For outsourcing of insurance activities, the IRDAI has issued the Regulations called IRDAI (Outsourcing of Activities by Indian Insurers) Regulations, 2017. The regulations dated April 20, but put on the Gazette of India on May 5, are aimed at ensuring that insurers follow prudent practises on management of risks arising out of outsourcing so as to prevent negative systemic impact on one hand and to protect the interests of the policyholders on the other. Regulations are applicable to all Insurers registered with the Insurance Regulatory and Development Authority of India excluding those engaged in reinsurance business. If an Insurer is engaged in both direct Insurance as well as Reinsurance business, these regulations are applicable only in respect of direct Insurance business of such Insurers. These Regulations are applicable to outsourcing arrangements entered into by an Insurer with an outsourcing service provider located in India or outside India. The object is to ensure that insurers follow prudent practices on management of risks arising out of outsourcing with a view to preventing negative systemic impact, to protect the interests of the policyholders, to ensure sound and responsive management practices for effective oversight and adequate due diligence with regard to outsourcing of activities by Insurers. The rules are primarily targeted to ensure that insurance firms comply with prudent practices on management of risks arising from outsourcing engagements. Ultimately, the goal is to prevent a negative systemic impact and protect the interest of policyholders. Insurers are not allowed to outsource core activities like investment, fund management, compliance with AML and KYC, product designing and policyholder grievances redressal. But while policy servicing remains a core activity for the insurer responsible for the services rendered, activities that support may be outsourced. Insurers are likewise told to set up procedures for issuance of premium acknowledgments instantaneously.
India continues to remain the world’s favourite when it comes to outsourcing. It has gained global confidence with major players such as Cisco, Oracle and Hewlett-Packard opting for India because they are confident of gaining access to superior talent, quality results, fast turnaround times and low costs. India is the hub of the world where the ICT sector is concerned. India also holds 65% of the global offshore outsourcing BPO market, making it the dominant leader in providing outsourcing services. For insurance, now Insurers will find it tougher to outsource activities as the IRDAI has set the tighten norms. In addition to approval of the policy, the board will also be responsible for clearing a framework to evaluate the risks and materiality of all existing and prospective outsourcing. This will include assessing management competencies for handling the outsourcing arrangements, given the nature, scope and complexity. Undertaking periodical review of outsourcing strategies and arrangements, and establishing a comprehensive risk management programme to cover the risks associated with the outsourced activities will also be the responsibility of the board. Outsourcing activities have to be distributed amongst a reasonable number of outsourcing agencies to ensure there is no concentration of risks. The regulations are to give a more structured and better shape to outsourcing activities by clearly defining core and non-core activities. The new norms will “positively” impact business processes and customer interests. A host of activities such as processing, premium collection and claim verifications are generally outsourced in both life and non-life insurance. These norms should bring in more accountability as outsourcing relationships will be governed by written outsourcing agreements that are legally binding for a specified period that clearly describe all material aspects of the outsourcing arrangement, including the rights and responsibilities of all parties. This is for the first time that comprehensive regulations governing outsourcing are rolled out.
WHAT IS OUTSOURCING?
‘Outsourcing’ is defined as the use of third party services by the Insurer to perform activities that would normally be undertaken by the Insurer, either now or in future, but does not include services which are generally not expected to be carried out internally by the insurers such as Legal services, Banking Services, Courier services, medical examination, forensic analysis. ‘Outsourcing Service Provider’ means third party service provider who carry out the activities outsourced, for Insurers. ‘Outsourcing Agreement’ means a written agreement entered into between the Insurer and outsourcing service provider outlining the terms and conditions for services which may be rendered by the Outsourcing service provider. Given that a lot of outsourced activities in the insurance industry are risk based and complex, the Regulation is a step towards ensuring that vendors comply with the much needed high standards while delivering these activities. The outsourcing policy will tighten processes and make sure companies engage with organizations that come with the right qualification needed for the insurance industry. All core activities related to underwriting of policies, product design, actuarial functions and risk management should not be outsourced. Investment related functions should also be handled by the insurance company itself – and the advice of a fund or wealth manager should not be sought for policyholders’ money. These norms are not applicable to re-insurers but are applicable to all insurers registered with the Insurance Regulatory and Development Authority.
ACTIVITIES PROHIBITED FROM OUTSOURCING:
One area of emerging concern is online issuance/payment of premium. Net banking services or an e-wallet are sometimes employed and there have been instances of delays or transaction failure with online payment. In such online payments, the generation of receipts should be instantaneous. With the growth of the online medium for insurance, the regulator is trying to ensure the policyholder’s rights. The Insurers are prohibited from outsourcing any of the following activities mentioned under (i to viii) in any manner:
- Investment and related functions
- Fund Management Including NAV calculations
iii. Compliance with AML and KYC, provided, KYC verification through third party service providers is allowed as per Clause 3.1.2 of IRDAI AML Master Circular of 28th Sept 2015.
