2020 Insurance Regulatory Outlook From Deloitte: Status Quo Not An Option For Insurers

The Deloitte Center for Regulatory Strategy, Americas, prepares a cross-industry series on the forthcoming year’s top regulatory trends, eyeing some of the issues that will have a significant impact on businesses.

We excerpt liberally from the text…

With the increasing prevalence and effectiveness of technology around the globe, the status quo is no longer an option. To keep pace with change, the insurance industry should continue evolving its approach to the myriad challenges it faces and, more importantly, the opportunities it can take advantage of in this fourth industrial revolution. Regulatory, legal, and compliance functions are being asked to do more with less while grappling with new and emerging challenges that stem from the near-ubiquitous use of advanced technologies to meet increasing cost pressures and to deliver value beyond the limitations of traditional approaches to testing, monitoring, analysis, and supervision.

In this digital world, new threats are emerging along with new laws and regulations to help protect consumers and the markets. Regulators, both domestic and foreign, are focused on data privacy protections to mitigate the risks that result from improper collection, handling, storage, and use of data. Cyber threats continue to become more sophisticated and more damaging, putting even more urgency around developing protections from bad actors, both external and internal.

Against this backdrop, insurance companies should continue to modernize and rationalize their regulatory, legal, and compliance functions and their practices. Insurance companies that take a holistic view of regulatory risk management may find efficiencies that can lead to streamlined and rationalized programs. A modernized compliance function can help insurance companies achieve compliance as efficiently and effectively as possible by “thinking forward” and then harnessing the leading available compliance practices and technologies to comply with current and future regulatory requirements. Some companies are even looking at their regulatory and compliance risk management programs as a competitive differentiator that enables them to be more nimble in the marketplace.

Regardless of how the changes promulgated by lawmakers and regulators affect insurance companies, it is imperative that they continue to modernize and rationalize their regulatory, legal and compliance risk management programs so that they can meet applicable laws, regulations, and oversight and monitoring expectations in a sustainable, proactive, and cost-effective way.

Privacy compliance with data management upgrades

Insurers have spent a lot of time and money preparing to comply with the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). But have they done enough?

The immediate concern, particularly for those subject to the new CCPA once enacted, is implementation and execution of compliance plans. Have insurers done enough to meet the new standards and avoid potential stiff penalties and reputational damage, or are there elements they have overlooked? What course corrections still need to be made?

Looking ahead, insurers need to brace themselves for additional regulatory initiatives. For example, New York is debating its own stringent privacy rule that goes further than either GDPR or CCPA by establishing insurers and other data collectors as information fiduciaries and allowing private causes of action.

The good news for organizations with a global footprint is that much of the effort that has gone into GDPR compliance overlaps with what needs to be done for CCPA (see figure 10). Also, the European Court of Justice recently ruled that the GDPR’s “right to be forgotten,” which allows individuals to ask that their personal information be removed from websites, news articles, and databases, cannot be applied outside the European Union. In essence, this means such a right will not exist in the United States without federal or state laws mandating it, easing the burden on insurers with US operations.

Tackling privacy and data management in 2020

Many insurers are struggling to meet the new regulatory requirements because their siloed legacy systems lack integration. The overwhelming volume of data being maintained can also be a problem. Insurers should consider establishing a more comprehensive information governance program that addresses these and other data management and privacy challenges, not just to meet compliance standards, but also to enable better business decisions and actions.

One potentially helpful approach is data minimization, which involves setting protocols to automatically flush superfluous information on a regular basis. Insurers are learning that one of the leading ways to protect sensitive information from a breach is to carefully and legally discard that information when it is no longer needed for legal or business reasons.

Insurers should also realize that regulatory compliance is only half the story. From a business perspective, insurance companies should consider increasing their engagement with customers to better utilize all the new data at their disposal — for the mutual benefit of the company and the customer. Treating data as a tradable asset that consumers knowingly and willingly exchange for something of value could be turned into a competitive advantage.

Key questions to ask

Insurers need to know exactly what and where data about specific consumers is being stored, how complete and accurate it is, and how it is being used and protected. They should also ask themselves:

• Do we have the appropriate leadership, structure, capabilities, resources, collaboration, and support to manage data privacy risks in the context of our business model and goals?

• Have we organized our compliance and privacy functions to best provide support for—and oversight of—our business and operations?

