REGULATION AND COMPLIANCE Chaired by Ravi Rastogi, Mercer Caroline Gardner, FCA Steve Dixon, SDA LLP Cheryl Martin, EY
Emerging issues in Conduct Regulation
AFM Conference, 10th October 2016
Caroline Gardner, FCA Head of Department, Pensions and Retirement Income
Agenda
• Role of the FCA
• Pensions changes
• Health and Protection
• EU Regulation
• Corporate Governance

Role of the FCA in insurance regulation
The FCA’s statutory duties:
• Ensuring that markets work well
• Securing an appropriate degree of protection for consumers
• Protecting and enhancing the integrity of the UK financial system
• Promoting effective competition in the interests of consumers
Pension freedoms
• Major changes for firms and for consumers
• Availability of guidance/advice: adequacy of signposting to Pension Wise
• Impact on lifestyling
• Exit charge caps for those exercising pension freedoms
• Underlying challenge for the individual consumer remains to accumulate sufficient resources during their working life to fund their lifestyle in retirement

Longstanding customers
• Initial findings of our thematic review were published in March 2016
• Finalised Guidance is being drafted and our intention is to publish this year
• In July we held a CEO roundtable on capping or removing exit charges
• We continue to work with the eleven firms in the survey
• Our expectation is that the rest of the industry will also engage with the guidance
Secondary Annuity Market
• Enables consumers with pre-existing annuities to benefit from pension freedoms
• Some remaining issues:
  • Comparing an income stream with a lump sum
  • Consumer understanding, e.g. longevity risk
  • Role of annuity providers and intermediaries

Health and Protection
• Importance of income protection and critical illness cover
• Relationship between protection and mortgage business, particularly critical illness cover
• The role of automated advice
• With an ageing population comes the need for long term care, which could increase the need for health insurance protection products
The EU agenda
• FCA is working with Govt to provide technical support as required
• Existing financial regulation remains in place
• Any changes are for the Govt and Parliament
• Firms must continue to abide by their relevant obligations and to implement plans for legislation that is still to come into effect

PRIIPs regulation
• Affects all firms selling insurance-based investment products
• A PRIIPs KID is needed for all PRIIPs products available to retail consumers
• From the end of the year (unless that changes…)
• Legal liability for KID shortcomings lies with the PRIIPs manufacturer
• FCA will monitor the market
Insurance Distribution Directive
• Our intention is to consult on some of the requirements early in 2017
• Further consultation is likely later in the year once EIOPA has considered its technical advice on IBIPs and the pre-sale PID
• We encourage industry to review the Directive and to participate in the consultations

Governance and the SM&CR
• Governance is a key theme for regulation
• SIMR and the Senior Managers & Certification Regime
• Affects all SII insurers and large NDFs
• Proportionate regime for small NDFs
• We expect to consult in 2017 on extending SIMR into the full SM&CR

And finally…
• The value of the mutual sector
• Diversity and challenge in financial services
Solvency II – Public Disclosure and Reporting to Supervisors
Steve Dixon of SDA LLP at the AFM 2016 Conference

What will I talk about?
What?
• What is in the reports and the detail required?
• Public / private?
Who?
• Suggested people to do the reports?
• How do you bring it together?
When?
So far?
• Timetable?
• Audit?
• Experience to date?
What is reported?
• A – Business and Performance
• B – System of Governance
• C – Risk Profile
• D – Valuation for Solvency Purposes
• E – Capital Management

What are the reports?
• Solvency and Financial Condition Report (SFCR)
  • Public document in pdf form on your website
  • Some of the quantitative templates added in pdf form
• Regular Supervisory Report, or Report to Supervisors (RSR)
  • Private report that goes alongside the quantitative templates to PRA

