Regulators across the globe are attempting to address the root causes of poor outcomes for insurance customers, and focusing on insurer conduct and consumer protection.
Now that a range of global and European solvency and prudential standards have been implemented for insurance firms, the International Association of Insurance Supervisors (IAIS), the European Insurance and Occupational Pensions Authority (EIOPA) and regulators across the globe are shifting their focus to address the root causes of poor outcomes for insurance customers, and increasingly focusing on the insurer conduct and consumer protection agenda.
Since the Financial Conduct Authority (FCA) was established in 2013 the UK has, arguably, led the way in focusing on conduct risk and the delivery by the insurance industry of good outcomes for customers. In Ireland, possibly due to a significant focus on renewing the health of our banks, implementation of Solvency II and, more recently, concerns about the domestic non-life insurance market, conduct risk has not featured as highly on the regulatory agenda. This is changing. This increased focus coincides with some key legislation that will come into force in the next two years, namely the Packaged Retail Insurance and Investment Products Regulation (PRIIPs) and the Insurance Distribution Directive (IDD).
Elsewhere, having completed its Solvency II level III guidance, EIOPA is now active in the conduct risk agenda, producing a range of papers and opinions. EIOPA's 4th Consumer Trends Report paves the way for further investigations, thematic reviews and potential guidelines that member states must either comply with or explain departures from.
While there is much to consider in the emerging regulatory landscape, many firms have more immediate interest in dealing with the more practical aspects of conduct risk. Firms wish to understand "what good looks like" and what gaps exist in their approach to conduct risk management.
At a global level, of the 26 insurance core principles (ICP) initially developed by the IAIS, only one (ICP 19) focuses on conduct of business requirements, with the remainder focusing on prudential requirements. However, the IAIS has recently supplemented the ICP by releasing two issues papers in relation to conduct risk, one of which applies to all insurers [IAIS Issues Paper on Conduct of Business Risk and its Management, November 2015] and the other which focuses on conduct risk issues specifically in relation to inclusive insurance.
EIOPA describes conduct risk as the risks to consumers, insurance undertakings and the insurance market as a whole that arise from insurance undertakings and/or insurance intermediaries conducting their business in a way that does not ensure fair treatment of consumers. Poor conduct outcomes may result from the characteristics of the insurance products themselves, as well as from the distribution models chosen in bringing them to the market.
The issue of conduct risk can be viewed through a number of lenses. As an area of increasing regulatory focus, there is a danger of considering conduct risk predominantly from a compliance and supervision perspective. However, as a business and operational risk with potential consequences such as loss of market share, reputational and brand damage, and customer litigation, we propose that the conduct risk agenda be considered primarily from two viewpoints:
A third lens may consider the customer angle. Taking this view, conduct risk could be described as: "consumer detriment arising from the wrong products ending up in the wrong hands, and the detriment to society of people not being able to get access to the right products". This is the FCA's definition; in its Risk Outlook 2013, the FCA further identified three broad drivers of conduct risk across different financial markets (see Figure 1). While the regulator's perspective is based on a very different remit, its highlighting of the customer lens is notable. The inherent customer issues the FCA identifies ("information asymmetries, biases and heuristics, and inadequate financial capability") are equally relevant for insurance companies and intermediaries.
As firms will focus on what they can control, we suggest customer issues should be a central feature in any risk management perspective adopted.
The Central Bank of Ireland has also placed a supervisory priority on conduct risk across financial services. In PRISM Explained in 2011 it defined conduct risk as "the risk the firm poses to its customers through its direct interaction with them". Since 2015 it has included conduct risk as a key supervisory objective, and it has been a feature of a number of supervisory inspections.
The causes of poor insurance customer outcomes are broadly split across three areas: information asymmetry in insurance sales and communications; poor product design; and ineffective insurance culture. Insurers consider insurance sales, products and culture.
Information asymmetry exists in sales of financial products whereby the provider of a product often has a detailed and in-depth understanding of a product while a consumer is generally less well informed. Global regulators have criticised the sales process and clarity of customer communications as a driver of poor customer outcomes, which can leave customers with products that do not perform as they were led to expect.
Regulatory responses have traditionally sought to address these imbalances by providing prescriptive requirements for disclosure and setting professional standards for sales advisers. The most recent example of this is the EU PRIIPs, which requires a pre-contractual key information document to be provided to retail investors, outlining the key facets of investment products and the risks associated with them in plain and clear language.
