There is a high degree of commonality between the papers, although the structure and tone is quite different. While ESMA issued nine distinct principles, EIOPA’s principles are set out under broad headings. The tone is also softer, with EIOPA only referring to “foster(ing) convergence and consistency of authorisation processes”, which allows more scope for discussion and agreement with supervisors.
Both ESAs require supervisors to undertake a sound authorisation process, with no automatic authorisations granted and each case reviewed on its own merits. Both require strong scrutiny of the governance structure, including outsourcing arrangements.
Firms should note EIOPA’s requirement to explain any formal or informal approaches to other Member States and why these were rejected.
Solvency II approvals
EIOPA makes it clear that any PRA-granted approvals cannot be used by the new European insurer and must be subject to a formal approval process. For internal model applications, some account can be taken of existing knowledge of the model, provided this takes account of changes in risk profile, risk management system or the model’s use. New internal model (or model change) applications could be required in some group situations.
We expect the PRA will adopt a similar approach in respect of new UK insurance subsidiaries created by European groups that wish to retain access to the UK market.
Governance and risk management
EIOPA expands on ESMA’s no letter-box entities principle to also consider the impact of reinsurance arrangements. EIOPA requires an assessment of whether the EEA insurer will have “an appropriate level of corporate substance, proportionate to the nature, scale and complexity of the planned business”.
Supervisors should assess whether the proposed governance arrangements will ensure “effective decision-taking and risk management” locally, with an “appropriate” Board and key functions presence and sufficient local staff.
This should enable constructive dialogue between the applicant firm and the proposed regulatory authority to enable a model appropriate to the firm’s business plan.
EIOPA clearly wants to avoid pure fronting arrangements, with reinsurance aligned with the insurer’s risk appetite. Importantly for some, EIOPA proposes a minimum retention level should be required, suggesting 10% as a threshold - although this is not mandated, leaving flexibility for discussion.
High risk transfer should necessitate an assessment of the impact on prudent person principles, SCR, availability of collateral and the impact of adverse conditions on counterparty exposure.
EIOPA’s language appears more flexible than ESMA’s, linking with existing outsourcing Guidelines. However, many of the general principles are consistent - for example the need to ensure appropriate oversight of the outsourced functions and access to data and premises.
EIOPA does not ban the outsourcing of any functions outside the EU, merely reminding the supervisor to pay particular attention to any intended outsourcing of critical or important activities. Consideration must be given both to the complexity of the business model and size of the insurer.
While the Board remains fully responsible, there must be a nominated individual responsible for outsourced key functions. Outsourcing must not materially impair the system of governance or the supervisors’ ability to monitor compliance and should not unduly increase operational risk.
Supervisory access to both information and the service provider’s premises needs to be assured.
EIOPA refers to the need to ensure continuous compliance, full access to outsourced providers, no impediments to supervisors’ ability to enforce requirements and the importance of supervisory cooperation being discussed early in the authorisation process.
Relevance to insurers (UK and EEA)
While the Opinion is primarily directed at European regulators, these general principles will likely also be applied in the UK for applications from European (re)insurers.
Firms will need to factor in sufficient time for both the authorisation process and any required Solvency II approvals, taking account of the risk that the standard formula may apply at least initially. Key considerations will be significant outsourcing (or reinsurance) proposals and the level of substance required locally. Much will be subject to agreement with the local regulator and final agreements are likely to be bespoke.