REGULATORY STRATEGY CENTER for - Navigating the year ahead - Deloitte
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Navigating the year ahead
CENTER for
2018 insurance regulatory outlook
REGULATORY
United States STRATEGY
December 2017 AMERICAS
Insurance 2018 Regulatory Outlook
This publication is part of the Deloitte Center for Regulatory
Strategy, Americas’ cross-industry series on the year’s top
regulatory trends. This annual series provides a forward
look at some of the regulatory issues we anticipate will
have a significant impact on the market and our clients’
businesses in 2018. The issues outlined in each of the
reports provide a starting point for an important dialogue
about future regulatory challenges and opportunities to
help executives stay ahead of evolving requirements and
trends. For 2018, we provide our regulatory perspectives
on the following industries and sectors: banking, securities,
insurance, investment management, energy and resources,
life sciences, and health care. For a view of the other trends
impacting insurance in 2018, we encourage you to read the
Deloitte Center for Financial Services companion paper.
We hope you find this document to be helpful as you plan
for 2018 and the regulatory changes it may bring. Please
feel free to contact us with questions and feedback at
CenterRegulatoryStrategyAmericas@deloitte.com.
02Navigating the year ahead 2018 insurance regulatory outlook
Contents
Global foreword 2
Introduction6
Cyber regulation 8
What’s next in the march toward best-interest standards? 11
Big data: Big issues, big potential rewards 13
Enterprise risk management and Own Risk and Solvency
Assessment (ORSA) 15
Prepare for corporate governance disclosure 17
2018 market conduct environment 19
International regulatory change 21
Taking decisive action in uncertain times 22
1Theme Title regulatory outlook 2018 Global foreword Another year has passed, so what has changed? This time last year, we expected 2017 to be a period of uncertainty for financial services regulation. Financial services firms were challenged by the continuing lack of clarity over the final shape of post-crisis reforms, the implications of Brexit, and a new US political administration. We also saw significant pressures on the banking and life insurance sectors from sluggish economic growth and low interest rates in Europe and the US, as well as from competition from new entrants (particularly fintechs). Looking ahead to 2018, most of these challenges and uncertainties remain. Economic growth, but how robust? Global growth prospects improved through 2017 and continue to be broadly positive, albeit more subdued than in the period before the financial crisis. China, Europe, and Japan have all been outperforming expectations, and although India’s economy has slowed lately, the long-term outlook is upbeat. There are now signs that the extraordinary monetary easing of the last ten years is starting, slowly, to unwind in Europe and the US, although this stands in contrast to the situation in China and Japan. There are reasons for caution. Asset markets and prices have seemed impervious to the prospect of tighter monetary conditions and geopolitical tensions. This has left many commentators worrying that markets are in the grips of a bout of irrational exuberance. There are also signs of price bubbles in commercial and residential property markets, as well as leveraged finance markets, and of elevated levels of consumer indebtedness, particularly in the advanced economies. Supervisors across the globe are very alert to the financial stability risks posed by the political and economic climate, and we expect them to focus on the ability of financial institutions in all sectors to deal with the downside risks of an abrupt shift in market sentiment and any increase in asset price volatility, irrespective of the trigger. Boards are expected to keep their risk appetites under review and will also need to engage closely with stress testing, whether prompted by supervisors or carried out internally. What does this mean for the regulatory agenda? Last year we predicted that there would be no wholesale rolling back of the post-crisis regulatory framework, and this continues to be our view. The consensus in the US is that there will be some meaningful adjustments to the Dodd-Frank Act, but no large-scale repeal or rewrite. In the EU there remains a considerable volume of ongoing legislative work; and even where there is no new legislation, there is a great deal of “fine tuning” of existing rules. The Asia Pacific region faces a long tail of implementation work and must also deal with the impact of regulation from outside the region. At the international level, the Financial Stability Board (FSB) has shifted its primary focus toward a post- implementation evaluation framework, which will be “progressively applied” in the coming years. This is part of a rebalancing away from introducing new rules and toward assessing the effectiveness of what has been done over the past decade. Boards will need to be ready to demonstrate to supervisors that they have embedded change and that this is leading to the desired outcomes. 2
Navigating the year ahead 2018 insurance regulatory outlook
One major area where a number of significant unanswered questions remains is bank capital requirements.
Although the Basel Committee on Banking Supervision (BCBS) has until now been unable to complete the Basel III
package, final agreement on the open issues seems within reach. We do not see any major economies as being in a
hurry to introduce more legislation, and we also see those economies being more willing to depart from the letter of
global standards where they conclude it is in their interest to do so.
As a consequence, financial services firms need to be prepared to deal with the challenges of diverging regulatory
frameworks. At a minimum, they will need globally coordinated approaches to understand overlaps, incompatibilities,
and potential synergies.
Supervisors are turning more attention to long-term structural issues
Technological innovation, aging populations, and climate change have all caught the attention of the regulatory
and supervisory community as emerging risk areas. We expect some supervisors to begin to challenge boards, risk
committees, and senior management to demonstrate that they understand the impact on their customer bases,
business models, and risk profiles—and that they are set to take effective mitigating actions where needed.
•• Fintech: While new technologies present opportunities, regulators want to understand the potential risks and
the likely impact on incumbents’ business models. The FSB has a clear interest in the subject. The European
Commission is expected to deliver a fintech “action plan” in January. Similarly, US regulators are considering the
implications of new technologies, including third-party relationships among fintechs and banks. They’re even
exploring special purpose bank charters for fintechs.
