Annual Insurance Briefing - Sylvia Cronin, Director of Insurance Supervision

Opening Address at Annual Insurance Briefing in the Central Bank of Ireland

Good morning ladies and gentlemen. I extend a very warm welcome to you in our new campus here at North Wall Quay in Dublin and thank you for attending today’s Insurance Supervision Directorate’s annual industry event.

It is difficult to believe that it is already 12 months since our last address. That time has gone by very quickly, with a number of significant events, which have impacted the insurance industry. These events have ranged from the triggering of article 50 of the Lisbon Treaty on 29 March 2017, which initiated the Brexit process; to the first complete suite of annual reporting under Solvency II, Pillar III, which took place in May for the majority of undertakings.

My remarks today will focus on three main areas:

1. Brexit.
2. Supervisory convergence in Europe.
3. Areas of supervisory focus as result of changes in technology and under Solvency II.

Strategic: Brexit

The headline political change of the last 12 months has been Brexit, and the impact that has had, and will have, on insurance companies looking to relocate from the United Kingdom to other jurisdictions within the European Union. Of course, that has led to much debate and discussion in the media, and across European National Supervisory Authorities.

To foster collaboration in this area, the insurance directorate has been very open and transparent in our communications in relation to our authorisations process for new companies; and in our discussions assessing the risks and opportunities that this change may bring with existing incumbents.

With regard to companies seeking authorisation to operate in Ireland, we are, and will continue to be, open to engaging with companies and have conducted a number of pre meetings with various companies to talk through any core issues of concern at an early stage. From our supervisory perspective, the key issues under discussion have been reinsurance arrangements, governance structures and substance. Gaining insight into the business models being proposed by companies and how this will satisfy both our local regulatory requirements such as the Corporate Governance Code, as well as the Solvency II requirements. Areas of focus in these discussions have been the use of outsourcing and reinsurance arrangements.

With regard to existing incumbents, we are conscious that the interactions between the insurance industry in Ireland and the UK are many and varied. These can include the sale of insurance products, financial arrangements such as cross border reinsurance, and the use of outsourced service providers. We have engaged with you through our supervisory teams, to understand how you have assessed the potential impact large movements on exchange rates, or shifts in operating or business models may have on any entities within your group based in Ireland, or indeed across the group as a whole. We have also issued a ‘Dear CEO’ letter recently, highlighting the importance of contingency planning and scenario analysis as we navigate the waters of Brexit negotiations over the coming years. It is clear that some companies are more advanced than others in their post-Brexit strategy and planning, however, all companies need to be considering potential implications.

Increased collaboration of supervisors in the EU

In a time of uncertainties and unknowns, what we can say with certainty, is that we need to ensure that the European Insurance regulations, and the supervisory framework which underpins them, are implemented as intended. National supervisors and the industry need to work together to ensure that unintended consequences, or potential gaps in the framework are identified early and addressed swiftly.

EIOPA and national supervisors across Europe, have been working hard to build and embed this platform. This has led to the enhancement of the approach to authorisations, information sharing between home and host supervisors, and resolution and recovery planning in 2017. In addition, national supervisors have worked together to identify the key tenants of effective supervision, and establish the traits of a European wide supervisory culture.

General Protocol

Due to the internationalisation of the insurance market, there is an increased requirement for collaboration across supervisory authorities. In Europe, what is referred to as the ‘General Protocol’, will provide the foundations for increased, timely, qualitative and quantitative information sharing across home and host supervisors. This will largely focus on the business strategy and models of companies, as well as the health of the solvency position. Such collaboration will be facilitated through the EU supervisory college framework, information sharing platforms, as well as an EIOPA data hub.

Protocols such as this of course will only be effective in practice where there is an open and collaborative supervisory culture. Chapter Zero of the Supervisory Review Process handbook will be published shortly. However, the key underlying principle to this is the on-going efforts to build a more harmonised and embedded supervisory landscape. Maximum harmonisation of a European supervisory approach, and information sharing across borders in order to provide a complete and holistic view of the insurance undertakings operating across Europe. The benefits of which, should be felt by those in the industry across the EU.

