In February of this year, the European Insurance and Occupational Pensions Authority (EIOPA) published its final guidelines for insurers and reinsurers on outsourcing to cloud providers (Guidelines) (see here for our summary of the key aspects of the Guidelines). The Guidelines are due to come into effect on 1 January 2021, and apply to all outsourcing agreements entered into or amended after 1st January 2020, while all existing cloud outsourcing arrangements need to be updated to comply with the Guidelines by no later than 31st December 2022. In addition, the Guidelines also require firms’ outsourcing policies and internal processes to be updated by 1st January 2021.
The Financial Conduct Authority has recently informed EIOPA that the Guidelines will not apply to regulated activities carried out in the UK as the Guidelines are due to come into effect after the UK withdrawal transition period is due to end. Given the significant burden that compliance with the Guidelines would require for many firms (particularly in relation to renegotiation of existing outsourcing agreements), the news is likely to be welcomed both by the UK insurers and outsourcing providers to the UK insurance sector. UK insurers carrying on regulated activities in other parts of Europe will, of course, need to comply with the Guidelines (assuming that local regulators adopt them). In addition, UK insurers will need to continue to comply with the FCA’s own guidance on outsourcing to the cloud (and other third party services), which was published in 2016 and most recently updated in September of last year: FG16/5 Guidance.