(a) Supervision and Enforcement
The Central Bank’s Strategic Plan 2016-2018 published in 2015 is now well underway. The Bank’s Mission Statement ‘Safeguarding Stability, Protecting Consumers’ remains at the heart of what it does and encapsulates the dual priorities for the Central Bank in delivering on its mandate. Regulation of financial institutions and markets is undertaken through risk-based supervision, which is underpinned by credible enforcement deterrents. This mandate is delivered through a range of tools which include:
- supervisory assessments of individual firms according to the engagement cycles set out under PRISM;
- monitoring of regulatory returns filed with the Bank;
- reactive supervisory work on foot of triggers including regulatory returns, market intelligence and whistleblowing complaints;
- approval of persons under the fitness and probity standards;
- processing of requests for authorisation and acquiring transactions; and
- enforcement actions.
The Central Bank has indicated that going forward it will enhance supervisory engagement, processes and tools in light of new powers, new mandates and upgraded international standards and use its enforcement powers effectively to achieve credible deterrence. It will continue to implement the Solvency II regulatory framework for insurance undertakings, and also plans to extend on-site inspection activities to further sectors of the insurance industry in 2017.
(b) Enhanced Engagement Model for Low Impact Companies
In early 2016, the Insurance Directorate introduced a new supervisory framework which involves an increased and more pro-active supervisory approach. The framework is intended to meet the recommendations of the International Monetary Fund's Report on the Observance of Standards and Codes and is based on an on-site and off-site approach as follows:
- Annual on-site inspections of 10% of the low impact companies by the on-site inspection team.
For an additional 10% of undertakings, the supervision team carries out the following:
- on-site quarterly targeted reviews involving the examination of relevant documentation as well as meetings with management; and
- annual off-site desk reviews of a specific topic selected each year.
As part of the new engagement model, the Central Bank's on-site inspection team and the supervision team carried out inspections across a number of low impact (re)insurance undertakings in the first half of 2016. The inspections focused specifically on corporate governance, risk management, internal controls, claims and reserving processes, reinsurance and other risk mitigating techniques, annual and quarterly return processes and the ORSA reports.
Some of the common findings of the Central Bank's inspections are outlined below:
In general, outsourcing agreements were found to be not fully compliant with Solvency II requirements. In the majority of the undertakings inspected, there were no agreements in place between the undertaking and the Group, where the Group provided a critical or important service to the undertaking. Where agreements were in place, with a third party or with the Group, they failed to set out or establish the use of key performance indicators and key risk indicators in their outsourcing arrangements.
(ii) Risk Management
In most instances, risk management policies and sub-policies were not adequately detailed to reflect the complexity of the undertakings. In particular, the Central Bank found that Risk Appetite Statements did not adequately reflect undertakings' appetite for risk.
In general, the Central Bank found that identified risks were not subjected to a sufficiently wide range of stress tests or scenario analyses in order to provide an adequate basis for the assessment of the overall solvency needs.
The boards of low impact (re)insurance undertakings should expect similar activity in 2017. Therefore, to prepare appropriately, boards should carry out their own review to ensure compliance with Solvency II and take whatever corrective measures are necessary.
(c) IT and Cyber Security
During 2016 the Central Bank has sharpened its focus on the risks associated with Information Technology (“IT”) in regulated firms. The risks associated with IT and cybersecurity are a key concern for the Central Bank given their potential to have serious implications for prudential soundness, consumer protection, financial stability and the reputation of the Irish financial system. Accordingly, the Central Bank expects that the boards and senior management of regulated firms (including insurers and reinsurers) fully recognise their responsibilities in relation to IT and cybersecurity governance and risk management and place these among their top priorities.
During 2016 there have been a range of reviews and inspections of regulated firms to assess the operations, governance and strategic risks related to cybersecurity and IT in regulated firms. These reviews and inspections are likely to become more frequent and widespread in the coming year. As an indication of the increasing importance of IT risk, the Central Bank has recruited supervisory IT risk specialists to develop its expertise in this area and establish a new operational risk policy team.
Another example of the Central Bank’s increasing supervision in relation to IT risks in regulated firms came in September 2016, when the Central Bank produced guidance on how firms should approach their own IT risk strategy. The guidance outlines the Central Bank’s current thinking as to good practices that regulated firms should use to inform the development of effective IT and cybersecurity governance and risk management frameworks. The guidance will inform supervisors’ views as to the quality of IT-related governance and risk management in regulated firms. Failings in respect of this guidance will inform Central Bank supervisory decisions, including those in respect of risk mitigation programmes. The publication of the Central Bank’s guidance was designed to operate as a catalyst for enhanced consideration and discussion of these and related issues, thereby indicating this is an area where the Central Bank intends to increase its focus in 2017. Furthermore, with the General Data Protection Regulation (2016/679) due to come into force in 2018, data protection, IT and cyber security will be key points of interest for the Central Bank in 2017.