Using AI ‘efficiently, honestly and fairly’ in insurance claims

ASIC Report 798, Beware the gap: Governance arrangements in the face of AI innovation, identified the most common uses of AI for insurance claims as:
– Supporting the claims process: claims triaging, decision engines to support claims staff, document indexation, identifying claims for cost recovery; and
– Automating a component of the claims decisioning process, but humans remain responsible for the overall claims decision.

It identified as emerging uses the use of generative AI and natural language processing techniques to extract and summarise key information from claims, emails and other key documents.

Financial service laws are technology neutral; therefore, when providing claims handling and settling services using AI, the general obligation to provide those services ‘efficiently, honestly and fairly’ remains.

Providing claims handling and settling efficiently, honestly and fairly

ASIC INFO 253 provides guidance on providing claims handling and settling efficiently, honestly and fairly. To satisfy this obligation, you will generally need to handle and settle insurance claims:
– in a timely way;
– in the least onerous and intrusive way possible;
– fairly and transparently; and
– in a way that supports consumers, particularly ones who are experiencing vulnerability or financial hardship.

Australia’s AI Ethics Principles

The incorporation of the eight Australian AI Ethics Principles in AI policies and procedures is supported by ASIC, and they should be used when adopting AI in claims processing. The 8 AI Ethics Principles are:
– Human, societal and environmental wellbeing: AI systems should benefit individuals, society and the environment.
– Human-centred values: AI systems should respect human rights, diversity, and the autonomy of individuals.
– Fairness: AI systems should be inclusive and accessible, and should not involve or result in unfair discrimination against individuals, communities or groups.
– Privacy protection and security: AI systems should respect and uphold privacy rights and data protection, and ensure the security of data.
– Reliability and safety: AI systems should reliably operate in accordance with their intended purpose.
– Transparency and explainability: There should be transparency and responsible disclosure so people can understand when they are being significantly impacted by AI, and can find out when an AI system is engaging with them.
– Contestability: When an AI system significantly impacts a person, community, group or environment, there should be a timely process to allow people to challenge the use or outcomes of the AI system.
– Accountability: People responsible for the different phases of the AI system lifecycle should be identifiable and accountable for the outcomes of the AI systems, and human oversight of AI systems should be enabled.

Licensees must consider their existing regulatory obligations

What licensees need to do to comply with their existing regulatory obligations when using AI depends on the nature, scale and complexity of their business. It also depends on the strength of their existing risk management and governance practices. This means there is no one-size-fits-all approach for the responsible use of AI. (ASIC REP 798)

ASIC provides the following examples in REP 798: Licensees must do all things necessary to ensure that financial services or credit services are provided in a way that meets all of […]

CPS 230 readiness for General Insurance

Much has been said and written about CPS 230; however, the time for talking and planning is rapidly coming to an end (& has probably passed for the large insurers). It’s time for implementation!

Debunking the CPS 230 myths

There continues to be some misinformation circulating about CPS 230, what it is and what it isn’t. Let’s deal with these first.

What are the facts?
– CPS 230 (i) only applies as an obligation for insurers & (ii) only for those authorised by APRA under section 12 of the Insurance Act 1973 (Act); this means CPS 230 applies to general insurers in Australia, including foreign general insurers, and does not apply to Lloyds underwriters. Lloyds underwriters are authorised under section 93 of the Act and do not come within the definition of General Insurers (s 11 of the Act).
– Lloyds underwriters (and Coverholders) do not get a ‘free ride’. FCA UK Operational Resilience rules come into effect in the UK in March 2025. Also refer to Lloyds Principle 12 Operational Resilience. The FCA rules are similar to CPS 230.
– CPS 230 compliance is not a complex technical issue per se. Much should already exist. It’s a resourcing issue, especially the work around critical operations, process mapping, controls testing, material service providers and updating existing or creating new risk artefacts. A risk person within the CRO team of an APRA regulated insurer would be very familiar with the key CPS 230 requirements: operational risk; tolerance levels; critical operations (& disruption thereof); outsourcing; business continuity; risk profile; control testing and scenarios.
– Service providers do not have any obligations under CPS 230. CPS 230 is the insurer’s responsibility. The obligations for service providers manifest when they perform critical operations for the insurer (for general insurance this is claims processing) or expose the insurer to material operational risk (at a minimum, for general insurance unless justified otherwise: underwriting, claims management, insurance brokerage and reinsurance). The Service Provider obligations would be reflected in the Binder Agreement and/or Service Provider Agreement as obligations imposed on the Service Provider by the insurer.
– Non-compliance with CPS 230 does have significant consequences. Section 38AA of the Act requires insurers to notify APRA of certain matters. These include immediate notification of a breach of a Prudential Standard that relates to financial obligations the general insurer has to its policyholders or to the general insurer’s minimum capital requirements, & for other breaches of a Prudential Standard within 10 Business Days where the breach is significant within the meaning of s 38AA(5).