•• Climate change: The FSB has taken the lead internationally with its Task Force on Climate-Related Financial
Disclosures, which made its final recommendations in June 2017. Many regulators in the Asia Pacific region are
instituting policies to encourage green finance. The Bank of England (BoE) is also researching climate change, and
the EU recently proposed to integrate environmental risks into the mandates of the European Space Agency as
part of its action plan on sustainable and green finance.
•• Aging populations: Aging populations worldwide will create a widening pool of potentially vulnerable customers
and influence demand for different types of financial services. They will also affect how financial institutions engage
with their customers. At the international level, the International Organization of Securities Commissions (IOSCO) is
taking forward work on aging populations.
Leadership changes
Finally, we note that by the end of 2018, the most senior leadership of many of the world’s leading regulatory bodies
will be starkly different from what it has been for the majority of the post-crisis regulatory reform era. Mark Carney’s
term as chairman of the FSB has been extended through December 2018, lending some additional continuity to
reform efforts. But this will be his final year at the top of the FSB. We expect Stefan Ingves to stand down as chair
of the BCBS in the near future. There’s also a great deal of change in senior leadership across national and regional
regulatory bodies, particularly in the USA. It remains to be seen how far new leaders will uphold the key tenets of
the international supervisory agenda of the last decade, particularly its emphasis on cross-border coordination, or
whether supervisory priorities will tilt more toward promoting the competitiveness of individual jurisdictions.
3Navigating the year ahead 2018 insurance regulatory outlook
On balance, we think that these new leaders will emphasize practical supervisory initiatives over (new) rule making, as well as
the need for firms to demonstrate that they’re financially and operationally resilient to a range of threats, both old and new. New
leaders will be keen to consolidate the outcomes and achievements of the prudential policy agenda that has dominated the last
10 years and focus their tenures on continuing structural challenges as well as emerging risks and issues.
Acting in the face of uncertainty
While we expect some greater clarity about the regulatory outlook to emerge in 2018, the overriding challenge for firms remains
coping with uncertainty, including from the global impacts of Brexit and how markets in Europe and elsewhere will be reshaped
by Markets in Financial Instruments Directive (MiFID) II. This will put a premium on firms maintaining strategic flexibility, while
they also adopt new technologies to react to the threat from “challengers,” improve their customer service and outcomes,
better manage their risks, and help control costs. With yields, income levels, and return on capital still under severe pressure,
cost control will continue to be extremely important. Even though interest rate rises are underway, they will be neither quick
enough nor big enough to alleviate pressure on incumbents' business models.
David Strachan Kevin Nixon Chris Spoth
Centre for Regulatory Strategy, EMEA Centre for Regulatory Strategy, APAC Center for Regulatory Strategy, Americas
Deloitte UK Deloitte Australia Deloitte US
4Navigating the year ahead 2018 insurance regulatory outlook
5Navigating the year ahead 2018 insurance regulatory outlook
Introduction
Most insurers are moving ahead deliberately with their risk and
compliance initiatives, even as certain areas pose regulatory
uncertainty that will likely remain a significant and ongoing
challenge. Even if lawmakers and regulators make certain definitive
changes, insurance companies must continue to drive effectiveness
and efficiency of their risk and compliance programs so they meet
applicable laws, regulations, and supervisory expectations.
Many of the new state regulatory requirements are clear. But in
other areas, such as the Department of Labor’s (DOL) Fiduciary
Rule (Rule), companies don’t have the time or luxury of waiting
to see how things will shake out. Therefore, they’re planning
implementation based on available guidance.
Overall, many of the changes insurance organizations are making to
achieve compliance are useful improvements that are worth doing
from a risk and business perspective.
Here’s a look at the key regulatory trends insurers will likely need to
monitor and address in 2018. By embracing regulatory complexity
in 2018, organizations can accelerate performance and stay ahead
of changes so they can better navigate the regulatory landscape.
6Navigating the year ahead 2018 insurance regulatory outlook
7Navigating the year ahead 2018 insurance regulatory outlook
Cyber regulation
The insurance industry has seen a shift October 24, 2017. Although there are some necessary to respond to a cybersecurity
as the regulatory environment has driven differences between the two, the good event for at least three years. Any
organizations to take a serious yet fresh news for insurers is that, because there are information needed to reconstruct material
look at the state of their cybersecurity risk enough functional similarities, compliance financial transactions and obligations must
management programs. Institutions at with the New York regulation is considered be kept for five years. The system must
both the state and federal levels remain prima facie evidence of compliance with the also track and maintain data logging of all
committed to protecting insurance NAIC model. privileged authorized user access to critical
organizations from the influx of cyber systems.
threats and to raising the bar on cyber risk The NAIC model requires an annual
management and reporting. And all signs risk and safeguards assessment to be One development that holds promise—
point to this behavior continuing for the included in an insurer’s annual report especially for smaller companies that
foreseeable future. to regulators. Annual certification to may not view data security as one of their
regulators is required, and records core competencies—is the opportunity to
A report by the New York State Department supporting certification—or associated outsource data tracking and maintenance
of Financial Services (DFS) noted that with any cybersecurity events—need to be to a qualified entity. DFS’s regulation, for
“[c]yber attacks against financial services retained for five years. Also, cybersecurity example, allows insurers to use a qualified
institutions, including insurance companies, events must be reported within 72 hours outside service for their cyber program.
