Paul’s 10 ‘Rules of thumb’ for General Insurance compliance

Compliance in General Insurance can be complex. Over the years I have developed Paul’s ‘Rules of Thumb’ to assist in simplifying compliance for my clients. Naturally, when designing compliance arrangements the complete obligation needs to be considered; however, the following can be adopted by front-end staff as a mantra.

1. Start with Codes – when designing compliance arrangements, start with the GI Code and/or Insurance Brokers Code. Codes go beyond the law and are customer friendly; the end result is a more dynamic, customer-experience-based compliance approach. It is still necessary to bring in financial services laws, however starting with the Codes assists in developing a customer-centric approach to compliance.
2. Align disclosures with the customer experience – aligned with Rule of Thumb 1, General Advice Warnings, the FSG, the PDS and many other obligations for Retail Clients have timing requirements (when to provide the notice or warning). Aligning these compliance requirements with the customer sales experience provides a more meaningful and contextual approach for front-end staff.
3. APRA or ASIC – APRA is primarily focused on policyholder protection (carrying on insurance business in Australia), while ASIC is primarily concerned with consumer protection (carrying on a financial services business in Australia).
4. Advice – when a sales person, distributor, broker or underwriter talks to a client/customer, assume they are providing advice.
5. Cash Settlement Fact Sheet (CSFS) – if a PDS has been provided to a client, and that PDS states that claim settlement options include repair or replace, a CSFS will be required when settlement is to be via a cash settlement.
6. Incidents – an incident is where something has happened that wasn’t supposed to happen. The intention is for front-end staff to report as many incidents as possible. A trained person can then filter/triage as necessary.
7. Complaints – a complaint is where a customer is not satisfied with an outcome. The intention is for front-end staff to report as many complaints as possible. A trained person can then filter/triage as necessary.
8. Commissions – commissions are an inherent conflict of interest, and must be managed accordingly through disclosure, control(s) or avoidance.
9. Technology-neutral – financial services laws are technology-neutral; the obligation applies irrespective of whether the service is performed by a human or by technology (including AI).
10. If in [compliance] doubt, speak to Paul.

The key theme from my ‘Rules of Thumb’ is to create simple, meaningful messages for front-end staff as a quick reminder of important compliance obligations. Engaging with customers and clients can be challenging, with complex problems requiring a solution. Simple tips and messaging enable compliance to be part of the solution.

Using AI ‘efficiently, honestly and fairly’ in insurance claims

ASIC Report 798, Beware the gap: Governance arrangements in the face of AI innovation, identified the most common uses of AI for insurance claims as:

- Supporting the claims process: claims triaging, decision engines to support claims staff, document indexation, identifying claims for cost recovery; and
- Automating a component of the claims decisioning process, while humans remain responsible for the overall claims decision.

and the emerging uses as:

- The use of generative AI and natural language processing techniques to extract and summarise key information from claims, emails and other key documents.

Financial services laws are technology neutral; therefore, when providing claims handling and settling services using AI, the general obligation to provide those services ‘efficiently, honestly and fairly’ remains.

Providing claims handling and settling efficiently, honestly and fairly

ASIC INFO 253 provides guidance on providing claims handling and settling efficiently, honestly and fairly. To satisfy this obligation, you will generally need to handle and settle insurance claims:

- in a timely way;
- in the least onerous and intrusive way possible;
- fairly and transparently; and
- in a way that supports consumers, particularly ones who are experiencing vulnerability or financial hardship.

Australia’s AI Ethics Principles

The incorporation of the eight Australian AI Ethics Principles into AI policies and procedures is supported by ASIC, and they should be used when adopting AI in claims processing. The eight AI Ethics Principles are:

1. Human, societal and environmental wellbeing: AI systems should benefit individuals, society and the environment.
2. Human-centred values: AI systems should respect human rights, diversity, and the autonomy of individuals.
3. Fairness: AI systems should be inclusive and accessible, and should not involve or result in unfair discrimination against individuals, communities or groups.
4. Privacy protection and security: AI systems should respect and uphold privacy rights and data protection, and ensure the security of data.
5. Reliability and safety: AI systems should reliably operate in accordance with their intended purpose.
6. Transparency and explainability: there should be transparency and responsible disclosure so people can understand when they are being significantly impacted by AI, and can find out when an AI system is engaging with them.
7. Contestability: when an AI system significantly impacts a person, community, group or environment, there should be a timely process to allow people to challenge the use or outcomes of the AI system.
8. Accountability: people responsible for the different phases of the AI system lifecycle should be identifiable and accountable for the outcomes of the AI systems, and human oversight of AI systems should be enabled.