What should insurers be doing?

As I mentioned earlier, compliance with CPS 230 requires some ‘risk-thinking’ [within risk appetite]. However, CPS 230 is more of a resource and project management challenge. There are a number of risk ‘task-based’ activities that insurers should be doing now:
– identify critical operations;
– set tolerance levels;
– process mapping – identify the processes and resources needed to deliver these critical operations, including material service providers;
– updating risk artefacts: RMF, Operational risk profiles, BCP, controls and control testing including scenario […]

How healthy are your Compliance arrangements – it’s time to review your registers

A great indicator of the health of your compliance arrangements is the quantity and quality of data in your compliance registers. No data, or limited data, could indicate issues with your people and/or authorised representatives and the adequacy and effectiveness of your compliance arrangements. So what registers should you have and what should you expect to see?

Risk register

The risk register should include the 10-15 risks that could seriously impact your business operations. They should cover (as relevant) strategic risk, reputational risk, financial risk, people risk, legal risk, regulatory risk, compliance risk, conduct risk, technology risk, data risk and change management risk. The risk register should include accountability, key controls, control testing & action plans to close out any gaps arising from control testing. The risk register (plus all other registers) should be a standing agenda item at your quarterly Risk & Compliance Committee meeting, where control testing outcomes, action plans, the internal & external business environment and emerging risks are discussed.

Obligations register

This register is similar to the risk register but manages your compliance obligations. The register can be a stand-alone register or, for most underwriting agencies, TPAs and insurance brokers, included as part of your Risk & Compliance Manual. The register should capture AFS Licence obligations, financial service laws (including Prudential Standards for insurers), industry Codes & obligations arising from binder & other agreements. Typically an APRA regulated insurer will have ~300 material obligations, underwriting agencies & TPAs ~130 & insurance brokers ~80. The obligations register enables a shift in focus from the large number of obligations to 20-40 key controls. You can’t manage what you don’t know; an obligations register is critical.

Conflict of interest register

Conflicts arise in many situations and are a normal part of conducting business. Conflicts may arise from:
– family or personal relationships
– other business interests
– gifts & entertainment
– commission & fee arrangements
– related companies
– multiple directorships
– roles within an organisation – operational role v member of a risk committee

Financial service laws require licensees to adequately manage conflicts. This is usually by disclosure, controlling or avoiding. The conflict and the signed-off management of the conflict must be recorded in the conflicts register.

Incident & breach register

This register is the lifeblood of your business. People make mistakes, often. A well populated incident & breach register, covering a wide range of incidents, from a wide range of people across the business, is a sure sign of a continuous improvement culture. Incidents should be raised across all risk categories (refer risk register), not just compliance incidents. However, a compliance specialist must review the register to further investigate incidents & be on the lookout for breaches or likely breaches of financial service laws or Code. Typically, APRA regulated insurers should be capturing 200-300 incidents per quarter, underwriting agencies & TPAs 50-75 & insurance brokers 40-50. The number of incidents per quarter will be a factor of the nature, complexity & scale of your business.