are becoming increasingly frequent and to the appropriate domiciliary regulator
sophisticated. Insurance firms often and to any regulator where 250 or more Demonstrated compliance with leading
possess large amounts of personally consumers may be harmed (or where practices and cyber regulations may be
identifiable information (PII) and protected notice is provided to any other regulatory useful for insurers with both consumer
health information (PHI) … PII and PHI body). The NAIC will allow a one-year and investor stakeholders. To that
are becoming more valuable on the black implementation window for information end, the American Institute of Certified
market, which increases incentives for security programs. Public Accountants (AICPA) unveiled
cyber attacks.”1 a cybersecurity risk management
The DFS regulation similarly requires a attestation reporting framework. The
DFS may have been among the earliest risk assessment and annual certification. AICPA’s framework strives to expand cyber
state insurance regulators to recognize Unique to the DFS regulation, firms must risk reporting to address expectations
and seek to address the problem with have a chief information security officer of greater stakeholder transparency by
a cybersecurity regulation, but it’s not (CISO) and a written cybersecurity policy, providing a range of stakeholders, both
alone. Numerous regulatory agencies at and boards must receive reports and internal and external, with information
the federal level, as well as the National be involved in creating standards. Third- about an entity’s cyber risk management
Association of Insurance Commissioners party risk must be managed consistent program effectiveness.
(NAIC), have moved or are moving to with internal risk management, and any
establish regulations governing the conduct non-public data must be encrypted What has become clear from evaluating the
of insurers with respect to this significant and protected from alteration. Other requirements from the DFS and NAIC, as
operational risk. requirements include periodic penetration well as the guidance from the AICPA, is that
testing and vulnerability assessment, as a comprehensive cyber risk management
Major new cybersecurity regulations well as breach reporting. Audit trail data program needs active involvement and
affecting many insurers include DFS’s new must be preserved, and entities must oversight from the board. Such involvement
regulation, which became effective on track and maintain data that enables the and oversight can hold the organization
March 1, 2017, and the NAIC’s Insurance accurate reconstruction of all financial accountable and help shape and address
Data Security Model Law, adopted on transactions, along with any accounting expectations for improved cyber risk
8Insurance 2018 Regulatory Outlook
reporting that’s integral to the achievement These objectives translate to a focus on •• Being resilient means having the
of an organization’s business objectives. security, vigilance, and resilience as an capacity to rapidly contain the damage
approach to reduce an organization’s from an attack and to mobilize the
In an era where cyber criminals could vulnerability, while being prepared to diverse resources necessary to reduce
be state-sponsored, part of a political respond quickly and resume normal the broad impact—including direct
cooperative, or just after the money, how business. costs and business disruption, as well as
can boards and senior executives assess reputation and brand damage.
the soundness of their cybersecurity •• Being secure means focusing protection
programs? The banking network SWIFT around the risk-sensitive assets at the The number of cyberattacks—and the
articulated three overarching objectives: heart of the organization’s mission. associated costs—will likely continue to
•• Being vigilant means establishing threat rise, as will hackers’ sophistication. Much
•• “Secure your Environment” awareness throughout the organization of the new cyber regulation is designed to
•• "Know and Limit Access” and developing the capacity to detect encourage insurers to implement the right
•• "Detect and Respond” patterns of behavior that may indicate, level of security, vigilance, and resilience—
or even predict, compromise of critical along with sound governance—to form an
assets. effective defense.
9Navigating the year ahead 2018 insurance regulatory outlook
Information management, governance, and security: Lessons from DFS 500.13
The DFS’s newly effective cybersecurity compliance with this section of NY DFS risks at stake. The information
regulation contains even more will neither be simple nor quick. The governance model brings coordination
challenges for insurance companies than process by which a company locates all and oversight to that effort.
appear at first glance. Despite the title, the relevant Nonpublic Information (NPI)
these rules aren’t only about it’s keeping—as well as what it decides to In every organization—regardless of the
cybersecurity. Compliance with these do with that NPI—could require state of its information governance—
rules requires a commitment to attention, project management, Section 500.13 compliance requires its
strengthened information governance resources, and expertise beyond what own work stream, with dedicated
and records management, in addition to the organization is devoting to the resources supported by outside
better information security. information security aspects of these expertise, in addition to everything the
rules. Industry experience suggests that organization is otherwise doing to
DFS Section 500.13 requires that, as part adapting existing systems to enable comply with the DFS cybersecurity
of their cybersecurity programs, systematic records destruction will be a requirements. This work stream includes:
companies: major undertaking.
1. Identifying information systems and
… shall include policies and Organizations subject to the DFS applications, as well as the data they
procedures for the secure disposal regulations are likely to find that: contain
on a periodic basis of any
2. Finding the covered NPI in those
Nonpublic Information [as defined •• The risk assessment will identify the
systems and applications
by these rules] that is no longer volume of SSNs and other types of
necessary for business operations nonpublic information and the unlikely 3. Assessing the business value and
or other legitimate business places where they’re found. legal need to retain that information
purposes, except where such •• Knowledge of the company’s records
4. Determining if records retention
information is required to be retention schedule by the application
schedules are being applied to the
retained by law or regulation, or owners, as well as their use of and
data
where targeted disposal is not systematic destruction of records
containing nonpublic information, are 5. Developing retention decision
reasonably feasible due to the
inconsistent. criteria and justifications
manner in which the information
is maintained. •• In the absence of dedicated resources, 6. Assuring the appropriate input from
the assessment and remediation may the right sources into retention
DFS isn’t an outlier in this respect. The well take far longer than anticipated. decisions
Insurance Data Security Model Law 7. Creating the road map for
adopted by the NAIC provides that a Also, this isn’t a project just for the CISO
compliance
company’s information security program and IT. It requires a collective effort
involving the business and corporate 8. Executing the choices
shall be designed to, among other things,
“[d]efine and periodically reevaluate a users of the data (as well as the legal, 9. Documenting the decisions and their
schedule for the retention of Nonpublic compliance, and risk management justifications
Information and a mechanism for its teams; records management staff; and
Within an information governance
destruction when no longer needed.” The information security) to find the NPI,
framework, this work stream will be
Model Law further defines an assess the needs and risks for its
distinct—to make sure it gets done—but
“Information Security Program” as “the retention, and take actions in response.
