Outsourcing

Regulatory framework

  1. Solvency II Law: Article 92 (outsourcing)
  2. Delegated Regulation 2015/35: Article 274
  3. Underlying thematic NBB Circular: Circular NBB_2020_18 on the recommendations of the Bank in relation to cloud outsourcing
  4. EIOPA Guidelines: Guidelines 60 to 64

Outsourcing, which is defined in Article 15, 54° of the Solvency II Law, is calling on third parties to exercise activities or implement procedures which (i) are specific to the insurance company  and (ii) are performed on a recurring or continual basis. The outsourcing can be for services rendered to insureds (call centres, etc.), or administrative work (bookkeeping, claims settlement, investment management, etc.) and specialist functions (IT, internal audit, data management, etc.).

7.1. General rules for outsourcing

7.1.1. Responsibility

The Solvency II Law requires all insurance companies that outsource functions, activities or operational tasks to remain fully responsible for discharging all of their obligations under that Law.

It is specified that the outsourcing of operational tasks shall not lead to any of the following:

  1. material impairment of the quality of the governance system of the insurance company;
  2. undue increase of the operational risk;
  3. impairment of the Bank’s ability to monitor compliance by the insurance company with the obligations laid down by or pursuant to the Solvency II Law;
  4. undermining of the continuous and satisfactory service to policy-holders, insureds and beneficiaries of insurance policies or the persons concerned by the execution of reinsurance policies.

7.1.2. Outsourcing policy

Delegated Regulation 2015/35 sets out that an insurance company intending to outsource must put an outsourcing policy in writing.  This policy shall be approved by the board of directors and takes into account the principles listed below as regards sound management.

In its outsourcing policy, the insurance company shall include the approach and processes that apply to the outsourcing for the entire term of the agreement, and especially:

  1. the process to determine whether a function or activity is a critical or important function or activity; It determines and documents this analysis by asking whether the function or activity concerned is crucial for the company’s operation, in the sense that the company would not be able to provide its services to policy-holders without this function or activity.
  2. the way in which the service provider is selected (due diligence process) and how, and with which frequency, the services and results are assessed (monitoring system), making a distinction based on whether it is a critical or important function or activity that is being outsourced;
  3. the internal competence for concluding outsourcing agreements and the details that must be included in the agreement in writing with the service provider, making a distinction based on whether it is a critical or important function or activity that is being outsourced;
  4. the rules as regards continuity plans[1].
  5. the rules as regards the processing of personal or confidential data (cf. the GDPR);
  6. the rules as regards documentation (outsourcing register) and reporting to the Bank.

7.1.3. Critical or important functions and activities

The company shall set out a process to determine whether a function or activity is a critical or important function or activity; It shall determine and document this analysis by asking whether the function or activity concerned is crucial for the company’s operation, in the sense that the company would not be able to provide its services to policy-holders without this function or activity. In other words, the critical or important functions or activities are those that are fundamental to the insurance business.

Examples of critical or important functions or activities are the design and pricing of insurance products, the conclusion of contracts, the investment of assets or portfolio management, the provision of computer data storage and the Own Risk and Solvency Assessment or ORSA (cf. the consultation report of EIOPA Guidelines 13/431, paragraph 5.174). Examples of non-critical or non-important functions or activities are legal advice, training of personnel, security of premises, purchase of standardised services, logistical support, the provision of elements of human resources support such as recruiting temporary employees (cf. the consultation report of EIOPA Guidelines 13/431, paragraph 5.175).

The independent control functions are also considered to be critical or important functions as compliance with the Solvency II Law is dependent on them.

The strictness of the rules on outsourcing shall depend on whether it is critical or important functions or activities being outsourced. Stricter rules shall apply to outsourcing critical or important functions or activities, than to outsourcing functions or activities that are not critical or important.

 

[1]   As regards continuity aspects, the company pays attention to ensuring that (i) the technology, systems, applications and instruments used are sufficiently customary and well-known, and that solutions that are less common or rely too much on the service provider are avoided; (ii) good, functional documentation of the systems used by the service providers is drawn up and updated; (iii) the necessary knowledge of the technical characteristics for the operation, organisation and management of the outsourced services is maintained; and (iv) all own data can be requested at any time in a workable format.

