performed by the insurance undertaking or reinsurance undertaking, including contracts under which the service provider delegates the performance of such process, service or activity to other entities through which the service provider performs the given process, service or activity’.Footnote 5 It can be easily noticed that the definition was drafted similarly to the abovementioned examples from European Union law and applies only to a narrow scope covered by the statutory framework of the Act. Consequently, it may not be treated as a general definition of outsourcing in the Polish legal system.Footnote 6

There is no single universal definition of outsourcing, therefore it seems necessary to outline its conceptions as developed in the literature of the subject (mainly economic sciences).Footnote 7 Certain authors define outsourcing as taking advantage by an organisation—recipient of services—of services of an external service provider, from outside the ordering firm’s organisational structure. Such services are to consist in performance by the service provider of the ordering firm’s tasks on the latter’s behalf.Footnote 8 Other researchers are of the opinion that outsourcing means delegation, on contractual basis, of material, human or technological resources to another entity along with the transfer to that entity of decision-making competences corresponding to the delegated means.Footnote 9

In the widest sense, outsourcing is viewed as a restructuring project intended to bring more flexibility in the operation of an organisation by reducing the organisational structure through cutting down on the number of units, organisational positions or management levels, which relates to the lean management conception.Footnote 10

Outsourcing may be approached as manifestation of business management. As a result of the development, progress and changes in market economy, entrepreneurs are searching for new management applications to increase their competitiveness, since competitiveness is a necessary precondition to the existence and development of businesses. Outsourcing is also a consequence of the progressing globalisation, whose scope covers all countries and societies and, directly or indirectly, relates to economic operators. An effect of the ongoing globalisation processes is a growth of competitiveness, more efficient operation of markets and improvement of consumers’ position.Footnote 11 Enterprises approach the institution of outsourcing as a tool for the optimisation of their activities intended to achieve their strategic goals. In the light of the above, when an entrepreneur concentrates on its principal activity, in which it has a market advantage, the areas amounting to the entrepreneur’s auxiliary or incidental objects are delegated outside. The rule of thumb is that the strong points of an enterprise must always remain within its organisation.Footnote 12

When discussing insurance outsourcing, it is worth paying attention to offshoring (offshore outsourcing, international outsourcing). From the perspective of theory and practice of management, it consists in delegation of a part of services for rendition by foreign entities—in countries where labour costs are lower or intellectual capital resources are richer. In literature, it is indicated that this relates predominantly to business, IT and research and development services.Footnote 13 In this respect, in the case of internationally operating insurance conglomerates, international outsourcing may apply.

In insurance practice, there is sometimes a specific type of cooperation between insurers known as fronting. This is nothing more than full reinsurance, associated with the transfer of the entire insurance risk to the reinsurer. In practice, this means that the insurer only acts as a distributor of such insurance, while remaining a party to the concluded insurance contract and usually handling such insurance normally; however, the insurance risk is borne entirely by the reinsurer in a given case.Footnote 14

3 Outsourcing Types

According to the type of connections, we can distinguish capital and contractual outsourcing. In case of capital outsourcing, there are capital links between corporate partners. Capital outsourcing is one of possible methods of creating capital groups, consisting in severance from the parent company of a part of its activities and establishment a subsidiary with a view to its pursuance. On the other hand, contractual outsourcing is the case when the ordering party and the service provider are not related in capital terms but are separate entities bound by a contract for the performance of specific activities.Footnote 15

Outsourcing may also be divided according to its significance to the company. If the delegated activity provides benefits in a longer time perspective and its nature is of key importance to the enterprise, we can speak of strategic outsourcing. Decisions about its launch are made by top management, considering the critical success factors of the strategy’s implementation. If the timeframe is shorter and/or the significance of the delegated activities is lower, we have to do with tactical outsourcing.Footnote 16

Another criterion of outsourcing’s division is the distinction according to the scope of the severed business function. On that basis, three types of activity may be distinguished: (1) core business, constituting the essence of an enterprise’s operation. This is an area, within a company, which decides about the company’s competitive advantage and may be identified with the conception of key competences; (2) auxiliary activities (core related business) comprising strategically essential functions which are not of key importance to the organisation; (3) incidental activities (non-core related business), that is functions of little or minimum strategic importance. In commercial practice, the most commonly delegated functions are incidental and, to an increasing degree, auxiliary activities, which are not the company’s key asset.Footnote 17

In the 80s of the twentieth century, a rapid development of outsourcing started from delegating IT services to external entities. IT services were treated as support processes and most outsourcing contracts related to processes supporting the core activities: administration, logistics, purchases, etc. It was relatively late that business processes became implemented with the use of external entities. Following such sectoral division, one can distinguish between Information Technology Outsourcing (ITO) (St. Armant, 2010), consisting in the development of applications, maintenance of IT systems, manufacturing support, etc. The second rapidly growing type of outsourcing is Business Process Outsourcing (BPO) covering the operation of call-centres, management of human resources, accountancy, etc. (Deloite, 2013). From the technological point of view, outsourcing of technologies. In the opinion of Tower Group and FDIC (Federal Deposit Insurance Corporation, 2004), there are four different outsourcing models: direct captive (subsidiary company), joint venture, direct service provider, indirect service provider (sub-outsourcer).Footnote 18

