Change is constant, and nowhere more so than in General Insurance: regulatory change, upcoming Code changes, changes due to regulator reviews, Court decisions, Code compliance reviews; the list is endless. Add to that internal change due to binder & capacity changes and service supplier changes, and the list goes on.
Large insurers manage change through project management teams & change pipelines. However, what do you do if your resources are limited?
This article has been written for Underwriting Agencies, Lloyd's coverholders, Insurance Brokers, TPAs, Service Suppliers & small to medium sized insurers who must manage regulatory change and remain compliant through the complexity created by change.
1. The importance of a compliance operating rhythm
The starting point is to have a Risk & Compliance Manual, tailored to your business, that describes your compliance measures and provides you with an operating rhythm for managing risk & compliance. The Manual must include your obligations (financial services laws, GI or NIBA Code, binder agreement(s), service supplier agreements etc) and the key controls that are assigned to manage the obligations. A separate Obligations register is suitable for larger firms provided the register is referenced in the Manual, including how the register is managed.
2. The source of regulatory change
Your manual must identify your sources of regulatory change. They are numerous and generally include (for non-lawyers) signing up to receive email feeds from:
- regulators such as ASIC, APRA, OAIC, Austrac, ACCC
- AFCA
- Industry Associations such as ICA, NIBA, UAC and Insurtech Australia
- Financial services legal firms
- Insurance news services
- me via my LinkedIn posts and my monthly Newsletter Navigating Compliance in General Insurance
Also be mindful of internal change or change from your business partners.
3. High level review
You’ve identified the regulatory change. What next?
At this stage ask 3 questions:
- does this change apply to General Insurance? and, if so,
- does this change apply to the cohort I’m part of? (brokers, underwriting agency, TPA, service suppliers, insurers); and/or
- will this change impact me upstream/downstream (eg a Prudential Standard or the GI Code of Practice that applies to an insurer)?
If yes to these questions, proceed with step 4; otherwise ignore the change.
4. Deep analysis
You need to work out the impact of the regulatory change to your business.
It is useful to engage with your Industry Association, peers or your risk & compliance advisor (I’m happy to assist with any queries) to understand the common approaches that are being adopted across the industry to the regulatory change.
Adopting the Who, What, When, Where, Why, and How approach is useful:
- start with ‘why’ and understand the underlying rationale and purpose of the change
- ‘what’ is about the details. What does the new law require me to do?
- ‘when’ does the regulatory change take effect? This assists in planning the runway.
- ‘where’ does the regulatory change apply? eg underwriting, claims, broking
- ‘how’ provides the details of what you must do to comply with the new regulatory change
- ‘who’ does the change apply to and impact – AFS Licensees, APRA regulated insurers, Lloyd's Coverholders, authorised representatives, retail clients, service suppliers etc
5. Planning for the change
You need to consider change in context of Controls, People, Process, Systems (IT) and Regulatory artefacts.
Controls – look at your current key controls in your Risk & Compliance Manual and search for similar existing controls. If the new regulatory change requires you to notify the customer, what other existing controls are also designed to manage contact with customers? (the controls for Terms of engagement, FSG, General Advice Warning, PDS et al). Can you use an existing control? Does an existing control require amendment? Do you need a new control?
This ensures your controls are efficient and you do not have too few or too many controls or duplicate controls for similar obligations.
Don’t forget to update your Manual to include the new obligation(s) and the changes to your Key Controls. This is critical so that the new regulatory change is incorporated into your risk & compliance Operating Rhythm.
People – this will involve training and communications.
- Representatives – employees and authorised representatives need to be told about the change and trained in how to comply
- Service suppliers and business partners who may be impacted
- Customers – including notification requirements & warnings
- Distributors
- and, if you act for an Insurer, the insurer, as it's likely the change also impacts their operations and you may have to coordinate your regulatory change approach with that of the insurer
Processes
Taking into account the changes to your Key controls, what processes do you need to change or introduce to ensure that you meet the requirements of the regulatory change?
Systems – is an automated response appropriate? Do you need to update existing policy, claims or broking systems? This change usually takes the longest, so start this change early. Also, test for unintended consequences of the change through UAT in the production environment.
Regulatory artefacts
Often regulatory change will require a new disclosure document or warning to be created (regulatory artefacts). These regulatory artefacts need to be created as part of the planning process and have legal signoff.
Disclosure documents generally have timing requirements (when to provide to a customer) and content requirements – both must be met.
Also, don’t forget to update your Business Continuity Plan.
6. Implement
Implementing change involves translating planned initiatives into action by executing strategies, allocating resources, communicating effectively, and monitoring progress. It’s a process that requires a structured approach.
Progress of actions against the plan should be monitored and reported internally to your Risk & Compliance Committee, identifying risks, obstacles and actions to implementing the regulatory change as planned. This should be considered and reported as part of Operational risk – change management risk.
7. Connect the pipes to the system
As part of the implementing phase don’t forget ‘plug n play’.
Any new or amended controls (people, process or systems) required to implement the regulatory change must feed into your existing processes for:
- incident management (including breach management)
- complaints management
- Risk & Compliance reporting to the Risk & Compliance committee, senior management, board and other key stakeholders
- Control testing program (a Key Control not tested is no control)
- Monitoring Program (monitoring staff, authorised representatives, distributors and service suppliers)
8. Test and review – continuous improvement
Even though your controls will be tested as part of your Control Testing program, you should test the controls (people, process & systems) after implementation to ensure that they are designed & operating effectively and enable you to meet the regulatory change requirements.
It is also useful to pause and reflect and consider: what worked well? What could be improved? Don’t forget to update your Risk & Compliance Manual with changes to the regulatory change process; this will assist with continual improvement for the next regulatory change.
9. Need assistance?
If you need assistance with:
- developing a Risk and Compliance Manual tailored to your business;
- a process for regulatory change; or
- any compliance support
Contact me, Paul Muir
Disclaimer: Reproduction of statements made in this article by media outlets, whether in full or in part, is strictly prohibited without the written express consent of the author. The views, opinions, and positions expressed within this article are those solely of the author and Compliance Advocacy Solutions Pty Ltd and not the views of other individuals, companies or organisations they may be affiliated with. The author and Compliance Advocacy Solutions Pty Ltd make no representations as to accuracy, completeness, currency, suitability, or validity of any information in this article and will not be liable for any errors or omissions or any loss or damage arising from its use or reliance. This article is intended for educational and informational purposes only and should not be relied upon as professional legal advice.