In a speech to the ICA Annual Conference in Brisbane yesterday, APRA Executive Board member Suzanne Smith said, ‘a focus for APRA over the coming year: [is] the risk associated with outsourced underwriting to agencies.’
Ms Smith continued:
Partnering with experts to underwrite hard-to-place risks or to reduce operational and distribution costs can be a strategy. However, it is important to remember that the responsibility for core underwriting decisions always remains with the licensed insurer, as insurance risk and accountability are the very reason why insurers hold licences in the first place.
Strong governance practices are crucial here, including robust on-boarding and exit plans, elimination or clear management of conflicts of interest, adequate governance resources, and sound data security. This also extends to scaling operations, such as ramping up claims handling during a crisis.
The key takeaway is that while authority can be delegated, the ultimate responsibility remains solely with the insurer.
The intersection between Prudential Standard CPS 230 & AFS Licence obligations
I asked the question from the floor, ‘how should the dichotomy between the obligations of an APRA-regulated insurer in respect of CPS 230 for underwriting agencies be managed, given the independent obligations of an agency holding an AFS Licence?’
Let me answer my own question.
CPS 230 requirements
An APRA-regulated entity must … manage the material risks associated with using [material service] providers. Material service providers are those on which the entity relies to undertake a critical operation or that expose it to material operational risk. (paragraph 49 CPS 230)
Underwriting agencies, TPAs (insurance claim managers) & insurance brokers with delegated underwriting authority are deemed to be material service providers, unless the insurer can justify otherwise (paragraph 50).
Operational risk is defined to include, but is not limited to, legal risk, regulatory risk, compliance risk, conduct risk, technology risk, data risk and change management risk (paragraph 24).
AFSL requirements
Underwriting agencies (& TPAs & brokers) that hold an AFS Licence have general obligations (refer section 912A(1) Corporations Act), including the obligation to have adequate risk management systems (s912A(1)(h)).
ASIC expects that a licensee’s risk management system will:
(a) be based on a structured and systematic process that takes into account your obligations under the Corporations Act;
(b) identify and evaluate risks faced by your business, focusing on risks that adversely affect consumers or market integrity (this includes risks of non-compliance with the financial services laws);
(c) establish and maintain controls designed to manage or mitigate those risks; and
(d) fully implement and monitor those controls to ensure they are effective.
(refer RG 104.62)
Importantly, ASIC also notes that [the licensee’s] risk management systems will depend on the nature, scale and complexity of their business and their risk profile (my emphasis). They will be different for each licensee. (RG 104.63)
So what does this mean for insurers and their underwriting agencies?
It follows from the above, that:
- Underwriting agencies holding an AFS Licence must have a fit-for-purpose system of managing risk, including operational risk; and
- Insurers must manage the risk, to the insurer, of outsourcing underwriting to an underwriting agency.
Unpacking the comments of APRA’s Executive Board member
Ms Smith stated, ‘The key takeaway is that while authority can be delegated, the ultimate responsibility remains solely with the insurer.’
It is noted that in CPS 230 financial risk is not a sub-category of operational risk; it is a distinct category of risk.
Included in financial risk, for an APRA regulated insurer, is Insurance Risk (refer Prudential Practice Guide GPG 240).
Insurance risk is the risk that inadequate or inappropriate underwriting, claims management, product design and pricing will expose an insurer to financial loss and the consequent inability to meet its liabilities (CPG 240 paragraph 1).
This is the important context for Ms Smith’s statement.
Insurers enter into binder agreements with underwriting agencies that include terms and conditions providing the guardrails for the underwriting agency to underwrite risk [and manage claims]. This is more commonly known as delegated [underwriting/claims] authority.
It is clearly the insurer’s responsibility to manage insurance risk through the scope of the delegated authority issued. It is the underwriting agency’s responsibility to provide its financial services & products to consumers while acting within the scope of that delegated authority.
Underwriting agencies, as licensees, also have an obligation to manage their financial risk; however, this relates to meeting the base-level financial requirements (RG 166) & other licence conditions, and does not extend to insurance risk.
An APRA-regulated insurer’s ultimate responsibility for outsourcing underwriting to underwriting agencies under CPS 230 arises from insurance risk, manifested through delegated underwriting authority. It is through this lens that operational risk should be viewed.
How can insurers and Underwriting Agencies meet their respective obligations?
An insurer’s compliance with CPS 230 (& FAR) and an underwriting agency’s AFSL general obligations are not mutually exclusive.
Insurers must conduct due diligence of the agency before issuing any delegated authority. Such due diligence must include an analysis of the adequacy of the agency’s risk management system to:
- meet the licensee’s obligations under s912A(1)(h); and
- meet the insurer’s obligations to manage the operational risk of outsourcing to material service providers.
Monitoring & oversight
The insurer’s ongoing monitoring and supervision of underwriting agencies is critical. It should be noted that the obligation to monitor also arises under the insurer’s own AFSL obligations & the GI Code of Practice (i.e. this is not new).
Clearly, an insurer provides delegated underwriting authority to an underwriting agency because the agency can provide (underwrite) the respective insurance products more effectively & efficiently than the insurer. The partnership is built on trust. An insurer cannot be looking over the shoulder of the agency every minute of the day, nor can it impose its own risk management system on agencies. That would simply not work & would stifle the agency.
2 lines of defence approach
The key is to adopt a 1st line/2nd line approach as per the 3 lines of defence model. This model is conceptually sound from a governance perspective.
The agency is the 1st line, managing risk on a day-to-day basis. The insurer is the 2nd line, monitoring & providing oversight.
The insurer will examine the adequacy of the agency’s risk management system and periodically receive data (monthly or quarterly) that provides an indicator of the health of that system.
Such data includes risk profiles, control testing outcomes, obligations management, incident & breach management, complaints, file reviews, training, QA, etc.
Formal meetings at different levels will discuss the data and operational & strategic matters.
The insurer will dive deeper when the data indicates a potential issue. In addition, the insurer will conduct or arrange an annual audit/review covering compliance with the delegated underwriting authority & compliance with financial services laws.
An insurer also needs to manage the accumulation and aggregation risk of having multiple underwriting agencies.
Be diligent but don’t panic
It’s critical that insurers don’t impose themselves into the daily operations of the underwriting agency.
Insurers can meet their CPS 230 obligations with due diligence, clarity on the scope of delegated underwriting authority & a robust monitoring program. In turn, this will also assist the agency in meeting its own AFSL obligations.