Because of its importance in society, the insurance industry has always faced a considerable amount of regulatory requirements at the national (BaFin) and international (EIOPA) level.
Although this is generally something to be welcomed, this also presents a range of different challenges – not least because the regulations have indirect effects and unintended side effects. This article outlines current and future regulatory requirements beyond Solvency II that insurance companies will have to adjust to. The focus is primarily laid on what is known as the Insurance Distribution Directive (IDD) and the consequences for distribution compliance. In addition, the current draft of the BaFin on the Insurance Supervisory Requirements for IT (VAIT) is addressed. In addition to a description of the regulatory requirements that apply to insurance policies, options for meeting these requirements are described.
Regulatory requirements for distribution – subject and consequences of the IDD
The Directive (EU) 2016/97 of the European Parliament and the European Council for Insurance Distribution (IDD), published on 2 February 2016 and enacted on 23 February 2016, has the objective of achieving a minimum level of harmonization in the EU member states with regard to existing national insurance distribution rules and to improve consumer protection through greater transparency and advice tailored to the needs of the consumers. Member states must incorporate the directive into national law within two years, i.e. by 23 February 2018 at the latest. This happened by means of a resolution in the German Bundestag on 30 June 2017 and ratification by the Bundesrat on 7 July 2017. The IDD was implemented, with the exception of two changes in favour of insurance brokers, according to the previously published government bill of 9 January 2017. Although the details are still to be settled in a forthcoming national decree, and the European Parliament is currently in favour of postponing the implementation deadline (for parts) of the IDD to 1 October 2018, insurers must already take the necessary steps to ensure successful implementation. The requirements for the distribution of insurance can be derived from the bill; some important aspects are briefly described below.
In future, the distribution fee (Section 48a of the Insurance Supervision Act (VAG)) should not conflict with the obligation of the insurance companies or their employees to act in the best possible interest of the customers. The incentive system must not be designed in such a way that a specific insurance product is offered to a customer even though another would be more appropriate to their needs. Here, in particular, target conflicts between sales targets at the product level and the interests of the customer must be resolved. This also affects the process of designing commissions and incentives in sales management. In this context, appropriate organisational or administrative measures must be taken to prevent this problem. If the precautions are not sufficient to avoid conflicts of interest, the nature and source of those conflicts of interest must be disclosed to the customer on a durable medium in a clear and timely manner prior to conclusion of the contract. German legislature did not make use of the option to introduce a ban on commission; however, when granting commission, care must be taken to ensure that they do not adversely affect the quality of the service to the customer.
Furthermore, changes are planned in the Insurance Contracts Act (VVG), for example, a newly inserted Section 7a of the VVG on cross-selling. If an insurance product is sold together with a by-product that is not insurance, the individual components of the package offered must be individually described and explained, including the costs and fees applicable to the individual components. Information must also be provided as to whether the components can be purchased separately. In addition, the reciprocal effects arising from the package compared to separately purchasing the components, in particular the related risks and insurance cover, must be disclosed. If insurance is offered as a by-product to a non-insurance product, as is the case, for instance, with car insurance when a car is sold, then the policyholder is also to be offered the non-insurance product (this is usually the case when buying a car) individually (there are a few exceptions, for example if the by-product is a credit agreement).
Special rules also apply to the sale of packaged retail investment and insurance products (PRIIPs) (Sections 7b, 7c of the VVG). A PRIIP is an insurance product that offers a maturity value or a redemption value that is fully or partially exposed to market fluctuations directly or indirectly. Excluded from this are the products listed in Art. 2 (17 a) to e)) of the IDD, such as term life insurance or Riester and Rürup pensions. In the case of insurance investment products, the customer must be informed as to whether a regular suitability test of the insurance investment product is carried out for the target market, of risks associated with the product and of any existing costs and fees. If the insurance broker or the insurance company provides consulting services for an insurance investment product, there is an obligation to provide the customer with a suitability statement by means of a durable medium before conclusion of the contract, in which the consulting services provided and the way in which these correspond to the preferences, goals and other customer-specific characteristics are listed. In addition, the planned new introduction of Section 6a of the VVG must be considered, in which the obligation to document the advice given to the customer and the reasons for this are regulated much more precisely than before.
The future requirements mentioned here not only go beyond legal but also beyond currently voluntary rules, such as the principles of the GDV Code of Conduct imposed by most German insurers on themselves. It is advisable to check the existing distribution processes as soon as possible despite the planned delay of entry into force.
Regulatory requirements in IT – the VAIT consultation process and possible consequences for IT risk management
IT requirements for insurance companies have recently become subject to increased regulatory focus in the wake of the current consultation and a first draft by BaFin on the Insurance Supervisory Requirements for IT (VAIT). The aim of this process is to substantiate the general requirements for the business organisation of insurance companies in terms of technical and organisational aspects in accordance with Section 23 (1) of the VAG or to provide a standard for assessing appropriateness (see also VAIT draft version dated 6 November 2017, p. 3). Important requirements for the areas of IT risk management can be found in the VAIT draft especially regarding:
- Information risk management
- IT operations (including data backup)
- IT projects/application development
- User authorisation management
Regarding information risk management, the risk (potential damage and frequency of damage) of the IT application must be analysed and monitored. The procedural and technical requirements increase depending on the risk. In this context, assignment to a protection requirement class is recommended as part of an inventory of IT applications. Because IT systems and ‑processes are designed to ensure the integrity, availability, authenticity and confidentiality of the data being processed, the aforementioned aspects act as protection goals. User numbers, level of complexity, data volume, integration into key decision-making processes and the type of data generated by the IT application may serve as indicators for the assignment.
