Address by Director of Insurance Supervision, Sylvia Cronin, at KPMG Event
09 March 2017
Speech
'Towards certainty in uncertain times'
Good morning, ladies and gentlemen. I am very pleased to join you at this event today and would like to thank KPMG for the invitation to speak with you.
The introduction of the Solvency II regime just over a year ago gives us all a new perspective through which we can review the current environment. As undertakings perform their Own Risk and Solvency Assessment in an uncertain environment, it is possible to see common themes emerging and discuss areas where some undertakings are more advanced in their analysis than their peers. Today, I would like to consider three themes: investment returns, Brexit and the area of IT and Cyber Risk.
Investment returns
Expected future investment returns and inflation rates are a key impact on many business models, true in particular for insurance undertakings. Divergences between countries persist in expectations of investment returns and inflation and those returns impact insurance company business models in many ways.
For many years now the key risk has been “low for long” when it comes to interest rates, but markets are now expecting interest rates and inflation in the US to rise. However, the ECB’s most recent expectation for the Euro area is of continued low interest rates and low but rising inflation combined with asset purchases [1]. The Bank of England’s most recent announcements set out similar expectations for sterling [2].
As the impact of these key business model drivers is assessed, I expect companies to use a range of stresses and scenarios to ensure that they have robust business models throughout a business cycle.
10 years ago, most undertakings would not have expected a period of extended low interest rates of close to zero and many would have adjusted their business model if they expected this to be the case.
Whilst you obviously need to prioritise and take a proportionate view of your stresses, you also need to challenge your thinking. You need to look at both sides of an issue or situation to see just how it might impact you, particularly as events change.
The Insurance Directorate is engaging in a stress testing exercise for the non-life market in 2017, which aims to test balance sheet resilience to a range of moderately severe events and to assess the realism of proposed management actions in the wake of a stress event. The events include an asset shock. This exercise was conceived and designed by the Central Bank and thus is not part of EIOPA stress testing.
Communication has taken place with the firms involved, with the aim of launching the tests with those firms in Q2. Results will be expected later in 2017.
IT and data
Solvency II requires the collection and submission of more regulatory data and more complex data than ever before. The practices introduced are robust and comprehensive and it heralds a new phase for the insurance industry. Supervisory authorities and the European insurance industry are finalising preparations for the first annual reporting under Solvency II.
We place particular significance on the governance and internal controls that surround regulatory reporting which should ensure the quality of data submitted to us. We would counsel that a major focus of the preparations for the first annual returns should be the accuracy of the information. The importance of the quality of this data cannot be overstated.
Boards are accountable for the accuracy of information submitted to supervisory authorities. Directors should not sign off on these submissions without thoroughly satisfying themselves as to the accuracy of the information and the effectiveness of the processes, systems and controls to ensure this accuracy.
As the information we receive drives our supervisory decision making, the Central Bank has invested significantly so as to ensure the quality of Solvency II data. In terms of how we assess the quality of data, we conduct taxonomy validations and automated checks of quality. Supervisors then sense check the overall returns to ensure alignment with their understanding of the business model and financial position of the firms.
Given the increase in the volume and complexity of information to be submitted in the annual returns, it is imperative that firms learn lessons from the quarterly reporting. In reflecting on the quality of Solvency II data submitted to date, there have been strengths and weaknesses in what we have observed, both in terms of the data being fit for purpose and right first time. In getting to the reasons behind these weaknesses, directors and senior executives must consider the controls in place, the validation of review and governance process and certainty around the integrity of the data. Confidence in the data submitted will better prepare us all for addressing the various sources of uncertainty we are faced with.
The theme of cybersecurity is very much linked to IT and data. Firms are submitting significant amounts of data to supervisory authorities, in addition to collecting more information from customers than ever before and through new and innovative channels. This has led to an increased focus on protecting that data. Given IT systems’ central role in the operation of insurance undertakings and the role of digitalisation in shaping the future of insurance, there is a heightened risk when it comes to IT systems failure and/or Cyber ‘trigger events’, e.g. data theft or destruction.
For the Central Bank of Ireland, the risks associated with IT and cybersecurity are a key concern. This is based on the potential implications for firms, consumer protection and financial stability more broadly. Accordingly, we have dedicated much effort to ensuring firms take action to manage these risks.
In September last year, we published Cross Industry Guidance on IT and Cybersecurity Risks. The Guidance is a clear statement of the standards and quality in this area that the Central Bank expects to see firms meeting. Within the Insurance Supervision Directorate, our supervisors have undergone training on IT and cybersecurity and this topic is increasingly being addressed as part of general engagement with firms.