Outsourcing may also be divided according to the scope of the delegated functions. Partial or selective outsourcing principally boils down to severance of a narrow area of the enterprise, leaving the rest inside the organisation. On the other hand, full or total outsourcing means that most areas of the enterprise organisation’s activity are outsourced to one or more providers for a period specified in the contract.Footnote 19

According to the option of using external entities’ services home or abroad, national outsourcing and cross-border outsourcing can be distinguished. Cross-border outsourcing (transnational outsourcing, offshore outsourcing) is usually used by companies from highly developed countries and consists in the establishment of outsourcing cooperation with foreign economic organisations in developing countries which, due to lower costs, make attractive business partners.Footnote 20

4 Outsourcing Management

Outsourcing is a complex conception and the discussion of the essence of that phenomenon on the borderline of economy and management calls for its wider presentation, allowing for multiple aspects, especially the following reasons for using outsourcing: (1) the ordering party’s decision whether to make or buy, (2) analysing on each occasion the main reasons for the outsourcing, (3) decision about the form of cooperation with a specific outsourcing partner.Footnote 21

Introduction of outsourcing as institution in economic practice calls for a dynamic, extended over time and procedural approach, allowing to take account of different conditions, particularly in management, economy and law, enabling to achieve the intended effects of reaching for external services.Footnote 22

When analysing particular stages of implementing outsourcing as an organisational solution in an enterprise, attention should be drawn to the fact that, as such, it is an interdisciplinary process, since its efficient implementation requires the use of different techniques and skills as well as different areas of expertise in law, organisation and management. Introduction of outsourcing is a strategic change for the enterprise, which is why outsourcing directly affects: strategy, organisational structure, economic and social conditions within the enterprise. Implementation of outsourcing in an enterprise allows to distinguish key phases and stages of the outsourcing process.Footnote 23 Management of the outsourcing process comprises at least the following stages:

  1. (1)

    designing (planning) outsourcing

  2. (2)

    choice of the outsourcing partner and signing the appropriate outsourcing agreement

  3. (3)

    management of performance of the outsourcing agreement and relations with the outsourcing partner until the end of cooperationFootnote 24

The first stage involves a preliminary analysis of the strategic conditions and assessment of liability of the enterprise’s specific areas to severance. This stage must include: the definition of the specific purposes of the outsourcing, analysis of costs and advantages of implementing that institution, analysis of chances and risks relating to the implementation of outsourcing. This phase relates to the enterprise’s strategic goals. It is also necessary to specify the scope of outsourcing and its role.

The second phase is the phase of introducing the outsourcing, involving the stages of selecting and acquiring the appropriate partner and signing the agreement. The purpose of that phase is to guarantee internal order during the implementation of the outsourcing by preparing an implementation schedule. At this stage, the agreement is finally signed, governing: the organisation, rights and obligations of the parties and all other cooperation areas. Such agreement is the outsourcing contract. When preparing and signing that type of document, it must be remembered that often the success of an external servicing process depends both on the construction, scope and specificity of its clauses. Provisions of each outsourcing agreement should be specifically negotiated and cover all legal aspects. In the process of preparing outsourcing agreements, an enterprise may hire external consultants.Footnote 25 The last phase of implementation is the operative stage, in which organisational relations taking place in the enterprise are subject to modification, and cooperation is established with the external service provider. The operative process should also cover, in the first place, control and monitoring of the contract’s performance, the aim of which must be to ensure that the actual activities performed as a part of external servicing are in line with the planned activities.

5 Legal Aspects of the Outsourcing Contract

Presentation of the legal framework of outsourcing is not an easy task. The basic difficulty follows from the fact that, in truth, it is difficult to talk about the ‘outsourcing contract’ even though the term is in widespread use. A closer analysis of both outsourcing practice and literature of that subject points to the conclusion that outsourcing means, in the first place, a certain method of organising business activity, consisting in the discussed ‘delegation outside’ of a part of the enterprise’s activities. Therefore, outsourcing is more of a mechanism in economy and management than any specific legal construction. This type of mechanism may use diverse legal instruments.Footnote 26

Outsourcing consists in the conclusion of a contract under which the ordering party delegates, as a part of the ordering party’s enterprise, specific services relating to the operation of the enterprise to an external entity, and the party undertaking to perform the services pledges to render them in exchange for remuneration.