Options on RSR and SFCR?
• One document
• Two documents
• Only answering required questions?
• Easier to have RSR as extensions to SFCR?
Business and Performance 1. Basics
(Each item below is tagged with the report it belongs in: SFCR, RSR or both.)
• Name and legal form of undertaking (SFCR)
• Name and contact details of supervisory authority, and contact details of supervisor if applicable (SFCR)
• Name and details of external auditor of firm (SFCR)
• Description of qualifying holdings in firm (SFCR)
• If in a group, details of position in group within legal structure (SFCR)
• Material lines of business and material geographical areas where it carries out business (SFCR)
• Any significant event over the reporting period that had a material impact on the firm (SFCR)
• Main trends that contributed to development and position over its business planning period, including competitive position and legal and regulatory issues (RSR)
• Description of business objectives of firm, including strategies and time frames (RSR)

Business and Performance 2. Underwriting performance
• Qualitative and quantitative information on underwriting performance at aggregate level and at material lines of business and material geographical areas level, including comparison with last year (SFCR)
• Underwriting income and expenses split as above, with comparative and reasons for any change (RSR)
• An analysis of overall underwriting performance (RSR)
• Comparison of performance against projections and significant factors for divergence from projection (RSR)
• Projections of underwriting performance, plus significant factors that could affect it over the business planning time period (RSR)
• Information on any risk mitigation techniques entered into during reporting period (RSR)

Business and Performance 3. Investments (all comparative)
• Information on income and expenses from investments, and components of the income and expenses if necessary to understand it (SFCR)
• Any gains and losses in value (SFCR)
• Information on investments in securitisation (SFCR)
• Reasons for material changes in income and expenses from last year to this (RSR)
• An analysis of overall investment performance during period and by class (RSR)
• Projections of investment performance and significant factors that could affect this over business planning time period (RSR)
• Key assumptions firm makes in investment decisions on movement in interest rates, exchange rates and other market parameters over business planning time period (RSR)
• Securitisation information including risk management procedures (RSR)

Business and Performance 4. Other
• Other income and expenses incurred, plus comparison with previous reporting period (SFCR)
• Other income and expenses expected over business planning time period (RSR)
• Any other material information on business and performance, in a separate section (SFCR & RSR)
Systems of Governance 1. Basic information
• Structure of Board and Committees, including descriptions of main roles and responsibilities and segregation of responsibilities within bodies and key functions (SFCR)
• Any material change in governance that has taken place in the period (SFCR)
• Remuneration policy and practices: principles including split fixed/variable, individual and collective performance criteria, supplementary pension / early retirement schemes for Board members (SFCR)
• Material transactions with shareholders or people who exercise influence (SFCR)
• Information that allows the supervisor to understand governance arrangements and assess their appropriateness to strategy and operations (RSR)
• Information on delegation of authority, reporting lines and allocation of functions (RSR)
• Remuneration entitlements of Board over the reporting period, with comparative for last period and reasons for any material change (RSR)

Systems of Governance 2. Fit and proper
• Description of firm’s requirements on skills, knowledge and expertise for key functions and for people who run the organisation (SFCR)
• Description of process for assessing fitness and propriety of persons (SFCR)
• A list of persons in the undertaking who carry out key functions (RSR)
• Policies and processes established to ensure the persons above are fit and proper (RSR)

Systems of Governance 3. Risk Management Systems
• Description of system including strategies, processes and reporting, and how it is able to identify, measure, monitor, manage and report on a continuous basis (SFCR)
• How it is implemented and integrated into the organisational and decision making structure (SFCR)
• Risk management strategies, objectives, processes and reporting for each risk (RSR)
• Information on significant risks exposed to over the lifetime of insurances and how captured in solvency needs (RSR)
• Information on significant risks identified that are not captured in SCR (RSR)
• How firm fulfils the “prudent person principle” in investment (RSR)
• How firm verifies credit assessments from rating bodies and how ratings are used (RSR)
• Results of assessment of extrapolation of risk free rate, matching adjustment and volatility adjustment (RSR)

Systems of Governance 4. ORSA
• Description of process undertaken to conduct ORSA as part of risk management, including how it is integrated within organisational structure and decision making (SFCR)
• How often ORSA is reviewed and approved by the Board (SFCR)
• Explanation of how firm determined its own solvency needs given its risk profile, and how capital management activities and its risk management system interact (SFCR)
• Description of how ORSA is done, internally documented and reviewed (RSR)
• How it is integrated into management and decision making (RSR)

