Time to Take Control of the Cost of Compliance

By Michael Luderer, Managing Director, Severn Consultancy (01/04/2013)

Most people in the insurance industry know that the regulators are going to make their lives very difficult indeed in the years to come. With the birth of the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) in 2013, there is a growing sense that these new UK authorities are going to shine their lights into every dark corner of the market, while on the European front, preparations for Solvency II will rumble on.

The days of simply jogging along maintaining compliance between Advanced Risk Responsive Operating Framework (ARROW) visits have long gone. Both regular submissions and ad hoc requests for information from the Financial Services Authority (FSA), Lloyd’s and the other regulators already come thick and fast, reaching into every department and function. However, the FSA has made it abundantly clear that the FCA and the PRA are going to take a more interactive approach. We can expect them to be even more demanding, continuously and doggedly probing every aspect of insurance companies’ conduct and financial prudence in their quest for transparency and protection of the policyholder.

This will reinforce the imperative for absolute consistency when responding to information requests from the regulators. It will also demand a much more streamlined and coordinated approach to the way insurance companies manage both their internal communication and external interaction with the regulators. Most firms currently deploy a reactive, de-centralised approach to respond to regulators’ data requests, which introduces a genuine danger when responses to regulators are run through silos, rather than being properly managed and co-ordinated across the company.

There is no doubt that the coming regulatory environment is going to be highly disruptive and it would be simplistic to imagine that these new regulators will be concerned about the effect they have on the day-to-day running of the companies they supervise. They will not be worrying about the cost of the lost business opportunities they may cause, nor the fact that they might consume senior and valuable people’s time, keeping them away from essential tasks that have to be delayed or carried out by others. And they will certainly not lose sleep over the additional demands they place on the risk and compliance, finance, and actuarial departments – or indeed anyone else in the organisation.

At a recent breakfast seminar hosted by Severn Consulting exploring the management of regulation within the insurance industry, one of the biggest concerns voiced by delegates was the future cost of compliance and dealing with regulators’ demands. It’s hard to predict, but one thing is certain: when you take into account the total opportunity cost, disruption, short-term diversion of resources and consumption of management time, that could very well add up to a very big number indeed.

The killer problem, though, in an industry that is based entirely around the idea of quantifying risk, is the uncertainty about the future costs of dealing with regulators in this much tougher environment. With wafer-thin margins in so many market sectors, any unknowns when it comes to the future cost of compliance could cause a problem.

Perhaps even more alarming is that many companies have yet to work out how they are going to respond to this challenge.

As things stand, most insurers run their regulation management through their risk and compliance offices. They pass on requests for information from the regulators to the relevant people or departments and then channel back the responses. The difficulty is that in most cases this approach is already creaking under the pressure from the regulator and the sheer volume and complexity of their requests.

This is unsatisfactory for many reasons, not least because it’s prone to error and few people have a complete picture of the status of all information requests. Indeed, this tactical approach could well blow up entirely when the FCA and the PRA get into their stride. The risks of providing inaccurate or even inconsistent data, of the regulators getting heavy and of matters escalating are considerable. And nobody in the insurance industry can afford to take any kind of gamble with their reputation.

But even leaving aside the growing problem of risk that this ad hoc approach to regulation management will carry in the post-FSA era, it is also highly inefficient and costly. Duplication, misunderstanding about what’s needed and when, delays and black holes are almost inevitable as the demands for information increase. This all adds to the overall cost of compliance and regulation management and makes it even more unpredictable.

So how do you take control of the costs of regulation? The obvious answer is to manage the process properly through a centralised Regulatory Office (RO) providing a single point of contact for all regulators and internal departments. The exact scope and scale of the RO should be decided by the scope and scale of the company itself, but using simple project management techniques, it would maintain a complete understanding of the status of all information requests across the firm. This will also enable it to anticipate problems, allocate resources appropriately, avoid duplication, and minimise both unplanned disruption to other business-as-usual activities and lost opportunity costs.

The RO will also be in a good position to direct and co-ordinate the implementation of any structural or operational changes that may be required by future, as yet unknown, regulatory demands. Indeed, horizon scanning and the practical analysis of future regulatory trends should be a central function of the RO.

The RO will not only introduce rigour, transparency and control to the process and costs of regulation management, it will also be able to achieve more subtle benefits through its close working relationship with the regulators. If it does this well, it will be able to achieve discreet flexibility when it is needed most. For example, it may be able to influence the timing of some ad hoc information requests so that less disruption is caused. The finance department, for instance, would prefer not to be dealing with a sudden and detailed information request when it is busy with the year end. Equally, the IT department would feel the same if it were racing to complete a major change management project.

All these subtle compromises, earned through a proper but close working relationship with the regulators, would deliver additional operational benefits. Such a relationship would be virtually impossible under a decentralised, ad hoc regulation management system. Indeed, the chances of not being able to satisfy the regulators under a diversified approach, resulting at the very least in more scrutiny and escalating demands for substantial and detailed information at short notice, will surely increase along with all the attendant costs.

The arguments in favour of a centralised regulatory management operation are compelling from every angle. The risk of non-compliance and reputational damage in a much more intensive regulatory environment, either through error or misunderstanding, will be substantially reduced. Costs of regulatory management can be controlled and minimised. Finally, the RO is a scalable concept, with systems, protocols and resources that can be expanded and adapted to meet any challenge or demand that any regulator might throw at it.

No one can predict exactly what impact the regulators are going to have on the insurance industry. We all know that they will present a big challenge, against a backdrop of continued cost pressure across the sector. But what if there’s another AIG-type incident or another financial services scandal that infects the entire industry? That might spark another reassessment of the regulatory regime.

But that’s the point: no insurance company can afford to gamble on being able to muddle its passage through a highly unpredictable regulatory cloud without a centralised RO. If it does this, it risks losing control of its costs, compliance failure (even if inadvertently through an error) and perhaps serious damage to both its reputation and shareholder value.