Complaints register

If an incident […]

The importance of compliance training in General Insurance

The obligation to have trained, competent and experienced employees arises from many different sources of obligations:
– AFS Licence general obligations: employees must be trained & competent and comply with financial services laws. These laws include financial service obligations in the Corporations Act, misleading & deceptive conduct & Unfair Contract Terms in the ASIC Act, APRA Prudential Standards including CPS 230 & 234, the Insurance Contracts Act and the Privacy Act;
– A person providing financial product advice must have RG 146 training. Tier 2 is sufficient for general insurance products unless the person provides product advice for sickness and accident insurance;
– Responsible Managers, Directors & Officers, Accountable Persons and Fit & Proper People should receive specific training based upon the requirements of each regulatory role;
– Under the GI Code of Practice, a requirement that employees, Distributors and Claim Service Suppliers are trained to provide their services competently. In addition, it’s a GI Code obligation to ensure employees are trained in respect of supporting customers experiencing vulnerability. This will most likely include trauma-based training going forward;
– Under the Insurance Brokers Code of Practice, a professional commitment that employees maintain & improve competency through relevant qualifications, continued education & training. Also, Insurance Brokers under the Code must ensure that their employees, Authorised Representatives and agents receive appropriate education and training.

ANZIIF CIP and NIBA CPD points

A number of organisations use ANZIIF & NIBA methodology and points as evidence of compliance with the various training obligations. This is a great start; however, ANZIIF & NIBA points are part of the membership requirements for those industry bodies. By themselves, they may not meet the various regulatory obligations.

Firms within General Insurance must stipulate specific training

A requirement to annually achieve 20/25 hours of training for CIP or CPD purposes is a good starting point; however, in order to meet the various training obligations, the training must be specific enough to meet each individual obligation. For example, a firm may mandate that employees must successfully complete 25 hours of training per year, allocated as follows:
– 7 hours for financial service laws
– An additional 3 hours for regulatory roles (responsible managers etc)
– 5 hours for the relevant GI or Insurance Brokers Code of Practice
– 3 hours on supporting customers experiencing vulnerability
– 5 hours on the products and services provided by the firm.

The remaining hours can be left to the choice of the employee, noting that ’25 hours’ is not a magical competency figure. Competency is both a subjective and objective test. Some employees, due to the complexity of their role or their inexperience, may require additional hours beyond mandatory requirements. The point is that general insurance firms must mandate the nature, quality and quantity of training to be undertaken, in order to meet the various regulatory & Code obligations.

Additional obligations

It is a regulatory requirement that training must be recorded in a training register. This provides evidence of meeting the AFSL general obligation; therefore the register should be maintained and current. Training should be provided during induction […]

ASIC sues Cbus alleging systemic claims handling failures – lessons for General Insurance

More than 10,000 members and claimants of the Construction and Building Unions Superannuation Fund (Cbus) were impacted by death benefits and total and permanent disability (TPD) insurance claims taking more than 90 days to be processed, according to allegations contained in documents lodged by ASIC in the Federal Court (Media Release 24-251MR).

ASIC alleges that Cbus may have contravened the following provisions of the Corporations Act:
– ss 912A(1)(a) & (5A) by failing to act efficiently, honestly and fairly in the handling of its members’ claims for death benefit payments and TPD insurance payments;
– section 912DAA(1) and (7) for failing to lodge a reportable situation report within 30 days of becoming aware of a reportable situation; and
– section 1308(5) for failing to take reasonable steps to ensure the breach report lodged on 5 August 2023 was not false or misleading in a material particular.

ASIC is seeking penalties, declarations, adverse publicity orders and orders for compliance matters to be implemented.

What does this mean for General Insurance claims handling?

There are 3 takeaways:
– providing claims handling efficiently, honestly & fairly;
– adequate resourcing & adequately trained staff; and
– failure to take appropriate action.

Providing claims handling efficiently, honestly and fairly

As set out in ASIC INFO 253, ASIC considers that timeliness is a critical component of meeting the AFSL general obligation to provide claims handling & settling services efficiently, honestly & fairly. ASIC also considers that industry Code timeframes are useful indicators of what industry considers to be appropriate standards. In the Cbus matter, ASIC alleges that Cbus management had received reports from their outsourced material service provider that very large numbers of death & TPD claims were (1) older than 90 days & (2) even older than 365 days. Notwithstanding this data, the Board committees did not suggest any cause for alarm.

Takeaway: General Insurers, Underwriting Agencies and their claim service suppliers must not only monitor timeframes under the GI Code of Practice but also take appropriate action when data shows that timeframes are consistently not being met.