System of Governance 5. Internal Control Systems
• Description of internal control system (SFCR)
• Description of how compliance function operates (SFCR)
• Information on key procedures of control system (RSR)
• Information on activities during the reporting period (RSR)
• Information on compliance policy, process for review, frequency of review and any significant changes during reporting period (RSR)

Systems of Governance 6. Internal Audit
• Description of how internal audit function is implemented (SFCR)
• How internal audit maintains its independence and objectivity (SFCR)
• Description of internal audits performed during period, with summary of material findings and any actions undertaken (RSR)
• Internal audit policy, process for undertaking reviews of policy, frequency of reviews and any significant changes to policy (RSR)
• Audit plan including future internal audits and rationale (RSR)
• If internal audit carries out other key functions, how you have assessed that there is no conflict of interest and that this is in line with proportionality (RSR)

System of Governance 7. Actuarial function
• How the actuarial function is implemented (SFCR)
• Overview of activities undertaken by actuarial function during the period and how it contributes to the risk management system (RSR)

System of Governance 8. Outsourcing
• Description of the outsourcing policy, any critical outsourcing and where the service providers are located, including jurisdiction (SFCR)
• Rationale for outsourcing of critical or important functions, and evidence that safeguards and oversight are in place (RSR)
• Information on service providers of critical and important functions and activities, and how firm ensures they comply with Article 274 of the Delegated Act (fitness, data protection and so on) (RSR)
• List of persons responsible for outsourced key functions in the service provider (RSR)

System of Governance 9. Other
• Assessment of adequacy of system of governance relative to nature, scale and complexity of risks inherent (SFCR)
• Any other material information? (SFCR)
• Any other material information? (RSR)
Risk Profile 1. Headings for information
• Underwriting risk (SFCR & RSR)
• Market risk (SFCR & RSR)
• Credit risk (SFCR & RSR)
• Liquidity risk (SFCR & RSR)
• Operational risk (SFCR & RSR)
• Other material risks (SFCR & RSR)
• Any other information (SFCR & RSR)

Risk Profile 2. Risk exposure including off balance sheet
• Measures used to assess these risks, including material changes (SFCR)
• The material risks that firm is exposed to, including material changes (SFCR)
• How assets have been invested in accordance with the prudent person principle so that risks can be managed (SFCR)
• Overview of material risks anticipated over business planning time period given business strategy, and how these will be managed (RSR)
• If firm sells or pledges collateral, the amount (RSR)
• Where firm provides collateral, nature of collateral and assets and liabilities (RSR)
• Material terms and conditions of collateral agreements (RSR)
• Complete list of assets and how they have been invested (RSR)
• Repo or securities lending arrangements, including liquidity swaps (RSR)
• Variable annuities: terms on guarantee riders and hedging of guarantees (RSR)

Risk Profile 3. Loans, concentration and mitigation
• Volume and nature of loan portfolio (RSR)
• Description of material risk concentrations (SFCR)
• Overview of future material risk concentrations anticipated over business plan and how they will be managed (RSR)
• Description of techniques for mitigating risks and processes for monitoring effectiveness of these techniques (SFCR)
• Description of risk mitigation considered over the business planning time period, including rationale and effect of such techniques (RSR)
• If firm holds collateral, value of collateral and information on material terms (RSR)

Risk Profile 4. Liquidity risk and risk sensitivity
• With regard to liquidity risk, amount of expected profit in future premiums assumed (SFCR)
• Amount of expected profit in future premiums, result of qualitative assessment, and methods and main assumptions used to calculate it (RSR)
• Risk sensitivity: methods used, assumptions made and outcome of stress testing and sensitivity analysis for material risks (SFCR)
• All other stress testing and sensitivity analysis: methods, assumptions and outcome (RSR)

Risk Profile 5. Other
• Quantitative information on dependencies of risk modules and of the BSCR (RSR)
• Other material information (SFCR & RSR)
Valuation for Solvency Purposes 1. General
• Split between assets, technical provisions and other liabilities
• All require:
  • Value plus description of bases, methods and main assumptions used for each material line of business, asset and other liability (SFCR)
  • Quantitative and qualitative explanation of any material differences in methods, bases and assumptions against those used in the report and accounts (SFCR)
  • If alternative methods are used, justify and describe the method used, explain the level of uncertainty and compare against experience (e.g. equity release) (RSR)
  • If not following IFRS, need to explain why costs would be disproportionate (RSR)

