Both banking and insurance sectors have experienced a stream of new regulations over the past decade. Much of it stems from the global financial crisis and centres on capital stability in the shape of the Basel reforms, in banking, as described by the Bank for International Settlements; while the introduction of Solvency II for the insurance industry has led to an overhaul of governance.
The Solvency II directive, which became fully applicable to European insurers and reinsurers in January 2016, placed an obligation on insurance companies to implement an adequate and transparent governance system and to conduct their own risk and solvency assessment on a regular basis.
In the insurance sector the regulation and supervision of internal governance mechanisms form a core part of the risk-management framework because some risks may only be addressed properly through governance requirements.
According to Michele Siri, a professor of Business Law at the University of Genoa, “an effective system of governance requires a proactive approach on the part of insurance firms, with a significant impact on the duties and obligations of the members of the board, on the one hand, and on the supervisor’s ability to assess the compliance of the internal governance with these specific requirements, on the other.”
Furthermore, Solvency II places policyholder protection at the heart of each link in the supply chain, thereby imposing a duty on the board to incorporate this into company-wide governance.
Guidelines on the systems of governance issued by the European Insurance and Occupational Pensions Authority suggested a more “intrusive” approach, which focuses on making forward-looking judgements about firms. This proactive attitude also includes supervision of how the board agrees and oversees the firm’s risk framework.
According to Siri, “this is a profound change which introduces a ‘four-eyes’ principle to decision-making and the specific role of signing off the strategic plan and monitoring its execution by managers.”
The spectre of IFRS 17 will have a profound effect on the industry as participants look to comply with a 2021 implementation deadline. The new regulation presents a profound challenge as insurance companies pull together divergent local operational and accounting models into a single global coherent standard.
As an example of the diversity of approaches that need to be reconciled, EU regulations currently require insurers to use updated discount rates to value future cashflows. Others, including America and many parts of Asia, allow the use of historical discount rates and assumptions valid at the time the policy was issued.
Beyond the hundreds of millions in compliance costs, the implementation of IFRS 17 will consume management time and resources at the very top of the organisation. In banking, local and supranational regulators have sought to tackle excessive short-term risk-taking, introducing curbs on compensation and increasing the ability of boards to claw back bonuses of officers found guilty of misconduct or in breach of risk limits.
Continuous compliance culture
The direction of regulatory travel has moved towards holding individuals accountable, with a view to ensuring that companies implement a continuous compliance culture within their organisation. Applying proportionality to their approach to compliance has also long been a challenge for smaller firms.
For many this reached its peak with the introduction of the Senior Managers and Certification Regime (SM&CR) to the banking industry in 2016, a measure which gave designated individuals responsibility and provided tough sanctions, including heavy fines and even imprisonment, for breach of duties.
The SM&CR is now being rolled out in the insurance industry which needs to comply from 10 December 2018. On the one hand it places the responsibility for good governance on the shoulders of the executive committee and the board of directors, pushing compliance to the top of the agenda.
On the other, it has acted as a deterrent, prompting experienced professionals to leave the industry, or made it hard for financial services firms to attract talented non-executive directors as individuals consider the level of personal risk involved.
Mazars’ Dan Mellows says: “This shift towards greater personal accountability may inadvertently risk a tendency for self-preservation at the expense of the wider organisation’s best interests. Surely the collective responsibility of boards should remain undiminished.”
Meanwhile, the introduction in January 2018 of MIFID II in banking and asset management is leading to consolidation in banking, as asset managers respond to unbundling by reviewing the allocation of their research wallet and reducing the number of brokers they deal with.
Policy (premium) pricing practices have also been brought to the forefront of insurers’ minds, as they respond to the UK Financial Conduct Authority’s (FCA) thematic review of fair treatment of long-standing customers in the life insurance sector. Also to new guiding principles from the Association of British Insurers’ and British Insurance Brokers’ Association, which target excessive discrepancies between new business premiums and policy renewals.
Furthermore, the application of the Ogden rate changes, reducing it from 2.5% to -0.75%, has piled the pressure on insurers and their approach to reserving.
The challenge for every board is to ensure that compliance functions have the resources, know-how and organisational status to provide proper checks and balances. Failure to do so results in heavy fines. In 2017, Barclays chairman John McFarlane said the bank had given all its revenues back in fines. As a result, the bank’s share price remains depressed.
Ineffective compliance can destroy shareholder value and damage corporate reputation. Goldman Sachs is braced for a legal battle after one of its former bankers said the bank encouraged a culture of evading compliance in the pursuit of deals. Other banks such as HSBC and Standard Chartered have suffered punitive settlements with regulators following the breach of anti-money laundering regulations. They have also been forced to adopt know-your-customer programmes that ensure they do not trade with corporations or individuals that break the law, while the PPI (payment protection insurance) scandal has cost UK banks billions of pounds.
The financial and non-financial sectors held their collective breath in anticipation of the first round of potentially significant fines being levied for non-compliance with the EU’s General Data Protection Regulation (GDPR), expected by the end of 2018. GDPR imposes a maximum fine for breaches of €20m or 4% of annual global turnover, whichever is higher.
Mellows adds: “Whilst public opinion is that the Information Commissioner’s Office will actively scrutinise dotcom giants’ and public bodies’ treatment of personal data, larger financial services institutions are unlikely to be far down the ICO’s risk list. This is due to both the sensitivity of the data they hold and the potential for prevailing mistrust in light of a chequered past, notably the PPI and Libor scandals.”
The key is for boards to ensure compliance by placing it top of the agenda. A survey of 22 institutions conducted last year by the FCA found that, by and large, “the compliance function is moving toward a pure, independent, second-line-of-defence risk function with a higher profile within firms.”
Compliance representatives have been added to boards and governance committees, and reporting lines of the function elevated, it found. The survey also found that compliance functions have grown in size and are relying more on technology to deliver against their mandates. Business and product knowledge are required to understand and effectively challenge front-office activities, as are communication and influencing skills.
Stay ahead
Boards can take a number of steps to ensure they stay ahead of this new complex environment. In terms of governance and oversight, measures can include creating new board level representation, and ensuring they have the right talent within the compliance function.
“Indeed, the effectiveness of the second-line functions should be of personal interest to those fulfilling regulated functions due to the role risk, compliance and legal play in protecting them from myriad regulatory and organisational pitfalls,” says Mellows.
Allocating accountability for specific compliance activities is also crucial, and the creation of regulatory affairs functions is now more commonplace. As a third-line function, internal audit is increasingly being used to assess the maturity, status and impact of their counterpart compliance functions.
There are also a number of organisational and structural elements to consider. The perceived Balkanisation of regulation, with firms subject to increasingly local rules as well as global directives, presents a particular challenge, especially when financial services institutions continue to operate as global entities.
The growth of the compliance function means that it may be more appropriate to align it with global divisions and functions, while embedding it more within operational risk. One of the lessons of the financial crisis was that compliance functions were seen as supine, powerless in the face of autocratic management against a backdrop of light-touch regulation.
This tide has turned, and as legislation such as the Senior Managers and Certification Regime shows, regulators have more power than ever before. Compliance functions are stiffening their resolve and finding their voice. This creates a new concern: as control stands at the very top of board agendas, risk avoidance must not be prioritised at the expense of pragmatism and entrepreneurialism.
In a fluid technological and regulatory landscape, firms seeking growth must stay ahead of more nimble competitors while ensuring they maintain compliance. This requires strong leadership at board level but also a recognition of the second line’s status and the importance of its counsel.
This article is an excerpt from the Special Report – Future-Proofing Financial Services . You can read the full report here