The contract which forms the legal basis for outsourcing is a commercial contract sensu stricto (business-to-business) since both contractual parties are entrepreneurs. By its nature, it is a consensual, bilaterally binding, non-gratuitous and mutual agreement. Its parties may be referred to as the delegating party and the outsourcer.Footnote 27

In principle, the outsourcing contract does not require any specific form, however, the need for its written documentation may arise under the provisions on accounting or tax legislation.

The outsourcing agreement belongs to the category of empirical contracts. These contracts are formed as a result of mass conclusion of agreements of similar, analogous content and usually have specific names reflecting their general nature. Such contracts are governed directly by the norms on the general question of performing obligations and possibly, by analogia legis, by specific obligational law norms on nominate contracts insofar as one can speak of their similarity with those contracts. Currently, the operation of innominate contracts is a universal legal phenomenon.Footnote 28 This means that it is possible to establish a legal construction of a contract which does not correspond to any of the statutory contract types, whose obligational framework may lead to effective performance of the contract’s subject. The possibility of forming such contracts strictly relates to the principle of free formation of contracts.Footnote 29 The outsourcing contract (excluding, e.g., insurance outsourcing, as will be discussed in a further part of this study) is formed under the principle of the freedom of contract, which means that the parties concluding the contract may define the legal relationship in their discretion as far as its content or purpose is not contrary to the nature of the relationship, the law or the principles of social coexistence.

From the point of view of the classical civil law classification, the outsourcing contract may assume different nature. As such, this construction fits into the group of contracts for the provision of services. In certain situations, this may be a mandate contract, however, more frequently it may be a contract for the provision of services otherwise not regulated. Generally, when we have to do with multiple services rendered by the outsourcer, the purposes of outsourcing may also be achieved by applying the construction of a contract for a specific work, just as the agency, carriage, forwarding or storage contracts. In practice, complex economic relations force the formation of complex mixed contracts, comprising elements of different legal relationships.Footnote 30

In the context of the above, one must agree with the opinion of academic authors recognising outsourcing as a mechanism in the field of economy and economic processes, such as: business stimulation, optimum employment strategy, etc. On the other hand, it does not give rise or directly attach to any specific legal construction. In the preparation of outsourcing agreements, contracting parties use different obligational constructions to optimally adjust the legal terms to the economic requirements.Footnote 31

Since it is impossible to unambiguously indicate the contract type forming the basis for outsourcing, the final spectrum of the parties’ rights and obligations will depend on the final shape of the contract and understanding between the parties. Unless otherwise provided in the agreement, the rules on specific contracts type will come into play. The fact that, in a particular case, a given contract type becomes the basis for outsourcing has no principal importance from the point of view of the abovementioned rights and obligations. The principles of good faith and trust may, however, affect the performance of the parties’ obligations if they have both contemplated that a specific contractual agreement has the economic purpose of outsourcing.Footnote 32

Based on the analysis of outsourcing contracts concluded in the ordinary course of trade, one can distinguish the principal elements of that contract, i.e.: specification of the scope of works, agreement as to the level of the rendered service, remuneration, term of the agreement, terms of managing the process, rules on intellectual property, sectoral provisions, terms of terminating the contract, rules on subcontractors and court jurisdiction to resolve disputes.Footnote 33

In the outsourcing practice, an essential legal problem is protection of business secrets. In response to that question, it must be concluded that there are no specific rules governing outsourcing from that point of view. Consequently, the general rules on the protection of business secrets should apply. It must be reminded that business secrets may be protected by: (1) the duty of so-called professional secrecy; (2) rules on combatting unfair competition; (3) special contractual clauses.Footnote 34

An essential element of the outsourcing regulation is the supervision exercised over the phenomenon. The possibility of outsourcing tasks to another entity may, therefore, be subject to restrictions following from the legal regimes of pursuing certain types of activity. This problem is especially evident in the context of insurance activities.

6 Outsourcing in Insurance Activities

Under the abovementioned Solvency II Directive, specific rules were introduced in the insurance law system on the entrusting by insurance and reinsurance undertakings of their own activities to external contractors, including requirements relating to the contents of contracts under which the outsourced activities are performed. Insurance undertakings, as public trust institutions, should perform their tasks properly and safely to customers, which is why requirements in respect of outsourcing of specific activities and functions constitute a material element of the system of governance in an insurance undertaking. Moreover, insurance outsourcing is subject to disclosure obligations and supervision by the Polish Financial Supervision Authority (KNF).

6.1 The Legal Regime and the Scope of Financial Outsourcing Under the Solvency II Directive

Under Art. 13(28) of the Solvency II Directive, ‘outsourcing’ means an arrangement of any form between an insurance or reinsurance undertaking and a service provider, whether a supervised entity or not, by which that service provider performs a process, a service or an activity, whether directly or by sub-outsourcing, which would otherwise be performed by the insurance or reinsurance undertaking itself.