Resolution and Recovery Planning

Looking to the future, the recently issued EIOPA opinion on the harmonisation of recovery and resolution frameworks for the insurance sector may be a landmark step for the insurance industry in implementing the G20’s 2011 commitment to end the ‘too big to fail’ possibilities in insurance. While this is still currently an opinion, this represents a clear strategic direction of travel for recovery and resolution frameworks in the EU, which to date remained a national matter. We will keep a watching brief on the developments in this area, and participate at European fora, as appropriate in discussing and shaping the changes that follow.

Strategic & Operational: Social change, digitalisation and technology

Aside from political disruption and the knock on impacts this has for the insurance industry, the ramifications of a technological disruption can be just as significant, if not more so. The increased use and reliance on technology by industry, and indeed society, has led to a number of challenges for insurance companies. I would like to touch on some of these challenges today.

The first being driven from the demand side. The consumers’ need for real time, easy-to-access, easy to understand, value for money, products and services. This has encouraged traditional insurers to explore the possibilities that innovative insurtech start-ups can offer. Such insurers have started to test the waters by building capabilities such as telematics, geo-location technology, encouraging the use of ‘fit bit’ technology, as well as developing an increased presence on social media and on the mobile devices of consumers. All of this with the aim of becoming more user friendly and attractive to consumers, but also, ultimately, to build a data repository on consumers collective and individual wants and needs.

While such innovation is essential for traditional insurers to survive, it brings heightened risks in a financial services world being rapidly reshaped by technology; this also brings with it, heightened risks. Therefore, insurers need to be mindful that their appetite to be innovative, and speed in gathering large masses of personal data, needs to be matched in their approach to risk management. Risk management across the board, and importantly IT risk management.

This brings me to a second challenge technology brings, Cyber Risk. I have heard in the past that there are only two types of companies out there when it comes to cyber risk; those that have had a cyber-attack and know it, and those who have had a cyber-attack and do not. As insurance companies are increasingly becoming the custodians of personal data, the expectations around how these companies protect that data are increasing. As you are all too keenly aware, the requirements of such will be reflected in increased regulation through the General Data Protection Regulations due to become live in 2018. Therefore, it is essential that companies have a robust approach to protecting themselves against cyber-attacks and remaining compliant with regulatory requirements.

Of course, a company also needs to protect itself against cyber-attacks for operational purposes. In today’s operating environment the end-to-end value chain of companies is much more complex than in the past, and there are more interdependencies within groups, and with external third parties. As a result there is the potential for more gaps, more entry points for malicious attacks. Such attacks can cause business interruption, such as ransomware attacks similar to ‘WannaCry’ this year, but some of these attacks can also be much more subtle such as ‘phising’.

As our supervisory approach has begun to incorporate a technology strand over the last couple of years, we have observed that ‘phising’ attacks are becoming more commonplace and more sophisticated. These are often aimed at Chief Financial Officers (CFOs) for financial gain. We have seen that these appear in the guise of requests to approve payments and transfers of funds. This can lead to financial loss for companies. What this highlights also is the potential for human error. It is crucial that you continue to raise awareness across your organisations from the CFO to the employees on the front line.

While I have touched on what may seem, the more recent and headline end of technology, in speaking about innovation and cybercrime; it would be remiss not to mention that there is another third area of technology risk in the insurance industry in Ireland. It is the mundane reality of legacy systems. Systems onto which products such as life insurance policies, were written up to over 20 years ago and continue to run off today. Systems, which over time a business accumulated, due to merger or new business acquisitions, and have not been integrated. Without exaggeration, sometimes systems where there is only a limited number of people in the world that can still use and service them. Such legacy systems also carry risks for companies and need to be addressed, and this remains a challenge for companies.