Licensees must consider their existing regulatory obligations

‘What licensees need to do to comply with their existing regulatory obligations when using AI depends on the nature, scale and complexity of their business. It also depends on the strength of their existing risk management and governance practices. This means there is no one-size-fits-all approach for the responsible use of AI.’ (ASIC REP 798)

ASIC provides the following examples in REP 798: Licensees must do all things necessary to ensure that financial services or credit services are provided in a way that meets all of […]

CPS 230 readiness for General Insurance

Much has been said and written about CPS 230; however, the time for talking and planning is rapidly coming to an end (and has probably passed for the large insurers). It’s time for implementation!

Debunking the CPS 230 myths

There continues to be some misinformation circulating about CPS 230, what it is and what it isn’t. Let’s deal with these first. What are the facts?

- CPS 230 (i) only applies as an obligation for insurers and (ii) only for those authorised by APRA under section 12 of the Insurance Act 1973 (Act). This means CPS 230 applies to general insurers in Australia, including foreign general insurers, and does not apply to Lloyd’s underwriters. Lloyd’s underwriters are authorised under section 93 of the Act and do not come within the definition of General Insurers (s 11 of the Act).
- Lloyd’s underwriters (and Coverholders) do not get a ‘free ride’. The FCA’s UK operational resilience rules come into effect in the UK in March 2025. Also refer to Lloyd’s Principle 12, Operational Resilience. The FCA rules are similar to CPS 230.
- CPS 230 compliance is not a complex technical issue per se. Much should already exist. It’s a resourcing issue, especially the work around critical operations, process mapping, controls testing, material service providers and updating existing or creating new risk artefacts. A risk person within the CRO team of an APRA-regulated insurer would be very familiar with the key CPS 230 requirements: operational risk, tolerance levels, critical operations (and disruption thereof), outsourcing, business continuity, risk profile, control testing and scenarios.
- Service providers do not have any obligations under CPS 230. CPS 230 is the insurer’s responsibility. The obligations for service providers manifest when they perform critical operations for the insurer (for general insurance this is claims processing) or expose the insurer to material operational risk (at a minimum, for general insurance unless justified otherwise: underwriting, claims management, insurance brokerage and reinsurance). The service provider obligations would be reflected in the Binder Agreement and/or Service Provider Agreement as obligations imposed on the service provider by the insurer.
- Non-compliance with CPS 230 does have significant consequences. Section 38AA of the Act requires insurers to notify APRA of certain matters. These include immediate notification of a breach of a Prudential Standard that relates to financial obligations the general insurer has to its policyholders or to the general insurer’s minimum capital requirements, and, for other breaches of a Prudential Standard, notification within 10 Business Days where the breach is significant within the meaning of s 38AA(5).

What should insurers be doing?

As I mentioned earlier, compliance with CPS 230 requires some ‘risk-thinking’ [within risk appetite]. However, CPS 230 is more of a resource and project management challenge. There are a number of risk ‘task-based’ activities that insurers should be doing now:

- identify critical operations;
- set tolerance levels;
- process mapping: identify the processes and resources needed to deliver these critical operations, including material service providers;
- updating risk artefacts: RMF, operational risk profiles, BCP, controls and control testing including scenario […]

How healthy are your Compliance arrangements – it’s time to review your registers

A great indicator of the health of your compliance arrangements is the quantity and quality of data in your compliance registers. No data, or limited data, could indicate issues with your people and/or authorised representatives and with the adequacy and effectiveness of your compliance arrangements. So what registers should you have, and what should you expect to see?