Valuation for Solvency Purposes 2. Extra for technical provisions
• Best estimate and risk margin given separately (SFCR)
• Description of level of uncertainty (SFCR)
• Matching adjustment: statement of use, description of policies covered and assigned assets, plus impact of removing the matching adjustment on technical provisions and on SCR / MCR, basic own funds and amount of own funds to cover SCR / MCR (SFCR)
• Volatility adjustment: statement of use, and impact of removing as above (SFCR)
• Transitional risk free rate: statement of use, and impact of removing as above (SFCR)
• Transitional deduction: statement of use, and impact of removing as above (SFCR)
• Recoverables from reinsurance and SPVs (SFCR)
• Material changes in assumptions and methods from last time (SFCR)
• Assumptions on future management actions described (RSR)
• Assumptions on policyholder behaviour (RSR)

Valuation for Solvency Purposes 3. Other
• Items on risk management on underwriting and reserving, claims management, asset liability management, investment risk management, liquidity management (including EPIFP), reinsurance management, concentration risk management and operational risk management (Article 260) (SFCR)
• Any other material information (SFCR)
Capital Management 1. Own funds
• Objectives, policies and processes for managing own funds, time horizon for business planning, and any material changes over the time period (SFCR)
• For each tier: amount and quality of own funds at end of reporting period and at end of last period, including analysis of significant changes over the period (SFCR)
• Eligible amount to cover SCR, by tier (SFCR)
• Eligible amount of basic own funds to cover MCR, by tier (SFCR)
• Quantitative and qualitative explanation of differences between the Report and Accounts and the excess of assets over liabilities for solvency purposes (SFCR)
• Transitional capital for basic own funds and ancillary own funds (Art 308b of the Directive) (SFCR)
• Description of any deduction / restriction from own funds (SFCR)
• Material terms and conditions of main items of own funds (RSR)
• Expected movement in own funds over business planning period: redeem, or raise more (RSR)
• Plans on replacing own funds subject to transitionals (RSR)

Capital Management 2. SCR and MCR
• SCR and MCR amounts at end of reporting period, and whether subject to PRA approval (SFCR)
• Amount of SCR split by risk modules if using the standard formula, or by risk categories if using an internal model (SFCR)
• Whether standard formula uses simplifications (SFCR)
• Whether using undertaking specific parameters (GI) (SFCR)
• Whether there is a capital add-on (SFCR)
• Impact of USPs and impact of capital add-on, and justification by supervisor (SFCR)
• Inputs used to calculate MCR (SFCR)
• Any material change in SCR / MCR over period and reasons for change (SFCR)
• Expected developments in SCR / MCR over business planning time period (RSR)
• Estimate of standard formula SCR if using an internal model but required to give the standard formula figure (RSR)

Capital Management 3. Duration based equity
• Indication of using duration based equity after authorisation (SFCR)
• Amount of duration based equity capital (SFCR)

Capital Management 4. Internal models
• Description of purposes of the internal model (SFCR)
• Scope of internal model by business units and risk categories (SFCR)
• If partial, how it was integrated into the standard formula, and any alternative methods (SFCR)
• How the probability distribution forecast for the internal model was derived (SFCR)
• Risk measure and time period used, and why different from 0.5% over 1 year (SFCR)
• Description of nature and appropriateness of internal model (SFCR)
• Results of review of causes / sources of profit and loss, and how the chosen categorisation of risk explains these sources (RSR)
• Whether and by how much the risk profile deviates from the assumptions in the internal model (RSR)
• Future management actions assumed in the internal model (RSR)

Capital Management 5. Non-compliance
• For MCR: amount of non-compliance during the time period, period and maximum amount of each occurrence, explanation of origin and consequences, remedial measures taken and effect of remedial measures (SFCR)
• If MCR non-compliance not resolved, amount at end of time period (SFCR)
• Any significant non-compliance with SCR: similar information as for MCR (SFCR)
• If SCR non-compliance not resolved, amount at end of time period (SFCR)
• Any reasonably foreseeable risk of non-compliance with MCR or SCR, and plans to ensure compliance is maintained (RSR)