Moreover, the EU legislator indicated, in Recital (37) of the Solvency II Directive, that: ‘[i]n order to ensure effective supervision of outsourced functions or activities, it is essential that the supervisory authorities of the outsourcing insurance or reinsurance undertaking have access to all relevant data held by the outsourcing service provider, regardless of whether the latter is a regulated or unregulated entity, as well as the right to conduct on-site inspections. To take account of market developments and to ensure that the conditions for outsourcing continue to be complied with, the supervisory authorities should be informed prior to the outsourcing of critical or important functions or activities’, which means that the role and importance of outsourcing was recognised for the proper management of an insurance undertaking.

The EU legal regime under the abovementioned Directive imposes the requirement of minimum harmonisation. Minimum harmonisation is the case when a directive imposes a set of minimum requirements to be implemented by EU Member States, which is often a consequence of recognising the fact that legal systems in certain EU Member States already provide for more stringent requirements. This allows Member States to introduce more far-reaching provisions than set out in the Directive.

Outsourcing of critical or important operational functions or activities may not be undertaken to: (1) materially deteriorate the quality of the governance system in a given undertaking; (2) excessively increase the operating risk; (3) impede the supervisory authority’s ability to monitor the compliance by the insurance undertaking with its obligations; (4) impair the provision of continuous and satisfactory services to policyholders.

Therefore, it is the duty of Member States to ensure that insurance undertakings and reinsurance undertakings assume full liability for the performance of all their obligations under the Directive in case of outsourcing their operational functions or insurance or reinsurance activities.Footnote 35

The Directive does not introduce any express prohibition of limiting liability for damages caused to an insurance undertaking’s customers because of non-performance or improper performance of the contract by the outsourcing service provider. However, more restrictive solutions in this regard may be introduced in the provisions implementing the rules of the Solvency II Directive into Member States’ legal systems.

The obligations of insurance undertakings include the preparation in writing—beside risk management terms, rules of internal control and internal audit—also of the operating terms of outsourcing—such terms are to be reviewed at least once a year and should be approved in advance by the supervisory authority. Insurance undertakings and reinsurance undertakings are obliged to notify the supervisory authority in good time about outsourcing of critical or important functions or activities and about all later significant changes to such functions or activities.

For that purpose, Member States of the EU should ensure that insurance undertakings and reinsurance undertakings entering into an outsourcing agreement with regard to a given function or insurance or reinsurance activity take necessary steps to guarantee the following conditions: (1) the outsourcing service provider must cooperate with the authorities supervising the insurance undertaking or reinsurance undertaking in relation to the outsourced function or activity; (2) insurance undertakings and reinsurance undertakings, their statutory auditors and supervision authorities must have an actual access to the data relating to the outsourced functions or activities; (3) supervisory authorities must have an actual access to the premises of the outsourcing service provider and must be able to enforce such access rights.

Additionally, the authorities supervising an insurance undertaking or reinsurance undertaking should be entitled to carry out—independently or through parties designated by such authorities—on-site inspections at the service provider’s premises. In case of cross-border outsourcing services being rendered in the EU, the competent supervisory authority of the home state of the insurance undertaking or reinsurance undertaking must notify the appropriate authority in the Member State of the outsourcing service provider before carrying out the on-site inspection. The Solvency II Directive requires as well that the supervisory entitlements relating to the right to information about the insurance undertaking’s situation or the right to impose administrative penalties that may be imposed on insurance undertakings and reinsurance undertakings should apply also in relation to the activities outsourced by insurance undertakings or reinsurance undertakings.Footnote 36

Provisions of the Solvency II Directive are indistinct or constitute mere guidelines—indicating the goal that should be achieved by transposing specific provisions into national legal systems, which is characteristic of many directives. In this context, it is also worth pointing to the Commission Delegated Regulation (EU) 2015/35 of 10 October 2014 supplementing Directive 2009/138/EC of the European Parliament and of the Council on the taking-up and pursuit of the business of Insurance and Reinsurance (Solvency II)Footnote 37 or EIOPA Guidelines on system of governance.Footnote 38

6.2 Outsourcing Rules Applicable to Insurance Undertakings Under the Delegated Regulation

An insurance undertaking or reinsurance undertaking outsourcing or planning to outsource insurance or reinsurance functions or activities to a service provider, must introduce, in writing, the rules of outsourcing, taking into account the outsourcing’s impact on the activities of the undertaking and solutions in the area of reporting and monitoring, which should be implemented in case of the decision to outsource. The undertaking must guarantee compliance of the outsourcing agreement’s terms with the obligations of the undertaking under Art. 49 of the Directive Solvency II.

