Michael Luderer

Taking the regulatory bull by the horns

We may think the regulatory environment in the insurance sector is challenging enough already, but it’s going to get a whole lot tougher next year when the FSA splits into two.

So little is known about how the FCA and PRA are going to go about their business that it is almost impossible for risk and compliance specialists to hazard any kind of guess about the scale of additional reporting requirements they are likely to face. But ‘think the worst and double it’ seems to be the consensus around the insurance industry.

The situation is bad enough already, of course. Even if you leave aside the long-rumbling issue of Solvency II, the regulators and Lloyd’s request data from so many different departments and functions, it’s hard to keep track. Even though most requests are typically channelled through compliance or risk specialists, too often the people involved are simply overwhelmed. They end up operating like postmen, furiously sending out regulators’ demands for information in the hope that the recipients will be in a position to handle them.

One thing that is certain about the upcoming formation of the FCA and PRA is that information sharing between the two bodies will be the norm. Of course, the insurance industry has to deal with regulators communicating with each other already, but this will increase significantly when the FCA and PRA come into being next spring. This will reinforce the imperative for absolute consistency when responding to information requests from the regulators. It will also demand a much more streamlined and coordinated approach to the way insurance companies manage both their internal communication and external interaction with the regulators.

Most companies currently deploy a reactive, decentralised approach to responding to regulators’ data requests. This tends to involve risk or compliance managers, in particular, passing on these requests to the relevant department or specialist. This has seldom been a terribly satisfactory way of handling the process because it is prone to error, few have a ‘big picture view’ of what is going on, and risk managers tend to be overwhelmed by what they see as a low-level administrative task.

With the arrival of the FCA and the PRA and a general stepping up of regulatory pressure on the insurance sector, there is a growing risk that under the current model of regulation management, sooner or later someone is going to make a big mistake. It could happen so easily. A slight miscommunication between the capital modelling team and someone in group finance about a regulator’s query into some financial data provided to them a couple of years earlier by an employee who has since left the company would be all it took. The wrong (or simply inconsistent) data is supplied, the regulator gets heavy and suddenly there’s trouble. And it could be big trouble in a highly competitive international market where no company can afford to gamble with its reputation. This is a genuine danger when responses to regulators are run through silos, rather than being properly managed and coordinated across the company.

But there are countless other risks with this post-room approach to regulator relationships and communications management. Good risk and compliance managers are hard to come by, and if they think they are spending their time farming out a seemingly never-ending stream of information requests from regulators rather than actually doing their proper job of managing risk, then they are not likely to hang around for long. There is, of course, a world of difference between being compliant and managing risk.

There is also the problem of key people or teams having to drop what they are doing to deal with complex and sudden information requests from regulators. Sometimes the timing of these demands can be excruciatingly bad, such as a critical moment in a change management project, when a regulatory deadline looms or preparations for the year end are reaching their peak. With nobody in overall charge of the process or managing the day-to-day relationship with the regulators, there is little or no scope for negotiated flexibility and nobody is empowered to seek out an alternative source within the company to respond to the regulator’s request.

The current ad-hoc approach to regulation management within the insurance industry is clearly fraught with potential operational problems and risks. It’s also inefficient and costly because there is no overall control over who is doing what and there will inevitably be duplication. Are the right people with the right skills and access to appropriate data being used? What about quality control? This is another problem area because compliance and risk specialists cannot possibly underwrite the quality of information they give to the regulators if they don’t fully understand the function where it came from or how precisely it was produced. And with the best will in the world, risk managers cannot have a detailed knowledge of all the activities within an insurance company that the regulators may want to probe.

And does anyone have a complete picture of all work in progress regarding responses to regulator information requests? Is there a project management system for keeping track of everything that’s going on? ‘Probably not’ would be the answer to both questions.

So in a nutshell, this tactical, post-room approach to regulation interaction and compliance is expensive, inefficient, demotivating for key people, and distinctly risky. It also has the potential to damage an insurance company’s relationships with regulators, which would almost inevitably result in closer scrutiny, more demands, less flexibility and much more work and costs for anyone on the receiving end.

With regulation and the number of regulators bearing down on the insurance industry very likely to increase over the next decade, clear indications from the very top of the FSA that its style of engagement will change post-April, and the substantial requirements of Solvency II set to dominate the next few years, this current ad hoc approach is costly and unsustainable.

What’s needed is an alternative that can not only resolve all these issues, but would also give insurance companies the opportunity to build effective working relationships with multiple authorities, based on better day-to-day communications, mutual understanding and pragmatism.

This is the thinking behind the idea of a dedicated, centralised Regulatory Office (RO) to manage the corporate relationship with the authorities and at the same time control and supervise all responses to requests for information. The RO will project manage the delivery of data to the regulators and guarantee its quality, accuracy and consistency.

At the same time, the RO will be responsible for building a working relationship with all the regulators and developing a detailed understanding of the regulatory environment both now and into the future. Mutual understanding is a wonderful thing in this field: it opens the door to discreet compromises and pragmatic solutions to problems that might otherwise be closed.

Inside knowledge of what is really going on at the regulators is helpful too. It will allow the RO the opportunity to plan, to direct resources where they are likely to be most required and to work out the most cost-effective way of delivering what the regulators will be demanding, not just today – but tomorrow. Importantly, it would also be able to manage the critical issue of training staff, both up and down the organisation, and identify and implement business process improvement initiatives.

The RO will also be in a strong position to de-risk the whole issue of regulator communications and management, which is quite impossible under the post-room approach. Enterprise risk management best practice, supporting technology and effective project management, underpinned by current regulatory intelligence, would all play a part in driving cost efficiencies in the process. It would also create a robust platform to enable any insurance company to run its business as normal and focus on growth without sudden disruption, no matter what the regulators throw at them in the future. And let’s be clear: that could be a great deal.

Sounds expensive? Far from it, actually. Given the way most insurance companies currently run their regulatory interaction and responses, with its attendant duplication, misuse of valuable human resources and lack of planning, the return on investment through the creation of an RO will be fast and very transparent.

Nobody ever said that it’s easy dealing with regulators. They are powerful and in the ascendancy in the current climate. They too suffer from poor management sometimes and there always has been a high staff churn at many of them. And very often, even they cannot tell which way the regulatory wind is going to blow.

But the closer you get to them, the better you understand them and the way they work, particularly now they have publicly stated their intention to operate in a new way. This is crucial and it comes through intense, day-to-day relationship building between individuals; a very different proposition from the occasional back-slapping ‘Regulator Relations PR’ that many companies misconstrue as doing the same job.

A proper working relationship can really only be achieved by creating a centralised RO within your company. How else do you develop a proper knowledge base enabling you to make informed decisions about the most cost-effective and efficient way of dealing with the regulators’ demands?

Leaving aside all the compelling financial and operational benefits of creating a centralised RO, there’s one final point worth making. What would your shareholders think if they knew the reputational risks you are taking by running a totally ad hoc, reactive, unmanaged approach to dealing with regulators? In the final analysis, this all boils down to shareholder value at risk because there is a vibrant relationship between an insurance company’s reputation and its share price.

This was posted in Bdaily's Members' News section by Severn Consulting.