With regard to some of our high impact firms, we are utilising the auditor assurance framework to seek assurance on the governance arrangements in place around cybersecurity. These firms are required to prepare a report setting out a description of the internal governance arrangement performed by the board of directors and senior management. Their auditors must then undertake an examination and prepare reports to be submitted to the Central Bank later this year.
For lower impact firms, we have issued a questionnaire based on the Guidance published by the Central Bank and conducted an extensive review of the responses. Firms will receive feedback specific to them this month. I am glad to have the opportunity to share with you today for the first time some of the high-level insights afforded by our review.
We suspect that the findings from the lower impact firms may be at least partly indicative of the position across the wider insurance industry. The Central Bank is determining the wider industry position in Ireland through the auditor assurance exercise for high impact firms and general engagement with firms.
I would suggest that, when listening to these findings, you consider your own firm’s position.
The following are some of the particularly noteworthy findings from the responses received.
87% of undertakings claim that IT risks are identified and assessed as part of a regular review process, with an IT risk register maintained. While it is encouraging that generally IT risks are identified and assessed as part of a regular process, we cannot ignore that 13% do not have this basic process in place. Of further concern is the finding that standalone IT risk management frameworks are not in place for 50% of firms.
63% of undertakings do not have a board-approved IT and cybersecurity strategy. This is an unacceptably high figure for a fundamental aspect of the governance of IT and cyber risk. We found that 39% of firms do not regularly report IT and cyber risks to the board. In a similar vein, 57% of firms do not have a board-agreed programme in place for regular cyber risk assessments and vulnerability scanning.
As you can tell, the most pronounced deficiencies relate to the governance around IT and cybersecurity. These findings point to significant weaknesses in the IT and cyber risk culture within firms. I must emphasise how crucial board involvement is. The extent of board engagement with IT and cyber risk is an indicator of the priority accorded to such risk and the ability to manage it.
We acknowledge the efforts of firms who have risk processes, strategies etc. in place. However, it is evident that there is a requirement generally to enhance existing practices, initiate and embed constructive improvements and to support an improved control environment. These enhancements must be implemented with a real sense of urgency and genuine board engagement.
A theme across the various uncertainties associated with technological risk is the need for innovation and investment in systems. Digitalisation is a driver for efficiencies and firms therefore need to dedicate capital expenditure to facilitate digitalisation. I firmly believe that those who don’t will get left behind and that a sustainable business model is not possible without innovation. Of course, while the industry is innovating in the ways in which it provides services to consumers, the fundamentals of good underwriting discipline remain the same and firms must ensure they get underwriting right in a digitalisation context. On cyber, investment in systems will yield return in terms of resilience to attacks and the resultant management of reputational risk and retention of customers.
Brexit
The final theme I wish to talk to you about is Brexit. Brexit is a major shift in direction, driven by the external environment. There is no road map as to how a country goes about exiting the European Union. The unprecedented nature of the event makes assessing the effects difficult and navigating a clear path challenging. Due to the restriction on any negotiations taking place before Article 50 is invoked, we know little for sure and even less in detail.
Many things will need to be discussed and resolved, such as future trading agreements, equivalence and the issue of ‘passporting’ on a cross border basis. The impact on capital flows and regulations will emerge over time.
There are some certainties associated with Brexit. The UK will not be seeking to remain a member of the single market but will seek access to that market. Brexit will directly impact the Irish industry, be it Irish firms selling cross border into the UK or UK firms selling into Ireland on a freedom of services or freedom of establishment basis. The Central Bank is committed to maintaining standards of transparency, consistency and predictability with regard to our regulatory and supervisory responsibilities so as to mitigate some of the Brexit-related uncertainties facing firms.
Moving into the future, I would expect the UK insurance regulatory regime will remain on par with Solvency II. And just as the PRA were at the forefront of driving many of the core aspects of Solvency II, I would foresee this continuing in the shaping and implementation of global regulatory standards in the future.
Much of the commentary on Brexit and the Irish insurance industry has focused on expectations regarding firms currently authorised in the UK seeking to establish in Ireland in order to maintain passporting rights. I want to share with you some information in relation to recent activity on applications for authorisations as insurance or reinsurance undertakings in Ireland.
Since November, we have received 5 applications for authorisation as an insurance or reinsurance undertaking. A further 5 entities have signalled a firm intention to apply for such an authorisation. We have been contacted by approximately another 20 insurance entities to discuss authorisation. Unlike other financial sectors, insurance firms are not generally waiting for Article 50 to be triggered before implementing their strategies on location.