it won’t be alone. Section 500.13
administrative, technical and physical
compliance will be an integral part of
safeguards [a company] uses to access, Compliance with these requirements
how an organization manages its critical
collect, distribute, process, protect, store, cries out for information governance—an
information assets—from creation,
use, transmit, dispose of, or otherwise approach that brings all the disparate
storage, and use to protection and
handle Nonpublic Information. stakeholders together to provide the
disposal.
needed authority, knowledge, and
Emphassis Added responsibility to make the right choices
While the concept is straightforward, and effectively manage the considerable
10Navigating the year ahead 2018 insurance regulatory outlook
What’s next in the march
toward best-interest
standards?
The DOL's Fiduciary Rule has already
significantly shifted the financial services
industry to operate more in the best
interest of the customer, specifically
retirement account investors and
policyholders. It has also prompted other
regulatory agencies to develop or propose
new regulations that are likely to be
enacted (or enter the rule-making process)
during 2018, thus creating a new patchwork
of state and federal regulations that might
not be completely aligned.
The US Securities and Exchange
Commission (SEC) is considering its own
fiduciary rule proposal that would require a
fiduciary standard of care when delivering
advice to retail investors. Also, at the
time of this writing, four states, including 84-24 for annuities. Under scaled-back including how to implement the rules and
Nevada, are planning to implement BICE compliance measures, effective June the need for increased information from
legislation related to providing advice to 2017, there are requirements to meet independent agents to enable companies
investors under a fiduciary standard that’s impartial conduct standards and provide to fulfill this duty.
expanding to include non-qualified as well limited disclosures. For other compliance
as qualified accounts. Meanwhile, the NAIC measures, the DOL delayed the full Reduction in product shelves and
is in the process of developing a “best applicably date from January 1, 2018 to July enhanced product due diligence. In
interest” standard for initial presentation at 1, 2019. response to the Rule, firms have reduced or
its fall 2017 meeting in December, with an consolidated product shelves—particularly
ambitious comment and adoption timeline Deloitte’s analysis and discussions related to mutual funds and annuities—as
that would allow the adoption of a model have identified a number of important part of the effort to enhance product due
regulation applicable to state-regulated market implications (some of which were diligence processes and compensation
annuity products in 2018. highlighted in a 2017 study that Deloitte requirements. At the same time, new
facilitated for the Securities Industry and products have been launched in the market
The DOL rule requires that investment Financial Markets Association (SIFMA)) :2 that are presumably less conflicted (e.g.,
advice given to qualified retirement clean shares and T shares mutual funds,
investors (including rollovers) must be NAIC best-interest standard. The fee-based annuities), but whose futures are
provided under a "fiduciary" standard. revisions to the annuity suitability rule are highly dependent on the developments in
Conflicts of interest are prohibited unless expected to introduce new and uncertain fiduciary space.
an exemption is used—such as the Best regulatory requirements for insurance
Interest Contract Exemption (BICE) or companies. This enhanced responsibility Movement to fee-based accounts for
Prohibited Transaction Exemption (PTE) will present a number of challenges, retirement investors. The trend toward
11Navigating the year ahead 2018 insurance regulatory outlook
fee-based accounts was accelerated by firms are making to achieve compliance.
the Rule, along with other industry factors. Product-related changes—as well as
Notably, this trend raises a concern that widespread revisions to incentives
while fee accounts address perceived programs (e.g., bonuses, sales contests)
conflicts that might exist with commission to minimize conflicts—have led advisers
product sales, they could also increase total to search for better opportunities in
client charges and reduce product access the industry. This issue is more critical
due to product or account minimums. Also, than ever as firms strive to retain their
the regulatory risk of reverse churning can’t best talent while adhering to shifting
be overlooked in this market shift. compensation schemes and regulatory
compliance requirements.
Enhanced rollover and due-diligence
processes. Virtually all SIFMA report The Rule continues to serve as a catalyst
participants indicated that they have for change across the financial services
revisited their firms’ policies and processes industry. Although implementation efforts
related to the rollover of client assets to achieve compliance have slowed, the
from retirement accounts, resulting industry continues to migrate toward a
in enhancements to rollover review fiduciary (or at least a “best interest”) model
processes, including increasing the size of for delivering advice to both retirement and
oversight teams and/or leveraging vendor non-retirement clients. This trend will likely
rollover review tools that are evolving to further accelerate in 2018 under a number
meet industry needs. of emerging scenarios, such as the DOL’s
Rule progression, the SEC drafting of a rule,
Advisers’ retention and incentive individual state legislation, and adoption
management. Advisers have been in of the NAIC model regulation by individual
a state of continuous flux over the past states.
18 months due to uncertainty around
outcomes of the Rule and related changes
The Rule continues to serve as a catalyst for
change across the financial services industry.
