Enforcement insights: attitudes and behaviours - Derville Rowland, Director of Enforcement

22 June 2017 Speech

Central Bank of Ireland

Speech at Milliman seminar

Good afternoon ladies and gentlemen, I am very pleased to join you today and would like to thank Milliman for inviting me to speak with you.  As the Director of Enforcement in the Central Bank, I am responsible for enforcement investigations across all regulatory areas, including insurance, and for the development of Central Bank policy and strategy on the use of our enforcement powers.

This afternoon, I want to offer you some insights into the role of enforcement within financial services regulation; outline the diverse range of powers available to the Central Bank and then focus on some of the behaviours that have, and can, lead to enforcement action.  I hope the lessons learned from previous cases will resonate with you, insofar as I will emphasise the responsibility of  boards and senior management to not only ensure compliance with legislation and applicable guidelines, but also to demonstrate leadership by influencing the tone at the top and driving a culture of compliance. At its essence, this is about “doing the right thing” even when no-one is watching.

Enforcement is an integral part of the Central Bank’s approach to financial services regulation and contributes to our objectives of safeguarding stability and protecting consumers.  Effective governance of a financial system comprises three core components:  Regulation, Supervision and Enforcement.  It is essential that these components work in lock-step together to deliver on the Central Bank’s objectives.

Our Enforcement Directorate was established in 2010. We have concluded 109 administrative sanctions cases against firms and individuals operating across the regulated industry, and imposed €60.148m in monetary penalties.  Some 44 of these cases, or 40 per cent of these cases, concern participants in the insurance industry (both undertakings and intermediaries) with monetary penalties of over €21.5m imposed.

The Central Bank’s approach to the supervision of regulated firms is to challenge, judge and mitigate. This means we challenge firms, judge the risks they pose to the economy, the financial system and the consumer and seek to have firms mitigate the risks we judge to be unacceptable.  It is essential that, as supervisors, we keep abreast of current sectoral practices; and understand not only key risks but also the motivations behind poor practices. It is equally essential that you, as the individuals responsible for your business and your customers, also understand and mitigate against your key risks. Firms must place good governance, robust systems and controls, and ongoing regard to consumer interests at the heart of their business.

Trust and confidence in financial services, underpinned by high standards, with integrity at their core, are key objectives for industry as well as for regulators.

Where these standards are not achieved, the Central Bank will use its full array of powers to address bad practices and behaviours, including taking enforcement action.

Enforcement works in lock-step with supervision.  It is deployed to investigate if and why a breach has occurred, how it can be rectified and how to prevent it occurring in the future.  By taking enforcement action, we are seeking to identify bad actors and poor practices, ensure compliance and effect redress. We are also sending a very public signal to the firm and to all firms about the type of conduct which is, simply put, unacceptable in the financial services industry.

We believe that a transparent approach to enforcement is vital to the promotion of public trust and confidence in financial services. In this context, the Central Bank issues public statements at the conclusion of enforcement actions. These public statements inform the financial sector and consumers about the issues identified, how a firm or individual fell below the expected standard, why a particular regulatory response was adopted and what lessons can be learned from the particular case.

These public statements help to deter misconduct within the financial sector, signal to the market what practices and/or behaviours are not acceptable and highlight the consequences of breach. They also serve to inform the public and aim to build confidence in the effectiveness of regulatory actions.

Enforcement is one option available to the Central Bank where issues are identified and forms part of an overall escalation model.   When taking a case against a firm and/or an individual, we have a wide range of enforcement options available including:

  • Making a report to another agency (including Gardaí, Revenue Commissioners, The Competition and Consumer Protection Commission);
  • Issuing a Supervisory Warning;
  • Conducting a Fitness and Probity investigation;
  • Considering the refusal and/or revocation of an authorisation. We may also, in our work, consider the refusal of a proposed acquiring transaction;
  • Taking an administrative sanctions case (under Part IIIC of the Central Bank Act 1942, or separately under Securities and Markets Regulations); and
  • Criminal prosecution.