• How do our information governance programs and capabilities stack up against industry standards and our industry peers?

• What new uses and technologies for data are planned, and how might we engage with customers more effectively to access data in return for added value?

• Does our chief privacy officer have the skills and stature to coordinate privacy and data governance efforts across the organization — and to positively affect the customer experience?

The answers to these questions can help insurance organizations understand where they stand and determine the right path forward to developing an effective privacy compliance program.

Best interest industry sales standards

The insurance industry is facing transformative changes to its sales conduct standards, driven by important new federal securities and state insurance regulations. While these regulations vary considerably in scope (affected sales professionals and products, disclosure obligations, etc.), they all reflect an ongoing trend towards acting in the client’s best interest and requiring heightened standards that go beyond existing suitability obligations when providing advice and recommendations to clients.

On June 5, 2019, the US Securities and Exchange Commission (SEC) voted to adopt new principles-based rules and interpretations in its “Regulation Best Interest” package, including Form CRS Relationship Summary and other interpretations (Reg BI). Reg BI requires broker-dealers (including insurance-affiliated broker-dealers) and their registered representatives to act in the “best interest” of their clients when providing securities transaction and/or investment strategy recommendations, including those related to variable life and annuity products. The compliance date for Reg BI is June 30, 2020.

Reg BI requires broker-dealers to satisfy four important obligations:

• care obligation

• disclosure obligation

• conflicts of interest obligation

• compliance obligation

The SEC has also clarified certain aspects of the fiduciary duty that investment advisers owe to their clients. The Investment Advisers Act of 1940 specifies a duty of care and loyalty that at all times requires an adviser to “serve the best interest of its client and not subordinate its client’s interest to its own.”

Similarly, although different in scope and approach, the New York Department of Financial Services’ (NYDFS) Regulation 187 – Suitability and Best Interests in Life Insurance and Annuity Transactions (Reg 187) sets forth important requirements for insurers and producers (i.e., insurance agents/registered representatives) who provide recommendations for the purchase of annuity products (effective August 1, 2019). It also sets forth requirements for life insurance products (effective February 1, 2020). Reg 187 covers policies and contracts delivered or issued for delivery in the state of New York. Importantly, the scope of Reg 187 includes non-investment life and annuity insurance products, as well as variable insurance products. Some of the regulation’s other requirements relate to preventing financial exploitation and abuse, producer training, producer titles, and an effective system of supervision.

Overall, the regulatory landscape is becoming hazier as multiple states introduce legislation focused on different requirements for investment and financial advisers, such as fiduciary duties, conflicts of interest disclosures, best interest standards, and fee transparency.

At their core, all of the various requirements are intended to address the inherent conflicts of interest associated with recommendations by producers. Affected professionals are expected to be unbiased and not place their own financial interest above their client’s when providing recommendations. Note that the standards do not require firms and advisers to recommend the lowest cost product, but more aptly recognize that there are a variety of available products that may meet a client’s needs and objectives, as well as a variety of compensation models – fee-based and commission-based – that may align with a client’s best interest.

Firms will likely face significant strategic and operational decisions as they analyze the various regulations and implement measures to meet the requirements. Impacts will likely span a wide range of areas, including: product offerings; conflicts analysis; producer compensation and incentives; various client disclosures; documentation to support producer recommendations; and supervisory and compliance policies, procedures, monitoring mechanisms, and recordkeeping.

Effective planning and implementation to meet the various requirements will require strong governance, as well as integrated planning and decision-making across multiple workstreams. It will also require significant involvement from the IT function.

Market conduct

Market conduct exams continue to be a hot topic in the insurance industry. Recently, regulators have been increasing their use of examinations to ensure consumers are protected and to verify that insurers are complying with statutes and regulations and adhering to their filings.

This uptick in exam activity shows how serious regulators are about ensuring compliance, as do recent multi-million-dollar fines and remediation activities that required insurers to go back several years in order to make consumers whole.

In addition to rising fines, the costs of compliance and remediation are also rising to the point that the mere thought of a market conduct exam can cause some insurers to cringe at the time and expense required to respond.

