Strategic Shift: IRDAI Redefines Insurance Outsourcing Practices

Tuli & Co

Contributor

Tuli & Co is an insurance-driven commercial litigation and regulatory practice established in 2000. With offices in New Delhi and Mumbai, we undertake work for a cross section of the Indian and international insurance and reinsurance market and work closely alongside Kennedys’ network of international offices.

Introduction

The Insurance Regulatory and Development Authority of India (“IRDAI”) has introduced a new framework governing the outsourcing activities of Indian Insurance Companies, replacing the previous regulations of 2017 and representing a shift towards a more principle-based approach to regulation in the Indian insurance sector. This article provides a detailed analysis of the key changes introduced by the new regulations. It examines the potential implications for Insurance Companies' outsourcing practices, governance structures, and compliance requirements.

Historically, the outsourcing of activities by Indian Insurance Companies has been governed by separate regulatory norms which, inter alia, prescribed guidance on activities permitted to be outsourced, due diligence, and compliance and reporting requirements. However, in a move to streamline and consolidate regulations, the IRDAI has introduced the IRDAI (Protection of Policyholders' Interests, Operations and Allied Matters of Insurers) Regulations 2024 (“PPHI Regulations”), which, inter alia, repeal the earlier norms on outsourcing, i.e. the IRDAI (Outsourcing of Activities by Indian Insurers) Regulations 2017 (“Erstwhile Outsourcing Regulations”). This new regulatory framework brings the permitted outsourcing of activities by an Insurance Company under a unified umbrella, aligning it more closely with broader policyholder protection objectives.

In furtherance of the PPHI Regulations, the IRDAI has also issued a Master Circular on “Operations and Allied Matters of Insurers” of 19 June 2024 (“Operations Master Circular”), which provides additional guidance on various aspects set out in the PPHI Regulations.

Key Changes

A brief summary of the key changes introduced under the PPHI Regulations and the Operations Master Circular is set out below:

  1. Activities prohibited from outsourcing: The Erstwhile Outsourcing Regulations prescribed a list of activities which Insurance Companies were prohibited from outsourcing in any manner [1]. While the Operations Master Circular prescribes a similar list of prohibited activities, the following changes have been introduced:
    1. For activities such as policyholders' grievance redressal, product designing, actuarial functions, and enterprise-wide risk management, the prohibition under the Operations Master Circular now applies specifically to ‘decision making’ rather than the entire activity [2].
    2. While decision-making in underwriting and claims functions remains prohibited from outsourcing [3], the exclusion for procedural activities related to payment of survival benefit claims in life insurance policies has not been retained [4].
    3. Certain activities, including the decision to appoint insurance agents, surveyors, loss assessors, and approving advertisements, are no longer expressly on the list of prohibited activities. However, it is possible that these activities are still subject to further operational guidance since the recently notified PPHI Regulations contain specific chapters on surveyor appointment and insurance advertisements. As such, we believe Insurance Companies should remain vigilant for any operational norms focused on policyholder protection.
  2. Outsourcing Committee: The PPHI Regulations continue to require the Insurance Company's Board to constitute an Outsourcing Committee, comprising at least the Chief Risk Officer, Chief Financial Officer and Chief of Operations [5]. While the Erstwhile Outsourcing Regulations previously prescribed a list of responsibilities of the Outsourcing Committee, the PPHI Regulations set out additional responsibilities, which, inter alia, include: (i) ensuring that outsourcing of activities does not prejudice the policyholders' interests in any way, and (ii) communicating information in relation to the risks associated with material activities to the Risk Management Committee, instead of the Board of Directors as previously required [6].
  3. Outsourcing Policy and Board's Responsibilities: In relation to the Board, the PPHI Regulations continue to identify a similar set of responsibilities as earlier, such as: (i) putting in place a Board approved Outsourcing Policy (which may also be delegated to the Outsourcing Committee formed by the Board), and (ii) conducting annual reviews of a summary of outsourced activities and approving any changes to the Board policy. However, the requirement for a ‘Conflict management policy’ has been replaced with a broader mandate for the Board to ensure no conflicts of interest with related parties of Insurance Companies and distribution channels [7].
  4. Outsourcing Agreements: The Erstwhile Outsourcing Regulations prescribed a list of clauses that were mandatorily required to be included in a contract with an outsourcing service provider, such as information and asset ownership rights, information technology, data security and protection of confidential information [8]. Instead, the Operations Master Circular sets out a list of principles which are to be followed by Insurance Companies, which broadly align with the previous list under the Erstwhile Outsourcing Regulations [9].
  5. Material Outsourcing and Due Diligence of Outsourcing Service Providers: The Erstwhile Outsourcing Regulations prescribed a set of criteria that needed to be considered in order to determine whether an outsourcing arrangement is ‘material’ in nature [10]. For such material outsourcing agreements, Insurance Companies were required to evaluate certain key risks, such as reputation risk, exit strategy, concentration risk and information asymmetry risk [11]. However, the PPHI Regulations and the Operations Master Circular have not retained these stipulations and adopt a more principle-based approach to material outsourcing arrangements and due diligence. Insurance Companies are now required to (i) identify material outsourcing agreements, (ii) evaluate risks and conduct due diligence for these agreements, and (iii) be aware of and effectively manage potential risks arising from material outsourcing agreements [12].
  6. Internal Controls: Insurance Companies were previously required to ensure that outsourcing of their activities does not compromise or weaken their internal controls [13]. However, the PPHI Regulations now expressly require Insurance Companies to establish systems and effective internal controls in relation to outsourcing [14], without expressly specifying the manner of implementation. Insurance Companies are required to take “appropriate steps” to establish systems and controls which, inter alia, protect the Insurance Company's proprietary and customer related information [15].
  7. Reporting Requirements: In contrast to the previous requirement under the Erstwhile Outsourcing Regulations [16], the Operations Master Circular now requires Insurance Companies to report details of all outsourcing arrangements [17], regardless of the annual pay-out being less than Rs. 1 crore (previously calculated on a per-outsourcing service provider basis or per-activity basis), and in the manner specified under the IRDAI's Master Circular on Submission of Returns of 14 June 2024.
  8. Inspection and Audit Requirements: While mandatory periodic inspections of outsourcing service providers are no longer required, Insurance Companies are now required to ensure that either they or their auditor(s) are in a position to promptly obtain information relevant to contractual or regulatory compliance [18].
  9. Maintenance of Records: The Erstwhile Outsourcing Regulations previously required Insurance Companies to maintain records in support of various considerations/aspects (such as cost benefit analysis, due diligence reviews, pricing assessments etc). Such records were required to be maintained for a period of 5 years after the end of the outsourcing agreement [19]. While the PPHI Regulations and the Operations Master Circular do not retain these considerations or the minimum period for their maintenance, we note that the requirement under the IRDAI (Minimum Information Required for Investigation and Inspection) Regulations 2020 [20] to maintain records in relation to all outsourcing activities continues to apply. The Outsourcing Committee is responsible for maintaining all ‘relevant’ records in this regard [21].