If the insurance undertaking or reinsurance undertaking and the outsourcing service provider belong to the same group, the undertaking outsourcing its critical or important operational functions or activities is obliged to consider the scope in which it controls the service provider or can influence the latter’s actions. When selecting the service provider mentioned above with regard to critical or important operational functions or activities, the administering, managing or supervising body must ensure: (a) a thorough analysis to guarantee that the potential service provider has the skills, capacities and, possibly, authorisations required under legal provisions, enabling the service provider to duly perform the outsourced functions or activities, taking into consideration the undertaking’s objects and needs; (b) taking by the outsourcing service provider of all measures to ensure that the fulfilment of the outsourcing undertaking’s needs is not threatened by any actual or potential conflict of interest; (c) conclusion between the insurance undertaking or reinsurance undertaking and the service provider of a written agreement specifying expressly the respective rights and obligations of the undertaking and of the service provider; (d) clarifying in intelligible terms the conditions of the outsourcing agreement to the administering, managing or supervising body and their approval by such body; (e) non-violation of law, especially provisions on data protection, in connection with the outsourcing; (f) subordination of the service provider to the same rules on information security and confidentiality relating to the insurance undertaking or reinsurance undertaking, their policyholders or beneficiaries, as applicable to the insurance undertaking or reinsurance undertaking.Footnote 39

In addition, the Delegated Regulation specifies the requirements that must be met by an outsourcing contract concluded by an insurance undertaking or reinsurance undertaking. Under that provision, the written agreement to be concluded between the insurance undertaking or reinsurance undertaking and service provider must specifically include the following express contents: (a) the duties and responsibilities of both parties involved; (b) the service provider’s commitment to comply with all applicable laws, regulatory requirements and guidelines as well as policies approved by the insurance or reinsurance undertaking and to cooperate with the undertaking’s supervisory authority with regard to the outsourced function or activity; (c) the service provider’s obligation to disclose any development which may have a material impact on its ability to carry out the outsourced functions and activities effectively and in compliance with applicable laws and regulatory requirements; (d) a notice period for the termination of the contract by the service provider which is long enough to enable the insurance or reinsurance undertaking to find an alternative solution; (e) that the insurance or reinsurance undertaking is able to terminate the arrangement for outsourcing where necessary without detriment to the continuity and quality of its provision of services to policyholders; (f) that the insurance or reinsurance undertaking reserves the right to be informed about the outsourced functions and activities and their performance by the services provider as well as a right to issue general guidelines and individual instructions at the address of the service provider, as to what must be considered when performing the outsourced functions or activities; (g) that the service provider shall protect any confidential information relating to the insurance or reinsurance undertaking and its policyholders, beneficiaries, employees, contracting parties and all other persons; (h) that the insurance or reinsurance undertaking, its external auditor and the supervisory authority have effective access to all information relating to the outsourced functions and activities including carrying out on-site inspections of the business premises of the service provider; (i) that, where appropriate and necessary for the purposes of supervision, the supervisory authority may address questions directly to the service provider to which the service provider shall reply; (j) that the insurance or reinsurance undertaking may obtain information about the outsourced activities and may issue instructions concerning the outsourced activities and functions; (k) the terms and conditions, where applicable, under which the service provider may sub-outsource any of the outsourced functions and activities; (l) that the service provider’s duties and responsibilities deriving from its agreement with the insurance or reinsurance undertaking shall remain unaffected by any sub-outsourcing taking place according to point (k).Footnote 40

6.3 EIOPA Guidelines on System of Governance

An important source in the context of guidelines delivered by supervisory authorities in respect of the organisation of outsourcing are EIOPA Guidelines on system of governance. EIOPA Guidelines are not a source of law, but mere recommendations addressed to national supervisors, suggesting a direction for the implementation of operating principles in the areas subject to supervision; however, they provide essential information about the desired direction of operating solutions in such areas.

In case of delivery of guidelines by EIOPA to national supervisory authorities or directly to financial institutions, it must be emphasised that the national supervisory authority or financial institution is obliged to notify (within two months of the delivery of the guideline or recommendation) if it will comply or intends to comply with the given guideline or recommendation. If the national supervisory authority or the financial institution does not comply with the respective instrument or does not intend to do so, the national supervisory authority or financial institution is obliged to notify that fact to EIOPA, providing justification. As such, soft law instruments delivered by EIOPA are not legally binding on the national supervisory authorities, however, those authorities are obliged to answer EIOPA’s guidelines and recommendations addressed to them. Furthermore, EIOPA is obliged to publish information that a national supervisory authority does not comply or does not intend to comply with a given guideline or recommendation. EIOPA may also, in a specific situation, decide to publish the justification of non-compliance with a given guideline or recommendation, as provided by the respective national supervision authority. The national supervisory authority is notified in advance about such publication.Footnote 41

And so, in Guideline 1.7, it was laid down who, within the governance system of an insurance undertaking, may be considered the person responsible, performing a key function: ‘The notification requirements only apply to persons who effectively run the undertaking or are key function holders as opposed to persons who have or perform a key function. In case of outsourcing of a key function or outsourcing of a part of a function where this part is regarded as key, the person responsible is considered to be the one who has the oversight over the outsourcing at the undertaking’.