- Product designing, all actuarial functions and enterprise-wide risk management;
- Decision making in Underwriting and Claims functions excluding procedural activities related to payment of Survival Benefit claims in Life Insurance;
- Policyholders Grievances Redressal;
vii. Decision to appoint Insurance Agents, Surveyors and Loss Assessors;
viii. Approving Advertisements
Though the policy servicing remains an integral activity for the Insurer who is totally responsible for the services rendered, the activities that support Policyholder servicing are allowed to be outsourced. Where collection of premiums is outsourced by the Insurer, it shall put in place procedures and ensure issuance of premium acknowledgements to the policyholders at the point of collection of premiums through such outsourced Service providers. Insurers shall remain responsible for the acknowledgements issued and the date and time of such receipt shall be taken into account for considering the underlying benefits of an insurance contract. Bank reconciliations and redressal of policyholder grievances should also not be outsourced. Now, quite a few of the call centres handling customer complaints are outsourced to a third-party. It remains to be seen, how insurance companies will try to take this completely in house or if certain functions alone will be made in house. Approving advertisements and appointment of surveyors and loss assessors is also to be managed in house – as is compliance with AML, KYC norms. For verification and picking of KYC documents, many insurance agents and brokers employ sub-brokers, who operate without a license. This practise has anyway been frowned upon by the regulator. Now it will be spelt out it in black and white that third-parties cannot in any fashion be part of the admission procedure.
DUE DILIGENCE OF OUTSOURCING SERVICE PROVIDERS:
The new regulations also make it mandatory on the board of the insurer put in place an outsourcing policy and also set up an outsourcing committee comprising key management persons of the insurer, including the chief risk officer, chief financial officer and chief of operations. An outsourcing arrangement shall be considered material if the estimated annual expenditure under an outsourcing contract is likely to exceed 5 % of the total expenditure incurred during preceding financial year on all outsourcing activities. All insurers shall evaluate the outsourcing arrangements based on the detailed parameters for materiality assessment as outlined. All outsourcing arrangements assessed as material shall be subject to evaluation of the risks. Insurers should consider the level of materiality associated with their outsourced activities and implement their enterprise risk management practices deemed as appropriate to the specific nature and circumstances of activities. In considering or renewing an outsourcing arrangement, an insurer should subject the outsourcing service provider to appropriate due diligence which inter alia cover the following;
- a) Where the outsourcing service provider is a Company registered under the Companies Act, 2013, the objects of the Memorandum of Association of the company shall include the activities outsourced.
- b) In case of other outsourcing service provider, there shall be a clause in the deeds or bye -laws enabling it to undertake the activities outsourced.
- c) Existence of the outsourcing service provider as projected, its competence and experience to perform the activity proposed to be outsourced to it.
- d) Assessing the capability of the outsourcing Service Provider to employ standards envisaged, while performing outsourced activities.
- e) Its security and internal controls;
- f) Business continuity management;
- g) Where considered necessary, insurers shall obtain independent reviews and market feedback on the service provider to supplement its own findings;
- Due diligence undertaken during the selection process should be documented and evaluated at least annually as part of the monitoring and control process of outsourcing.
iii. The due diligence may be as specified in the Board approved Outsourcing Policy as per Regulation 7(i) (f) for activities other than material.
The insurers are also expected to establish and maintain adequate contingency plans. This includes disaster recovery plans and backup facilities to support the continuation of an outsourced activity with minimal business disruption in the event of reasonably foreseeable events that affect the ability of an Outsourcing Service Provider to continue providing the service.
CONFIDENTIALITY AND SECURITY:
The insurer is prohibited from outsourcing ‘core activities’ like investment, fund management, compliance with AML and KYC, and product designing and policyholder’s grievances redressal. While policy servicing remains a core activity for the Insurer who is totally responsible for the services rendered, however, “the activities that support policyholder servicing may be outsourced. The Regulation also provides that where collection of premium is outsourced, insurers should put in place procedures for issuance of premium acknowledgments instantaneously. It is expected that:
- The insurer shall satisfy itself that the outsourcing service provider’s security policies, procedures and controls will enable the insurer to protect confidentiality and security of policyholders’ information even after the contract terminates.