Capital Management 6. Others
• Any other material information (SFCR / RSR)
• If using USPs or a matching adjustment, any changes in the information given in the application for approval that are relevant to supervisory approval (RSR)
Who does the work? Suggestions
• Business and Performance: CEO, CFO
• System of Governance: Company Secretary, CEO, CRO
• Valuation: CA (technical provisions), CFO
• Risk Profile: CRO, CA, CEO
• Capital Management: CRO, CFO, CA

How do you bring it together?
• Standard style
• Make someone own the whole of the document
• Make others own parts and provide glue on parts
• Committees and meetings…

Timetable, transitional
• First year 20th May 2017, then 2 week reduction every year until 14 weeks
• Suggest take longer to do this year end
• First year, do not need to state prior years
• SFCR annually
• RSR is every 3 years, but need to submit a report showing any material changes for intervening years and provide concise explanation of cause and effect
• Is it easier just to submit RSR every year?

How disclosed?
• SFCR has to be in PDF form on your website
• Clear signposts to it from home page
• RSR is a pdf uploaded to PRA reporting system
• Need to disclose anything which will materially affect the SFCR immediately it is known about
Audit requirements (23/09/16), SFCR only
• Business and Performance: should read and consider
• System of Governance: should read and consider
• Risk profile: should read and consider
• Valuation for Solvency Purposes: overall reasonable assurance opinion
• Capital Management: overall reasonable assurance opinion
Note also that Solvency II firms are Public Interest Entities: they require a higher degree of audit assurance in their Report and Accounts, and their audits are subject to quality assurance from the FRC.
Experience to date?
Living with Cyber Risk: Creating Trust in a Digital World
Cheryl Martin, 10 October 2016
Cyber security threats are constantly evolving
Today’s information security programs are challenged to deliver value effectively while managing business risk. Cyber security threats are constantly evolving and target global corporations. Attackers today are patient, persistent and sophisticated, and attack not only technology but, increasingly, people and processes. The challenges faced today have altered expectations, strained resources and caused a paradigm shift in information security processes. Consequently, organizations today need to alter their mindset on how they think about information security threats, risks and capabilities.
Living with Cyber Risk Seminar
GISS 2015 key survey findings
• 36% say it is unlikely they would be able to detect a sophisticated attack
• 59% see criminal syndicates as the most likely source of an attack today
• 57% say that lack of skilled resources is challenging Information Security’s contribution and value to the organisation
2015 Global Information Security Survey (GISS) Highlights: specific insurance responses from the GISS
• 42% of respondents say that knowing all their assets is a key information security challenge
• 27% say that data protection policies and procedures are informal, or that ad hoc policies are in place
• 34% have an informal vulnerability identification program and perform automated testing on a regular basis
• 56% of respondents defined data leakage/data loss prevention as a high priority for their organization over the next 12 months
• 7% of organizations claim to have a robust incident response program that includes third parties and law enforcement and is integrated with their broader threat and vulnerability management function
• 84% will spend the same or less on information security for IP over the coming year
• 70% will spend the same or less on security operations (antivirus, patching, encryption, etc.)
• 62% will spend the same or less on incident response capabilities over the coming year

Significant attacks are likely
• 59% of insurers discovered “significant” cybersecurity incidents within their organization

Quantifying the damage
• 23% of insurers don’t know the financial impact on their organization from cybersecurity incidents

Detection is difficult
• 75% of insurers did not think it was ‘very likely’ their organization would be able to detect a sophisticated attack

Source of attacks
• 63% of insurers see criminal syndicates as the most likely source of cybersecurity attacks

Constraints
• 89% of insurers cited either lack of executive support or budget constraints as the main obstacle to effectively tackling cybersecurity

Viability of current approach to Cyber
• 16% of insurers believe that their approach to cybersecurity is fully meeting the needs of their organization
EY cyber insurance solutions: meeting threat landscape and market environment demands