According to EIOPA Guideline 14, on outsourcing of key functions, the insurance undertaking should implement competence and reputation assessment procedures in relation to persons engaged by the service provider or sub-provider for purposes relating to the performance of the outsourced key functions. The undertaking should designate, out of its personnel, a person generally responsible for the outsourced key functions, who must have sufficient competences and reputation and have sufficient expertise and experience regarding the outsourced key function to be capable of verifying the level of its performance and the results achieved by the service provider. The designated person is deemed to be responsible for the key function and, as such, must be notified to the supervisory authority.Footnote 42

6.4 Insurance Outsourcing in Polish Law

The Act of 11 September 2015 on insurance and reinsurance activities (hereinafter: Polish Insurance Activities Act) includes provisions on outsourcing in insurance and reinsurance activities. Those provisions were adopted because of the need to implement the Solvency II Directive into the national legal system.

Under the legal definition expressed in Art. 3(1) item 27 of the Polish Insurance Activities Act, for the purposes of that act, the term outsourcing means: ‘a contract between the insurance undertaking or reinsurance undertaking and the service provider under which the service provider performs a process, service or activity which would be otherwise performed by the insurance undertaking or reinsurance undertaking, including contracts under which the service provider delegates the performance of such process, service or activity to other entities through which the service provider performs the given process, service or activity’.

The source of outsourcing in the understanding of the Polish Insurance Activities Act may be any contract, either nominate or innominate, as long as it relates to performance of a process, service or activity which would be otherwise performed by the insurance undertaking or reinsurance undertaking.Footnote 43

The possibility of entering into outsourcing contracts by insurance distributors in Poland will relate only to insurance or reinsurance undertakings since only such solution was provided for in the Polish Act on insurance and reinsurance activities.Footnote 44 Under Art. 3(1) item 27 of that Act, the Polish legislator introduced a broad definition of the outsourcing contract to subsequently narrow down the contract’s scope under Art. 73 only to certain insurance activities and to so-called functions within the governance system, whereby, in listed situations, outsourcing contractors are exempt from insurance secrecy.Footnote 45 Under Art. 73 of that Act:

  1. (1)

    the insurance undertaking may, by way of outsourcing, entrust in writing performance of the insurance activities referred to in Art. 4(7) item 3 and Art. 4(8) and (9)Footnote 46 of the Polish Insurance Activities Act

  2. (2)

    the insurance undertaking or reinsurance undertaking may, by way of outsourcing, entrust in writing performance of the activities referred to in Art. 4(2) item 2 and 4 and in Art 4(5)Footnote 47

  3. (3)

    the insurance undertaking or reinsurance undertaking may, by way of outsourcing, entrust in writing to other entities the performance of functions belonging to the governance systemFootnote 48

In addition, the Polish Insurance Activities Act does not preclude the possibility of subcontracting by the service provider of the undertaking’s activities or functions to another party (sub-outsourcer).Footnote 49

Under Art. 274(4) of the Delegated Regulation, a contract between the insurance undertaking or reinsurance undertaking and the external provider should specify the terms under which the provider may sub-outsource the outsourced functions and activities. The agreement should also include an obligation of the external provider under which the latter’s obligations and tasks under the contract with the insurance (reinsurance) undertaking should remain intact in case of possible sub-outsourcing. EIOPA also draws attention to the fact that if the sub-outsourcing involves further delegation of critical or important functions, this should be approved by the insurance undertaking or reinsurance undertaking.Footnote 50

The provision of Art. 73 of the Polish Insurance Activities Act lays down an exhaustive list of activities and functions that may be entrusted by an insurance undertaking to a service provider under an outsourcing contract. In that context, it is excluded that an insurance undertaking might entrust to a service provider, under an outsourcing contract, performance of any activities or functions other than expressly and directly listed in Art. 73 of that ActFootnote 51 (more on that in section 6 of this article).

Another crucial obligation is the requirement, provided in Art. 75(2) of the Polish Insurance Activities Act, to notify the supervisory authority at least 30 days ahead of the implementation of outsourcing in respect of functions belonging to the governance system or critical or important activities, and of any essential change to the outsourcing of such functions or activities. In the context of such notification, one should consider the EIOPA Guidelines.Footnote 52 It seems that the obligation to notify the supervisory authority about an essential change to the outsourcing covers not only planned changes in the contract with the external service provider. EIOPA points out that the notification obligation should also cover such situations as, for example, non-compliance by the external service provider with applicable legislation or material problems with access to data or information.Footnote 53 However, in such instances, the insurance (reinsurance) undertaking could not usually make the notification in advance. Therefore, it would be reasonable to assume that the obligation materialises only upon detection by the insurance undertaking of the existing irregularities possibly qualifying as an essential change to the outsourcing.Footnote 54

