The compliance function in the insurance industry

Insurers now operate in a complex and increasingly regulated economic environment that requires them to cope with new risks, make more substantial commitments and innovate.

It is in this context that the authorities have put many safeguards in place. This is particularly true in the European countries, where the Solvency II rules that come into effect on 1 January 2016 impose a new set of obligations, including the compliance function.

In an ever-changing world, insurers are constantly required by the authorities to maintain high standards in the governance of their companies. The recent resounding bankruptcies have pushed companies to exercise utmost caution and take appropriate measures to maintain solvency and insurance consumers’ confidence.

In most developing countries, efforts are also underway in this direction, with many regulations being enacted with reference to Solvency II. Insurance companies themselves have taken steps to establish internal rules that ensure optimum safety for their customers and preserve their image.

Risks jeopardizing insurers

Three major risk groups threaten insurers:

  • Risks related to insurance techniques: technical management and the progress over time of an insurance contract, the probability of occurrence of a loss, etc.
  • Financial risks: return on equity, liquidity, credit, foreign exchange risks, etc.
  • Operational risks: direct and indirect loss due to faulty procedures, human factor, inadequate systems, or external reasons.

Non-compliance risk belongs in particular to operational risks, that is, those responsible for losses caused by internal procedure-related problems, breaches of obligation by staff, or failures of information systems. Poor advice alone may prove detrimental: insurance companies and intermediaries can be held accountable for the advice they give on the products sold. Moreover, an operational risk may in some cases originate outside the company.

Operational risks are therefore the result of inadequate procedures put in place with regard to the legislative and regulatory framework. The risk of non-compliance is a subset of operational risks.

The risk of non-compliance

The risk of non-compliance may be defined as the risk of legal or regulatory sanctions, material financial losses or deterioration of the image that an insurer may sustain for non-compliance with laws, regulations and administrative provisions pertaining to the company’s operations.
Any deviation from this principle is liable to sanctions.

The identification and assessment of non-compliance risks

Even before the adoption of the new regulations, insurers already had some tools enabling them to assess the compliance of their activities with the objectives set. The compliance-checking function can therefore build on existing elements; it only needs to be given the means to extend its scope of intervention through new bodies.

The compliance function enhances regulatory monitoring. It creates a mechanism to detect non-compliance risks and to inform all levels of the company of changes in the regulatory framework applicable to insurance. This task can be divided among different entities: the legal department is entrusted with monitoring legal provisions, enforcing embargoes, etc.; the accounting department follows the evolving requirements on the presentation of financial statements; and the human resources department monitors changes in the labor code.

Risk mapping

In order to sustain a sound activity and guard against sanctions, insurers are required to identify and evaluate all non-compliance risks. The purpose of this identification and evaluation is to confine the residual risk to a level acceptable to the insurer. This policy requires the establishment of a risk map, which represents non-compliance risks graphically according to their probability of occurrence and their importance. This approach entails thorough knowledge of the company's strategic profile and of the goals to be achieved in terms of risk management.

Key features of compliance-checking function
Source: Optimind Winter

Monitoring non-compliance risk

Monitoring non-compliance risk is critical to promoting quality and effectiveness, as it allows the anomalies detected to be corrected while coordinating the various services. This requires the company to be proactive. After detecting a failure, the insurer coordinates all the entities of the company that are likely to solve the identified problem. This is particularly evident in the monitoring of policyholders' claims: is it a problem of missing information in the contract? A problem of advice? How should the problem be solved? Creating an "incident"-oriented database often facilitates the identification of non-compliance risks.

Staff training is a key mission of the compliance-checking function. It is designed to raise employees' awareness of non-compliance risks. Training workshops and information sessions are regularly organized by major insurance groups; money laundering, corruption, compliance procedures and ethics are among the recurrent topics.

Insurers subject to Solvency II

Since the inception of the Basel Committee (established in 1974), insurers have identified the same categories of operational risks as banks:

  • losses caused by malfunctions in the business, information systems, management processes, outsourced tasks or the execution of a transaction,
  • internal and external fraud, including mainly money laundering and the financing of prohibited persons or institutions,
  • losses caused by wrongful acts pertaining to health or safety in the workplace or during professional duty (discrimination, poor skills management),
  • losses due to an unintentional mistake by an employee towards an insured; eventually, the requirements will be extended to comprehensive protection of customers, protection of confidential data and business practices,
  • losses due to a natural catastrophe or a man-made act affecting employees or damaging the assets of the insurance company.

