IAC Forum
FCA Thematic Review
Delegated Authority: Outsourcing in
the General Insurance Market
Lloyd’s Old Library
25 September 2015
Delegated authority: Outsourcing in the
general insurance market
Thematic review and the role of risk,
audit and compliance
Joseph Smith, Manager
General Insurance Themes
• Delegation of authority is a key component of the UK general insurance market
• 12 insurers (including Lloyd’s insurers, companies and EEA passporting firms) and 20 intermediaries and TPAs
• Focused on delegated arrangements for UK retail and SME customers (75%:25%)
Insurers*
Intermediaries
Principle 2 – Due skill, care and diligence
Principle 3 – Effective systems and controls
Principle 6 – Fair treatment of customers
Principle 8 – Fair management of conflicts of interest
Permissions for…
• Effecting contracts of insurance
• Carrying out contracts of insurance
Permissions for…
• Making arrangements and arranging deals
• Assisting in administration and performance
SYSC 3 and 13
• Where outsourcing, the SYSC requirements apply
SYSC 4, 8 and 10
• Robust governance arrangements
• Conflicts of interest
ICOBS 8.1
• Insurer is always responsible for the claims outcome
ICOBS 8.3
• General intermediary duties
Regulatory framework
*Insurers include EEA firms passporting on an establishment basis. EEA firms
• Delegating authority not always treated as outsourcing
• Impact on customers
Outsourcing and due diligence
• What is product being underwritten and who’s responsible?
• Is product designed to treat customers fairly?
Product design and review
• Choice of party to handle claims.
• Claims processes appropriately designed and implemented.
Claims handling
• Varied quality of oversight of outsourced functions.
• MI and monitoring rarely addressed customer outcomes.
Oversight and monitoring
• Who is doing what within the outsourced arrangements?
• Is there effective communication to support good outcomes?
Allocation and communication
diligence
Risk appetite and approach
• Delegation of authority not always treated as outsourcing
• Conduct focus and risk-based approach
Due diligence and controls around outsourcing
• Involvement of all stakeholders
• Process flexed according to risks
Business model
• Consideration of customer needs and outcomes
• Turnover in delegated arrangements
Product oversight and control
Product design, distribution and review
• Understanding and ownership of responsibilities
• Clear customer focus
• Selection of distribution channel
Monitoring and MI
• Regular and appropriate MI on customer outcomes
• Consistency of information
Analysis and response
• Sharing of information
• Root cause analysis
Claims outsourcing - Due diligence and processes
• Risk based due diligence considering capabilities
• Input to or review of claims processes
Standards and outcomes
• Set expectations for how claims are handled
• Reasons for declinature or repudiation
Conflicts of interest
• Consideration of incentives and conflicts of interest
Creation of an oversight framework
Information flows to the insurer
Review and analysis
Current role of audit
• Useful part of control framework
• Reactive not proactive
Audit scope and output
• Breadth and resourcing
• Conduct focus
• Issue identification and reporting
• Follow-up
Complaint handling
Completeness of information
• Potential for complaints under-reporting
• Lack of focus on non-reportable complaints
Consistency in approach
• Potential for different customer outcomes
Root cause analysis and follow-up actions
• Lack of central collation and analysis
The role of risk, audit
and compliance
The role of the risk function
How can risk help?
• Making the strategy and risk appetite real
• Identifying key risks of delegation
• Setting parameters for engagement – Who and what?
The role of compliance
How can compliance help?
• Helping the business to understand
• Contribution to core processes
• Providing the voice of the customer
• Monitoring
The role of audit
How can audit help?
• Providing an independent view
• Focused and targeted review
• Challenging the processes
Effectiveness of control functions
What will help control functions deliver?