Threat landscape
• Cyber risk is the #1 operational risk
• The global financial impact of cyber crime was ~$375-575bn in 2014
• Increase in hacktivism, cyber extortion and cyber-espionage
• Vulnerabilities are often from third parties
• Increased risk of breaches from third party vulnerabilities
• VCs invested $1.4bn in 230 cybersecurity companies in 2013 alone
• 60% undetected attacks
• 69% of victims notified by an external entity
• 205 days from earliest evidence of compromise to discovery of compromise

Market environment
• Increased regulation around collection, storage and use of data
• Agreed EU Directive on Security and Breach Notification will be a catalyst to the development of the cyber insurance market
• Severe penalties for loss of data and breach notification
• In the US cyber insurance products are widely available, with more than half of Fortune 500 companies purchasing cyber coverage
• Lloyd’s of London implemented a separate cyber class code in 2015
• Lloyd’s is currently undertaking an aggregation exercise

EY’s cyber insurance solutions
• Cyber threat intelligence – managing the threat exposure
• Data protection and data privacy quality – identifying and protecting critical assets
• Identity and access management – managing access through digital channels
• Cyber transformation – aligning the security program with your digital strategy
• Cyber resilience – enhancing the ability of digital platforms to withstand attack
• Cyber risk and insurance – defining how much risk to take

Sources: The Global State of Information Security Survey 2015; Center for Strategic and International Studies (CSIS); CERT Australia; Forrester; Information Week; Bloomberg; M-Trends Report 2015, Mandiant
Why are organisations still so vulnerable?
How do you stay ahead?
What does your organisation require to build trust in a digital world?
► Knowledge of what can disrupt achieving your strategy
► Identification of your critical assets
► Cyber business risk scenarios
► Board risk appetite
► Assessment of cybersecurity maturity
► An improvement roadmap
► Tailored threat profiling and advanced Threat Intelligence
► A more advanced SOC
EY’s Cyber Thought Leadership

Global Information Security Survey: Creating Trust in a Digital World
► EY’s 18th Global Information Security Survey captures the responses of C-suite leaders and Information Security and IT executives representing most of the world’s largest and most-recognized global companies.
► Cybersecurity is more than a technology issue, and it cannot remain in the IT domain. It also cannot be the responsibility of any one member of the board — it affects every level of a business and every part of the C-suite in different, often subtle and not easily recognized, ways.

Cyber Resilience: Achieving resilience in the cyber ecosystem
► Organizations cannot thrive in business on their own. Cyber resilience focuses on measures that an organization can take on its own to increase its security from external and internal threats — as well as those it can collaboratively develop with business partners and industry peers. Collaboration across resilient networks can help organizations anticipate and mitigate cyber attacks.
► This report looks at the benefits of the cyber ecosystem and explains how, within its defined ecosystem, organizations need to continually reassess relationships and risks, adjusting as the business evolves and ensuring sustainable, resilient operations for the future.

Cyber Threat Intelligence: how to get ahead of cyber crime
► “Getting ahead of cybercrime” means knowing what is happening, how it is happening, identifying who the threat is, and determining if and when an attack can happen to you. It requires intelligence gathering, and the analytical ability to use that intelligence to make critical and strategic business decisions.
► This report explains how CTI improves an organization’s ability to anticipate breaches before they occur, and its ability to respond quickly, decisively and effectively to confirmed breaches.
Cyber Security and the “Internet of Things”
► The Internet of Things (IoT) is a future-facing development of the internet wherein objects and systems are embedded with sensors and computing power, with the intention of being able to communicate with each other. The ever-increasing networking capabilities of machines and everyday devices used in the home, office equipment, mobile and wearable technologies, vehicles, entire factories and supply chains, and even urban infrastructure, open up a huge playing field of opportunities for business improvement and customer satisfaction.
► The security of the “thing” is only as secure as the network in which it resides: this includes the people, processes and technologies involved in its development and delivery. This report explains how effective cybersecurity can only be achieved through being proactive and anticipating cybercrime.
Questions & Answers
The better the question. The better the answer. The better the world works.