12Navigating the year ahead 2018 insurance regulatory outlook
Big data: Big issues, big
potential rewards
The potential benefits of analytics are structure for property & casualty insurers, women simply by examining a photo. What
undeniable. In fact, one can reasonably and declining penetration remains an issue if AI could determine with precision, simply
argue that as the use of analytics rises— for life insurers. by looking at a photo, the probability that a
and as the analysis becomes increasingly specific individual will develop a particular
precise and personal—insurers will be In this environment, the ability to use data illness? Should that information be usable?
able to offer more effective, customized and predictive analytics to accelerate How accurate does it need to be?
products to consumers with greater underwriting and reduce market friction
efficiency. The counterargument is that could be both a competitive advantage Regulators worldwide are moving to
the increasing availability of data—and the and market expander. The question address the issue. The NAIC has created
increasingly sophisticated ability to analyze regulators—and the industry—face is the Big Data Working Group to “[r]eview
and manage it—could enable insurers to where to draw the line. For example, the current regulatory frameworks used
micro segment the market to a point where value and validity of genetic information to oversee insurers' use of consumer
it undermines the fundamental concept of is indisputable, but should it be usable? A and non-insurance data. If appropriate,
risk pooling. In addition, while such data 2017 Stanford University study found that recommend modifications to model laws/
and analytics (e.g., telematics) are currently an artificial intelligence (AI) algorithm could regulations regarding marketing, rating,
used to offer lower prices, would regulators predict sexual orientation 81 percent of the underwriting and claims, regulation of data
object if prices to some consumers were to time for men and 74 percent of the time for vendors and brokers, regulatory reporting
rise as a disincentive to risky behavior?
Another issue is data ownership. If a
company collects data on an insured
person’s driving, who owns that data?
The company or the individual it insures?
Should the data go into a central repository,
as with credit ratings? And who should
control it—the insurer who first collected
the data, the central repository, or the
insured? What about the third-party
data used in predictive analytics? Who is
responsible for its accuracy?
None of this would matter if the use of big
data and analytics were not so filled with
potential for the industry. On the property
& casualty side, telematics already has
begun to demonstrate the utility of big
data. And the Internet of Things is poised
to provide more data than ever before
on habits both good and bad. Meanwhile,
the emergence of autonomous vehicles
is just one challenge facing the insurance
13Navigating the year ahead 2018 insurance regulatory outlook
requirements, and consumer disclosure for breaches can run as high as 4 percent of should ask—and be prepared to answer—
requirements.” annual global turnover or €20 million. the following questions about their data
and analytics, both for business reasons
Similarly, in the wake of some cyber This is in addition to concerns about and to reassure regulators:
breaches, Congress held hearings in late the accuracy of third-party data used in
2017 questioning the very business model analytics. Regulators that were skittish •• Is it accurate?
of some third-party data accumulation about the use of credit reports in •• Is it useful?
services. Also, the DFS has extended its underwriting or dynamic pricing models •• Is it discriminatory in effect?
supervision to include credit reporting might need to be convinced that the
Also, from a practical perspective, another
agencies providing data to insurers and underlying data used in an insurer’s
question about data and analytics might be
others. predictive analytics are accurate.
even more important:
According to a recent study of the
The EU’s General Data Protection accuracy of data provided by commercial •• Can we explain and defend it on the
Regulation (GDPR) applies extraterritorially data brokers, “More than two-thirds of evening news?
“not only to European companies, but also survey respondents stated that the third-
to foreign companies offering products and party data about them was only 0 to 50 The cold, hard truth is that insurers have
services to EU citizens, or monitoring their percent correct as a whole. One-third of no real alternative to increasing their use of
behavior. In other words, the same rules respondents perceived the information to big data and analytics. Any overly restrictive
will apply to all companies operating in the be 0 to 25 percent correct.” regulation on or retreat from the use of
EU regardless of where they come from …. data and advanced analytics by insurers
Big Data analytics does not always involve These challenges aren’t necessarily an only opens the door to external disruptors.
personal data. But, when it does, it should argument for caution but for rigorous What’s more, if properly used, data and
comply with the rules and principles of data preparation and risk management, advanced analytics could reduce costs and
protection.” The need to secure consumer including external review of data sources provide better products for consumers,
consent and reinforcement of the “right and usage, clear lines of accountability, and while expanding the universe of insurable
to be forgotten” are among the salient transparency. Involving regulators from risks for industry.
requirements contained in the GDPR. This the beginning in efforts to use advanced
data protection travels with the data. Fines analytics is a basic requirement. Insurers
The cold, hard truth is that insurers have
no real alternative to increasing their use
of big data and analytics.
14Navigating the year ahead 2018 insurance regulatory outlook
Enterprise risk management
and Own Risk and Solvency
Assessment (ORSA)
With the passing of the Risk Management The annual ORSA filing will be subject to •• Are the three lines of defense clear within
Own Risk and Solvency Assessment review by the lead state of domicile. This the organization, and does the company
Model Act #505, the NAIC paved the way review could take many months to complete know where responsibility for risk
for the formal requirement for insurance since companies often file at the same management resides?
companies to have a risk management time, creating a natural review backlog •• How can a risk-based culture and risk-
program and framework within their for regulators. In some cases, states have based decision making be demonstrated
organizations. The ORSA requirement chosen to outsource their ORSA reviews within the company’s governance
specifies a filing at least annually that sets to external third parties. Thus, in addition structure?