Adequate resourcing & adequately trained staff

ASIC alleges that the Cbus Risk Committee was aware that the material service provider had significant staff turnover & that the provider’s claims processing staff were not adequately trained. ASIC further alleges that Cbus failed to implement, or adequately implement, measures that would address the delays in processing death and TPD benefit claims.

Insurers were on notice from ASIC

ASIC wrote to insurers on 6 March 2024, ‘Obligations of general insurers: Insurance claims and severe weather events’. In that letter, ASIC set out their expectations of insurers, including: Insurers are required to sufficiently resource claims handling and dispute resolution functions, and ensure staff are adequately trained. This is a general obligation for AFSL holders. Relevantly, ASIC also advised insurers: our message is that ASIC is watching how insurers support their customers very closely. Evidence of significant misconduct identified through these channels may result in enforcement action.

Takeaway: General Insurers, Underwriting Agencies and their claim service suppliers such […]

Adequate risk management systems for Underwriting Agencies enabling them to meet Insurers’ CPS 230 requirements

The requirement of CPS 230 for general insurers is that they must effectively manage operational risks, maintain critical operations through disruptions, and manage the risks arising from service providers. It’s the latter requirement that has caused recent tension, with APRA expressing concern with insurers’ use of Underwriting Agencies, reminding insurers that they can outsource critical underwriting & claims functions, but not accountability.

Underwriting Agencies as an AFS Licensee

It’s all well & good for insurers to impose their requirements on agencies (& rightly so, to a degree); however, among all this, it should be remembered that an Agency who holds an AFSL must comply with its obligations or face severe consequences including reputational harm & civil penalties. Somewhat ironically, this may potentially also ‘severely disrupt’ the insurer’s operations.

An Agency holding an AFSL must have adequate risk management systems. The requirement for risk management systems ensures that agencies explicitly identify the risks they face and have measures in place to keep those risks to an acceptable minimum. This requirement sounds remarkably similar to the CPS 230 requirement on insurers. Therein lies the answer (lightbulb moment – I feel like a ‘tahdah’ is warranted at this point): the insurer meets its CPS 230 requirement to manage the risks arising from material service providers and the agency meets its AFSL obligation to have an adequate risk management system & manage its own risks.

ASIC (in RG 104) states that a licensee’s risk management systems will depend on the nature, scale and complexity of its business and risk profile. ASIC also states that the licensee’s risk management systems will need to adapt as their business develops and business risk profile changes over time. This would include enhancing the agency’s risk management system to enable it to meet the risk of their binder agreement being terminated. Taking a step back, an insurer would eventually terminate the agency’s binder agreement if they presented an unmanageable CPS 230 risk (or any risk for that matter, including in respect of CPS 234 Information Security).

What does an adequate risk management system look like for an insurance Underwriting Agency?

The risk management system must not only cover the risks of the Agency but also any of its representatives (such as authorised reps or distributors acting under an ASIC instrument).

Risk management components:
– A risk identification (risk profiling) brainstorming session including relevant stakeholders (potentially the insurer(s)) assists in identifying material risks to the business; to ensure nothing is missed, risks are categorised. CPS 230 provides assistance, defining operational risk as legal risk, regulatory risk, compliance risk, conduct risk, technology risk, data risk and change management risk. To this you would add strategic/reputational risk and financial risk.
– Risk appetite statement (RAS) – a board/senior management approved RAS is critical to define the amount of risk the Underwriting Agency is willing to accept in pursuit of its objectives, expressed against each risk category. This can be a simple 1 pager for a typical Underwriting Agency.
– Risks should be recorded in […]

๐—ง๐—ต๐—ฒ ๐—ฏ๐—ฒ๐—ป๐—ฒ๐—ณ๐—ถ๐˜๐˜€ ๐—ผ๐—ณ ๐—ต๐—ฎ๐˜ƒ๐—ถ๐—ป๐—ด ๐—ฎ ๐˜๐—ฎ๐—ถ๐—น๐—ผ๐—ฟ๐—ฒ๐—ฑ ๐—ฅ๐—ถ๐˜€๐—ธ & ๐—–๐—ผ๐—บ๐—ฝ๐—น๐—ถ๐—ฎ๐—ป๐—ฐ๐—ฒ ๐— ๐—ฎ๐—ป๐˜‚๐—ฎ๐—น ๐—ณ๐—ผ๐—ฟ ๐˜†๐—ผ๐˜‚๐—ฟ ๐—ถ๐—ป๐˜€๐˜‚๐—ฟ๐—ฎ๐—ป๐—ฐ๐—ฒ ๐—ฏ๐˜‚๐˜€๐—ถ๐—ป๐—ฒ๐˜€๐˜€

One of the compliance services that I provide is a fit-for-purpose & tailored risk & compliance manual. All Manuals are personally designed by myself.

