In today’s European insurance landscape, outsourcing has evolved from a simple operational tool into a key pillar of corporate strategy. Outsourcing is regulated by a clear regulatory framework, that is based on the Solvency II Directive and the EU Delegated Regulation 2015/35, which both offer the possibility of delegating services and business functions to third parties, provided that the management of the company remains stable, secure and fully under control.
It is possible for insurance and reinsurance companies to outsource services and functions—as long as the overall governance and stability of the business are not compromised. To this end, the regulation requires companies to adopt a formal outsourcing policy and clearly define the procedures for delegating fundamental functions or activities to third parties.
As insurers increasingly rely on outsourcing of activities and business processes, IVASS—Italian Insurance Supervisory Authority—has set out its supervisory expectations, urging companies to carefully assess both the risks and opportunities tied to outsourcing essential activities and functions.
The message is clear: outsourcing is permitted, but never at the expense of control. Insurance companies must be capable of applying the same level of control and monitoring to outsourcers as they would to in-house operations. IVASS expects companies to put in place a governance and organizational control framework that ensures continuity, quality, and compliance—even when strategic processes are managed by third parties.
IVASS expects companies to evaluate the specific risks associated with each outsourced activity and to implement measures that guarantee the continuity of outsourced activity, even in the event of a disruption or a major performance failure of the service given by the provider.
Regarding ICT services, IVASS expects companies to fully align their internal control and management models with the requirements of the DORA Regulation, by adopting tailored strategies to manage cyber risks, along with a comprehensive policy governing the use of ICT services.