On 19 March 2024, the House of Representatives adopted bill no. 8184 , the main purpose of which is to implement the Directive (EU) 2021/2118 on motor liability insurance. The bill also includes provisions designed to make it easier for insurance companies to outsource.
Life insurers are faced with the problem that contracts concluded with their customers are generally for very long periods (lifetime, until retirement age, etc.) and that it is generally not possible (depending on the law applicable to the policy) to modify the contractual conditions agreed during the term of the contract.
However, the regulatory environment and techniques change over time, and it was clearly not possible to foresee, in the 1980s or 1990s, such fundamental developments as digitalisation, the extension of AML/FT obligations, new obligations in respect of unclaimed contracts, the communication of information to the tax authorities, etc.
All these developments involve processing, centralising and often sharing data about customers and their contracts. What’s more, insurance companies often have to outsource to specialist external service providers to meet all these new challenges.
Given that Luxembourg nevertheless has a very strict professional secrecy regime applicable to the insurance sector, an outsourcing of confidential data concerning customers and their contracts is prohibited in principle (Article 300 of the Law of 7 December 2015). Since the reform of the professional secrecy in 2018, outsourcing was supposed to be made easier. Very simplified one can say that it became possible to share confidential data:
However, in the case of previously concluded life insurance contracts (the stock), obtaining the customer’s agreement proved to be an extremely difficult exercise, given that it was necessary to contact all customers individually and obtain their explicit agreement to the terms and conditions of data sharing with third parties. Some people could not be found, others did not respond to requests, or even objected, which risked completely blocking projects involving outsourcing, digitisation, remediation, etc., important though they are and often required by regulation.
In addition, pursuant to Article 80 of the Law of 7 December 2015, Luxembourg companies must constantly keep their documents in the Grand Duchy of Luxembourg, either at their place of operation or at any other location duly notified to the CAA. From this provision, the CAA has traditionally derived the doctrine that in particular all computer data must be kept physically in Luxembourg (except in exceptional cases of storage in foreign data centres, in encrypted form, which can only be consulted and decrypted by the company in Luxembourg).
This legal framework is therefore a considerable brake on digitisation and the implementation of current regulatory requirements. In an attempt to break this deadlock, bill no. 8184 introduces two new provisions:
A new Article 181-2 is introduced in the Law of 7 December 2015 which provides for a procedure to be followed to obtain the customer’s (possibly presumed) consent to data sharing with third parties, pursuant to Article 300(2bis) paragraph 2 discussed above.
The scope of this new provision is limited to life insurance (branches I, III and VI of Annex II to the Law of 7 December 2015). For non-life insurance, the problem is not the same, given that these contracts are concluded for shorter periods and can be terminated annually, so that insurers have been able, over time, to adapt their contracts to the new realities and include the necessary clauses to allow recourse to outsourcing.
In terms of transitional law, the new provision only applies to insurance contracts concluded before the law comes into force. In other words, this new article 181-2 only allows the stock to be regularised, but cannot be invoked, in 5, 10 or 20 years’ time, to include new situation of outsourcing which would not have been envisaged today into contracts concluded after the entry into force of the law.
This raises the question of non-discrimination, given that it will still be possible, in 10 or 20 years’ time, to apply the Article 181-2 procedure a second, third, etc. time to notify new outsourcings under contracts concluded before 2024, whereas this will not be possible for contracts concluded after the law comes into force.
The procedure to be followed by insurers breaks down into 4 stages:
The procedure is fairly cumbersome and potentially takes a long time to complete (reasonably at least 8 to 9 months in practice), but it has the merit of being able to lead, at the end of the process, to a presumed agreement by all those who have not reacted.
It is, of course, strongly recommended that the searches undertaken to determine the policyholder’s current address (step 3) are well documented.
The law is silent on the content of the communication to the customer. It only specifies that the second registered letter must inform the policyholder of the request, the consequences of its silence and its right to object to the request. By combining the requirements of article 300(2bis) paragraph 2 and the new article 181-2, we can conclude that all communications to policyholders in this respect should ideally include:
Given that the aim is to anticipate possible future outsourcing, it is in the companies’ interest to formulate these requests in a broad manner, although it is therefore not out of the question to resort several times to the mechanism of article 181-2 and in particular to notify other outsourcings in the future in accordance with this procedure (but only for contracts concluded before the entry into force of the law, see above).
While the principle of conservation in Luxembourg provided for by Article 80 of the Law of 7 December 2015 is maintained, a new paragraph 3 is introduced into this Article to allow an exception to this principle.
It will now be possible to outsource the digital storage of documents and related data, as well as their processing, to a critical third-party ICT service provider subject to the supervision of a European Supervisory Authority pursuant to Article 31 of Regulation (EU) 2022/2554 , established in Luxembourg or in another EU Member State.
The new exception therefore covers:
However, it only applies if the service provider meets the conditions of a critical third-party ICT service provider within the meaning of the DORA regulation, whether it is located in Luxembourg or in another EU Member State.
The preparatory work specifies that this exception “must not impede the CAA’s tasks and its supervisory activities” and that insurers “must therefore remain able to provide the CAA on request and without delay with all documents and data that are useful and necessary for the exercise of the CAA’s supervision” (Draft Bill, Commentary on the Articles, p. 41).
[Updated and corrected on 11/06/2024] The preparatory works also mention that this new possibility also constitutes an exception to professional secrecy without requiring the consent of customers. Indeed, it is specified that “the secrecy obligation provided for in Article 300(1) of the LSA does not prevent the use of critical third-party ICT service providers in accordance with paragraph 2 of that Article”. In other words, the legislator’s intention is to bring the new Article 80 paragraph 3 within the general exception to professional secrecy provided for in Article 300(2) of the LSA (“The obligation of secrecy does not exist when disclosure of confidential information is authorised or imposed by or by virtue of a legal provision, even if it predates this law, or is necessary in the context of proper execution of the commitments arising from insurance contracts or to prevent and curb insurance fraud”). This general exception does not require any other form or procedure, and in particular does not require the policyholder’s consent.
Let us emphasize, with the Chamber of Commerce (Draft Bill, Opinion of the Chamber of Commerce, p. 8), that this is a new possibility of outsourcing, which is in addition to the existing possibilities under the former regime, and not a replacement or restriction of them.