• Clarity of roles and responsibilities
• Empowered to contribute
Our expectations
Risk-based controls considering customers when outsourcing
Appropriate oversight of outsourced activities and associated products
Meet responsibilities as product provider
© Lloyd’s 1
NEIL GRIFFITHS
► Solvency II
► Internal model approval application (IMAP)
submitted to PRA
► Addresses over 300 Solvency II requirements whilst
articulating unique structure of Lloyd’s
► 7,417 pages including:
– Covering letter
– Overview documents describing Lloyd’s
– 102 IMAP documents¹
– 55 supporting documents²
¹ Provided to address specific IMAP requirements
► We expect ongoing discussions with the PRA but do
not expect a formal decision until end of 2015
► Lloyd’s will continue to work closely with PRA during
this period
► Around 20 IMAP firms (Lloyd’s counted as one) still
in the process
– Originally around 100 were involved
► PRA will advise all IMAP firms in December whether
or not they have got model approval
► Key areas where approach continues to develop…
– Model Change
► All major model changes require Lloyd’s approval in
readiness for a Solvency II live environment in 2016
► Enables Lloyd’s to continually monitor syndicate
internal models as they evolve
– Pre-approval of major model changes by the
Standards Assurance Group (SAG) ahead of implementation by the managing agent
– Links to the annual CPG process
– Major model changes reviewed by SAG, with
► For Lloyd’s to be able to meet its Pillar 3
requirements, all agents must be ready by end 2015
► Thematic review of agents’ readiness in Q3 2015,
taking into account:
– Compliance so far in dry runs and interim
reporting
– Review of agents’ Pillar 3 status reports
submitted on 30 June 2015
► Continual assessment of agents’ Solvency II
compliance
– Significant concerns over Pillar 3 may result in
agent being downgraded from green to red
► Solvency II
► Lloyd’s Minimum Standards Framework now in place
► Solvency II requirements “baked in” to the new minimum standards
► A number of self-assessments staggered over the course of 2015
► Market Oversight
► Lloyd’s keen to utilise planned Internal Audit reviews
to support minimum standards and other assessments
► Number of recent examples where Internal Audit
reviews have been used instead of specific Lloyd’s reviews
► Interaction with audit functions to increase in Q4
2015 to increase understanding of 2016 plans
► Recognise that we need to better flag potential IA
involvement
► Encourage agents to proactively send draft 2016
plans to Risk Assurance Account Manager to ensure any likely duplication in reviews can be flagged
PwC
LMA Internal Auditors Committee Forum
Senior Insurance Managers Regime
Update and key thoughts on implications for Internal Audit
September 2015
• Background
• Key features
• Implications & key areas for Internal Audit
• Backdrop – Continuing focus on management; SII; Banking sector
• Extending individual accountability – broader reach through management
• Enhanced conduct standards for individuals
• New model for approvals / notifications – fitness & propriety assessments by firms
• Additional management arrangements
– responsibilities & accountabilities, governance
• Dual regulated firms – PRA + FCA regimes – co-ordinated; changes to FCA regime
Implementation 2016:
• 1/1/16 PRA regime & transitional arrangements
• 8/2/16 Grandfathering applications
• 7/3/16 FCA regime
Senior Management (PRA SIMFs, FCA SIFs)
• Board & senior management
• PRA Senior Insurance Manager Functions
• FCA Significant Influence Functions
Key Function Holders (KFHs), Notifiable NEDs
• Other “Key Functions” not otherwise a SIMF or SIF
• Non Executive Directors not otherwise a SIMF or SIF
Employees in Key Functions (not KFHs)
• Employed in key functions but not the KFH
Other employees
• All other employees engaged in regulated activities
• PRA & FCA regimes co-ordinated
- PRA Senior Insurance Managers Regime
- FCA reformed Approved Persons Regime
• Recognition – PRA & FCA overlap in some areas
- Different perspectives / concerns
• Subject to interpretation & ongoing policy developments
PRA SIMFs (Lloyd’s managing agent)
Senior Insurance Management Functions
Chief Executive Officer SIMF1
Chief Finance Officer SIMF2
Chief Risk Officer SIMF4
Head of Internal Audit SIMF5
Group Entity Senior Insurance Manager SIMF7
Chairman SIMF9 (NED)
Chairman - Risk Committee SIMF10 (NED)
Chairman - Audit Committee SIMF11 (NED)
Chairman - Remuneration Committee SIMF12 (NED)
Senior Independent Director SIMF14 (NED)
Chief Actuary SIMF20
Chief Underwriting Officer (GI) SIMF22
FCA SIFs
Significant Influence Functions
Director (Exec) - not approved by PRA CF1
Compliance Oversight CF10
Systems and controls - not approved by PRA CF28
Chair Nominations Committee (if applicable) CF7 (NED)
Significant Management - not approved by PRA CF29
Actuarial Function in third country branch CF51
PRA SIMR prescribed responsibilities
1. Ensuring all individuals in key functions are fit & proper
One or more PRA SIMFs or FCA SIFs
2. Leading the development of firm’s culture by governing body
3. Overseeing adoption of firm’s culture in day-to-day management
4. Production & integrity of financial information & regulatory reporting
5. Managing allocation and maintenance of firm’s capital & liquidity
6. Development and maintenance of firm’s business model by the governing body
7. Performance of the firm’s ORSA
8. Effective policies & procedures for induction, training & development of governing body
9. Effective policies & procedures for induction, training & development of all other key function holders
10. Independence, autonomy & effectiveness of firm’s whistleblowing policies & procedures
One or more NEDs
11. Developing & overseeing remuneration policies & practices
FCA Principles & Code
Core
• Integrity
• Skill, care & diligence
• Organised for effective control
• Regulatory compliance
• Market conduct
• Interests of customers – fair treatment