The Enforcement Directorate is organised into multi-disciplinary teams made up of lawyers, accountants and investigative experts. When taking an enforcement case, our teams work closely with their supervisory colleagues to understand the firm and the issues identified, carefully scope the investigation, gather evidence and engage in a detailed review of that evidence. As an investigation progresses, more intrusive methods may be adopted. These can include interviewing witnesses, staff and those under investigation, forensically taking up hard copy and electronic records from a firm and/or an onsite inspection of a firm’s business.  As part of an investigation, we probe a firm’s systems, controls and culture.  Our aim is to seek to understand what has gone wrong and why.  

Such enforcement action exposes firms and individuals to the imposition of sanctions. The range of sanctions varies depending on the statutory regime used, but can include monetary penalties up to €10m or 10% of turnover for a firm or €1m for an individual, disqualification of individuals and/or suspension or revocation of a firm’s authorisation.

In using the tools available to us, we, as regulators, recognise that the provision of financial services, particularly within the EU, is not constrained by borders. Just like you, in dealing with your business, we too must also be able to deal effectively with issues that have multi-jurisdictional and cross-border impacts. One such example, from the banking sector, is the 2014 enforcement case taken against Ulster Bank Ireland Limited. As you may recall, Ulster Bank encountered serious governance failures resulting in an IT outage, which left 600,000 customers without essential banking services. This IT failure not only affected Ulster Bank customers in Ireland but also Royal Bank of Scotland customers in the UK. While I will deal with the facts of this case later, it is important to note that, as part of this case, the Central Bank engaged with the UK Financial Services Authority (as it then was) in relation to the resolution of the disruption and the scoping of an independent review to establish the causes, consequences and management of the IT incident. In addition, the Central Bank, the Financial Conduct Authority and the Prudential Regulatory Authority all took enforcement action arising from this incident. The Central Bank imposed a €3.5m fine on Ulster Bank and required it to put a redress scheme in place under which the firm has paid approximately €59m to affected customers. This case clearly demonstrates that enforcement in Ireland does not operate in isolation – where a firm operates cross-border and issues are identified we will work closely with our international colleagues to stop the harm, investigate suspected wrongdoing, effect redress and, where appropriate, impose sanctions.

While I have outlined the role of enforcement, I am conscious that the insurance industry has itself experienced significant regulatory change in recent times. 

There have been fundamental changes to the prudential framework with the introduction and implementation of Solvency II - a legislative reform aimed at: strengthening requirements around capital, governance and risk management in all EU authorised (re)insurance undertakings; reducing the likelihood of an insurer failing; and providing greater consumer protection by ensuring an enhanced level of policyholder protection across the EU.

There are also ongoing changes to consumer regulation, including the introduction of PRIIPs (Packaged Retail Investment and Insurance Products), the Insurance Distribution Directive (which will repeal and replace the Insurance Mediation Directive), and heightened requirements relating to Product Oversight and Governance.  These reforms are aimed at strengthening consumer protection by improving the quality of consumer information, ensuring a level playing field for all participants involved in the sale of insurance products, and ensuring that products coming to market receive the appropriate level of scrutiny consistent with the risks attached to that product.

I recognise that these changes are taking place in a time of global political uncertainty. As you manage your businesses through this ambiguity, key business decisions will need to be made without certainty as to what the future holds. This is challenging, but it reinforces the need for every business to have solid foundations – a strong solvency position, a robust risk management framework, good governance and sound systems and controls. From these foundations, you can make measured business decisions and build strong and resilient businesses.