out: to receiving regulatory feedback in the •• While many companies now identify and
form of a scorecard with areas noted for prioritize their risks on both an inherent
•• The company’s risk management improvement, companies may also receive and residual basis, are the controls and
framework an invoice to pay for the cost of the review mitigation strategies truly effective? And
•• A stress testing requirement for the risks itself. At the time of passing, the ORSA could they be used in a time of stress?
the company faces requirements for a strict pass or fail weren’t •• How does the organization identify
•• A forward-looking projection of solvency explicit, but it’s clear that a company whose “unknown” risks and brainstorm about
ORSA and underlying risk and capital them to understand how well the business
Although insurance companies are naturally management processes aren’t adequate would respond if they were to occur?
in the business of managing risk, these new will have this fact communicated along with •• Through which lens does the
requirements have taken time and effort to expectations for improvement. Also, the organization view capital—and its capital
formally adopt. And they will continue to do ORSA and how it’s being applied within the requirements—and how robust is its
so for some time. business will be reviewed as part of the approach to stress testing key risks?
financial examination process, and the ORSA •• How is the company using the risk and
The reach of these ORSA requirements has requirements have been written into the capital management process to add value
been significant, spanning the life, property financial examiners handbook. to the business? Is it allocating resources
& casualty, and health insurance industries. efficiently to focus on specific areas of risk
The proportional nature of the requirements During the regulatory review process, a and opportunity?
means that larger companies will be held company might not be able to demonstrate
to a higher standard than will smaller that all the ORSA requirements are being The first-year pass is becoming part of
companies. At first, the ORSA was described met, but it can help its case by providing ORSA history, and regulatory expectations
as an evolution—not a revolution—but evidence that an effective ORSA process is in continue to rise as ORSA evolves. We expect
regulatory expectations have continued to place. Key questions to consider include: regulators to start communicating their
grow. What’s often described as a “first-year continued vision for ORSA, perhaps through
pass” for previous ORSA filings will now •• Should the organization have a formal an update to the NAIC’s ORSA Guidance
be tested and scored under the financial chief risk officer and a risk management Manual. Although improving the regulatory
examination process, with regulators function to manage the day-to-day risk assessment and examination outcome isn’t
wanting to see that ORSA is more than management processes? always easy, taking a few practical steps can
just a filing and that risk management and •• Does the board need a stand-alone certainly help.
the ORSA process are part of a company’s risk management committee, and how
business-as-usual practices and corporate is risk management handled within the
governance framework. corporate governance framework?
15Navigating the year ahead 2018 insurance regulatory outlook
"Core Principles" Report: Treasury Department's recommendations
On October 26, 2017, the Treasury action—may inform the regulatory and Recommendations for federal
Department released the third of four supervisory agendas of federal and state regulatory agencies and states
reports pursuant to President Trump’s insurance supervisors, and may also have
executive order setting forth the significant implications for the FSOC’s work •• Move away from entity-based systemic
Administration’s “Core Principles for going forward. risk evaluations of insurance companies,
regulating the US financial system. The and focus on risks arising from products
report covers the asset management Below are several of the report’s most and activities
and insurance industries, and offers significant recommendations: •• Continue engagement in international
recommendations across four broad forums, but promote the US insurance
categories: (1) systemic risk, stress testing, Recommendations for Congress industry and the US regulatory
and solvency, (2) efficient regulation, framework
(3) international engagement, and (4) • Clarify the “business of insurance” •• Re-example the DOL fiduciary rule
promoting economic growth and informed exception to ensure that the Consumer and delay full implementation until
choices. Financial Protection Bureau (CFPB) does the relevant issues are evaluated and
not engage in the oversight of activities addressed
Although the report provides President already monitored by state insurance •• Harmonize insurance capital initiatives
Trump’s nominees a roadmap for regulators by the NAIC, the states, and the FRB
enacting the Administration’s policy • Pass a law setting forth requirements for •• Eliminate or reduce the inconsistencies
priorities, it remains unclear which insurer data security (if adoption and between existing data calls concerning
of the recommendations will be implementation of the Insurance Data terrorism risk insurance
implemented, or how quickly. However, Security Model Law by the states does •• Adopt the NAIC Insurance Data Security
the recommendations—nearly all of which not result in uniform data security Model Law
would be enacted without Congressional regulation within five years) •• Improve information sharing within the
insurance industry
16Navigating the year ahead 2018 insurance regulatory outlook
Prepare for corporate
governance disclosure
Corporate governance disclosure may have All insurers, no matter their size, will be Insurers may for the first time be required to
been a quiet issue lately, but it’s one that required to file an annual CGAD. Insurers analyze and rationalize items that previously
most insurers will need to begin addressing that don’t file may be subject to a penalty. had been glossed over, such as the size,
soon. composition, and qualifications of the board
The CGAD must contain discussions of the of directors, as well as the standards for
The NAIC’s Corporate Governance Annual following: retaining key persons in control functions.
Disclosure (CGAD) Model Act and Regulation
were adopted in 2014 to provide regulators •• The insurer’s corporate governance For public companies, a significant section
with more details on insurers’ corporate framework and structure of the required disclosures may already
governance practices. Since then, states •• The policies and practices of its board be included in their proxy statements
have steadily adopted its provisions. By of directors and significant committees, and could be repurposed. However, some
July 2017, 18 states had adopted the model including information regarding board items, particularly those dealing with risk
act and 11 states had adopted the model member qualifications and independence and oversight, might need to be created.
regulation. •• The policies and practices directing senior For many insurers, preparation of these
management, including information disclosures should include a review of their
This trend should continue to accelerate, regarding significant compensation ORSAs—and should complement the ORSA
as the act is expected to become an NAIC programs process.
accreditation standard as early as 2020. •• The processes by which the board of
While much of the recent regulatory focus directors, its committees, and senior The model act requires detailed disclosure
has been on measures directly related to management ensure an appropriate of the corporate governance procedures. To
solvency, such as the ORSA, regulators level of oversight of the critical risk areas prepare, an insurer should evaluate:
regard the CGAD as integral to solvency impacting the insurer’s business activities
modernization. Regulated entities not
already reporting should begin preparing for
the process now.