Key areas of regulatory scrutiny

Data analytics are gaining importance as regulators analyze Market Conduct Annual Statement (MCAS) peer data looking for outliers. Data calls are another tool regulators are using to increase their vigilance and industry monitoring. Activities likely to attract regulatory scrutiny include: increases in complaint ratio; large increases or decreases in premium volume; significant changes in a company’s book of business; rapid expansion in a new state or states; and heavy reliance on third parties for key business functions.

Market conduct exams can cover a variety of areas, with regulators focusing on just one area or multiple areas. If issues are found in one area, examiners will often expand their examination to include additional areas. This expanded scope can cost an insurer significant time and money.

Typical examination areas include: sales practices; claims; underwriting; forms; sales materials; complaints; policy issuance; new business and/or renewals; policy administration; customer service; suitability; replacements and surrenders; fees and charges; and agent licensing.

In addition to typical market conduct exams, the NYDFS has begun to conduct a cybersecurity regulatory examination process. According to Superintendent Linda A. Lacewell, “As technology changes the financial services industry, regulation must evolve, and [NYDFS] is evolving to meet the challenges and opportunities of the new landscape, to protect consumers, safeguard the industry, and encourage innovation.”

Meanwhile, the Financial Industry Regulatory Authority (FINRA) continues to actively examine insurance companies that include broker-dealers, scrutinizing conduct in key areas such as: insider trading; money laundering; improper use of funds/forgery; quality of markets; best execution; reporting/provision of information; sales practices; recordkeeping; compliance procedures; sales practices and suitability; communication with the public; disclosure of conflicts of interest; net capital requirements; and supervision.

At the National Association of Insurance Commissioners (NAIC), the Big Data Working Group continues to focus on data algorithms and models, particularly those using data from third parties since many of those external vendors are not regulated entities and their data could contain inaccuracies and inherent biases. Regulators are educating themselves on these sophisticated data models—including how the models operate, and the potential impacts of their components—so they can effectively assess the models’ appropriateness in the marketplace.

Getting ahead of the curve

Insurers can take steps to prepare for or mitigate potential market conduct activity by proactively monitoring compliance with policies, procedures, statutes, and regulations. Helpful tools include: self-assessments; mock market conduct exams; self-analysis of MCAS data to look for significant year-to-year variances; and use of data analytics to identify outliers or points of noncompliance that might attract the attention of regulators. Insurers should also closely monitor their rate compliance to ensure the rates they charge consumers comply with what has been filed and approved. A firmly established three-lines-of-defense model for risk mitigation can help monitor risk and noncompliance throughout an organization.

Innovative technologies such as robotic process automation (RPA) combined with natural language processing (NLP), higher-order cognitive technologies, and artificial intelligence (AI) can help enable end-to-end product oversight, as well as monitoring of market reactions and regulatory actions. These technologies can also be enablers for a talent transformation, freeing up people in the compliance function to focus on high-value work beyond reporting. Insurers not yet exploring such technologies might find it useful to create a framework that can help them appropriately leverage talent and technology to cope with a world of increased market conduct oversight.

Fraud

Many insurers continue to struggle to identify and reduce both hard and soft insurance fraud within their companies, a problem that costs the industry $80 billion annually. Fraud is perpetrated by different parties involved in the insurance transaction lifecycle, including applicants for insurance, policyholders, third-party claimants, internal employees, and professionals who provide services and equipment to claimants.

Fraud activity is up 62% year-over-year, often driven by the extensive theft of personal data and the continued digitization of insurers. Recent studies reveal a number of customer soft fraud incentives: belief they can get away with it; belief that insurance costs too much; desire to recover the deductible; and poor customer service, all of which motivate retribution.

During the Anti-Fraud Taskforce session of the most recent NAIC Summer Meeting, there were discussions about how to make the process more efficient for companies to submit anti-fraud plans to the states, and also how to consolidate state-specific requirements for the anti-fraud plans. The Coalition Against Insurance Fraud noted that 174 anti-fraud bills have been introduced into legislation within the states, so the fraud epidemic is clearly on the minds of regulators and legislators.

Also, in July 2019, the National Council of Insurance Legislators amended the Insurance Fraud Model Act, which had last been updated in 1998. The major changes included increasing authority for prosecutors; streamlining the proof of intent to defraud and how the intent to defraud is identified; and eliminating multiple-proof requirements in many areas to allow for greater prosecution.

