The role of the insurance compliance officer has evolved from a purely advisory role into a proactive one with internal audit characteristics in the last few years according to a white paper by Ethical Corporation, a global business publication.
The paper notes that whereas the typical job of the compliance officer used to consist of ensuring the smooth conduct of business matters through a mere “check-the-box” approach with little more than issuing policies, it now involves verifying the practical application of the control environment through numerous reviews against a broader set of law and regulations, and expressing an opinion on how well it is working.
There are many regulatory challenges facing insurance companies, and subsequently, their compliance officers.
A panoply of regulators
Insurance compliance officers, not unlike their counterparts in banks, have an increasing array of regulators at multiple levels they must report to. There are state regulators –or, state insurance commissioners– for each state where the insurance company conducts its activities, with the regulator of the “state of domicile” holding the primary supervisory role. The national association of insurance commissioners (NAIC), through its various working groups, focuses on key topics such as market conduct and financial regulations standards, and also acts as a forum that brings together the state commissioners to build a “coalition of states” in order to provide more consistency and streamlining of state laws and regulations. NAIC has, to a large extent, reduced frictions resulting from state-level regulation of interstate insurers.
The state regulators are complemented at the federal level by the Financial Industry Regulatory Authority (FINRA), the Securities and Exchange Commission (SEC), each with different areas of responsibilities. While the SEC issues rules on securities products of insurance companies such as annuities, FINRA oversees their distribution through brokers. The Federal Reserve Board has also been added to the list of regulators at the onset of the financial crisis with the Dodd-Frank Act, in response to the systemic risks that originated from nontraditional insurance activities, such as financial guarantees on structured financial products tied to subprime mortgages.
In fact, “the inclusion of the Federal Reserve as a new regulator of certain companies within the insurance industry has added an additional layer of complexity for the insurance companies,” said Ellen Walsh, a partner at the Regulatory Advisory Practice with PriceWaterhouseCoopers in an interview with Accelus Regulatory Intelligence of Thomson Reuters. “Unlike the state insurers that conduct periodic financial and market conduct examinations, the Fed conducts a continuous monitoring process related to several risk topics, resulting in an increased regulatory responsibility for how the compliance officer oversees and implements the company’s overall compliance risk management program,”added Walsh.
Navigating the uncharted regulatory waters
The compliance officer has to tackle the uncertainty that emerges from competition among the many regulators who exercise their respective points of views.
The new regulations may encourage new product and marketing opportunities, such as products that fit the new description of the “Qualified Longevity Annuity Contract” – covering annuity distributions after a certain age and being exempt from minimum distribution requirements. But the increasing tension between federal and state regulators, in particular between the new Federal Insurance Office (FIO) and the NAIC and state insurance commissioners, is more likely to catch insurance firms in the middle.
Consider the fiduciary standards as a case in point, where no less than three regulatory/governmental bodies — the NAIC, the FIO and the U.S. Department of Labor (DOL) — are trying to iron out their differences. DOL proposed, in April this year, a rule imposing stringent fiduciary standards on insurance agents who get paid for advice on retirement investment decisions. This would effectively subject them to the same disclosure and compliance requirements as investment advisors. The rule has not been finalized yet, but the uncertainty surrounding it already has implications for how products are to be marketed and sold, as well as advertisements and the training of sales teams.
The designation of certain companies as systemically important financial institution (SIFI) by the Financial Stability Oversight Council (FSOC) has not brought more clarity either. Even though the designations were originally announced in 2013 and continue to be updated, it remains unclear whether there will be additional regulatory expectations for SIFIs. A number of solvency and capital issues have been raised, especially regarding the use of captives by life insurance companies. Captives are subsidiaries of insurance companies created and wholly owned by one or more non-insurance companies to meet the risk-management needs of its owners, in particular to fulfill capital requirements. They essentially provide a form of self-insurance whereby the insurer is owned wholly by the insured.
Different issues for compliance
Issues that the compliance officers grapple with have also evolved, gradually becoming more holistic in nature. They are now increasingly related to effective communication with the board, and involve deeper interaction with business units through the transmission of sufficient information or via well-defined escalation processes. There is also the question of the level of awareness of the compliance environment among the officers.
In effect, the role of compliance officer has blurred the distinction among the traditional three lines of defense –business lines, compliance and audit, by expanding into other areas.
Furthermore, regulators have shifted the focus of their examination approach – at least for insurance companies that are designated as systemically important. They used to test business processes for compliance with specific regulations, whereas now they have increasingly sought proof that companies are not violating any regulation.
With the burden of proof, therefore, more heavily placed on insurance companies, a higher level of discipline among the ranks of compliance officers, and a heavier load of documentation needs to be provided to regulators.
More documentation
Until recently, internal reporting structures were not adequate to satisfy the increasing regulatory demands for information. Through heavy investment, insurance companies have been able to build advanced, integrated technology systems and processes to respond to various regulatory information requests. Their increased capacity allows senior management to have a more wholesome view of their organizational risk, and use a single set of tools for oversight and testing, and reporting purposes.
NAIC’s requirement to submit annual reports of their Own Risk and Solvency Assessment (ORSA) for insurance companies with more than $500 million in direct premium ($1 billion for insurance groups) has forced companies to expand the scope and detail of the data to be provided. Within the framework of the ORSA, insurance companies must provide quantitative methods they use to assess risks and the impact of these risks on their balance sheets, as well as submit a description of the company’s processes for model validation.
Here again, however, as with the continuous monitoring approach of the Federal Reserve examinations, NAIC’s annual ORSA requirements may become iterative. An insurance company must stand ready to provide robust data if an insurance commissioner were to request additional information on risks or how they are mitigated.
More documentation may also be needed in responding to increased data requests from the FIO, which has indicated interest in developing standards for personal lines insurance, such as governing pricing and rate regulation practices, or its consumer protection initiatives, such as the affordability of personal lines insurance in underserved communities.
Brave new regulatory world
In the brave new regulatory world, insurance compliance teams will increasingly need to hone in their global enterprise risk management capabilities, improve risk analyses, and keep their information systems up-to-date to better measure, monitor, and mitigate risk under various economic scenarios.
(This article was produced by Thomson Reuters Regulatory Intelligence. Regulatory Intelligence provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 400 regulators and exchanges. Follow Regulatory Intelligence compliance news on Twitter: @RiskMgment)