Under the model act, a new CGAD must
be submitted by individual insurers no
later than June 1 of each calendar year.
However, if an insurer is part of a holding
company system, the top-level holding
company may submit a CGAD for the entire
insurance group. Submissions must be
made to the holding company system’s
lead state regulator as determined by the
NAIC’s Financial Analysis Handbook. But
disclosures may be required at the ultimate
controlling entity level, intermediate holding
company level, and/or individual legal entity
level. Unlike the ORSA, the CGAD does not
have an exemption for smaller insurers.
17Navigating the year ahead 2018 insurance regulatory outlook
•• Its corporate governance framework, communication process for critical risk
structure, and documentation
•• Policies and practices of its board of
areas that affect business activities,
including all communication up to the
Insurers may for
directors, as well as any significant
committees
board of directors and down from the
board of directors to management
the first time be
•• Board policies and practices that direct
senior management
•• Complete a gap analysis of policy,
procedures, and suitability documentation
required to analyze
•• Suitability standards used to select board
members and the CEO
for board members and implement
updates as needed
and rationalize items
•• Codes of conduct and ethics
•• Performance evaluation and
•• Review the suitability of current board
members and provide any needed training
that previously
compensation practices
•• Succession planning
•• Review all key conduct and ethics policies
for thoroughness and applicability and
had been glossed
•• Processes by which the board of directors,
its committees, and senior management
establish an annual review process, if
needed
over, such as the
conduct an appropriate level of oversight
to the critical risk areas impacting the
•• Review committee charters for the
audit, risk, and compliance committees
size, composition,
insurer's business activities for completeness, clear scope of
responsibilities, and authority
and qualifications
Insurers that haven’t yet submitted their
first CGAD should consider initiating a mock In light of these criteria—and given the lack
of the board of
CGAD disclosure filing to: of regulatory feedback in the early stages of
this process—companies that have already
directors, as well
•• Identify any gaps in the corporate
governance framework, structure, and
submitted their first CGAD might wish to
review and update their CGAD accordingly.
as the standards
oversight policies and procedures, so
that they can be updated as needed; if
While these actions might be difficult to
take, ultimately the CGAD must be certified
for retaining key
not already in place, an annual policy
and procedure review process should be
by the insurer and must be provided to the
board of directors or an appropriate board
persons in control
implemented
•• Identify key internal business contacts for
subcommittee.
functions.
all CGAD filing requirements, establishing With such high visibility for the CGAD, it
process ownership for the gathering of might be better for company management
materials for annual submission to err on the side of over- rather than under-
•• Complete a gap analysis on the compliance.
18Navigating the year ahead 2018 insurance regulatory outlook
2018 market conduct
environment
The NAIC and state Departments of use of big data, the states find themselves Key focus areas from NAIC fall national
Insurance (DOI) continue to focus trying to determine what safeguards are meeting
considerable resources to market required to protect against unfair and/or The NAIC's agenda for the fall national
conduct exams and analysis. While many discriminatory behavior. meeting held in early December contained
of the areas of focus aren’t new (claims, a number of key market conduct issues
underwriting, marketing material), some Areas of market conduct focus of the impacting insurers. The Innovation and
are more recent and gaining more attention NAIC and industry trends Technology (EX) Task force received
(big data, cyber security, vendor/third-party The NAIC continues to focus its attention reports from a number of working groups,
administrator (TPA) management). on key market conduct issues being most notably those focusing on big data,
addressed by the NAIC’s respective cybersecurity, and speed to market. The
In addition, many insurers are experiencing subcommittees, task forces, and working Long-Term Care Subgroup continues to
more frequent examinations, driven in part groups. Given the NAIC's processes for examine ways to break down regulatory
by heavier reliance on market analysis data adopting new model laws and regulations, barriers and find tangible solutions to
and greater activity on the part of state it's not unusual to see multiyear activity allow the private insurance market to play
regulators as the federal government has and evolving regulatory actions. The NAIC a larger role in financing long-term care
limited authority and inclination to increase continues to focus on certain insurance needs. The challenge for regulators is to
its presence. A recent analysis of publicly products, including lender placed find the right balance between allowing
available data from the NAIC's Insurance insurance, life insurance, and products for more innovation, while concurrently
Data Resources, Inc. (IDR) database primarily marketed to seniors such as long- protecting seniors who may be vulnerable
suggests a noticeable rise in the amount term care. In addition, regulators continue to improper sales activities.
of state-levied fines and penalties against to work with law enforcement agencies to
insurers over the past five or more years. grapple with the appropriate regulatory Likewise, the Senior Issues B Task Force
response to ensure sound cybersecurity continues to focus on issues relative to
Market conduct examinations and the practices and controls at insurers. long-term care and Medicare supplement
underlying laws and regulations are less insurance, including applicable solvency
uniform when compared to the financial The industry continues a trend toward concerns for writers of long-term care
solvency examination. In addition, each heavier reliance on outside vendors and/ insurance and improvements to the related
state makes decisions regarding the or TPAs to carry out a number of major rate stabilization standards.