Insurance is an international business, frequently carried out on a freedom of service and freedom of establishment basis, both into and out of Ireland.  The cross-border model benefits both insurers and customers who can benefit from competition and enjoy more choice. In this context, the Central Bank’s work with EIOPA is important. We work with EIOPA to develop a single rulebook and common supervisory culture and to seek to ensure a level playing field across Europe.  This work also seeks to prevent regulatory arbitrage and provide similar policyholder protection across the EU. We will continue to drive for supervisory convergence.  This work is supported by increasingly harmonised European regulations, which, whilst challenging, bring fragmented markets closer together, reduce information asymmetries, and assist in building public trust and confidence.

The foundation of the insurance business is trust. It is in the interest of industry to have stable and functioning economies, to produce products that meet the needs and desires of consumers and to operate in a culture that promotes public trust and confidence. In this way, while driven by different incentives, the interests of regulators and the interests of industry are aligned.  

Turning then to the insights I might offer you from an enforcement perspective. As I mentioned, we have concluded 44 cases against entities who participate in the insurance industry (both undertakings and intermediaries). Don’t worry – I won’t discuss all of them today! But I do hope to highlight a couple from which key insights may be gained.

In line with our transparent approach to enforcement, public statements have been published in respect of all of these cases. I would encourage you to read these statements as they offer critical information about what we expect. These cases cover a range of both prudential and conduct issues including:

  • The failure to properly manage technical reserves;
  • Breaches of solvency margins;
  • Failures in governance and internal controls, particularly around risk governance;
  • The failure to properly manage outsourcing arrangements;
  • The treatment of customers; and
  • Anti-money laundering compliance.

If you examine these cases by reference to the specific breaches uncovered and the sanctions imposed, however, you are looking at them through too narrow a lens. Instead, these cases offer insights into the type of conduct that warrants intervention by Central Bank enforcement, and highlight the attitudes and behaviours you can adopt to ensure against future enforcement action.  For example, looking at the theme of governance and systems of control: the cases taken to date clearly demonstrate that it is not enough for insurers to have procedures on paper. We have had cases where firms have had policies in place but where they did not ensure the implementation of, or compliance with, those policies. In fact, we have had more than one case dealing with governance concerns where the board was unaware of what was actually going on in the business.

The 2013 case against Quinn Insurance Limited (Under Administration) concerned the guaranteeing, by its subsidiaries, of up to €1.2 billion of Quinn Group debt. Of serious concern in this case was the fact that these guarantees had been effected without consultation with the full Board or the Investment Committee. It was also admitted that Quinn Insurance had failed to maintain a minimum solvency margin, which is a breach of a fundamental regulatory requirement. The Central Bank imposed a €5 million fine on Quinn Insurance, but collection of the fine was waived in circumstances where the firm was substantially reliant upon the funding from the Insurance Compensation Fund. As you will be aware, these failures contributed substantially to Quinn Insurance entering into administration in 2010. In summary, Quinn Insurance, through poor governance and controls, failed to ensure proper oversight of its subsidiaries. Quinn Insurance was blind to the guarantees; its Board never had an opportunity to consider them or their implications.

A board cannot be blind to what is happening in its organisation and cannot simply depend on those reporting to it for compliance. As board members, you must actively probe how controls are working and whether those controls are sufficiently aligned with business risks. You must ask the right questions, examine the responses, follow up with executive management and ensure action is taken to strengthen controls where appropriate.

While not concerning the insurance industry, the 2014 Ulster Bank case also offers key insights into the need for robust governance and oversight - most notably oversight of outsourcing arrangements.

For 28 days, approximately 600,000 Ulster Bank customers were deprived of essential and basic banking services including the ability to access cash through ATMs or pay for goods and services. Ulster Bank had entered into an outsourcing arrangement with Royal Bank of Scotland Group for its IT services. The case highlighted that Ulster Bank did not have a proper understanding of its own IT infrastructure, the risks associated with that infrastructure and the software it used. The Central Bank imposed a €3.5m fine on Ulster Bank and required it to put a redress scheme in place under which the firm has paid approximately €59m to affected customers. We recognise that IT outsourcing is a feature of modern business, but that is no defence to regulatory failings. A telling lesson from this case is that ultimate accountability for compliance remains with firms.  You can outsource activities but you must recognise, understand and manage the risks associated with these outsourced activities. You cannot delegate that responsibility.