Most states require insurers to document and submit their anti-fraud plan to the state’s department of insurance. These anti-fraud plans outline the company’s procedures (appropriate to the type of insurance provided by the company) to prevent, detect, and investigate fraud in applications for insurance, renewal documents, rating of insurance policies, claims fraud, and security of the company’s data processing systems.

Although companies have documented anti-fraud plans, do they know how effective they are? How are they measured?

Types of fraud

Insurers should manage against several different types of fraud threats, both internal and external, including:

• Adverse selection. Withholding information from an insurer (e.g., not disclosing poor health status on an application).

• Agent fraud and/or sales risk. Commission theft via falsified sales (e.g., fictitious policy, misclassified type of sale to meet a sales goal or contest) or fraud against the customer (e.g., theft of account value, unsuitable sale).

• Cyber risk. An attack on an organization’s IT system targeting sensitive client data (e.g., hacking or phishing), often resulting in financial and/or reputational losses.

• Employee theft. Misuse of an employer’s assets (e.g., embezzlement, insider threat, intellectual property theft, conspiring with outside actors) often enabled by insufficient segregation of duties and controls.

• Known-party account takeover or impersonation. A known-to-you party, such as an agent or family member, pretending to be someone else in order to gain access to an account and take or misdirect cash value, premium, payments, etc.

• False claims or information. Submitting false claims or information for injuries or damage that never occurred, services never rendered, equipment never delivered or owned, attributing a prior condition to the current event, or providing an incorrect loss date to bring a claim into the coverage period.

• Third-party account takeover or impersonation. A third party pretending to be someone else in order to gain access to an account and take or misdirect cash value, premium, investment contribution, payments, loans, etc.

• Underwriting misrepresentation. Misrepresenting facts on an insurance application (e.g., falsely claiming not to smoke).

Traditional fraud management typically handles business risks in silos: a fake customer account here, a padded claim there. It’s an inefficient model that is not able to quickly counter evolving fraud schemes and behaviors. Thus, insurers keep suffering losses—and constantly seem one or two steps behind—despite experience indicating that enhanced analytics yields a favorable return on investment through increased prevention and recovery.

Three core principles

Many companies are beginning to break down those silos by assessing their enterprise fraud management risk across three high-level core principles: govern, manage, and operate.

Govern

• Enterprise strategy that defines the anti-fraud function role and fraud program objectives and establishes a forward-looking strategic roadmap.

• Organizational and governance components for an effective fraud program that include roles and responsibilities, goals & objectives, policies & procedures, transparency, and culture/awareness in order to manage fraud risks across various businesses.

Manage

• Policies, standards, and procedures defining fraud, activities across the anti-fraud lifecycle, and integration points between functions to improve consistency and quality in program activities.

• Coordinated communication channels and programs to educate stakeholders about their responsibilities at all stages of the fraud program lifecycle.

Operate

• Due diligence and ongoing oversight that an organization should consider exercising throughout the fraud program lifecycle, including a fraud risk assessment that aligns risks and controls and that measures residual risks.

• Aligned technologies to support fraud prevention and detection; use of advanced analytics, behavioral economics, and adaptive behaviors.

• Metrics and reports that provide a comprehensive view of enterprise fraud risk to the relevant stakeholders across the organization, including cost/benefit analysis considerations.

Don’t operate in a digital future with an anti-fraud strategy from the analog past

Traditional fraud detection depends on rules, which requires fairly specific knowledge of previous fraudulent behaviors. It is also labor-intensive, since it requires subject-matter experts to write, apply, and continuously modify the rules. A modernized approach using advanced analytics—whether through real-time detection, near-term dynamic monitoring, or longer-term scanning for emerging threats—can help a company respond to gaps in current processes and/or improve controls and monitoring for fraud. Key capabilities include:

• Anomaly detection. Identifying patterns inconsistent with ‘normal’ activity through statistical profiling/outlier detection; might include data from external sources and social media.

• Machine learning. Detecting how issues relate to one or more other factors using patterns uncovered within historical data.

• Text/voice analytics. Unlocking patterns trapped in unstructured data and developing measurable data points to use for modeling.

• Network analytics. Discovering associations between similar and related entities to identify fraud networks and other collusive behavior.

By applying an updated approach to discovering and preventing risk across the modern digital enterprise, as well as leveraging tools that might already be in use somewhere in the business, companies can gain high-value risk insights. They can then use those insights to dramatically improve operational and strategic decision making.

