As evidenced by the European Insurance and Occupational Pensions Authority ("EIOPA") Warning to insurers and banks in the credit protection insurance market and the Central Bank of Ireland's ("Central Bank") September 2022 Dear CEO Letter, compliance with Product Oversight and Governance ("POG") requirements has come under increased regulatory scrutiny at both a European and Irish level. The regulatory message has been for firms to strengthen POG processes, ensure better alignment of POG with risk management and for firms to put customers’ interests at the heart of their business model. Communications of this nature to the market typically signpost further regulatory focus. As such, it was of little surprise that POG was most recently the subject of a Central Bank thematic inspection.
The Central Bank's thematic inspection included a selection of six non-life insurance undertakings to assess the current level of controls, processes and systems in place in relation to POG arrangements. The inspection centred on five key control areas: (1) POG policies & procedures; (2) underwriting controls; (3) post implementation reviews; (4) risk management oversight; and (5) board oversight.
The Central Bank highlighted its expectation that (re)insurance undertakings:
- have robust processes in place to ensure they are continuously aware of the cover they provide and have a full understanding of their exposures; and
- be continuously assessing exposures that could arise as a result of new and emerging risks such as silent cyber exposures, climate change risk, and other systemic risks.
Key themes identified:
- Board oversight:
The inspection found that there wasn’t always strong Board oversight of all new products and material changes to existing products. The Central Bank notes that Boards should have a sign-off role for material new products and material product changes.
In our experience, it is always a challenge for management to determine the appropriate level of information on POG to report to the Board. In addition to being a clearly stated regulatory expectation, the ultimate responsibility of the Board for POG is also specified in legislation. Therefore, it is important that sufficient information is reported to the Board to enable directors to discharge their legal and regulatory obligations with respect to POG, and that an audit trail of POG actions (analysis / decisions / rationale) is maintained to demonstrate compliance more generally.
- Risk management:
The Central Bank found the risk function's role in POG arrangements, the Chief Risk Officer's ("CRO") active monitoring of emerging risks, and communication and collaboration between risk and underwriting to be lacking in some instances. Specifically, the Central Bank stated that the POG process should not be viewed just as a tick-box exercise, but rather as a meaningful process and control that is integrated with both the emerging risk and Own Risk and Solvency Assessment ("ORSA") processes.
To meet regulatory expectations, POG processes should be embedded within the overall risk management framework and utilised as a proactive risk management tool, with appropriate monitoring of management information, risk metrics and risk appetite and materiality thresholds included.
- Policy wording:
The Central Bank found that, in general, undertakings took action to review policy wordings in light of issues that arose from COVID-19 and took steps to strengthen their POG frameworks by addressing legacy policy wording issues and rationalising product suites. The Central Bank noted that this was not always the case and outlined its expectation that undertakings ensure sufficient resources and attention are provided to ensure that any potential detriment to the undertaking or its customers is identified and mitigated without delay and also have in place a plan of ongoing policy wording reviews.
We are seeing an increasing trend towards plain English / customer language reviews as firms take steps to ensure that policy wording is accessible, clear and transparent in accordance with regulatory expectations.
- Protection gaps:
EIOPA's recent Supervisory Statement highlighted various issues regarding protection gaps in the context of systemic events giving rise to detriment to customers, increased complaints and legal disputes between customers and insurance undertakings due to product complexity and unclear policy wording; improper application of POG processes following systemic events; reputational risks for the sector; and possible significant losses for all parties involved.
The inspection found that, while undertakings in general were aware of the Supervisory Statement, the requirements need to be reinforced to ensure that the POG process considers both prudential and consumer considerations and ultimately works to mitigate potential detriment to both undertakings and consumers.
The Supervisory Statement sets out the steps that should be taken by insurers where product issues have been identified. While these steps are outlined in the context of systemic events, they provide useful guidance to firms on the process to follow where product issues arise, which can be built into the POG framework.
Good Practices identified
The Central Bank outlined various good practices which firms should consider embedding into their own POG arrangements:
- Role of CRO in product changes: The CRO should have a ‘gatekeeper’ role with responsibility for considering the materiality of product changes and whether they should be referred to / approved by the Board Risk Committee ("BRC") and / or Board.
- Board technical insurance expertise: At least one member of the Board and BRC should have a general insurance background and a detailed understanding of products.
- Customer Forum: A Customer Forum should be established to ensure customer considerations are at the forefront of the product development and amendment process.
- Dedicated Wordings Committee: A formally constituted Wordings Committee should be established to oversee and provide technical input and challenge to scheduled product wording reviews and product consolidation, with a focus on prudential aspects.
- Schedule of product reviews: A formal schedule and defined cycle (with frequency determined by the materiality of the product) of wording reviews and/or product consolidation should be put in place with reporting, tracking, actions and owners.
- System controls over policy wordings and non-standard endorsements: Strong system controls should be in place whereby current, approved versions of policy wordings are embedded in the underwriting system and coded to relevant customer categories, mitigating the risk that a frontline underwriter might select and issue an incorrect or unapproved policy wording. Preventative controls should be used for non-standard endorsements.
- Underwriting assurance activity focus on manual wordings: Sampling methodology in underwriting QA should include specific review of manual and non-standard wordings and endorsements.
- Underwriting authorities reviewed: Formal product reviews should include a requirement to consider the appropriateness of the relevant underwriting licence / authority and a review of the suitability of individuals to hold the licence / authority.
- Customers automatically benefit from latest product versions: Legacy products or older versions of a product coverage or wording should be completely eliminated as existing policyholders are rolled over onto new wording and coverage at renewal.
- Wordings interpretation controls: Sales agents / advisers and frontline underwriters should not be authorised to provide policy interpretation advice and should be restricted to providing factual information only based on supplied text.
The Central Bank concluded that:
- many undertakings need to do more to ensure they have robust procedures and controls, as well as technical expertise to advise and challenge, to ensure they have a full understanding of their exposures in relation to the products they offer;
- undertakings should be continuously assessing exposures, both to their own balance sheets and to their consumers, from new and emerging risks; and
- when developing or updating products, equal importance and attention needs to be paid to consumer requirements, impact and expectations.
Ultimately, notwithstanding the simplicity or complexity of their product suite, firms are expected to have robust and effective POG processes in place. Therefore, all firms should carefully consider the expectations of the Central Bank and EIOPA and take steps to ensure that their POG framework is aligned with regulatory expectations.
How we can assist
Matheson's Financial Institutions Group includes a specialist team of highly experienced lawyers who are focussed exclusively on advising insurance clients and have the necessary expertise to assist clients with all aspects of POG.