What are we are supervisors seeking to do in this area? At a European level EIOPA is developing an InsurTech Task Force which will be responsible for the implementation of EIOPA’s core digitalisation activities, such as a thematic reviews on the use of Big Data by insurers, assessment of barriers to financial innovation and cyber risk. We will work with our European supervisory colleagues on this.

Here at home, the Central Bank of Ireland, has and will continue to increase our focus on this area. As you will be aware, to date, our Policy and Risk division has issued cross industry guidance on IT and cyber security risks last year. In the Insurance Directorate we have focused our energies on thematic reviews across the industry through the use of the Auditor Assurance tool and self-assessment questionnaires. During 2017 we have also started to focus on how companies approach IT management as a component of some of our on-site inspections. It is likely that you will see increased activity through the supervisory and inspection teams in this area over the coming years.

Regulatory & Operational: Solvency II

Regulatory change is another source of risk for insurance companies today. Such change has dominated the insurance supervision agenda for the past number of years with the implementation of Solvency II. We are cognisant that regulatory change will continue over the foreseeable future for the insurance industry. Looking ahead there is the impending implementation of Packaged Retail and Insurance-based Investment Products and the new General Data Protection Regulations requirements due in 2018, but change will continue right out to the IFRS 17 ‘go live’ date of January 2021.

We understand that continuous change such as this has a real cost for the industry in terms of time, effort and money. Therefore, I would like to take a moment to acknowledge the efforts that industry has made over the past number of years to prepare for and implement Solvency II, as well as all other regulatory requirements.

It is almost two years since the implementation of Solvency II, and looking back over that time I believe that the Central Bank’s implementation of this regime, has been robust but proportionate, in line with our statutory objectives.

I would now like to look back briefly, on the approach we took to the implementation of the Solvency II framework in 2017. The approach this year was two pronged. Firstly there was one of the biggest milestones left outstanding, the receipt of the first round of annual results and disclosures under Solvency II; and secondly, the challenge of Solvency II becoming Business As Usual.

Regulatory Reporting & Data Quality

Allan will speak in more detail shortly to the challenges of regulatory reporting and data quality under Solvency II. However, the receipt of this information in 2017 was a significant milestone. Such reporting included for the first time a broad suite of qualitative and quantitative information.

There has been much discussion in relation to the ‘burden’ of reporting requirements. The quantity of data undertakings must report, and the compressed timetables for doing so. It is of course true that the volume of reporting for undertakings under Solvency II is far greater than the previous regime.

However, we view this reporting as a significant improvement, which will enable better delivery of the Central Bank’s mission of safeguarding stability and protecting consumers. Such disclosure is also core to delivering on one of the key principles of Solvency II - transparency.

The submission of the Regular Supervisor Report (RSR), the Quantitative Reporting Templates (QRTs) and the National Specific Templates (NSTs) to supervisors, will significantly increase the level of analysis and insight that we can perform. The publication of the Solvency and Financial Condition Report (SFCR) will enhance transparency of the industry for consumers.

Solvency II: Business As Usual (BAU)

Although the annual reporting deadlines during 2017 were the last significant ‘first time’ milestone as part of Solvency II implementation, many elements of the Solvency II regime began to move into the business as usual space during 2017. At the outset of the year we asked ourselves, now that Solvency II has been applied how do we take it forward?

In planning this approach, we applied a risk based mind-set, assessing where we saw some of the elevated risks for each of the sectors. This is in keeping with our supervisory framework. Although our supervisors would have investigated many areas during 2017, two areas I would like to call out are: the on-going monitoring of capital across all sectors and oversight of outsourcing arrangements.

Capital

In relation to capital, we performed a number of assessments of the appropriateness of the standard formula across the various sectors. The Solvency II standard formula works well for many firms. However, no standard formula, no matter how well it is designed can fit all companies perfectly. Therefore, it is important that we, and you, remain vigilant to monitor the appropriateness of this as businesses and the environment changes.

