Insurers' boards of directors and their senior management teams have significant responsibilities under the Solvency II governance requirements, including the responsibility for putting in place a robust system of governance. The past year has seen a number of regulatory developments which will have implications for those systems. Each insurer's board of directors and its senior management team will need to ensure that its governance system is adapted to the requirements of the rapidly changing regulatory landscape for insurers.
Overview of Solvency II
The Solvency II regulatory framework represents a quantum leap in insurance regulation. It consists of the level 1 framework Directive 2009/138/EC ("Solvency II"); level 2 measures, which take the form of delegated and implementing acts and binding technical standards; and level 3 measures, which take the form of guidelines. EIOPA has issued two sets of guidelines directly relevant to the Pillar 2 governance requirements, both of which have applied from 1 January 2016, namely:
- Guidelines on the system of governance; and
- Guidelines on own risk and solvency assessment (ORSA).
Solvency II has been transposed into Irish law by the European Union (Insurance and Reinsurance) Regulations 2015 ("Solvency II Regulations").
The Solvency II solvency and supervisory framework for insurers consists of three main thematic areas or "pillars" of regulation, which are designed to be mutually reinforcing. Pillar 1 consists of the financial or quantitative requirements (ie how much capital an insurer should hold). Pillar 2 sets out requirements for the governance and risk management of insurers (ie the qualitative requirements), as well as for the effective supervision of insurers. Pillar 3 focuses on supervisory reporting and transparency requirements.
Overview of the Solvency II Governance Requirements
Solvency II sees robust governance as a pre-requisite for an efficient solvency system and as essential in addressing risks that cannot be adequately addressed through capital requirements. It also views governance as being critical to the effectiveness of the supervisory system. In the Solvency II context "governance" is used in a broad sense, encompassing aspects of corporate governance as well as the concept of risk management.
Solvency II sets out a number of requirements regarding an insurer's system of governance, covering general governance, fitness and probity, the key functions (risk management, compliance, internal audit and actuarial), the Own Risk and Solvency Assessment (ORSA), and outsourcing. Solvency II also imposes requirements in relation to remuneration.
Overall, the aim of the governance system requirements is to ensure that each insurer's system of governance is based on an appropriate and transparent allocation of oversight and management responsibilities so as to ensure effective decision making, the prevention of conflicts of interest and the insurer's effective management.
The board of directors has ultimate responsibility for ensuring compliance with the Solvency II requirements including the requirement to establish and maintain an appropriate and compliant system of governance. It must ensure that the insurer can demonstrate that the governance system is effective and appropriate for its specific risk profile and that this can be reviewed by its supervisor.
EU Regulatory Developments
For the most part, the Solvency II regulatory framework entered into force on 1 January 2016, including the Pillar 2 governance requirements. Over the past few months, a number of key challenges have emerged for the governance system. This overview focuses on three of those challenges, namely ongoing legislative developments generally, specific developments relating to product governance, and risk management.
Implementing Solvency II was a huge challenge for insurers. However, further implementation challenges will need to be confronted over the coming months and years and the system of governance will need to play a key role in this process. These implementation challenges include in particular:
- the Regulation for Packaged Retail and Insurance-based Investment Products 1286/2014 (the "PRIIPs Regulation"), including the Key Information Document (KID). The PRIIPs Regulation itself is due to apply from 31 December 2016, although there are growing calls for this date to be extended, particularly in light of the European Parliament's recent rejection of a European Commission draft delegated regulation on the KID.
- the Insurance Distribution Directive 2016/97 ("IDD"), which applies from February 2018, and its related delegated legislation. Among other things, manufacturers of insurance products, including insurance undertakings, will need to start drawing up a non-life Insurance Product Information Document ("IPID"). The IPID's purpose is to ensure that key information about non-life insurance products is presented to the customer in a standardised format, so that he or she can use the information to understand the product offered and compare between different products.
- non-insurer-specific legislation, including, for example, the Fourth Money Laundering Directive 2015/849 and, somewhat further down the line, the new EU General Data Protection Regulation 2016/679.