The benefits
– governance, risk & compliance is maintained in a single place (~30-40 pages)
– documented evidence of your arrangements that can be easily shared with others. This is particularly useful for CPS 230 & FAR when dealing with APRA regulated insurers
– the manual is an accessible learning tool for your staff
– at a glance you can view your key controls
– the manual provides you with an operating rhythm for risk & compliance

The features
– your manual is crafted based on what you do. If you are a Licensee, Auth Rep, Code subscriber, Lloyds coverholder etc, your manual talks about the uniqueness of your business based upon the nature & scope of what you do & how you do it
– the manual is a source of staff training. Written in plain English, the manual provides easy-to-understand & concise guidance. Sources of law, Code & regulatory guidance are included as footnotes for when you need to know a little bit more. If something does not apply to your business, it’s not included. This reduces complexity, uncertainty & confusion.
– the manual includes the context for each obligation & incorporates your key controls. This joins the dots for your people, key stakeholders & partners in understanding how your control environment manages your obligations.
– the manual provides an operating rhythm for: a) governance including oversight by your board/senior management & your risk & compliance committee; b) roles & responsibilities; c) risk management process; d) licence management; e) control testing; f) monitoring of your people, Auth Reps & material service providers; g) incident management & breach reporting; h) dealing with regulatory change.
– the Manual reflects your business. It’s branded with your Corporate logo & colours; it talks about your AFS Licence or your Auth Rep scope, your AFCA responsibilities, your obligations under Code, your obligations as a member of a group network or industry body. If you are a Steadfast broker & use CCX 360, the manual includes that. If you are a Lloyds coverholder, the manual includes Lloyds market bulletins. If you have a binder, the manual includes your key binder obligations. If you are a material service provider, the manual assists in managing the expectations of your partners.

Assurance
Importantly, your Risk & Compliance Manual provides assurance of the adequacy of your compliance arrangements to your key stakeholders. The Manual clearly shows: the sources of your obligations => your obligations => your key controls.

If you are interested in understanding how a tailored, fit-for-purpose Risk & Compliance Manual can benefit your business, contact me.

๐—ช๐—ต๐—ฎ๐˜ ๐—ฑ๐—ผ๐—ฒ๐˜€ ๐—ด๐—ผ๐—ผ๐—ฑ ๐—ฐ๐—ผ๐—บ๐—ฝ๐—น๐—ถ๐—ฎ๐—ป๐—ฐ๐—ฒ ๐—น๐—ฒ๐—ฎ๐—ฑ๐—ฒ๐—ฟ๐˜€๐—ต๐—ถ๐—ฝ ๐—น๐—ผ๐—ผ๐—ธ ๐—น๐—ถ๐—ธ๐—ฒ?

I have worked with more than 175 firms in general insurance, providing compliance assistance. I’ve found that the best leaders consistently possess certain fundamental qualities & skills when viewed through a compliance lens.

How do you compare against these 10 compliance leadership attributes?

1. Don’t defer accountability
Good leaders don’t say ‘compliance is someone else’s job’. They own responsibility for compliance in their business area & are accountable & take ownership for control-breakdowns, issues & breaches & resultant customer remediation.

2. Protect your team members
They protect the careers of their team members. They ensure that compliance arrangements provide a safe environment for team members to perform their work. Good leaders make staff aware of their compliance obligations through training &, consistently, through team meetings. Good leaders protect team members from the team members’ ‘compliance ignorance’ through adopting Standard Operating Procedures, implementing sales, underwriting & claims guidelines & through documented business practices, systems & ongoing training.

3. Create a safe environment
Leaders create a safe environment for team members to self-report incidents, breaches & complaints quickly. They accept that team members are human & make mistakes. They are fair & equitable in their responses to compliance incidents. They remain calm & focused on facts when presented with potential customer or business harm arising from something going wrong within their team. They remain focused on remediation & rectification and not retribution.