7.2. Requirements of sound management for cases of outsourcing of functions or activities that are not critical or important

For the outsourcing of functions or activities not considered critical or important, the insurance company shall take the following into account:

  1. the decision to outsource is based on an in-depth analysis which at least contains a detailed description of the functions or activities to be outsourced, of the expected consequences of the outsourcing, of compliance with the rules in the outsourcing policy and of an estimation of the risks in the proposal;
  2. in the procedure for selecting the service provider, the necessary diligence and caution is employed and account is taken of the service provider’s financial health, reputation and technical and management skills [2];
  3. this outsourcing is laid down in an agreement in writing with the service provider, which takes into account the management principles explained in the outsourcing policy and explains the method and frequency for the assessment of the performance and results of the service provider;
  4. particular attention is paid to continuity aspects.

 

[2] The selection process should be laid down in the outsourcing policy. As regards the criteria for technical and management skills, the company should (i) take into account the service provider’s capacity to provide the service in a satisfactory manner so as to adequately cover the operational risks and reimburse any damage, (ii) assess to what extent the service provider has adequate contingency plans and check these plans against its own continuity requirements, and (iii) take the precautions necessary to be able to adequately transfer the outsourced services to another service provider or manage them itself whenever the continuity or the quality of the services provided could be compromised.

7.3. Requirements of sound management for cases of outsourcing critical or important functions or activities

7.3.1. Pre-contractual stage: verifications to be conducted before entering into an outsourcing agreement

Before entering into an outsourcing agreement with regard to a critical or important function or activity, insurance companies shall:

assess whether the outsourcing authorization conditions are met;
conduct the necessary verifications with regard to the service provider;
identify and assess all relevant risks of the outsourcing arrangement; and
identify and assess the conflicts of interest that could arise from the outsourcing (cf. section 9.5. of this Circular).

§1. Authorization conditions

Insurance companies ensure that activities or functions are only outsourced to a service provider located in Belgium or in a Member State of the European Economic Area (EEA), insofar as the performance of this function or activity requires an authorisation or registration by a competent authority of the Member State in which they are authorised, if one of the following conditions is met:

a. the service provider has been authorised or registered by a competent authority to perform these activities or functions;

b. the service provider is allowed to perform these activities or functions in accordance with the applicable national legal framework.

If the service provider is located in a third country, the conditions specified in § 2 of section 7.4.3. should be met.

§2. Appropriate due diligence

Before selecting a service provider for critical or important functions or activities, the management committee of the insurance company shall carry out an appropriate enhanced due diligence process and thus ensure that:

an in-depth investigation is carried out to establish whether the potential service provider has the capacity suitability required to satisfactorily carry out the required functions or activities, taking into account the company’s objectives and needs;
the service provider has the necessary financial resources to perform the additional tasks in a proper and reliable way, and that all staff of this service provider who will be involved in providing the outsourced functions or activities are sufficiently qualified and reliable;

(c)   the service provider has done everything possible to prevent actual or potential conflicts of interest compromising the contracting company’s needs;

(d)   an agreement in writing is entered into between the company and the service provider, clearly explaining the respective rights and obligations of both parties;

(e)   the general conditions of the outsourcing agreement are clearly explained to the company’s board of directors and management committee, which agrees thereto;

(f)    the outsourcing does not breach any legal text, especially the legislation and regulations on data protection;

(g)   the service provider is subject to the same rules regarding security and confidentiality of information on the insurance company or the policy-holders or beneficiaries thereof as those that apply to the insurance company.

§3. Assessment of risks related to the outsourcing arrangement

Before entering into a critical or important outsourcing arrangement, insurance companies should, taking into account the principle of proportionality, identify, assess and manage all risks to which they are or could be exposed in the context of outsourcing agreements (loss of control, concentration risk, conflicts of interest, lock-in risk, etc.).

Specifically, insurance companies should perform an assessment of the risks related to the outsourcing.

This risk assessment should comprise scenarios of possible risk events, including high-severity operational risk events. As part of the scenario analysis, insurance companies should assess the potential impact of failed or inadequate services, including the risks caused by processes, systems, persons or external events. Taking into account the principle of proportionality, insurance companies should document the analysis performed and its results and estimate the extent to which the outsourcing arrangement would increase or decrease their operational risk.