Risk register

The risk register should include the 10-15 risks that could seriously impact your business operations. They should cover (as relevant) strategic risk, reputational risk, financial risk, people risk, legal risk, regulatory risk, compliance risk, conduct risk, technology risk, data risk and change management risk. The risk register should include accountability, key controls, control testing and action plans to close out any gaps arising from control testing. The risk register (plus all other registers) should be a standing agenda item at your quarterly Risk & Compliance Committee meeting, where control testing outcomes, action plans, the internal and external business environment and emerging risks are discussed.

Obligations register

This register is similar to the risk register but manages your compliance obligations. The register can be a stand-alone register or, for most underwriting agencies, TPAs and insurance brokers, included as part of your Risk & Compliance Manual. The register should capture AFS Licence obligations, financial services laws (including Prudential Standards for insurers), industry Codes and obligations arising from binder and other agreements. Typically an APRA-regulated insurer will have ~300 material obligations, underwriting agencies and TPAs ~130, and insurance brokers ~80. The obligations register enables a shift in focus from the large number of obligations to 20-40 key controls. You can’t manage what you don’t know; an obligations register is critical.

Conflict of interest register

Conflicts arise in many situations and are a normal part of conducting business. Conflicts may arise from:

- family or personal relationships
- other business interests
- gifts and entertainment
- commission and fee arrangements
- related companies
- multiple directorships
- roles within an organisation (e.g. an operational role vs membership of a risk committee)

Financial services laws require licensees to adequately manage conflicts. This is usually by disclosure, controlling or avoiding. The conflict, and the signed-off management of the conflict, must be recorded in the conflicts register.

Incident & breach register

This register is the lifeblood of your business. People make mistakes, often. A well-populated incident and breach register, covering a wide range of incidents from a wide range of people across the business, is a sure sign of a continuous improvement culture. Incidents should be raised across all risk categories (refer to the risk register), not just compliance incidents. However, a compliance specialist must review the register to further investigate incidents and be on the lookout for breaches or likely breaches of financial services laws or a Code. Typically, APRA-regulated insurers should be capturing 200-300 incidents per quarter, underwriting agencies and TPAs 50-75, and insurance brokers 40-50. The number of incidents per quarter will be a factor of the nature, complexity and scale of your business.

Complaints register

If an incident […]

The importance of compliance training in General Insurance

The obligation to have trained, competent and experienced employees arises from many different sources of obligations:

- AFS Licence general obligations: employees must be trained and competent and comply with financial services laws. These laws include financial services obligations in the Corporations Act, misleading and deceptive conduct and unfair contract terms in the ASIC Act, APRA Prudential Standards including CPS 230 and CPS 234, the Insurance Contracts Act and the Privacy Act.
- A person providing financial product advice must have RG 146 training. Tier 2 is sufficient for general insurance products unless the person provides product advice for sickness and accident insurance.
- Responsible Managers, Directors and Officers, Accountable Persons and Fit and Proper People should receive specific training based upon the requirements of each regulatory role.
- Under the GI Code of Practice, there is a requirement that employees, Distributors and Claim Service Suppliers are trained to provide their services competently. In addition, it is a GI Code obligation to ensure employees are trained in supporting customers experiencing vulnerability. This will most likely include trauma-based training going forward.
- Under the Insurance Brokers Code of Practice, there is a professional commitment that employees maintain and improve competency through relevant qualifications, continued education and training. Also, insurance brokers under the Code must ensure that their employees, Authorised Representatives and agents receive appropriate education and training.

ANZIIF CIP and NIBA CPD points

A number of organisations use ANZIIF and NIBA methodology and points as evidence of compliance with the various training obligations. This is a great start; however, ANZIIF and NIBA points are part of the membership requirements for those industry bodies. By themselves, they may not meet the various regulatory obligations.

Firms within General Insurance must stipulate specific training

A requirement to annually achieve 20/25 hours of training for CIP or CPD purposes is a good starting point; however, in order to meet the various training obligations, the training must be specific enough to meet each individual obligation. For example, a firm may mandate that employees must successfully complete 25 hours of training per year, allocated as follows:

- 7 hours on financial services laws
- an additional 3 hours for regulatory roles (Responsible Managers etc.)
- 5 hours on the relevant GI or Insurance Brokers Code of Practice
- 3 hours on supporting customers experiencing vulnerability
- 5 hours on the products and services provided by the firm

The remaining hours can be left to the choice of the employee, noting that ‘25 hours’ is not a magical competency figure. Competency is both a subjective and an objective test. Some employees, due to the complexity of their role or their inexperience, may require additional hours beyond the mandatory requirements. The point is that general insurance firms must mandate the nature, quality and quantity of training to be undertaken in order to meet the various regulatory and Code obligations.