4. Be informed and aware of industry compliance happenings
Leaders stay on top of compliance change; they are curious & seek to understand how upcoming changes (such as CPS 230, FAR, Code review, flood inquiry) may impact their area of accountability & risk profile. They seek out the advice & counsel of compliance & legal specialists to fully understand the impacts of regulatory (& Code) change. They openly discuss with their team news headlines (commission payments, premium affordability & availability) even when those conversations may be difficult due to potential business impacts.

5. Obtain data for your area of responsibility
They obtain data (incidents, breaches, complaints, control testing, QA etc) to inform them of the adequacy of compliance arrangements for their area of accountability. They drill down & ask questions, including when there is a lack of data. They compare their area’s data with other business areas from a learning perspective, not from a competition perspective.

6. Walk the talk – attend and embrace your own training
They are mindful of the compliance shadow they cast. Good leaders enthusiastically inform team members about upcoming compliance training the leader is attending & share the outcomes & learnings back with the team. They consistently demonstrate through their actions how compliance protects the business, their team members, customers & business partners.

7. Use compliance issues, breaches and complaints as a learning experience
They use data from their own area together with other business areas to provide learnings & business continuous improvement. They use story-telling from their lived experience to bring compliance to life for the team. They use practical business examples to create […]

๐—ง๐—ต๐—ฒ ๐—ธ๐—ฒ๐˜† ๐˜๐—ผ ๐˜€๐˜‚๐—ฐ๐—ฐ๐—ฒ๐˜€๐˜€๐—ณ๐˜‚๐—น ๐—ฏ๐—ฟ๐—ฒ๐—ฎ๐—ฐ๐—ต ๐—บ๐—ฎ๐—ป๐—ฎ๐—ด๐—ฒ๐—บ๐—ฒ๐—ป๐˜ ๐—ถ๐˜€ ๐˜๐—ผ ๐—ณ๐—ผ๐—ฐ๐˜‚๐˜€ ๐—ผ๐—ป ๐—ถ๐—ป๐—ฐ๐—ถ๐—ฑ๐—ฒ๐—ป๐˜๐˜€ ๐—ป๐—ผ๐˜ ๐—ฏ๐—ฟ๐—ฒ๐—ฎ๐—ฐ๐—ต๐—ฒ๐˜€

Your people are a critical part of your compliance arrangements and serve the purpose of being your early warning system. In addition to employees, this includes Authorised Representatives, Material Service Providers and anyone acting on your behalf to provide your financial services and general insurance products.

Your compliance arrangements provide a safe place to do business. Your compliance arrangements are the (1) governance & frameworks, (2) people & culture, (3) processes & procedures & (4) systems & reporting, that collectively operate together and provide a fortress, protecting what matters – the business & its customers, people, partners & stakeholders.

What is an incident

However, stuff happens and things go wrong. Technically, this means there has been a break-down in your control environment. When this happens, an incident has escaped from within the safe harbour of your compliance arrangements. The sole purpose of an incident is to cause as much harm and chaos in the shortest time possible. Incidents act stealthily. They lurk in the shadows causing loss, harm and detriment until detected. An incident may or may not be a breach; however, if left undetected they will exponentially grow until they are so big that they have manifested into a breach of obligations/Code or a complaint & become visible to customers and regulators.

It is critical to identify incidents as early as possible. An incident, self-identified & reported on day 1, may cost the business $1,000; 4 years later, the same incident may have matured into a breach & cost $xx million + interest + lost management time + reputational impacts + regulatory enforcement action.

Your people as an early warning system

Your compliance arrangements are the first layer of protecting what matters. Your people are the 2nd layer. Your people vigilantly survey the landscape, waiting to identify & self-report when ‘something has happened that shouldn’t have or hasn’t happened that should have’ (the definition of an incident). In this context, incidents are those being self-identified & reported & not incidents discovered through other mechanisms such as quality assurance monitoring, 2nd line oversight, customer complaints or regulatory activity.