In this assessment, insurance companies should also take account of the expected benefits and costs of the proposed outsourcing arrangement, in particular by weighing any risks that may be reduced or better managed against any risks that may arise from the proposed outsourcing arrangement, taking into consideration at least:

a. concentrations risks, including from: (i) outsourcing to a dominant service provider that is not easily substitutable and (ii) multiple outsourcing agreements with the same service provider or closely connected service providers;

b. the aggregated risks resulting from outsourcing several functions across the company;

c. in the case of significant companies, the step-in risk, i.e. the risk that may result from the need to provide financial support to a service provider in distress or to take over its business operations; and

d. the measures implemented by the company and by the service provider to manage and mitigate the risks.

7.3.2. Contractual stage: minimum content of the agreement in writing with the service provider

The rights and obligations of the insurance company and of the service provider should be clearly allocated and set out in an agreement in writing.

The general conditions of the agreement in writing should be clearly explained to the board of directors and to the management committee of the company and should be approved by them.

In accordance with Article 274 of Delegated Regulation 2015/35, the agreement in writing to be entered into by the insurance company and service provider for critical or important functions or activities in particular shall include a clear mention of the following points:

a. the tasks and responsibilities of both parties;

b. the service provider’s commitment to comply with all applicable legal and administrative rules and guidelines, as well as the policies approved by the insurance company, and to cooperate with the Bank as regards the outsourced activities or functions:

c. the service provider’s obligation to report any development that could be of material influence on its ability to conduct the outsourced activities or functions efficiently and with due regard to the applicable legal rules and regulatory requirements;

d. a notice period for the service provider to terminate the agreement that is long enough for the insurance company to find an alternative solution;

e. that the insurance company may, where necessary, terminate the outsourcing agreement with no negative consequences for the continuity and quality of its service to policy-holders; 

f. that the insurance company reserves the right to be informed on the outsourced functions and activities and the performance thereof by the service provider, as well as the right to give the service provider general guidelines or individual instructions on what needs to be taken into account in the performance of the outsourced functions or activities;

g. that the service provider must safeguard all confidential information on the insurance company and its policy-holders, beneficiaries, staff, contractual parties and all other persons;

h. that the insurance company, its statutory auditor and the Bank must have effective access to all information on the outsourced functions and activities as well as the service provider’s places of work to be able to conduct on-site audits/inspections;

i. that the Bank, where such is appropriate and necessary for supervisory purposes, may ask the service provider questions directly, which the service provider must answer;

j. that the insurance company may obtain information on the outsourced functions and activities and give instructions on the outsourced functions and activities;

k. the conditions under which the service provider may sub-outsource any outsourced functions and activities; 

l. that the obligations and responsibilities of the service provider by virtue of its contract with the insurance company remain unchanged by any sub-outsourcing in accordance with point k.

The Bank asks that insurance companies take particular care to ensure that the following 4 aspects are described accurately and clearly in the written outsourcing agreement:

a) sub-outsourcing: if sub-outsourcing is permitted, the agreement should (i) specify all types of activities that are excluded from sub-outsourcing; (ii) specify the conditions to be met in case of sub-outsourcing (including the obligations for the sub-contractor to comply with the applicable laws and regulatory requirements and to grant the same access and audit rights to the company); (iii) specify that the service provider is required to oversee the services it has itself outsourced; (iv) require the service provider to obtain prior specific or general written authorisation from the insurance company before sub-outsourcing data; (v) provide for the obligation for the service provider to inform the insurance company of any sub-outsourcing and any material changes thereof; (vi) ensure that the insurance company has the right to object to the intended sub-outsourcing or material change thereof; (vii) ensure that the insurance company has the contractual right to terminate the agreement in case of undue sub-outsourcing. Furthermore, additional information should be provided to the Bank in the context of the notification.

b) access, information and audit rights: the written agreement stipulates that the service provider grants the company’s internal audit function, the accredited statutory auditor and the Bank (i) full access to all relevant business premises and (ii) unrestricted rights of inspection and auditing related to the outsourcing arrangement.

c) security of data and systems: the written agreement stipulates that the service provider complies with appropriate IT norms.

d) termination rights: the written agreement stipulates that the insurance company can terminate the agreement when (i) the service provider is in breach of applicable legal, regulatory or contractual provisions, (ii) impediments capable of altering the performance of the outsourced function are identified, (iii) there are material changes affecting the outsourcing arrangement or the service provider, (iv) there are weaknesses regarding data management and security and (v) instructions to this effect are given by the Bank, e.g. when it can no longer effectively supervise the insurance company as a result of the outsourcing arrangement.