As is clear from Solvency II, the Board of Directors has ultimate responsibility for ensuring that the relevant insurer complies with all relevant laws. In addition, it must ensure that the relevant insurer's policies and processes are reviewed and updated as appropriate to reflect the changing legislative environment.
Product governance has been a key focus for EIOPA over the past months, not least because of the IDD's publication in the EU's Official Journal in January of this year. In April, EIOPA published its Final Report on Public Consultation on Preparatory Guidelines on product oversight and governance arrangements by insurance undertakings and insurance distributors. The Preparatory Guidelines provide early guidance and support national authorities and market participants with the implementation of product oversight and governance ("POG") requirements in preparation for the formal requirements set out in the IDD.
Among other things, the Preparatory Guidelines place obligations on manufacturers of insurance products, including insurance undertakings. They include requirements designed to ensure that appropriate steps are taken to identify the group of consumers for whom the manufacturer is designing the product (the "target market"), to align this product with the relevant interests and objectives of the target market and to ensure the usage of appropriate distribution channels. Manufacturers are expected to properly test the product before selling it to customers and to take appropriate action to mitigate unforeseen risks that subsequently arise during the lifetime of the product. They must also strengthen the control processes they follow before bringing their products to the market.
According to EIOPA:
Due to their purpose and objectives the organisational arrangements as outlined in the Guidelines have a substantial link to the system of governance under the Solvency II framework, requiring firms to have a sound and prudent management of the business under a risk-based approach including an appropriate risk management system. Organisational arrangements which aim to ensure a correct design of the insurance products fall within the system of governance of the insurance undertaking.
Boards and senior management will be expected to take increased responsibility for ensuring their products are only sold to those for whom they are designed. In particular, the board should ensure that conduct of business concerns are fully integrated in the institutional governance arrangements, so that it can reliably reassure supervisors that the insurer is placing customers' interests at the heart of its business.
Risk Management Requirements and the ORSA
Risk management requirements are an essential feature of Solvency II, and in particular the ORSA, which is essentially a set of processes that together form a tool for decision-making and strategic analysis. Among other things, the ORSA report should include all material risks to which the insurer is exposed or may be exposed in the future.
The main purpose of the ORSA is to help the board make sound strategic decisions, to define the value created, to set up a strong risk culture and to embed risk awareness in the relevant insurer's day-to-day operations. According to EIOPA's Chair, Gabriel Bernardino, in a speech on 3 March 2016, the board of directors must set the tone to ensure that risk management requirements, and specifically the ORSA, are not treated as a compliance exercise. EIOPA expects:
Boards of insurance companies to set, communicate and enforce a risk culture that consistently enforces, directs and aligns with the strategy and objectives of the business and thereby supports the embedding of its risk management framework and processes.
The board of directors needs to ensure that it is kept fully informed of emerging and evolving risks and that these are appropriately reflected in its risk management structures and in the ORSA.
IT and cyber security are widely identified as a key source of risk across the financial sector. In September 2015, the Central Bank of Ireland highlighted that the boards of insurers were not always considering cyber security as one of the significant operational risks facing insurers. It also indicated that it would scrutinise cyber risk in its ORSA review of insurance firms and as part of its supervisory engagement with firms. This scrutiny is continuing to evolve in a Solvency II context in 2016.
The Central Bank has recently published its Cross Industry Guidance in respect of Information Technology and Cybersecurity Risks. According to that Guidance, the Central Bank expects boards and senior management of regulated firms to fully recognise their responsibilities for these issues and to put them among their top priorities. Among other things, each board needs to have sufficient knowledge and understanding of IT-related risks to be able to effectively challenge senior management on their management. Boards should understand what the relevant insurer's critical assets are, how they are shared with external parties, and the potential damage to the firm in the event of a data or systems breach.
While by now all insurers should have in place Solvency II compliant governance systems, boards and senior managers must continue to focus on maintaining the suitability of those systems in light of new legislative measures, the increasing regulatory focus on POG requirements and emerging and evolving risks. This places a considerable burden and responsibility on the board and senior management who are ultimately responsible for all elements of the overall system of governance as well as for setting "tone at the top" and embedding an appropriate risk culture.