The golden rules of incident management
– The quicker an incident is identified & raised, the less likelihood of harm or detriment being caused
– Provide a safe environment to raise incidents
– Be conservative & raise everything
– Look at the root cause and review the control environment
– Use AIRR: Awareness, Identify, Raise, Report

Awareness

Train your people on what an incident is (identify) and what to do when detected (report). Your training should not focus on the 10,000+ laws & Code that govern our industry. Provide examples of what an incident in each area of the business looks like – sales, underwriting, claims, finance, broking etc. An incident, something has happened that shouldn’t have, is:
– a pool of water on the staff kitchen floor
– my IT system is down for 30 minutes
– I didn’t send out an FSG or PDS
– I haven’t completed my training
– I think I provided the customer some incorrect information […]

๐—”๐—ฃ๐—ฅ๐—”’๐˜€ ๐—ณ๐—ผ๐—ฐ๐˜‚๐˜€ ๐—ผ๐—ป ๐—ถ๐—ป๐˜€๐˜‚๐—ฟ๐—ฒ๐—ฟ๐˜€ ๐˜‚๐˜€๐—ฒ ๐—ผ๐—ณ ๐—จ๐—ป๐—ฑ๐—ฒ๐—ฟ๐˜„๐—ฟ๐—ถ๐˜๐—ถ๐—ป๐—ด ๐—”๐—ด๐—ฒ๐—ป๐—ฐ๐—ถ๐—ฒ๐˜€ – ๐—ฑ๐—ผ๐—ป’๐˜ ๐—ฝ๐—ฎ๐—ป๐—ถ๐—ฐ!

In a speech to the ICA Annual Conference in Brisbane yesterday, APRA Executive Board member Suzanne Smith said, ‘a focus for APRA over the coming year: [is] the risk associated with outsourced underwriting to agencies.’ Ms Smith continued:

Partnering with experts to underwrite hard-to-place risks or to reduce operational and distribution costs can be a strategy. However, it is important to remember that the responsibility for core underwriting decisions always remains with the licensed insurer, as insurance risk and accountability are the very reason why insurers hold licences in the first place. Strong governance practices are crucial here, including robust on-boarding and exit plans, elimination or clear management of conflicts of interest, adequate governance resources, and sound data security. This also extends to scaling operations, such as ramping up claims handling during a crisis. The key takeaway is that while authority can be delegated, the ultimate responsibility remains solely with the insurer.

The intersection between Prudential Standard CPS 230 & AFS Licence obligations

I asked the question from the floor, ‘how should the dichotomy between the obligations of an APRA regulated insurer in respect of CPS 230 for underwriting agencies be managed, given the independent obligations of an agency holding an AFS Licence?’ Let me answer my own question.

CPS 230 requirements

An APRA-regulated entity must … manage the material risks associated with using [material service] providers. Material service providers are those on which the entity relies to undertake a critical operation or that expose it to material operational risk. (paragraph 49 CPS 230) Underwriting Agencies, TPAs (insurance claim managers) & insurance brokers with delegated underwriting authority are deemed to be material service providers, unless the insurer can justify otherwise (p 50). Operational risk is defined to include, but not be limited to, legal risk, regulatory risk, compliance risk, conduct risk, technology risk, data risk and change management risk. (p 24)

AFSL requirements

Underwriting agencies (& TPAs & brokers) who hold an AFS Licence have general obligations (refer section 912A(1) Corporations Act), including the obligation to have adequate risk management systems (s 912A(1)(h)). ASIC expects that a Licensee’s risk management system will:
(a) be based on a structured and systematic process that takes into account your obligations under the Corporations Act;
(b) identify and evaluate risks faced by your business, focusing on risks that adversely affect consumers or market integrity (this includes risks of non-compliance with the financial services laws);
(c) establish and maintain controls designed to manage or mitigate those risks; and
(d) fully implement and monitor those controls to ensure they are effective. (refer RG 104.62)

Importantly, ASIC also notes that [the licensee’s] risk management systems will depend on the nature, scale and complexity of their business and their risk profile (my emphasis). They will be different for each licensee. (RG 104.63)

So what does this mean for insurers and their underwriting agencies?

It follows from the above that:
– Underwriting Agencies holding an AFS Licence must have a fit-for-purpose system of managing risk, including operational risk
– Insurers must manage the risk, […]