Concluding Remarks

The implementation of the PPHI Regulations and the accompanying Operations Master Circular marks a significant shift in the regulatory approach to activities that may be outsourced to third-party entities by Indian Insurance Companies. This new framework moves away from prescriptive rules towards a more principle-based model, potentially offering Insurance Companies the opportunity to factor this into their business and strategy decisions.

Key changes include modifications to the list of prohibited outsourcing activities, expanded responsibilities for the Outsourcing Committee, and a shift towards risk-aware management of material outsourcing arrangements. The new regulations also place increased emphasis on internal controls and systems, while adjusting reporting and record-keeping requirements.

While the updated regulatory framework may allow greater flexibility, it also necessitates a thorough review and potential revision of existing practices and procedures. Insurance companies will need to carefully assess their current outsourcing arrangements, governance structures, and internal control mechanisms to ensure alignment with the new regulatory expectations.

Footnotes

1. R5 of the Erstwhile Outsourcing Regulations.

2. ¶21 under Chapter III of the Operations Master Circular.

3. ¶21.1(iv)(b) under Chapter III of the Operations Master Circular.

4. R5(v) of the Erstwhile Outsourcing Regulations.

5. R8 of the Erstwhile Outsourcing Regulations.

6. R48(2) of the PPHI Regulations.

7. R47(5) of the PPHI Regulations.

8. R11(ii) of the Erstwhile Outsourcing Regulations.

9. ¶22 under Chapter III of the Operations Master Circular.

10. R10(i) of the Erstwhile Outsourcing Regulations.

11. Annexure II of the Erstwhile Outsourcing Regulations.

12. ¶18.5 and ¶18.6 under Chapter III of the Operations Master Circular.

13. R14(i)(c) of the Erstwhile Outsourcing Regulations.

14. R52 of the PPHI Regulations.

15. ¶18.3 under Chapter III of the Operations Master Circular.

16. R21 of the Erstwhile Outsourcing Regulations.

17. ¶22 under Chapter III of the Operations Master Circular.

18. ¶18.7 under Chapter III of the Operations Master Circular.

19. R17 of the Erstwhile Outsourcing Regulations.

20. R7 of the IRDAI (Minimum Information Required for Investigation and Inspection) Regulations 2020.

21. ¶19 under Chapter III of the Operations Master Circular.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
