Implementing regulatory change in insurance

Transcription

1 Implementing regulatory change in insurance Is a more strategic and integrated approach achievable? Since the financial crisis, regulators worldwide have taken a much more proactive and intrusive approach. Insurance regulation has been no exception to this trend, which has led to an unprecedented volume of new regulations that place huge demand on firms capacity to manage change and ongoing compliance. Against this backdrop, we pose the question of whether a more integrated and strategic approach to regulatory change is possible. While we think the answer is YES, we recognise that it is not easy and certain challenges will remain. Legislation has become increasingly complex (just look at Solvency II), more difficult to interpret and implement and, importantly, highly interlinked - regulations emanating from different regulators or with distinct overarching objectives that often affect common business processes. This means that firms can reap benefits by applying a more integrated implementation approach. The regulatory landscape

2 This shows a non-exhaustive list of regulatory changes taking place in the coming months and years. Within the EU, for example, 2018 will be a bumper year in terms of consumer protection regulations with the implementation of the Insurance Distribution Directive (IDD), the Packaged Retail and Insurance-based Investment Products (PRIIPs) and the General Data Protection Regulation (GDPR). In the UK, Brexit will become increasingly influential for the drivers and timelines of policy development, especially beyond March 2019 the two-year anniversary of the triggering of article 50. Clearly, not all firms will be impacted in the same way and at the same time. For instance, the UK senior manager s regime already applies to (re)insures and its extension will mainly affect the asset management arm of insurers, insurance intermediaries and brokers. However, all firms that distribute insurance products will need to implement some changes as a result of the IDD which comes into effect next February. Firms that control or process personal data, in all sectors, will have to make changes and adapt in response to the forthcoming GDPR. Commonly observed challenges As firms go about implementing these regulatory initiatives, it is important that they manage effectively the challenges commonly observed in large regulatory change programmes and learn from past experience. A key challenge is the multiplicity of stakeholders involved in the change process. On the one hand, firms need to engage with and influence local and regional regulators and policy makers, as well as standard setters. Inside firms, regulatory change is spread across many functions and all lines of defence. Hence, coordinating and managing highly multidisciplinary teams are particularly demanding and onerous activities. Policy uncertainty is also pervasive - how to deal with the known unknowns. Brexit, of course, is a prominent example. Since policy development happens in parallel to programme implementation, lack of clarity around the final policy details can lead to a wait and see approach and corporate paralysis. Then firms often find themselves having to play catch-up during the implementation phase. For example in the case of Solvency II (SII), the new prudential regime for (re)insurers that came into effect on 1 January 2016 after over ten years of development, firms had to start implementation in the context of significant policy uncertainty; in fact, the effective date of SII moved several times from the original date of November Another challenge is that different regulations can affect the same business process even though they are not synchronised. If interdependencies are not identified and addressed, a piecemeal approach to regulatory change may result in digging up the road multiple times in close succession. During SII implementation, for instance, many firms did not manage properly complex dependencies between the three pillars of SII. They focused on the quantitative aspects of capital requirements (Pillar 1) to

3 the detriment of risk and governance aspects (Pillar 2) and reporting requirements (Pillar 3), which left little time to get these right towards the end of the programme. Other frequent challenges relate to planning and execution stretch. Examples include the competition for adequate management attention and resources, the emergence of silo approaches due to lack of an overarching understanding of the regulatory landscape, and the bottlenecks due to limited availability of subject matter expertise (e.g. in the case of Solvency II, risk and actuarial) at critical times. These challenges are pervasive and unlikely to go away completely even when more optimised practices and approaches are used by firms. Rather, they must be continuously managed and mitigated. Towards an enhanced approach Despite these challenges, there are specific things firms can do to be more strategic and integrated in their approach to implementing regulatory change. The starting point is effective project and programme management, which defines a clear order of priorities based on a thorough understanding of the requirements and impact of new regulations. This requires timely identification and interpretation of the regulatory agenda, themes and objectives across multiple regulators, as well as good understanding of potential overlaps in the scope and requirements of different regulations. A pre-requisite for all of this is the ability to develop a longer term outlook and planning horizon which factors regulatory developments into the firm s business planning at early stages of the policy development process. Understanding the commercial and operational impact of new requirements is key to both influencing

4 effectively the policy making process and identifying likely adjustments that will need to be made to the firm s long-term strategy. The key to achieving effective regulatory change is robust governance structures with visible and engaged board-level sponsorship. The Board s role in change programmes must be clearly set out and supported by effective channels of communication, reporting and escalation. Good cross-functional coordination helps to avoid silo implementation and resource planning in turn helps identify and manage future spikes in resource demand, and enables the development of contingency plans to deal with the intrinsic uncertainty in the policy development process. Applying the enhanced toolkit Take thematic analysis as an example. The logic is that new regulations tend to be sequential but often seek similar objectives or touch upon common business processes and systems. Thus, understanding the key themes, regulatory objectives and outcomes being sought by the relevant regulators can help firms achieve synergies and cost-efficiencies across different aspects of their regulatory programmes. To do this, though, firms must develop a thorough understanding of the new regulations and legislation and their key themes in order to cluster them around the key business processes that are impacted by the changes. The IDD, GDPR and PRIIPs regulations include elements of product oversight and governance, thus ensuring that the interest of customers and end users are taken into account from inception and throughout the product lifecycle. According to IDD, for example, manufacturers should establish, document and regularly review product oversight and governance arrangements, and ensure that personnel involved in designing products have the necessary skills, knowledge and expertise. Product distributors are also in scope of the regulation and expected to establish, document and regularly review product distribution arrangements, and obtain all necessary information on the product and the target market from the manufacturer. When firms develop or update their product oversight and governance arrangements to comply with the IDD, they should factor in the GDPR s privacy by design requirements that come into effect in May Privacy by design means that data protection considerations must be considered from the inception of any new technology, product or service that involves the processing of personal data. There is also a requirement to conduct data protection impact assessments throughout the product life cycle, as appropriate. Whilst the PRIIPs regulation does not explicitly mention product oversight and governance firms should, as part of their product oversight and governance processes, consider the specific terms of existing and new products to determine whether a particular product falls into the category of a PRIIP.

5 Determining whether a product falls into a category is not straightforward but it can significantly impact the applicable product disclosure requirements, including the need to provide a Key Information Document (KID). The KID is aimed at improving investor or policyholder understanding of products and their ability to compare different PRIIPs in terms of the key features, risks, rewards and costs. Potential benefits The approach outlined above recognises that regulatory changes take place in the context of business strategy. In some cases, an evolving regulatory landscape will significantly affect strategic options available to firms and this analysis should be part of the strategy-setting process. An integrated approach to change also allows firms to reap the rewards of synergies when overlapping regulatory requirements affect the same business processes and systems. This means that the alignment of regulatory change projects can contribute to alleviating resources and time constraints by avoiding duplication, which in turn reduces execution risk and the need to retrofit solutions as an afterthought rather than by design. Of course, the extent to which these benefits and cost efficiencies are realised will ultimately depend on how well the whole process and underlying challenges are managed. It is important that firms put in place adequate and proportionate mitigants, where possible, so as to minimise programme risks and realise incremental benefits from implementing regulatory change in a strategic and integrated manner.