7.3.3. Post-contractual stage: requirements to be met after entering into an outsourcing agreement

An insurance company that outsources important or critical functions, activities or operational tasks must also comply with the following requirements:

(a)   ensuring that the relevant aspects of the service provider’s risk management and internal control system are adequate enough to safeguard compliance with the following provisions of the Solvency II Law;

(b)   sufficiently taking into account the outsourced functions in its risk management and internal control system to safeguard compliance with the following provisions of the Solvency II Law;

(c)   implementing a system to monitor the outsourced functions or activities through regular monitoring of the performance of the service provider (e.g. using key performance indicators) according to a risk-based approach including in particular data integrity and security;

(d)   ensuring that the service provider has suitable contingency plans to deal with emergencies or business interruptions and conduct periodic tests and back-ups if necessary in light of the outsourced functions or activities;

(e)   having a documented exit strategy in accordance with its outsourcing policy and its business continuity plan, ensuring that withdrawal from an outsourcing agreement does not cause any disruption to its business operations.

7.4. Special cases of outsourcing

7.4.1. Entering into agreements

The company shall ensure that the activities of an insurance intermediary [3] who is not a member of staff of the insurance company and who is authorised to enter into agreements or settle claims in the name or on behalf of this insurance company, meet the outsourcing requirements above (with a distinction made based on whether this activity is considered critical or important or not).

§1. General rules

In principle, the same rules apply for outsourcing within a group[4] as for external outsourcing, irrespective of whether or not the outsourcing within the group relates to critical or important functions or activities.

Nevertheless, two special methods apply for the implementation of the aforementioned requirements on sound management:

in the context of the analyses that the insurance company must conduct before deciding to outsource (pre-contractual stage), it takes into account the degree of say it has over the service provider or the amount of influence it can exert on its actions (simplification of the appropriate due diligence process, possibility of using a centralised risk analysis, etc.); and
in the context of the implementation of the sound management requirements included above for the contractual and post-contractual stages, the framework agreement takes account of the fact that the service provider is subject to the same consolidated supervision as it is (simplification of the rules to be included in the written outsourcing agreement, possibility of implementing a centralised monitoring system, possibility of using a centralised exit plan, etc.).

Apart from the compliance with the rules on outsourcing that the insurance companies must follow individually, if critical or important functions or activities are outsourced within the group, the company responsible for the group must document which functions relate to which legal person. It shall also ensure that such rules do not breach the performance of those critical or important functions, activities or tasks at the level of the subsidiary.

If the outsourcing within the group relates to an independent control function, attention is drawn to the fact that the insurance company outsourcing this independent control function should always appoint an internal contact person responsible. All rules included in section 7.4.4. of this Circular shall apply in full.

§2. Outsourcing to a centralised services company within the group

A centralised services company is a company which – within a group – provides services to multiple entities of the group without being subject to prudential supervision or equivalent supervision and which is therefore considered unregulated.

When insurance companies outsource activities or functions to a centralised services company, the general proportionality rules for outsourcing within a group included in § 1 shall apply, but the insurance companies are also expected to comply with the following specific recommendations:

a. to ensure that there is a regular monitoring of the centralised services company by the group risk management function or by a dedicated team and that companies outsourcing a critical or important function or activity to this company receive, at least annually and upon request of the group risk management function or the dedicated team, reports containing at least a summary of the risk assessment and of the performance monitoring. Additionally, the insurance companies should also receive a summary of the relevant audit reports relating to the centralised services company[5];

b. to be informed of any relevant planned changes regarding the centralised services company that could impact the critical or important functions outsourced, including by way of a summary of the risk analysis relating in particular to legal risks, compliance with regulatory requirements and impact on service levels, in order for them to assess the impact of these changes;

c. when the choice of the centralised services company is based on a centralised risk assessment, to receive a summary of this assessment and ensure that it takes into account the specific structure and risks of the insurance company;

d. to have the complete list of all outsourcings performed by the centralised services company;

e. when they rely on a centralised exit plan with regard to the centralised services company to receive a copy of this plan and to ensure that it can be effectively executed.

7.4.3. Outsourcing outside the European Economic Area

§1. General rule for all cases of outsourcing

Functions or activities may be outsourced outside the European Economic Area (to third countries) provided that the insurance company can expressly guarantee that itself, its accredited statutory auditor and the Bank will be able to exercise and enforce their right of access and review, in accordance with Article 307 of the Solvency II Law.