• Open & co-operative with regulator
Detailed practices - examples
• Delegation and oversight
• Appropriate disclosures to regulator
PRA Conduct Standards
Core
• Integrity
• Skill, care & diligence
• Organised for effective control
• Regulatory compliance
• Interests of customers
– provision to protect insured benefits
• Open & co-operative with regulator
Detailed standards - examples
• Delegation and oversight
• Appropriate disclosures to regulator
Separate and different articulation of regulatory standards for conduct of individuals
• Regulatory pre-approval by PRA & FCA
• Pre-application fitness & propriety assessment by firm
• Notification to PRA & FCA
• Pre-notification fitness & propriety assessment by firm
• PRA & FCA supervise assessments ex-post
• Not notifiable to PRA & FCA
• Pre-appointment fitness & propriety assessment by firm
• PRA & FCA supervise assessments arrangements
• General requirement for effective systems and controls to maintain fitness and competence of all management and staff (SYSC)
Senior Management
PRA SIMFs FCA SIFs
Key Function Holders Notifiable NEDs
Employees in Key Functions (not KFHs)
Other employees
• Individuals directly subject to conduct rules / standards for PRA Senior Insurance Managers and FCA Approved Persons
• Firm required to ensure individuals observe PRA conduct standards
• PRA / FCA do not take direct regulatory action with individuals
• Not subject to specific SIMR / APR conduct standards
• But general competence &
• Level of scrutiny – continuing
• Due Diligence vetting by firm
- Pre-application / notification
• Application processes – changing
- Forms – PRA & FCA combined
- Pre-approval interviews – possible PRA / FCA discretion
- Post-notification follow-up or interview – possible PRA / FCA discretion; Individuals or firms’ processes
• Transitional arrangements – grandfathering
- Equivalent functions; otherwise new applications
• Ongoing notifications & applications in response to changes
Application to perform controlled functions
Honesty, integrity & reputation
• Employment history & references
• Criminal record check (UK & overseas)
• Financial history, civil proceedings
• Regulatory history & references
• Business history
Personal financial soundness
• Financial history & status
• Civil proceedings & arrangements
Competence & capability for role
• Background & experience
• Qualifications & training
Timeline: Oct 15, Nov 15, Dec 15, Jan 15, Feb 15, Mar 15
Gap analysis & allocation of responsibilities
Governance Map
Fitness & propriety assessments
- New SIMFs / SIFs / KFHs
- Grandfathering – review / refresh
- KF staff – assess / review
Fitness & Propriety assessment model
Employment contracts, JDs, etc
Induction, training & development
Statements of Responsibilities (SORs)
Governance oversight & review
SIMF, SIF & KFH Training
SIMF grandfathering applications
New SIMF applications
Follow-ups / interviews?
Ongoing applications & notifications
SIMR / APR framework & approach
Ongoing maintenance of Fitness & Propriety
KFH notifications
Key function staff training
Determination of SIMFs / SIFs / KFHs & KF staff
Recruitment processes
SIMR & APR administration
Ongoing maintenance of Governance Map & SORs
Key decisions – Gov structure & responsibilities Determine SIMFs, SIFs, KFHs
Ongoing review of SIMR & APR arrangements
Ongoing maintenance of SIMR & APR competence
Review & refresh – Gov policies & processes incl. Remuneration, Appointments, Succession
Ongoing oversight of conduct standards & controls
• Direct regulatory requirements for IA management & staff
- Head Internal Audit – SIMF 5
- If part of wider Group IA function – potential SIMF 7 (Group Entity Senior Insurance Manager)
- Key Function staff – fitness & propriety; training
- Demonstrate adherence to Conduct Standards
• Oversight & assurance – preparation & implementation
- Detailed requirements – interpretation
- Determination of individuals
- Framework and processes
- Implementation and administration
- Ownership & organisation
- Oversight of conduct standards
- Links – performance & reward, resourcing & succession planning, etc
- Continuing regulatory developments
- Material risk for IA oversight?
• New regulatory requirements – step change
• Implementation – complex in practice
• New administrative burden – initial and continuing
• Impact on Internal Audit – function & oversight responsibilities
• Timescales – challenging
• Action – now
• PwC Financial Services Risk and Regulatory practice
Alastair Noble alastair.n.noble@uk.pwc.com
Lee Clarke, Partner lee.clarke@uk.pwc.com
Joel Ramsden joel.ramsden@uk.pwc.com
Prince Moyo, Manager prince.moyo@uk.pwc.com
This material has been produced for the Lloyd’s Market Association. This material comprises generic regulatory information and does not constitute any advice. PricewaterhouseCoopers LLP does not accept any duty or responsibility to any other person in respect of this material. © 2015 PricewaterhouseCoopers LLP
Alastair Noble, PwC
Alastair is a senior manager in PwC’s regulatory practice, specialising in regulatory compliance in the insurance sector. He has extensive experience of working with Lloyd’s and London Market firms, with a strong focus on governance, risk and compliance management, and has worked with a wide range of insurance groups and international organisations.
As well as over 18 years specialising in regulatory consulting, Alastair has an industry background of 18 years in the insurance sector.
Joel Ramsden, PwC
Joel is a senior manager in our Insurance regulatory team, with 10 years’ experience of working on prudential and conduct regulatory issues. Joel joined PwC from the PRA, where he managed the PRA’s supervisory framework team, having previously supervised a number of London Market firms and led the supervision team for a major Lloyd’s managing agent. Joel’s previous experience also includes representing the FSA at European and International supervisory colleges.