We are open to discussion and engagement with any applicant. Our website contains extensive information on our approach to authorisations. A firm will not be authorised unless it demonstrates compliance with the requirements specified in law. In determining an application for authorisation, we follow clear, published rules and processes derived from EU law, and are guided by our mandate to protect consumers. Our European counterparts assess applications for authorisations using the same rules. There is a collective commitment of supervisors in the EU to safeguard the integrity and the homogeneity of rules and our determination to avoid regulatory arbitrage.
A key requirement for authorisation is substance in Ireland. The applicant must demonstrate to us that the business will be run from Ireland and that decision-making happens here. When reviewing applications, we need to be satisfied that there is substantive presence here; that the decision-making happens here. Having the appropriate level and profile of staffing in Ireland is a major indicator that the business is run from Ireland.
We also need to have comfort that the firm is actively engaged in managing the risks it faces, as well as ensuring that the customers’ interests are central to the business proposition, from the suitability of products to the treatment of claims. Firms with appropriate business models, with convincing risk identification and management, focus on consumer needs, suitable products, sound finances, strong boards and executives, can be expected to be approved, whether or not such business models already exist in Ireland.
Some business models are more risky than others and require more safeguards - for instance, models underwriting foreign risks throughout Europe require deep knowledge and expertise of those markets. Business models can be ill-conceived, such as taking on far-flung risks in foreign jurisdictions on an Irish balance sheet, or selling products widely seen as unsuitable.
If an institution satisfies our expectations and is successful in its submission, then they will be subject to the same regulations and supervision activities that apply currently to existing firms. It is important to note that Brexit will not just result in authorisations for the sake of authorisations; we will ensure that any business seeking to establish here is of suitable standard and quality.
The Central Bank does not have any difficulty per se with outsourcing and/or insourcing up to an appropriate point. Such approaches form a part of many business models and should not be considered problematic in themselves. Our focus in this regard will be on ensuring that they are done well and in line with sound practices. In particular, we will be focused closely on the principle enshrined in Solvency II that while an activity may be outsourced, responsibility for it may not. We will always want to see that there is the level of expertise and seniority within the entity to effectively oversee and manage such outsourcing. A firm may not outsource to the extent that it is effectively hollowing out an important part of the regulated activity.
The Insurance Supervision Directorate has considerable experience in authorising firms, as evidenced by the approximately 200 insurance entities on the register of authorised undertakings. The staff complement reflects the additional resources needed to deal with applications that have come and will come our way, and we have built in contingency should the need arise. These factors combined mean we are well-equipped for the expected authorisations activity and consequent oversight of new companies.
It’s important to note that the Central Bank no longer has a mandate to promote the development of financial services in Ireland. We did have such a mandate in the past and it was judged that this compromised our authorisation and supervisory stance. There is good reason this has been removed from the Act that defines our role. Rather, we have a clear mandate to promote stability and protect consumers.
Closing remarks
To conclude, in order to work towards certainty, it is crucial that themes of uncertainty and risk are properly addressed through the ORSA. The process prompts firms to reflect on the future environment, stresses to apply and actions to be taken. We need to be vigilant to the risks posed by the evolving and often volatile environment we operate in.
Significant global developments may be outside of firms’ direct control but firms can control their approach to uncertainty. We all must be proactive in addressing uncertainty. The various sources of uncertainty cannot distract firms from treating the customer fairly, maintaining an effective risk culture and a focus on providing quality products at a reasonable price. The expectations I have set out today can help ensure sustainable business models in the face of current uncertainties.
Supervision can offer certainty at this challenging time. Solvency II is embedded and the regulatory framework will continue to evolve, keeping pace with developments in the market. EIOPA’s work on supervisory convergence through the supervisory handbook and peer reviews helps ensure a certain and consistent supervisory approach across the EU. The industry and regulatory community can overcome this uncertainty in a cohesive way and apply the lessons learned during this period.
Interesting and challenging times lie ahead; of this, we can be certain.
I am grateful to Miriam Brosnan for her contribution to this speech.
________________________________
[1] European Central Bank (2017) Monetary Policy Decisions [press release], 19 January, https://www.ecb.europa.eu/press/pr/date/2017/html/pr170119.en.html; European Central Bank (2017) Inflation forecasts [online], https://www.ecb.europa.eu/stats/prices/indic/forecast/html/table_hist_hicp.en.html
[2] Bank of England (2017) Monetary policy summary, 2 February, http://www.bankofengland.co.uk/publications/minutes/Documents/mpc/mps/2017/mpsfeb.pdf