Additional obligations

It is a regulatory requirement that training be recorded in a training register. This provides evidence of meeting the AFSL general obligation; therefore the register should be maintained and current. Training should be provided during induction […]

ASIC sues Cbus alleging systemic claims handling failures – lessons for General Insurance

More than 10,000 members and claimants of the Construction and Building Unions Superannuation Fund (Cbus) were impacted by death benefit and total and permanent disability (TPD) insurance claims taking more than 90 days to be processed, according to allegations contained in documents lodged by ASIC in the Federal Court (Media Release 24-251MR).

ASIC alleges that Cbus may have contravened the following provisions of the Corporations Act:

- ss 912A(1)(a) and (5A), by failing to act efficiently, honestly and fairly in the handling of its members’ claims for death benefit payments and TPD insurance payments;
- s 912DAA(1) and (7), for failing to lodge a reportable situation report within 30 days of becoming aware of a reportable situation; and
- s 1308(5), for failing to take reasonable steps to ensure the breach report lodged on 5 August 2023 was not false or misleading in a material particular.

ASIC is seeking penalties, declarations, adverse publicity orders and orders for compliance matters to be implemented.

What does this mean for General Insurance claims handling?

There are three takeaways:

1. providing claims handling efficiently, honestly and fairly;
2. adequate resourcing and adequately trained staff; and
3. failure to take appropriate action.

Providing claims handling efficiently, honestly and fairly

As set out in ASIC INFO 253, ASIC considers that timeliness is a critical component of meeting the AFSL general obligation to provide claims handling and settling services efficiently, honestly and fairly. ASIC also considers that industry Code timeframes are useful indicators of what industry considers to be appropriate standards. In the Cbus matter, ASIC alleges that Cbus management had received reports from their outsourced material service provider that very large numbers of death and TPD claims were (1) older than 90 days and (2) even older than 365 days. Notwithstanding this data, the Board committees did not suggest any cause for alarm.

Takeaway: General Insurers, Underwriting Agencies and their claim service suppliers must not only monitor timeframes under the GI Code of Practice but also take appropriate action when data shows that timeframes are consistently not being met.

Adequate resourcing and adequately trained staff

ASIC alleges that the Cbus Risk Committee was aware that the material service provider had significant staff turnover and that the provider’s claims processing staff were not adequately trained. ASIC further alleges that Cbus failed to implement, or adequately implement, measures that would address the delays in processing death and TPD benefit claims.

Insurers were on notice from ASIC

ASIC wrote to insurers on 6 March 2024 (‘Obligations of general insurers: Insurance claims and severe weather events’). In that letter, ASIC set out its expectations of insurers, including: ‘Insurers are required to sufficiently resource claims handling and dispute resolution functions, and ensure staff are adequately trained. This is a general obligation for AFSL holders.’ Relevantly, ASIC also advised insurers: ‘our message is that ASIC is watching how insurers support their customers very closely. Evidence of significant misconduct identified through these channels may result in enforcement action.’

Takeaway: General Insurers, Underwriting Agencies and their claim service suppliers such […]

Adequate risk management systems for Underwriting Agencies enabling them to meet insurers’ CPS 230 requirements

The requirement of CPS 230 for general insurers is that they must effectively manage operational risks, maintain critical operations through disruptions, and manage the risks arising from service providers. It’s the latter requirement that has caused recent tension, with APRA expressing concern with insurers’ use of Underwriting Agencies, reminding insurers that they can outsource critical underwriting and claims functions, but not accountability.

Underwriting Agencies as AFS Licensees

It’s all well and good for insurers to impose their requirements on agencies (and rightly so, to a degree); however, among all this, it should be remembered that an Agency which holds an AFSL must comply with its own obligations or face severe consequences, including reputational harm and civil penalties. Somewhat ironically, this may potentially also ‘severely disrupt’ the insurer’s operations.

