1. INTRODUCTION
1.1 The Indian insurance laws permit insurance companies to outsource activities in accordance with the rules, regulations and directions issued by the Insurance Regulatory and Development Authority of India (“IRDAI”) including the IRDAI (Protection of Policyholders’ Interests, Operations and Allied Matters of Insurers) Regulations, 2024 read with the Master Circular on Operations and Allied Matters of Insurers, 2024 (together the “Outsourcing Framework”). The Outsourcing Framework is applicable to all insurers except those engaged in the reinsurance business. IRDAI has in the past penalised insurers for failure to adhere to norms relating to outsourcing.
1.2 Previously, outsourcing arrangements were governed by the IRDAI (Outsourcing of Activities by Indian Insurers) Regulations, 2017 (“Previous Regulations”), which have been superseded by the Outsourcing Framework. The Outsourcing Framework provides for certain relaxations from the Previous Regulations. This article captures the salient obligations and restrictions in relation to outsourcing by insurance companies and highlights the key differences between the Previous Regulations and the Outsourcing Framework.
2. KEY COMPLIANCE REQUIREMENTS FOR INSURANCE COMPANIES
2.1 Restrictions on outsourcing of core activities
2.1.1 Insurers can outsource all activities except prescribed ‘core activities’. These include (i) investment and related functions; (ii) fund management, including NAV calculations; and (iii) compliance with AML, KYC,[1] etc. In contrast with the Previous Regulations, which treated activities such as policy servicing, approval of advertisements and the decision to appoint insurance agents, surveyors and loss assessors as core activities, the Outsourcing Framework allows insurers more discretion with respect to the nature of the activities outsourced.
2.1.2 Additionally, no function involving decision making regarding (i) product designing, actuarial functions and enterprise-wide risk management; (ii) underwriting and claims functions; and (iii) policyholders’ grievance redressal and allied matters may be outsourced. Under the Previous Regulations, these functions were treated as core activities. However, the Outsourcing Framework offers a relaxation in this regard, with the prohibition extending only to “decision making” in respect of these functions. It appears that the procedural aspects of these activities can now be outsourced once the insurer has taken the decisions on approach; however, the IRDAI has not provided further guidance on this point.
2.2 Requirement for adequate due diligence and oversight
2.2.1 The Outsourcing Framework requires that insurers enter into outsourcing arrangements only if it is absolutely necessary and if there is no adverse impact on policyholders. To ensure this, they must have sound and responsive management practices for effective oversight and must conduct adequate due diligence on their outsourcing service provider.
2.2.2 Notably, the Previous Regulations had detailed provisions on the risks to be considered by insurers before entering into outsourcing agreements, including the implications for business continuity (for material activities) and the ability to exercise oversight over the service provider. In contrast, the Outsourcing Framework requires insurance companies to evaluate the risks generally and to conduct a cost-benefit analysis of the outsourcing agreements. It also mandates steps to ensure the continuity of services to the insurance company, but without detailing the specific risks to be considered. In our view, the Outsourcing Framework offers no relaxation in this regard. Instead, it is drafted on the understanding that insurers will consider the risks outlined in the Previous Regulations, along with any additional risks pertinent to their business.
2.2.3 The IRDAI Guidelines on Information and Cyber Security for Insurers, 2023 (“CS Guidelines”) also require insurers to consider certain factors prior to outsourcing, including an assessment of the reputation of the service provider, its level of competency, and the level of diligence the service provider conducts on its own employees.
2.3 Outsourcing to related parties
2.3.1 Insurers may outsource activities to related parties or group companies only on an arm’s length basis and provided that there is no conflict of interest. Notably, and in contrast to the Previous Regulations, there is no longer a requirement to generally avoid outsourcing to related parties and group companies, or to obtain specific approval from the outsourcing committee for such outsourcing.
2.3.2 Any payments made to related parties or group companies for outsourcing are likely to be thoroughly scrutinised by the IRDAI and insurers should exercise due caution in this regard. In a 2021 order against a life insurance company, the IRDAI observed that while it is permissible for an insurer to share common facilities / resources (such as IT) with its group companies, this must be done in a transparent manner with appropriate cost sharing methods.
2.4 Requirements for the Outsourcing Agreement
2.4.1 The IRDAI prescribes that outsourcing agreements must include provisions relating to confidentiality; the right of the IRDAI to access information; the insurer’s exit strategy upon termination; compliance of the service provider with applicable laws and the assessment thereof; non-disclosure; continuity of service and disaster recovery; the right of the insurer to conduct audits; assurance regarding background checks of personnel employed by the service provider; and adherence to information security requirements.
2.5 Restrictions in relation to data and employment
2.5.1 Any data transferred by an insurance company pursuant to an outsourcing agreement will need to adhere to the requirements under the CS Guidelines. These requirements differ depending on the type of data being transferred (i.e. whether the information qualifies as personal information,[2] sensitive personal information,[3] confidential information or restricted information[4]) and include: (i) encryption of confidential information during transfer or while stored by a third party; (ii) access to restricted information and sensitive personal information on a need-to-know basis; and (iii) prior consent of the information provider for the transfer and disclosure of personal information and sensitive personal information outside the insurance company.
2.5.2 Generally, it is the responsibility of the insurer to ensure that the service provider is compliant with all applicable laws. However, for employees of the service provider who qualify as contract labour, if the service provider fails to provide statutory benefits or make statutory payments, the insurance company will be required to do so in accordance with applicable laws.
Authors: Deepa Christopher – Partner and Aanchal Kabra – Associate
Footnotes
1 KYC verification through third party service providers is allowed.
2 Personal Information refers to information capable of identifying a natural person.
3 Both the CS Guidelines and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”) classify certain Personal Information as “Sensitive Personal Information”. Under the SPDI Rules, such information includes: (a) passwords; (b) financial information; (c) physical, physiological and mental health conditions; (d) sexual orientation; (e) medical records and history; and (f) biometric information. In addition to the above, the CS Guidelines classify (a) information received by the body corporate for processing or storage, whether processed under a lawful contract or otherwise, and (b) call data records as sensitive personal information.
4 Information assets of an insurance company in India must be classified as (a) public, (b) internal, (c) restricted or (d) confidential in accordance with the CS Guidelines. The information owner (as designated by the insurer) is responsible for this classification and its periodic review.
Disclaimer: This alert only highlights key issues and is not intended to be comprehensive. The contents of this alert do not constitute any opinion or determination on, or certification in respect of, the application of Indian law by Talwar Thakore & Associates (“TT&A”). No part of this alert should be considered an advertisement or solicitation of TT&A’s professional services.