Turning now to a final insurance case on governance – the 2012 case against Alico Life International Limited, concerning its securities lending activities.  Alico had entered into an agreement whereby it loaned securities to various borrowers through an investment agent. Worryingly, the Investment Committee’s approval was not obtained prior to entering this agreement. The Board was not aware of the investments for a year, by which time significant unrealised losses had already accrued. In addition, the receipts generated from the loan of the securities were not attributed back to the life assurance fund. The Central Bank imposed a monetary penalty of €3.2m on Alico and, as a result of the losses, Alico needed a capital contribution of approximately €50m from its parent. Yet again, this case highlights the potentially catastrophic consequences of poor governance and of significant decisions being made without a board or relevant sub-committee’s knowledge.

Insurers must safeguard policyholder assets. Core elements in the protection of these assets are the establishment, monitoring and continued compliance with robust policies and procedures. This must, however, be accompanied by effective governance and oversight by senior management and, particularly, the board of directors.  Ask yourself - how do you satisfy yourself that the internal governance framework is, both in design and operation, effective?  Who is responsible for making key business decisions, including investment decisions? Are these lines of accountability and ownership clearly documented? Are they actually adhered to in the day-to-day business? Remember, responsibility for how your business operates rests with you.

Another theme I want to focus on is putting consumer protection at the heart of your business model. In this context, I would like, in particular, to draw attention to the 2011 case taken against Combined Insurance Company of Europe Limited. In that case, the remuneration framework adopted by the firm for its tied agent network, and partly for those responsible for overseeing the tied agents, was driven by sales volumes. This led to a highly pressurised sales environment and to seriously poor behaviour among certain tied agents. There were 28 breaches across Combined’s consumer facing operations.

The case highlighted that certain of Combined’s tied agents were engaging in dishonest, reckless or misleading practices and, fundamentally, were not acting in the best interests of customers. In addition, there were instances where the firm did not follow the standard claims procedures or properly adjudicate claims. There were issues with getting to the root cause of why customers were cancelling policies and in relation to complaints handling. On top of all of this, there were breaches connected to over-insuring customers, the suitability of products for consumers, unsolicited contact of consumers by tied agents, record keeping, instruction processing, contingent sales and the provision of information to the Central Bank.  The Central Bank imposed a fine of €3.35m and the firm carried out a significant customer restitution exercise.  At the time the case concluded, it was estimated that Combined would have to pay out over €2.15m in respect of 7,917 policies. The firm ceased selling new business in 2011 and shortly thereafter its authorisation was revoked.

Consumer protection is not a procedures document, it is an actual outcome, a living, breathing part of a firm’s business model and culture. This includes an appropriate rewards model.

Could this happen in your business?  You might ask yourself - do you understand what is going on in your business?  If so, is it operating as you expect?  What are your expectations, and have they been clearly communicated to your staff?  If you sit on a board or sub-committee, are you getting all of the information that you need?  Is that information current and easily accessible?  Are you probing that information, are you regularly following up to ensure that compliance with internal controls is “part and parcel” of everyday life in your organisation and not just a “tick box” exercise?

The culture within your organisation is a key determinant in how your business operates. It is the way we think, act, speak to each other and make decisions.  It is the consequence of our attitudes and behaviours. Good culture is built around the idea of “doing the right thing”, even when nobody is looking. I appreciate that while this sounds simple, conscious and continuous effort is required to move a culture in a positive direction - perhaps this is reflective of the fact that it takes longer to build trust, than it does to destroy it.  

The errors of the past offer key lessons for the future; lessons which I encourage you to use to be a driver for positive culture change in your organisation, shaping attitudes and behaviours from the boardroom to frontline staff.