As product design and governance have been identified as a key weakness of firms in multiple jurisdictions, some countries have provided their conduct supervisors with additional powers to make interventions and even ban particular products. Good conduct is not simply about ensuring customer satisfaction but delivering a good outcome for the customer. This goes beyond process and procedure: good conduct aims to deliver value for the customer and the shareholder with a balance of customer outcome and profitability for the firm.
This includes considering the wider culture of the firm, since firms often use the term culture and conduct interchangeably. Culture is often described as "the way things are done around here". It is the complex result of a broad range of drivers and includes people, performance and related incentives, individual beliefs and leadership. It is difficult to ensure good conduct where poor culture exists.
Although it is a global challenge, protecting the consumer remains a national issue with widely divergent approaches taken between countries. As a result, insurers have approached conduct in different ways, with some firms building an assessment of conduct risk into their risk framework fully and others identifying conduct as a subset of operational risk. The Central Bank of Ireland has highlighted that culture will continue to feature in its supervisory priorities, given its impact on the consumer and also its centrality to meaningful demonstration of regulatory compliance by the firm.
While firms must follow regulatory developments, a more pressing need for many firms is to improve their internal risk management approach to conduct risk. In our view this is not a question of adding yet more checks and controls to business processes, but it involves changing business culture and finding better ways to identify, measure and mitigate conduct risk.
Although it is becoming the norm that risk awareness and management belong to the first line of defence, responsibility for the compilation of management information, and for testing and monitoring conduct risk, may vary among firms. As an extension of consumer protection, some firms may choose to leave conduct risk with the compliance function, while others may see ownership in the risk function. There is no single correct answer to the role of the second line, with involvement by both risk and compliance very likely.
Rather than attempting to provide a definitive list of risks, which will vary widely among firms, the following are generally regarded as the key areas where risks will emerge:
As just one of many business risks (albeit one that may have been recently added to firms' risk registers), conduct risk needs to be accommodated within firms' risk management framework in terms of risk assessment, mitigation and monitoring. To date, outside of the measurements of compliance with the local Consumer Protection Code, we understand that firms have faced challenges in producing additional tangible metrics for measuring conduct risk. Examples include net promoter scores, analysis of complaints resolution and key performance indicators relating to service-level agreements. This challenge is not unexpected given the subjective elements that contribute to conduct risk such as culture, tone at the top and quality of service.
Taking product governance from the list of risk drivers, it may be possible to measure, on a policy basis, what a range of likely outcomes would be for the (target) client, and how these might vary if an inappropriate client group received the product (which could be for a range of reasons, including mis-selling, client bias and adverse selection).
Good management information will allow the business to determine whether good outcomes are resulting, through monitoring whether the product offers value for money, whether suitable customers were initially targeted and whether suitable customers are the main buyers of the product. Mystery shopping, customer sales reviews, post-sale interviews, and questionnaires provide additional customer feedback.
Not all conduct risk metrics must be outcomes-focused, as firms need a suite of metrics to build up an overall picture of conduct risk. For example, it is still important to receive management information on customer satisfaction, even if, by itself, this does not necessarily demonstrate a good customer outcome.
Other approaches to looking at metrics, or areas of focus that may raise flags regarding conduct issues, may include:
Clearly, what comprises key metrics for firms will vary widely depending on individual markets and products; however, a conduct risk committee may provide a useful forum for sharing knowledge and experience of what works well, and other insights.
Conduct risk presents challenges in terms of mitigation but arguably at its core is the issue of corporate culture. In this new era, being customer-centric or putting customers at the heart of the organisation needs to be more than a corporate sound bite. Difficult questions with potentially uncomfortable answers are involved in moving the focus of and mitigating risk. The following are examples of such questions:
In mitigating conduct risk it becomes clear that culture is a key defence.
This may manifest through a combination of soft and tangible mitigants including:
As the regulatory focus increases, companies need to consider key questions such as:
At KPMG, we advise and work with firms to prevent, mitigate and resolve conduct risk issues. We advise and support firms on:
This article was originally published in the Intelligent Insurer Dublin and Ireland Report 2017 and is reproduced here with their kind permission.