The capacity to restructure and liquidate the company in Belgium should also be guaranteed. The information needed for this purpose should be accessible at all times in Belgium.

§2. Additional rules for the outsourcing of critical or important functions or activities

In addition to the general rule described in §1, a critical function or activity may only be outsourced to a service provider located in a third country if the following conditions are met:

a. there is an appropriate cooperation agreement between the Bank and the prudential supervisory authority where the service provider is located or, if the service provider is part of a group that is subject to supervision at group level in accordance with Directive 2009/138/EC (Article 343 of the Solvency II Law), there is a coordination agreement for a college of supervision where the Bank and the prudential supervisory authority of the third country are part; and

b. the cooperation or coordination agreement referred to in point b ensures that the Bank is at least able to obtain, upon request, the information necessary to carry out its tasks, on the one hand, and obtain appropriate access to any data, documents, premises or personnel in the third country that are relevant for the performance of its supervisory powers.

However, these 2 conditions do not have to be met if the services concerned are performed in a subsidiary or branch located in the EEA of the service provider  and this notwithstanding the fact that the service provider is a legal person which is established in a third country.

7.4.4. Outsourcing of independent control functions

If an independent control function is outsourced, the company shall follow all the rules that apply in the case of outsourcing of critical or important functions or activities as referred to in point 7.2 above. Moreover, two additional rules should be complied with:

§1. Appointment of a contact person responsible

As stated in points 2.1 and 5.1.3 of this Circular, if the insurance company decides to outsource an independent control function, it shall appoint a person with overall responsibility for the outsourced independent control function (‘contact person responsible’) and oversees that this person possesses the requisite professional integrity and has sufficient knowledge of and experience with the outsourced function to put the performance and results of the service provider to the test.

§2. Reporting to management bodies

When outsourcing an independent control function, the Bank recommends having direct contact between the service provider performing this function and the company’s management bodies. Without prejudice to the role of the contact person responsible, whose primary task is to monitor the quality of the service provider’s performance, companies should avoid having the reporting of the outsourced control functions “filtered” through this contact person responsible. As a result, the Bank recommends having service providers responsible for an independent control function notify their activities and their observations directly to the board of directors or to one of its specialised sub-committees, such as the audit and risk committee. Naturally, the contact person responsible may attend these reportings and offer advice as person responsible for monitoring the quality of the service provider’s performance and as the person who is ultimately responsible for the outsourced independent control function.

7.4.5. Ban on ‘empty shells’

Insurance companies that intensively outsource their control activities and functions must always have one or more persons among their staff tasked with monitoring the outsourcing. The impact of outsourcing may not be of such a scale that the insurance company exhibits the characteristics of an empty shell that is no longer capable of complying with its conditions for authorisation and pursuit of business. Reference is also made to section 4.3. of this Circular on the rules to be complied with as regards central administration.

7.4.6. Supply of staff

In order to be valid under Belgian social law, supply of staff must meet strict conditions (cannot be a regular activity of the employer supplying employees, limited duration, written document, prior consent of the General Directorate for Supervision of Social Legislation (Algemene Directie Toezicht op de Sociale Wetten / Direction générale Contrôle des lois sociales), etc.). In a cross-border context, the supply of staff raises complex questions regarding international private law. The insurance company should verify whether the relevant rules of social law and international private law are complied with. For its part, the NBB considers that (i) from a prudential point of view, cases of supply of staff may be treated similarly to cases of outsourcing, with the regulated companies also being responsible for compliance with Belgian social law; and that (ii) all legal and regulatory prudential rules set out in this Chapter should be complied with.

7.4.7. Outsourcing to cloud service providers (cloud outsourcing)

The insurance company determines whether an arrangement entered into with a cloud service provider falls under the definition of outsourcing according to the Solvency II Law. If so, in addition to the general outsourcing requirements included in this chapter, the company should also comply with the specific recommendations for cloud outsourcing specified in Communication NBB_2012_11 and, from 1 January 2021, those set out in Circular NBB_2020_18 (cf. also Chapter 10 of this Circular. 

 

[3] ‘Insurance intermediary’ in the broad sense and not “ancillary insurance intermediary” within the meaning of Directive 2016/97 of the European Parliament and of the Council of 20 January 2016 on insurance distribution.

[4] The rules for outsourcing within a group also apply to consortiums.

[5]  If the internal audit function is itself outsourced to the service company, a report from an external independent company is a recommended alternative.