Under Solvency II, governance becomes the way to ensure prudent and efficient conduct of business. The insurer is required to establish a sound management system to control the execution of tasks in compliance with the legal framework and other obligations. This system involves:

  • a device for the proper dissemination of information,
  • a business structure where responsibilities are clearly defined,
  • good risk management,
  • a system of internal control that is continuous, efficient, and suitable for all levels of the company.

In terms of internal control, Solvency II requirements are very high. Insurers must, through other controls, verify the performance of continuous internal control.

The compliance-checking function is a key element of the internal control process, ranking in the second level of the governance and analysis tools.

The “periodic control” and “permanent control” model

Source: AG2R La mondiale

Non-compliance sanctions

In emerging countries, non-compliance risk is most often penalized by the insurance supervisory authorities.

In the European Union, sanctions may come from:

  • the supervisory authority,
  • the authorities of Brussels,
  • the prudential control authority,
  • the National Commission on Informatics and Liberty,
  • advocates of consumer rights,
  • the competition authority,
  • anti-fraud departments,
  • the stock exchange authorities.

Non-compliance in emerging countries


Even if they do not have control systems as binding as those in force in the European Union, the supervisory authorities of emerging countries are moving closer to international standards and to the criteria imposed by Solvency II; anti-money laundering provisions are found in most legislation.

In Saudi Arabia, SAMA imposes binding control standards. Insurers are required to define a control policy and to combat money laundering effectively. The regulations therefore require insurance companies to establish appropriate internal controls and procedures enabling them to check their compliance with the requirements of the regulatory framework. Furthermore, insurance companies are required to hold records demonstrating the compliance of their transactions with the insurance legislation, particularly in terms of risk management strategy and organization.

In practical terms, Saudi insurers have established a charter of quality and compliance that defines the:

  • organizational chart of the company with reference to the position of the compliance officer,
  • customer approach,
  • confidentiality of information processed,
  • information provided by the insured,
  • information contained in the insurance policy,
  • claims management policy,
  • grievances management policy.

In Morocco, in line with the obligations introduced by Solvency II, the market's supervisory authority, the Direction des Assurances et de la Prévoyance (DAPS), has been working since 2008 on an internal control and risk management project. The establishment of structures for measuring and managing internal risks (financial, technical, operational risks, etc.) has been tested. Companies were tasked with developing risk maps and building an internal control system. They were asked to establish and monitor administrative and accounting procedures and to set up reporting on internal control.

The organization of the compliance function

The compliance function is an internal control function that complements those already existing in insurance companies: actuarial function, internal audit, and risk management.

It may be exercised by a person, a team or a committee. It ensures compliance with:

  • concrete governance tasks,
  • internal rules of procedures,
  • guidelines imposed by regulators,
  • good professional practice,
  • ethics,
  • the image of the company.

Sanctions for failure vary depending on the nature of the faults and their severity. They can range from a simple fine to a disciplinary or administrative sanction, and can also result in criminal prosecution.

Once non-compliance risks have been identified and assessed, insurers are required to report them to the different structures of the company. Exchanges with all governing bodies and management structures are then needed to combat the identified risks, target the impact of changes and provide advice to management.

To carry out this task effectively, insurers are required to have an independent team endowed with adequate resources and skills. Full powers and unlimited access to internal data (including that of subsidiaries) must be granted to the members of the compliance control department. This mission can be fulfilled either centrally within the company or in a decentralized fashion.

With a view to rationalizing costs, insurers may outsource all or part of these tasks. Another option is to attach the function to existing departments. Under Solvency II, the compliance-checking function can be attached to the audit department, which is required to remain independent. Alternatively, the insurer may appoint a committee composed of staff in charge of auditing compliance, or delegate this power to internal management.

The job of compliance officer: origin and development

The function of compliance officer appeared in Anglo-Saxon countries in the mid-1990s. It started out in regulated sectors such as banking and specialized investment funds (hedge funds) and in certain industries (pharmaceutical, energy). The new function was then gradually opened to other sectors such as insurance.

It is mainly following the financial scandals of Enron in 2001, WorldCom in 2002, Parmalat in 2003 and AIG in 2008 that the function was definitively established and its role confirmed. Nowadays, risk anticipation has become a critical issue for all companies. In addition, the multitude of regulations has led legislators to impose ever more drastic rules regarding internal control and compliance with the guidelines in force. For example, the number of staff members entrusted with compliance control tasks has increased from 160% to 300% in some Swiss institutions.

Compliance officer’s duties

Within an insurance company, the compliance officer must verify in particular that:

  • the company is operating according to the standards required,
  • the company provides quality services to clients,
  • policyholders and the public in general get clear and accurate information,
  • documents issued to policyholders are complete, well written and consistent with the Insurance Code and the regulations,
  • claims are paid on time,
  • all comments made by policyholders and victims are taken into account.