In its last quarterly Insurance Newsletter of 2024, the Central Bank of Ireland (Central Bank) provided an update that it has revised its Notification Guidance for (Re)insurance Undertakings when Outsourcing Critical or Important Functions or Activities (CIFA) under Solvency II (Guidance). The existing Guidance had been in place since the advent of Solvency II in 2016. The updated Guidance addresses the expectations that the Central Bank has in relation to the content, form and timing of notifications and sets out information on the due diligence that (re)insurance firms are expected to carry out before outsourcing CIFAs.

The Central Bank emphasises that the steps for notifying a CIFA to the Central Bank are unchanged, with notifications expected to be provided at least 6 weeks before the outsourcing is due to come into effect, and in the format set out in the Guidance. The Guidance also reminds firms that subsequent material developments that are relevant for supervisory purposes must be notified to the Central Bank including (but not limited to) any new sub-outsourcings; new service providers; and/or any major issues with the performance of existing service providers.

The Guidance also clarifies (see below) some key elements following developments in outsourcing regulation and guidance since 2016, most notably the publication of the Central Bank Cross Industry Guidance on Outsourcing (December 2021) (CBI Outsourcing Guidance).

Interplay with the Outsourcing Guidance

Importantly, the Central Bank has clarified that firms are only required to address the notification requirements laid out in the Guidance. This is supported by the CBI Outsourcing Guidance which provides that if sectoral guidance is more prescriptive than the CBI Outsourcing Guidance, then the sectoral guidance will take precedence in that regard.

Due Diligence

The Central Bank emphasises its expectation that (re)insurance firms undertake detailed due diligence, in order to ensure that the outsourced service provider has the requisite ability to carry out the function or activity. The Central Bank also expects the undertaking to take account of the impact of the outsourcing on the operations of the undertaking. It is important to note that the Central Bank may request evidence of these assessments after receipt of the Notification Letter from the undertaking. To assist firms in conducting this due diligence, the Central Bank has also published separate Notification Templates to be completed (where relevant to the outsourcing in question)

• notification guidance when outsourcing CIFAs under Solvency II;
• notification guidance when outsourcing CIFAs to cloud service providers; and
• notification guidance for (re)insurance firms when outsourcing ICT services and ICT systems.

Withdrawal of Previously Published Guidelines

It is worth noting that the European Insurance and Occupational Pensions Authority (EIOPA) has recently withdrawn two previously published guidelines in order to avoid duplications and overlaps with the Digital Operational Resilience Act (DORA):

• the “Guidelines on information communication technology security and governance” issued in the context of Solvency II; and
• the “Guidelines on outsourcing to cloud service providers” issued in the context of Solvency II.

It remains to be seen how the withdrawal of these guidelines by EIOPA will affect the Central Bank outsourcing notification process for (re)insurers as they are specifically addressed in the Notification Templates referenced above.

If you have any queries related to the above update or on outsourcing matters in general, please contact John O’Connor, Eoin Caulfield or your usual William Fry contact.