Implementation of Guideline on Outsourcing for the Insurance Sector in Macau

Legal Update | 15 April 2025
New Guidelines for Outsourcing in the Insurance Sector in Macau will come into effect on 1 May 2025. This Guideline largely aligns with the previously circulated proposal; however, it introduces more detailed provisions regarding contingency planning and the management of outsourced activities. Key points are summarised as follows:

1. Scope of Application

The Guideline applies to all authorized institutions, including insurers, reinsurers, and pension fund management companies incorporated in Macao, as well as the Macao branches of foreign institutions.

 

2. Definition

Under the Guideline, outsourcing is defined as an arrangement pursuant to which a service provider undertakes to perform a service (including a business activity, function, or process) that would otherwise be carried out by the authorized institution itself.

The outsourcing herein includes cross-border outsourcing where services are provided outside Macao, and material outsourcing which involves critical functions.

Material outsourcing is defined as an outsourcing arrangement which, if disrupted or if it falls short of acceptable standards, would have the potential to significantly impact an authorised institution’s financial position, business operation, reputation or its ability to meet obligations or provide adequate services to customers or to conform with legal and regulatory requirements.

Examples of outsourcing activities can be found in Appendix 1 of the Guideline.

 

3. Risk assessment

Prior to entering into any outsourcing arrangements that involve material business activities/functions, authorized institutions should conduct a comprehensive risk assessment.

The risk assessment should cover at a minimum the importance and criticality of the activities/functions to be outsourced; reasons for the outsourcing; impact on the authorized institution’s overall risk profile; adequacy and expertise of human resources and the appropriateness of procedures to manage the outsourcing arrangements; and the extent of overseas outsourcing involvement.

After authorised institutions have implemented an outsourcing arrangement, they should re-perform the risk assessment on a regular basis (at least annually) to ensure that the risks to the authorised institution have not materially changed, or if there is a change, risks identified have been addressed or mitigated.

 

4. Due Diligence

Before engaging in outsourcing arrangements, institutions must, at minimum, conduct due diligence on service providers by assessing (vide paragraphs 23 and 24 of the Guideline):

  • Financial stability and past performance;
  • Technical expertise and industry experience;
  • Data security, compliance, and governance standards;
  • Business continuity capabilities; and
  • Reputation and regulatory track record, etc.

 

5. Minimum Requirements for Outsourcing Agreements

The decision to outsource material activities/functions should be approved at the board level.

The Guideline also outlines a comprehensive list of minimum requirements for outsourcing agreements, which must be:

  • Legally binding and in written form as well as being executed before the commencement of the outsourcing arrangement; and
  • Governed by additional regulatory requirements, such as a data residency policy and AMCM’s right to access the service provider (vide paragraphs 25, 26, 33, 41, 45 and 46 of the Guideline).

 

6. Post Notification to AMCM

Furthermore, authorized institutions must notify AMCM within 30 days of entering into outsourcing agreements.

Notification must be submitted by an authorized representative using the designated form provided by AMCM, accompanied by all the information required in Appendix 2 of the Guideline – as attached.

Should any significant problems or deficiencies arise in relation to material outsourcing arrangements that have the potential to materially affect the business operations, profitability, or reputation, the authorised institution should notify AMCM promptly.

 

7. Internal Control Mechanism

Strong internal controls and sound administrative structures must be maintained even after the end of the outsourcing arrangement. Furthermore, it should be noted that outsourcing activities/functions to third parties does not exclude the legal and regulatory responsibilities of the Authorized Institutions under Macao’s Insurance Ordinance ("MIO") and other applicable laws. The ultimate responsibility for the outsourced activities/functions remains with the Authorized Institution, as if the activities/functions were performed internally.

To ensure compliance with agreed-upon performance standards and regulatory requirements, the authorized institutions should:

  • Develop an outsourcing policy outlining principles for managing outsourcing arrangements, procedures, and risk management strategies. Such policy must be approved and reviewed regularly (e.g., annually) by the board to ensure compliance and relevance. Authorized institutions should have appropriate documentation of their outsourcing policy and ensure that procedures are in place such that all relevant staff of the insurer are fully aware of, and comply with, the outsourcing policy;
  • Define the roles of the board and senior management in overseeing outsourcing arrangements; and
  • Monitor and manage outsourcing risks continuously.

Authorized institutions should promptly notify the AMCM of any significant problems or deficiencies related to material outsourcing arrangements that have the potential to materially affect the business operations, profitability, or reputation of the authorized institution (example: material breaches of confidentiality of customer information; material financial losses; etc.).

Where an authorized institution terminates a material outsourcing agreement, it should notify the AMCM as soon as practicable and provide a statement as to the transition arrangements and future strategies for carrying out the outsourced material business activity/function.

 

8. Compliance

Authorized institutions should ensure that the proposed outsourcing arrangement complies with the relevant statutory requirements related to customer confidentiality (e.g., the MIO and the Personal Data Protection Act). Furthermore, authorized institutions should ensure that, with the outsourcing arrangements in place, any statutory requirements on anti-money laundering / combating the financing of terrorism (customer due diligence, reporting duties, record keeping, etc.) will continue to be met.

 

9. Contingency Planning 

Authorised institutions should develop and maintain a comprehensive business continuity plan (BCP) that addresses the potential disruptions to the outsourced function and should include:

  • Identification of critical outsourced functions and the potential impact of disruptions;
  • Alternative service delivery options, such as backup service providers or the ability to bring the function back in-house;
  • Communication protocols with the service provider, customers, and regulators; and
  • Testing and review of the BCP on a regular basis.

 

10. Audit

Authorized institutions should ensure their internal or external audit function will review any proposed outsourcing of a material business activity / function, financial condition and risk profile of the service

 

11. Exit Strategy

Authorized institutions must also develop a documented exit strategy for material outsourcing arrangements, ensuring a smooth transition back in-house or to an alternative provider in cases of termination, service provider failure, or disruptions. The exit strategy should be tested periodically to ensure its effectiveness and feasibility.

Termination of material outsourcing agreements should be notified to AMCM, and information on the transition arrangements for such services should be disclosed to the regulator.

 

12. Outsourcing to Related Parties

Authorized institutions must address all prudential issues when outsourcing to related parties, including parent companies and group entities, which requires conducting a comprehensive risk assessment at both the individual and group levels and ensuring that the service level agreement clearly defines the responsibilities of each party.

 

13. Subcontracting

Outsourcing agreements must explicitly prohibit service providers from further subcontracting functions without obtaining prior approval from the authorized institution.

To effectively manage subcontracting risks, agreements must incorporate the following controls:

  • Liability and Indemnity: Service providers must be fully accountable for the performance and risk management of any subcontractors and must provide indemnity for subcontractor failures.
  • Termination Rights: Authorized institutions must retain the right to terminate the agreement in the event of significant changes in subcontracting arrangements.
  • Notification and Approval Procedures: Agreements must specify clear procedures for notifying the institution of any subcontractor changes involving material business functions, including defined timelines and approval processes.
  • Ongoing Monitoring: Institutions must ensure continuous oversight to verify that subcontractors consistently meet service level and contractual obligations, particularly for critical business functions.

 

14. Date of Application

Authorized institutions must fully comply with the Guideline within 12 months of its issuance, i.e., by 1 May 2026.

Existing outsourcing arrangements entered into before the effective date will be grandfathered, provided they are reviewed for compliance with the key principles of the Guideline.

If the review of material operational outsourcing arrangements is not completed within the stipulated period, institutions must notify AMCM, outlining the planned measures or exit strategy, and may request an extension to complete the revision.