Benefits of improved enterprise fraud management

The incentive to begin this work is quite powerful. A new approach to enterprise fraud management can provide organizations with many benefits, including:

• Substantial, concrete near-term return on investment resulting from the detection and resolution of current inappropriate business activities.

• Strategically improved ability to predictively protect the business and the brand from a wide range of previously unidentifiable dangers—including internally and externally perpetrated fraud, non-malicious employee errors, compliance failures, and cybersecurity issues.

• Enhanced credibility with compliance auditors resulting from the differentiated level of diligence, as demonstrated by the adoption of innovative self-policing.

• Better long-term business performance through reduced financial leakage, optimized brand value, and more secure lifetime relationships with customers, vendors, and other stakeholders.

Moving forward, the industry (including regulators) should continue looking for ways to educate consumers about the products available in the marketplace, their purpose, and the components of the policy (including deductibles). Educating consumers about insurance products—and fraud in general—can affect their behavior patterns. Consumers need to understand the impact of fraud on the industry, and that fraud is a major crime that does more than cost companies money. These nudges can have a significant impact on consumer behavior and reduce the perception of insurance fraud as a normal cost of doing business.

Development of capital standards for US insurers

The US will have a group insurance capital calculation/standard for the first time (in addition to the existing legal entity risk-based capital (RBC) requirements). However, various proposals are still being consulted upon and currently it is not clear exactly how insurers will be affected. For example, one proposal includes a capital buffer that could be used to limit capital distributions and discretionary bonus payments should insufficient capital be held.

The 2008 financial crisis prompted a variety of regulatory activities related to capital standards. The NAIC launched its Solvency Modernization Initiative (SMI) to review many aspects of the US regulatory framework, including RBC. US legislators passed the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act), which subjected a number of insurance companies to Fed supervision. Globally, the International Association of Insurance Supervisors (IAIS), of which US insurance supervisors are a part, was challenged by the Financial Stability Board (FSB) to develop insurance group capital measures that would enable comparison of insurers’ solvency across jurisdictions (the United States has traditionally had a legal entity-based approach to monitoring insurers’ capital positions). Additionally, the International Monetary Fund (IMF) conducted its Financial Sector Assessment Program (FSAP) of the US insurance supervisory process and found that no supervisory tool existed to monitor group solvency.

Partly due to these various events and resulting initiatives, multiple US-based capital standards options are now being developed by regulatory bodies such as the Federal Reserve Board (FRB), the US states (through the work of the NAIC), and internationally under the IAIS. The proposed capital standards/calculations, which at some point will likely affect US-based insurers, are currently in varying stages of development. However, the objectives of each are largely similar: provide a commonly accepted method across the industry that enables insurers to understand and communicate their capital positions against the regulatory requirements they face.

In October 2019, the FRB invited public comment on a proposal to establish capital requirements for certain insurance companies supervised by the FRB. The proposal builds on existing state-based insurance standards, while also establishing minimum capital requirements that are specific to the insurance business. Under the proposed framework, known as the Building Block Approach (BBA), holding companies significantly engaged in insurance activities would be required to aggregate their state-based capital requirements into a consolidated requirement. The proposal would establish both minimum requirements and a potential buffer on top of the minimum.

At the state level, US regulators are developing a Group Capital Calculation (GCC), which is a supervisory tool and not a standard, to monitor solvency across insurers. According to the NAIC, “the GCC will be an aggregation method for use with groups that include a US insurance company, and it is intended to provide additional analytical information to the lead state for use in assessing group risks and capital adequacy to complement the current holding company analysis in the US.”

On the global stage, the IAIS is pushing forward with design and implementation of a global insurance capital standard (ICS). The objective of the ICS is to provide a common language, along with comparable outcomes, for insurance company regulatory capital. The ICS version 2.0 was approved at the end of November 2019, with an initial five-year monitoring period during which it will not be a prescribed capital requirement (PCR) but will be used by supervisors to monitor performance.

Upon implementation, each of these proposed capital standards/calculations could have a significant impact on US-based insurers, which means the domestic insurance industry is likely approaching a pivotal point in this important regulatory area. Insurers should understand the various proposals and their potential impacts, and if necessary take the opportunity to provide input into the regulatory consultation processes while there is still time.