- It shall be the responsibility of the insurer to ensure that the data or information parted to any outsourcing service provider under the outsourcing agreements remains confidential.
iii. An insurer shall take into account any legal or contractual obligations on the part of the outsourcing service provider to disclose the outsourcing arrangement and circumstances under which Insurer’s customer data may be disclosed. In the event of termination of the outsourcing agreement, the insurer should ensure that the customer data is retrieved from the service provider and ensure there is no further use of customer data by the service.
An outsourcing arrangement shall be considered material if the estimated annual expenditure under an outsourcing contract is likely to exceed 5 % of the total expenditure incurred during preceding financial year on all outsourcing activities. It is material if its disruption has the potential to significantly impact an Insurer’s business operations, reputation or profitability. Without limiting their scope, the criteria for assessing the materiality of outsourcing arrangements should have regard to the following key factors:
- Significance of the activity being outsourced (e.g. in terms of contribution to revenue, capital allocations or importance to overall achievement of strategic and business objectives);
- Financial, reputational and operational impact on the Insurer of an Outsourcing Service provider’s failure to adequately perform the outsourced activity;
- Potential impact on the Insurer`s continuing ability to meet its obligations to its Policyholders in the event of disruption of services of an outsourcing Service Provider;
- Consequences of outsourcing the activity on the ability and capacity of the Insurer to maintain internal controls and meet current as well as future changes to regulatory requirements;
- Cost of the outsourcing arrangement in terms of contractual expenditures relative to the
Insurer’s net assets and annual operating expenditures;
- Interrelationship of the outsourced activity with other activities within the Insurer;
- Aggregate exposure to a particular outsourcing service provider where the Insurer outsources multiple activities to the same outsourcing service provider;
- Degree of difficulty and time required to replace the Outsourcing Service provider or if necessary to bring the activity in-house
- Availability of alternative outsourcing service provider in the market for the same service
- Any other factor
KEY RISKS IN OUTSOURCING CONTRACTS
The move is also to ensure sound and responsive management practices for effective oversight and adequate due diligence while outsourcing activities by insurers. Accordingly, the new regulations ban insurers from outsourcing investments and related functions to third parties, apart from not allowing fund management, including NAV calculations; compliance with AML and product design. Insurers are also expected to do all actuarial functions and enterprise-wide risk management in house, apart from decision making on underwriting and claims functions excluding procedural activities related to payment of survival benefit claims in life insurance; policyholders grievances redressal; decision to appoint insurance agents, surveyors; loss assessors and finally approving advertisements. The outsourcing committee (constituted under Regulation 8 of these Regulations) of the Insurer shall evaluate all the key risks associated with any material outsourcing contract, including, but not limited to, the following risks:
(a) Strategic Risk:
- Activities carried out by outsourcing service provider on its own behalf that are inconsistent with the overall strategic goals of the Insurer:
- Failure to implement appropriate oversight of outsourcing service provider
- Inadequate expertise to oversee outsourcing service provider
(b) Reputation Risk: Poor service by outsourcing service provider:
- Customer interaction that is inconsistent with Insurer’s standards
- Unethical practices of outsourcing service provider
(c) Compliance Risk: Prudential and market conduct regulations not complied with:
- Breach of obligation to preserve customer data confidentiality
- Changes in regulations not communicated to outsourcing service provider in a timely manner
(d) Operational Risk:
- Technology failure
- Inadequate financial capacity of outsourcing service provider to fulfil obligations or provide remedies/restitution
- Fraud or error
- Failure of insurers to undertake inspections of outsourcing service provider (e.g. due to practical difficulty or cost considerations)
(e) Exit strategy Risk:
- Over-reliance on one outsourcing service provider
- Loss of relevant skills or resources in the Insurer, preventing it from bringing an outsourced activity back in-house
- Contracts which make a speedy exit prohibitively expensive
(f) Contractual Risk:
- Inability to enforce contract
VOILATION OF OUTSOURCING NORMS:
There is a distinctive change in the Insurance segment globally and India is no exception. This is one of the major sectors that has witnessed strong growth and would see a continued growth momentum. It has becomes imperative for the players in this industry to capitalize on business opportunities, penetrate new markets, defy challenges, lessen risks, beat competition, as well as streamline business processes. A Business Process Services provider can enable organizations to bring about process improvements, cut costs, increase sales and market share and much more. Insurance sector regulator, IRDAI has slapped a penalty of Rs 55 lakh on Max Life Insurance Company for violating clauses under outsourcing guidelines. IRDAI penalised Max Life with Rs 50 lakh fine as it fixed a flat services fee for various activities to outsourced firm (or service provider) Diganta Multi Services, irrespective of premium size and without adopting risk management principles. The submissions of the life insurer that the service fee is based on the location vis-a-vis the ability of the service provider is not acceptable,…it is considered that service fee agreed and paid to service provider is disproportionate to the nature of services and the life insurer did not carry out any cost-benefit analysis. The regulator slapped another penalty of Rs 5 lakh as the outsourced party –Diganta Multi Services–to collect renewal premium did not comply with norms in outsourcing guidelines. The life insurer did not submit any reasons for not having specific mention in written agreement with service provider for collecting premiums. Allowing the service provider who is not complying with the prescribed requirements to collect the premiums is in violation…therefore a penalty of Rs 5 lakh is levied on the life insurer for the violation. It warned the company to insert the clause in agreement and advised to examine existing agreements and ensure they are in compliance with guidelines. IRDAI directed the company to ensure compliance by carrying out due diligence when entering into agreements with service providers while outsourcing any activity.