An Agency holding an AFSL must have adequate risk management systems. The requirement for risk management systems ensures that agencies explicitly identify the risks they face and have measures in place to keep those risks to an acceptable minimum. This requirement sounds remarkably similar to the CPS 230 requirement on insurers. Therein lies the answer (lightbulb moment; I feel like a ‘ta-dah’ is warranted at this point): the insurer meets its CPS 230 requirement to manage the risks arising from material service providers, and the agency meets its AFSL obligation to have an adequate risk management system and manage its own risks.

ASIC (in RG 104) states that a licensee’s risk management systems will depend on the nature, scale and complexity of its business and risk profile. ASIC also states that the licensee’s risk management systems will need to adapt as its business develops and its business risk profile changes over time. This would include enhancing the agency’s risk management system to enable it to meet the risk of its binder agreement being terminated. Taking a step back, an insurer would eventually terminate the agency’s binder agreement if it presented an unmanageable CPS 230 risk (or any risk for that matter, including in respect of CPS 234 Information Security).

What does an adequate risk management system look like for an insurance Underwriting Agency?

The risk management system must not only cover the risks of the Agency but also those of any of its representatives (such as authorised representatives or distributors acting under an ASIC instrument).

Risk management components:

- Risk identification (risk profiling): a brainstorming session including relevant stakeholders (potentially the insurer(s)) assists in identifying material risks to the business. To ensure nothing is missed, risks are categorised. CPS 230 provides assistance by defining operational risk as including legal risk, regulatory risk, compliance risk, conduct risk, technology risk, data risk and change management risk. To this you would add strategic/reputational risk and financial risk.
- Risk appetite statement (RAS): a board/senior management approved RAS is critical to define the amount of risk the Underwriting Agency is willing to accept in pursuit of its objectives, expressed against each risk category. This can be a simple one-pager for a typical Underwriting Agency.
- Risks should be recorded in […]

Tidying up after a busy June: a compliance perspective

Insurance brokers – Tidying up after a busy June: a compliance perspective

You’ve had a hectic June but feel satisfied because you assisted so many clients. There is an alarming amount of paperwork that you need to clear, and you’re desperately trying to remember all the compliance stuff that you’re supposed to do. I’m not condoning non-compliance; however, you have a small window to rectify. We are only human after all, and we all make mistakes. Don’t forget to raise any non-compliance as an incident in either CCX 360 or a similar register, and declare it on your attestation.

Over the past 4 weeks:

- Did you provide Terms of Engagement to prospective clients?
- Did you provide an FSG?
- If the client is a retail client, did you disclose your actual $ remuneration?
- Was any client dissatisfied with your service? If so, raise it as a complaint, give the client a call to check in, apologise and advise them of your IDR process.
- Did you provide support to any client experiencing vulnerability?
- Did you correctly identify consumer insurance contracts and comply with your client’s duty to take reasonable care not to make a misrepresentation? In all other cases, did your client comply with their duty of disclosure?
- Did you contact your client at least 14 days before the policy expiry date?
- Did you bind terms for your client? If the insurer or underwriting agency did not provide renewal terms or a non-renewal notice to you 14 days prior to the due date, your client has the benefit of statutory cover for renewals.
- Did you ensure that your retail client fell within the Target Market Determination?
- Did you send your retail client the PDS (which also includes the policy schedule)?
- If you are a NIBA member and won the account but the previous broker did all the renewal work, did you send the commission to the previous broker?
- In your client dealings, did you act honestly and with integrity?
- Did you act with commercial decency?
- Did you exercise the duty of care to your client that a reasonable broker in your circumstances would?
- Was all client money paid into your trust account?
- Are there any E&O matters that you need to disclose to your PI insurer?

As the dust settles in June, now is a great time to think about a compliance health check. When conducting a compliance health check of your broking business I consider:

1. Financial services laws
2. Your AFSL authorisations and conditions
3. Your obligations as an Authorised Rep
4. Your monitoring of your staff, ARs and referrers
5. If you’re a Steadfast member, the Steadfast Broker Code of Conduct
6. If you’re a NIBA member, the Code of Practice
7. CCX 360 or equivalent (evidence of compliance)