With regard to IT operations or data backup, requirements are made regarding the accuracy of the data used. Attention should be paid to the up-to-dateness of the source data, accurate calculations and protecting data appropriately against loss. To ensure this, the query in the source system should be standardised via specified selection criteria, e.g. by means of background processing. Completeness and unaltered storage may be ensured by appropriate techniques, e.g. semaphore, flag or hash sum techniques. Source data should preferably be adopted in the original format and stored (for example in the case of spreadsheets) in a separate, write-protected worksheet, with other worksheets being used for processing/results.
In the context of IT projects/application development, there is a requirement to adequately manage IT projects, especially taking into account the risks in terms of duration, resource consumption and quality. Above all, the applications developed by departments themselves (end-user computing (EUC)) carry an increased risk, with the result that they are explicitly mentioned in the VAIT. Due to the high degree of individualisation, the problem with EUC is that the traceability of the programme code and its versions is often not ensured, especially if a file is developed further or regularly overwritten, without this being documented. Here, versioning for the EUC application, i.e. spreadsheets, programme files, databases and related documents should be mandatory, increasing the traceability of EUC changes. In general, guidelines for requirements management, programming, documentation and test and acceptance procedures for EUC must be defined.
It must be ensured that the EUC application can be used, adapted and controlled independently of the programmer. Helpful documentation steps include:
- Documentation of the development and change requirements for the respective EUC application version to be created
- Architecture documentation that includes data sources, an overview of the logic and the results of the application
- Program documentation, which can be done in the source code by detailed comments and filed with the respective application version
- A user manual, which can also be integrated into higher-level process descriptions
In the context of user authorisation management, it must be ensured that the users are assigned appropriate authorisations. Simple restrictions to access rights regarding updates to the IT application and the correction of errors, such as a cell protection in Excel or Access database security, are viable options. The calculation logic might be a particularly vulnerable area. In this context, the processing formulas and regulations used must be properly protected against (unwanted) changes, e.g. through cell protection. The appropriate separation of functions should also be considered in this context. Above all, EUCs are often only tested or checked for plausibility by the programmer, which leads to a questionable level of application quality. Programming and quality assurance should therefore be carried out by different people. Furthermore, with EUC it is often the case that there is no clear separation between test and productive versions of an EUC and the data. To ensure appropriate control by a non-process-related third party and to prevent the inadvertent change of operational data, the following aspects should be considered, among others:
- Strict separation of test and production environments (data and applications), for example in different directories
- Traceability of the test documentation with reference to the tested version and the test data
- Before the production start, both the technical and functional acceptance of the product version of an EUC application that is to be put into use must be guaranteed and documented. A copy of the approved or product version must be stored in a protected place for the long term.
- Regular internal audits should be carried out by IT experts involved in the audit. The internal audit department must not be involved in the content design in order to preserve their neutrality/distance. For smaller insurance companies, co-sourcing or targeted support from external experts for internal auditing is certainly an option.
Implications for the significance of RegTechs
Since virtually every regulatory change leads to a greater or lesser need for adaptation of the existing IT systems, there is an increase in the importance of so-called RegTechs (regulatory technologies), which specialise in the technical aspects of legal compliance. To this end, RegTech companies combine new technologies such as big data or blockchain with regulatory expertise to help insurance companies meet their requirements. By working together, insurance companies hope to expedite the implementation of new legislation into the system landscape. Typical tasks that RegTechs undertake include the exchange of data with regulatory authorities, data analysis or reporting. For insurers, such digitalisation has the advantage that regulatory processes can be increasingly automated and thus implemented more efficiently. A chance to enhance efficiency can arise from the “necessary evil” of making regulatory adjustments. However, responsibility for the correct realisation and implementation of the processes remains with the insurance company. The extent to which only services are provided or outsourcing takes place must be examined and considered by the insurance company.
The analysis shows that insurance companies face many new regulatory requirements in the areas of distribution and IT. In the context of the IDD, this need for change results from the fact that the new regulatory requirements go both beyond existing legislation and in parts beyond the already existing voluntary industry compliance regulations in Germany, such as the GDV Code of Conduct. With IT risk management and IT security, other areas are coming under regulatory focus that reflect the increasing digitalisation of the industry and of life and that make appropriate measures necessary to handle the associated risks. The ever-increasing number of requirements coupled with strict sanctioning mechanisms and, in some cases, heavy fines mean that the significance of regulatory requirements will continue to increase. To make matters worse, regulatory changes also require adjustments in the area of IT. This is where RegTechs come into play, who, with their expertise in both regulatory and IT matters, strive to efficiently implement the necessary changes. Against this background, regulatory changes can also prove to be a trigger for process improvement.