Art. 76 of the Polish Insurance Activities Act introduces a prohibition of any exclusion or limitation of the insurance undertaking’s liability for damages caused respectively to policyholders, insured parties or beneficiaries under insurance contracts.Footnote 55 Such liability may not be excluded or limited even if the insurer cannot be assigned culpa in eligendo. Also, the liability of an undertaking for damages caused to assignors in consequence of non-performance or improper performance of outsourcing may not be excluded or limited.Footnote 56

6.5 Outsourcing and Insurance Intermediation

Neither the Solvency II Directive nor the Directive (EU) 2016/97 of the European Parliament and of the Council of 20 January 2016 on insurance distribution (IDD)Footnote 57 relates its provisions on outsourcing to the conclusion of legal acts by insurance intermediaries. In the discussed Guidelines, EIOPA postulates the principle that the competent national supervisory authorities should make sure that in case of an insurance intermediary, other than the undertaking’s employee, given authority to underwrite business or settle claims in the name and on account of an undertaking, the undertaking ensures that the activity of such intermediary is subject to the outsourcing requirements.Footnote 58

EIOPA’s Guidelines refer to situations in which the insurance intermediary renders to the insurance undertaking an entire service package, e.g., claim settlement, payment of benefits under contracts concluded both through that intermediary and other distributors, including directly with the insurance undertaking, services involving the intermediary’s possibility of independent assessment and assumption of insurance risk and not mere execution of the insurance undertaking’s instructions under the power of attorney to render insurance intermediation services.Footnote 59

Thus, it must be concluded that situations in which the insurance intermediary assuming the risk uses tools provided by the insurance undertaking are not examples of outsourcing.

On the other hand, in situations when the insurance intermediary, during insurance intermediation, uses his own tools intended for the assessment and acceptance of risk, one might speak of such activity’s outsourcing by the insurance undertaking and, in such event, this should be both reflected in the provisions of contracts concluded with such intermediary and allowed for in the outsourcing policy of the insurance undertaking. It must be noted that on such occasions the insurance undertaking is not exempt from its obligations relating to the outsourcer’s proper supervision, as discussed above.Footnote 60

7 EIOPA Guidelines on Outsourcing to Cloud Service Providers—Note

https://eiopa.europa.eu/Pages/News/EIOPA-consults-on-guidelines-on-outsourcing-to-cloud-service-providers.aspx.

On 6 February 2020, EIOPA published ‘Guidelines on outsourcing to cloud service providers’. Those are guidelines addressed to insurance undertakings and reinsurance undertakings concerning the application by such undertakings of the provisions on outsourcing of the Solvency II Directive and Commission delegated regulations in relation to outsourcing to cloud service providers. The Guidelines apply on the level of insurance or reinsurance undertaking and of a group. Insurance and reinsurance undertakings are required to ‘make every effort to comply’ with the Guidelines and to follow them in accordance with the regulatory framework.

Undertakings should revise and update their internal policies and processes within 1 January 2021 to adjust them to the said Guidelines.Footnote 61 The Guidelines apply to any arrangements relating to cloud outsourcing made by insurance and reinsurance undertakings; however, special emphasis is put on the outsourcing of critical or important operational functions or activities to cloud providers.

The critical matters relating to the adaptation of insurance undertakings to the discussed EIOPA Guidelines will be:

  1. (1)

    Documentation requirements (Guideline 5)—in this context, insurance undertakings and reinsurance undertakings should maintain a special register of their cloud outsourcing arrangements. The register should be regularly updated and provided to the supervisory authority upon the latter’s request. Moreover, insurance and reinsurance undertakings must ensure updates of all their internal outsourcing policies and procedures to reflect the new Guidelines.

  2. (2)

    Risk assessment of cloud outsourcing (Guideline 8), which should involve an approach proportional to the nature, scope and complexity of the risks inherent in the services outsourced to cloud service providers as incurred by insurance or reinsurance undertakings. This includes assessment of the potential impact of the cloud outsourcing on the undertaking’s operational and reputational risk.

  3. (3)

    Due diligence on cloud service provider (Guideline 9)—meaning that insurance and reinsurance undertakings should ensure, in their selection and evaluation processes, that the service provider is adequate according to the criteria specified in their written outsourcing policies. Due diligence concerning the cloud service provider’s choice must be carried out prior to outsourcing any operational function or activity.

  4. (4)

    Contractual requirements (Guideline 10)—this Guideline introduces certain clauses to be included in every outsourcing agreement covering critical or important cloud-based operational functions or activities concluded between the insurance or reinsurance undertaking and the cloud service provider.