IRDAI has also imposed Rs. 35 lakh fine on Bharti AXA General Insurance Co Ltd for violation of various norms including outsourcing activities and corporate governance guidelines. The fine is based on violation related with an inspection finding during December 2012 to March 2013. The insurer was making payments towards infrastructure expenses to corporate agents, making additional payout to licensed entities in the name of workshop, training, distribution of publicity material which were in violation of outsourcing guidelines.
India has now become one of the most popular destinations for off shoring insurance processes. These Regulations are applicable to all outsourcing arrangements in force on the date of coming into effect of these Regulations. However, any existing outsourcing arrangement to which these Regulations become applicable shall be appropriately amended to bring such arrangement in compliance with these Regulations within 180 days from the date of coming into effect of these Regulations. Insurer shall ensure that all arrangements that do not comply with these Regulations within 180 days of the date of the Regulations coming into effect shall be terminated and Insurer shall not avail such services thereafter. These regulations are not be construed to be authorizing any activity which otherwise is prohibited by any law or Regulation or Guidelines of the Authority for the time being in force. Insurers shall report all the outsourcing arrangements where annual pay-out either per outsourcing service provider or per activity is One Crore rupees or more, every year within 45 days from the close of the financial year. Regulations defines outsourcing as use of third-party services to perform activities that would normally be undertaken by the insurer but does not include services such as legal services, banking services, courier services, medical examination, and forensic analysis.
Insurers have to establish and maintain adequate contingency plans where the outsourced activity is material. These include disaster recovery plans and backup facilities to support the continuation of an outsourced activity with minimal business disruption in the event of reasonably foreseeable events that affect the ability of an outsourcing service provider to continue providing the service. The contingency plans should be appropriate to the potential consequences of a business disruption resulting from problems at the outsourcing service provider and should consider contingency plans maintained by the outsourcing service provider and their coordination with the Insurer’s own contingency arrangements. In particular, contingency plans should ensure that the Insurer can readily access all the records necessary to allow it to sustain business operations, meet statutory obligations, and provide any information relating to the outsourced activity as may be required by the Regulator. Contingency plans should also be regularly reviewed and tested to ensure that they remain robust, particularly under changing operating conditions. The outsourcing committee of the Insurer may decide on the periodicity and service providers to be inspected taking into account the risks associated with the activity outsourced. Insurer shall ensure that enabling provisions for the Inspection by the Insurer shall be included in the Agreement with outsourcing service provider. Outsourcing arrangements has to be governed by written agreements that are legally binding for a specified period, subject to periodical renewals, if necessary, that clearly describe all important aspects of the outsourcing arrangement, including the rights and obligations of all parties. The regulations are aimed at ensuring insurers follow prudent practices on management of risk arising out of outsourcing, so as to prevent negative systemic impact on one hand and to protect the interests of policyholders on the other.
About the Author
JAGENDRA KUMAR
Ex. CEO, Pearl Insurance Brokers
71/143, “Ramashram” Paramhans Marg,
Mansarovar, JAIPUR-302020
References:
- IRDA Annual Report 2015-16 ( Data contents)
- https://www.irdai.gov.in/ADMINCMS/cms/frmGeneral_Layout.aspx?page=PageNo3149&flag=1
- http://celent.com/reports/insurance-business-process-outsourcing-global-view
- Outsourcing in Insurance Industry: Chetan Goenka
- Outsourcing introduction & issues: Nishant_ns
- http://www.thehindubusinessline.com/money-and-banking/outsourcing-norms-for-insurers
- http://indiatoday.intoday.in/story/irdai-issues-new-outsourcing-guidelines-for-insurers/1/947620.html
- Newspapers & Journals