In relation to Internal Model firms we continued our work to ensure implementation of Terms & Conditions imposed as part of the previous model approval process. In addition to this we have established an internal group of experts to monitor the movements of the overall Solvency Capital Requirement (SCR), and the underlying risk modules. It should come as no surprise that we will continue to approach internal models rigorously and with a questioning attitude.

We have engaged with our supervisory colleagues across Europe, and the Prudential Regulatory Authority, to discuss approaches to major changes to internal models. It has been noted, thus far, that proposals for major model changes, more often than not, have reduced rather than increased capital requirements. Although we have received a minimal amount of requests for major model changes to date, we would echo the sentiment of the PRA, that where such requests will be made in the future, significant weight will be put on the accountability of the senior executives, risk and actuarial functions and the strength of the governance of companies.

In addition to monitoring changes in the actual capital position, we have also endeavoured to work with industry over the past number of years, to identify potential sensitivities in the balance sheet in times of stress. The life sector participated in the EIOPA stress tests in the past, however, in 2017 we believed it was appropriate to request a suite of bespoke stress testing in the non-life sector. This is in light of the peculiarities of the domestic market.

The aim of this exercise was to acquire greater insight into potential vulnerabilities of the business, balance sheet resilience and the realism of proposed management actions in the wake of a stress event. We expect the analysis of the results of this to be completed by the end of the year.

Outsourcing

Finally, over the course of 2017, there was an increased focus on outsourcing risk for companies. This was both from the insurance, and the policy and risk directorates of the Central Bank. Most recently, an outsourcing questionnaire has been circulated and seeks to identify potential concentration or interconnected risks across the financial services industries, as well as to gauge the potential differences in approach to managing external third parties.

In light of further potential for increased numbers of companies putting in place business models, which heavily avail of outsourced services post Brexit, we will continue to carry out a number of supervisory initiatives to understand the risks that this may pose. For example, in 2017 the insurance on-site inspections team has conducted a thematic inspection of outsourcing to external third parties across a number of cross border life insurance companies.

In addition to the outsourcing of operational aspects of companies, we expect that there may be increased change in distribution channels through the Freedom of Services and Freedom of Establishment frameworks, as a result of Brexit. This may lead to business models which delegate responsibility for core insurance activities such as underwriting and claims management to a third party. It should come as no surprise that our overall expectation would be that companies, and their boards, remain the first line of defence and are accountable for the risks written on their balance sheets, regardless of the distribution channel used. Where insurers participate in delegated underwriting or claims management arrangements, we will expect them to retain the ability to understand the impact of business written through these channels on their overall risk profile. We will approach the assessment of such arrangements diligently and rigorously, both at home and across borders, leveraging relationships with our European supervisory colleagues.

Closing Remarks

This brings me to the end of the opening address for today’s event. What I have set out today is a picture of an external environment that continues to evolve and change driven by various factors including political, societal and technological changes. Regulation and supervision will also be subject to change so as to keep pace. We will continue to update our approach in light of new information or changing circumstances, and work with our European supervisory colleagues in doing so.

We will also continue to work through some of the refinements required to the Solvency II framework, as part of the Solvency II review. Although it would be surprising if a new regulatory framework as complex as Solvency II had no shortcomings, I am a firm believer that the Solvency II risk based regime has positioned us to be more nimble and realistic in the face of such dynamic market conditions as those which we face today.

Some will question if the Central Bank has been overly intrusive in its implementation of Solvency II. We have certainly been busy, however, I believe that we have struck the right balance through our engagements.

Thank you for your time today. I would now like to take the opportunity to introduce you to the new Head of Division for Insurance Supervision, Marie Louise Delahunty, who will take you through some of the ‘Challenges Ahead for Insurance Supervision’ and how we will take supervision forward.