  5. (5)

    Sub-outsourcing of critical or important cloud-based operational functions or activities (Guideline 13)—requirement imposed on cloud service providers to notify their customers of any planned significant changes to the subcontractor’s services. Customers of cloud service providers have the right to express their consent or object to such changes.

  6. (6)

    Termination rights (Guideline 15)—clear definition of exit strategies necessary to enable termination of contracts without detriment to the continuity or quality of services rendered to policyholders (insurance undertakings’ customers).Footnote 62

In addition, insurance undertakings and reinsurance undertakings must grant supervisory authorities the rights of access and audit of their CSPs (including the right of access to data centres, etc.).

A large part of the Guidelines concentrates on questions of safety and organisation and, on this occasion, it is necessary to engage governance/compliance teams and panels responsible for safety. In the context of the requirement to ensure information security, an interesting—and apparently having potentially significant practical impact—element are comments of the supervisory authorities on encryption and disclosure of information. As a rule, all data processed in cloud are to be encrypted in transit and at rest. Supervised entities may derogate from that rule when encryption is technically impossible or economically groundless.

8 Final Conclusions

The above investigations revealed that outsourcing means, in the first place, a certain method of organising business activities, consisting in the abovementioned ‘delegation’ of a part of the undertaking’s activities outside. Consequently, outsourcing is treated more as mechanism in economy and management than any specific legal construction. In fact, this type of mechanism may use different legal instruments.Footnote 63 The problems of outsourcing are of major importance for the operation of insurance undertakings and reinsurance undertakings. Therefore, it is extremely crucial to specify the legal framework for outsourcing because, in practice, almost every contract concluded by an insurance undertaking or reinsurance undertaking with an external provider should be analysed in the context of the abovementioned legal provisions.

The definition of outsourcing as included in the Solvency II Directive contains requirements and restrictions provided for activities of critical nature or important for the operation of a given insurance (reinsurance) undertaking or pertaining to functions of the governance system. Moreover, Solvency II creates a specific concept of insurance outsourcing, which shows features that distinguish it from the general approach to the outsourcing process. The minimal nature of the Directive allows Member States to specify such activities in national law. In Polish law the object of outsourcing may only be the activities indicated in Art. 73 of the Polish Insurance Activities Act. This means that insurance and reinsurance undertakings may not outsource any activities other than those expressly listed in the discussed provisions. As a result, it must be concluded that the applicable legislation imposes on insurance and reinsurance undertakings a restriction of the freedom to conclude contracts in respect of outsourcing.Footnote 64 In Polish law, the objective scope of regulation of the outsourcing contract is much wider in the banking market than in the insurance market since the Polish legislator allows payment institutions to outsource much more banking functions to the outsourcing contractor,Footnote 65 and introduces a prohibition of restricting or excluding its liability vis-a-vis the payment service provider. The legislator also introduced an exemption from the payment outsourcing regime in respect of services rendered by technical service providers as long as they do not enter into possession of the funds subject to the payment transaction.Footnote 66

There is a clear trend of expanding the insurance outsourcing regime to further performance of a process, service or activity by an insurance undertaking—an example is the EIOPA Guidelines on outsourcing to cloud service providers. Soon, one should expect expansion of the insurance outsourcing regime in respect of establishing cooperation between Insurtech companies and traditional insurance distributors. IDD does not point to the problem of outsourcing in its provisions. However, development of new technologies gives rise to the need for the legal regulation of outsourcing, especially in respect of regularising and harmonising the relevant legal regime in the entire internal financial market of the European Union. On the payment services market, tendencies may be observed of controlling the cooperation between payment institutions and Fintech companies—as evidenced by EBA Guidelines in this regard.Footnote 67

The absence of legislation on the EU level forces ESAs to search for appropriate and effective supervisory instruments in the solutions adopted in other countries of the world and in Europe for the development of Insurtech companies and their cooperation with traditional insurance distributors. New technologies pose new challenges to supervisory authorities, most serious ones after the global financial crisis of 2008. Finally, it would be impossible not to notice that the introduction of new technologies on the insurance market is based mainly on the market’s self-regulation through ‘soft law’ (guidelines and recommendations). An analysis of the current construction of guidelines and recommendations under the applicable EU legislation gives rise to the thesis that the legislator ‘reinforced’ the performance of such guidelines and recommendations by their addressees. They are binding on the addressees as far as fulfilment of their objectives is concerned, and non-binding in terms of the means leading to such ends. A disciplinary instrument in this construction is the possibility of disclosing (publishing) by the supervisory authority the received information relating to the refusal to adjust by the supervised entity to the issued guideline or recommendation. Due to all those solutions, introduction of new technologies on the insurance market may be based on the delivery of guidelines and recommendations, however, there is a need for appropriate legislative solutions in this regard on the European Union level. The construction of uniform insurance market of the EU implies that any activities in this regard should be compulsory, harmonised and consistent for the entire market and for particular Member States.Footnote 68