allocation of resources and prioritization of operational areas traditionally handled
insurers to be examined. This has resulted by the carriers themselves. This has given Voluntary market regulation
in some states reevaluating how they rise to an increase in regulation and more certification program
determine which companies to examine, focus on how insurers manage their vendor NAIC’s Market Regulation Certification
the frequency of exams, and the extent to relationships. (D) Working Group has been developing
which examiners need to be on-site at the a formal certification program for market
insurer's home office. As the industry continues to refine its conduct examinations and oversight. The
use of big data and other tools to assist working group is focused on developing
With continuing data breaches that in underwriting, pricing, claims, and certification standards as well as a process
impact customer PII, the NAIC and states other areas, the NAIC and the DOI will designed to allow for state-by-state
are continuing to focus on appropriate be monitoring these developments and implementation of the program. In addition,
measures and the controls insurers considering whether enhanced laws and the regulators are considering the proper
should have in place to protect sensitive regulations may be required. process for gauging states' compliance
policyholder information. Likewise, as with the standards and program. Finally,
carriers get more sophisticated in their a process will be proposed that deals
19Navigating the year ahead 2018 insurance regulatory outlook
with future changes to the standards and activity of the Market Actions Working Summary
how to best help the various state DOIs Group (MAWG). In addition to multistate Insurers should continue to enhance
achieve certification. The working group coordination, the NAIC has recently their controls in key areas of market
continues to review the pilot program in provided additional guidance promoting conduct exams with a focused review on
which approximately 14 states were tapped the expanded use of standardized data regulatory areas that are still evolving, such
to be part of the certification program as it requests during examinations. Greater as big data, cybersecurity, and vendor/
evolves. standardization is expected to improve the TPA management. These new areas will
consistency and effectiveness of exams be challenging for insurers as regulators
Outlook on state insurance and analysis going forward. In general, further enhance their tools and expand
department market conduct we’re seeing states move toward a more their analysis of company data and use
capabilities data-driven and analytical approach to of specialized third-party examiners to
Recent analysis of NAIC’s IDR database market conduct, leveraging information focus on these and other areas. This will
suggests that market conduct exams and from financial statements, rate and form be a particular challenge with regard to
related regulatory penalties are on the filings, and information from other state protecting customer PII and PHI data and
rise. We believe that one important driver and federal regulators. In addition, the potential unfair trade practice abuses,
of these trends is the enhancements that Market Analysis Prioritization Tool (MAPT) including sales practices. Investments
DOIs continue to make to their market continues to be used by states to narrow in enhanced compliance, analytics to
conduct capabilities. Such enhancements the focus to companies with potential proactively identify risks, and controls
include expanded use of market analysis, issue areas by applying a scoring system should pay off in the long term as insurers
greater access to data and shared that analyzes any complaints, regulatory attempt to mitigate the increasing risk
publications, and enhanced coordination actions, and exam histories, among other potential of fines, consent orders, and
between states. We’re seeing the improved data points. adverse publicity.
coordination evidenced through increased
In general, we're seeing states move toward a more data-
driven and analytical approach to market conduct, leveraging
information from financial statements, rate and form filings, and
information from other state and federal regulators.
20Navigating the year ahead 2018 insurance regulatory outlook
International
regulatory change
Regulatory change continues to pervade landscape, driving companies to reconsider
the insurance industry, and international how their business operates and how it will
regulatory change is no exception. The be structured within the European Union.
international regulatory environment Also, the UK financial services regulators—
is significant even for US-only industry the Prudential Regulatory Authority (PRA)
participants because of the direct and and Financial Conduct Authority (FCA)—will
trickle-down impacts of globally accepted need to revisit their rules and guidance in
changes. The International Association the context of being outside of European
of Insurance Supervisors (IAIS), which is Union law.
the standard-setting body for insurance
supervision, comprises more than 140 Brexit is just one example of the many
different jurisdictions and 190 different country- and region-specific changes that
insurance regulators. The IAIS not only are currently taking place. European capital
supports standard setting for regulators standards under Solvency II are currently
themselves, but it also responds to the being reviewed, with the review results
needs of governments through the G20 due in 2018. At the same time, countries
and the FSB. in Asia and Latin America are looking to
enhance their current capital regimes. The
Standards set by the IAIS take a development of the Insurance Capital
number of forms. Establishment of the Standard (ICS) by the IAIS is seen by some
Insurance Core Principles (ICPs) and then countries as a key input to their local capital
implementation of those principles in standard considerations. Meanwhile,
local jurisdictions lead to a harmonization regulators continue to enhance their local
of supervisory standards across the regimes in both prudential and market
globe. Also, implementation monitoring conduct. Also under consideration are
and peer review are performed. The many emerging issues, such as:
work of the IAIS focuses on prudential
standards of solvency; risk management •• How insurance can respond to consumer
and governance; and, increasingly, market needs
conduct issues. The agenda and timeline •• How insurance can support in-country
for these existing and new proposed development, such as infrastructure
standards stretch out for many years, projects
creating significant uncertainty in the •• How regulation should respond to
industry. emerging issues and trends, such as
cybersecurity and fintech
Local country-based change is also
creating uncertainty, with socio-economic Against this backdrop, both US domestic
and political change driving significant and international insurers would be well-
regulatory adjustments within individual advised to stay on top of global regulatory
countries. For example, the political shift developments and continuously assess the
within the UK to exit the European Union potential impact on their business models.
has direct implications for the regulatory
21You can also read