7.5 Monitoring by Internal Audit and Compliance Functions

The activities of the internal audit and compliance functions should cover, following a risk-based approach, the independent review of outsourced activities or functions.

7.5.1. Internal audit

The audit plan and programme should include, in particular, the review of the outsourcing arrangements of critical or important functions. With regard to the outsourcing process, the internal audit function should at least ascertain:

a. that the insurance company’s framework for outsourcing, including the outsourcing policy, is correctly and effectively implemented and is in line with the applicable laws and regulations, the risk strategy and the decisions of the management bodies;
b. the adequacy, quality and effectiveness of the assessment of the criticality or importance of the functions or activities concerned;
c. the adequacy, quality and effectiveness of the risk assessment for critical or important outsourcing arrangements and that the risks remain in line with the company’s risk strategy;
d. the appropriate involvement of governance bodies; and
e. the appropriate monitoring and management of outsourcing arrangements.

7.5.2. Compliance function

The compliance function is tasked with ex ante monitoring of critical or important outsourcings. Thus, for each new critical or important outsourcing, the Bank asks the compliance function to at least verify:

a. Compliance with the general governance requirements relating to the outsourcing and its different stages: pre-contractual stage, contractual stage[1] and post-contractual stage (cf. sections 7.3.1 to 7.3.3 above); and
Compliance with requirements for documentation and reporting to the Bank (cf. section 7.6).

b. This ex ante monitoring[2] will take the form of the issuance, for each file for notifying the Bank of the outsourcing of a critical or important activity or function, of an opinion of the compliance function on this case of outsourcing (cf. section 7.6.2 below). The Bank asks that the content of this opinion be in compliance with the standard form included in Annex 4 of this Circular.

The specific outsourcing monitoring task assigned to the compliance function is without prejudice to the duties and obligations of the insurance company’s governing bodies and first-line operational services.

[1] For compliance with the requirements relating to the contractual stage, the compliance function can, where appropriate, rely on the work of the legal department.

[2] For the monitoring of the post-contractual stage, the compliance function is expected to ensure that the necessary framework is in place.

7.6 Documentation and Reporting to the Bank

Outsourcing insurance companies are advised to keep a register with information on all outsourcing arrangements across the company, distinguishing between the outsourcing of critical or important functions or activities and the outsourcing of non-critical or non-important functions or activities.

For reporting to the Bank, outsourcing obligations are twofold:

  1. the reporting of a part of the outsourcing register, namely the list of outsourcings of critical or important functions or activities, to be submitted through the eCorporate platform (reporting B.9. included in the eCorporate Communication NBB_2019_22); and
  2. the notification to the Bank of planned outsourcings of critical or important functions or activities.

7.6.1. List of critical or important outsourcings

The Bank expects the list of outsourcings of critical or important functions or activities, which is to be submitted through the eCorporate platform, to include at least the following information:

  1. start and end dates of the outsourcing agreement;
  2. brief description of the outsourced function or activity;
  3. brief description of the reason why the function or activity is considered critical;
  4. name of the service provider;
  5. country where the service is to be performed (including the location of the data);
  6. where appropriate, the names of any sub-contractors to which material parts of a critical or important function are sub-outsourced, including the country where the sub-contractor is registered.

7.6.2. Notification to the Bank

In accordance with the Solvency II Law, insurance companies shall inform the Bank promptly, before outsourcing critical or important functions or activities or independent control functions (i) of their intention to do so as well as (ii) later important developments as regards these functions or activities (including the decision to end the outsourcing of a function or activity).

Specifically, the Bank asks insurance companies to provide it within a reasonable period of time (in principle 6 weeks before the outsourcing enters into force at the latest, barring any duly justified specific derogation) with a file in accordance with the standard notification form included in Annex 3 of this Circular. This standard notification form is the same for all cases of outsourcing (within a group, externally, outsourcing of an independent control function, cloud outsourcing, etc.) but the annexes to be enclosed differ depending on the case.

The notification file should systematically be accompanied by an opinion of the person responsible for the compliance function in accordance with Annex 4 of this Circular, confirming point by point (i) compliance with the requirements relating to the different stages of the outsourcing (i.e. points 7.3.1 to 7.3.3, supplemented where appropriate with 7.4) and (ii) the completeness of the file provided[1].

[1] Statement to be submitted in all cases of outsourcing except when relating to the compliance function.