Getting prepared for Solvency II
On January 1 Bermuda will be handed a golden opportunity to further differentiate itself as a leading jurisdiction for insurance and reinsurance as Solvency II equivalence ‘goes live’.
From that moment, Bermuda (re) insurance companies will be placed on an equal footing with existing EU organisations and the door marked “two-way expansion” will be firmly opened. On-island firms will be able to conduct business freely within Europe without regulatory burdens. At the same time they will also be able to champion new incoming opportunities as European insurers will continue to be able to reinsure in Bermuda without now having to take special capital reserving or risk mitigation measures.
In short, it levels the playing field both ways and adds a dynamic to the Bermuda mix that few other jurisdictions are able to provide. And it doesn’t take a genius to work out the likely scale of this growth given the position of the EU on the world stage in terms of economic output. Being able to align Bermuda as a jurisdiction with the same (re)insurance regulatory framework as an “EU superpower”, while also bringing its inherent other benefits to bear, will only serve to strengthen the Island’s credibility further.
So, the New Year question many Bermuda CEOs will be asking their teams is: are we Solvency II ready and how fast can we move to capture this growth?
To answer this call, senior managers will need to first understand the basic objectives of Solvency II before being able to assess its impact on the different parts of their respective organisations, and therefore how quickly their business can be ready for action. The basic objectives of Solvency II are:
Consumer protection: at its heart, Solvency II is very much about consumer protection, from the perspective of ensuring that an insurance company can pay claims even if the financial markets are stressed, or something goes wrong within the organisation’s operations.
Capital control: despite its name, Solvency II is very much about capital control as opposed to solvency as such. This means that an insurer or reinsurer must have the ready capital to be able to pay claims and conduct business in a timely fashion, even in situations or scenarios that would previously have been considered unthinkable.
Disclosure: Solvency II has sought to introduce greater transparency, with highly prescriptive levels of regulatory reporting together with more public disclosure requirements.
Resiliency: ensuring that the organisation is resilient enough to be able to continue operating as usual despite operational or external difficulties. This is a challenge for organisations of all sizes; not only understanding where the risks exist, but being able to mitigate them with a proportionality appropriate to the organisation’s size and other factors.
Impact of Solvency II on the board and on management: Solvency II places the onus on boards to understand their operations. It requires senior executives be able to provide intelligent challenge to the business that the company is doing the right thing, understands the risks that it faces and is taking the appropriate action to mitigate these.
In February 2015, the UK regulator the PRA (Prudential Regulation Authority) said: “Senior managers will be held individually accountable if the areas they are responsible for fail to meet our requirements. Our new accountability regime will hold all senior managers, including non-executive directors, to a clear standard of behaviour and we will take action where they fail to meet this.”
Solvency II’s Impact on IT
IT is a key part of an organisation’s operations and resiliency. Many Bermuda organisations recognise this, so where will the changes be in the Solvency II world that Bermuda is now part of? As with most regulatory requirements, IT — whether provided by internal or third party resources — has a large and continuing role to play in Solvency II compliance, but particularly in the following:
Data quality: data are the lifeblood of an organisation. Their importance in the decision making process within the company is recognised by Solvency II in a number of ways, but key to this is the ability to be able to measure and correct the data quality (defined by Solvency II as being: accurate, complete and appropriate).
Companies implementing Solvency II in Europe have needed to introduce extensive new controls to help them understand the strengths and weaknesses of their data quality processes and measures. This has been a great challenge, not least of all due to the added focus on asset data. Importantly organisations should also document what they mean by quality, and the processes and procedures that are in place to validate and update the information. This documentation should also identify areas where data quality is known to be compromised or needs improvement.
Data governance: companies must look at their data governance to ensure that it is able to maintain (and evidence as such) the integrity of data during the course of maintenance and updates. Undocumented changes or updates to data may call into question the provenance of the data, even if the data are seen to be of good quality. Taking control of, and evidencing each step, is a requirement of Solvency II.
Data history: it is important that the company collects and maintains the appropriate amount of historic data to ensure that the validity of the data, and the decisions made using it can be validated with historical data. This means that the amount of data held in any data warehouse, and the policies and procedures relating to the retention and deletion of the data, should be considered as part of Solvency II preparations.
Data provenance: Data provenance is being able to identify data used for decision making and reporting back through any transformations that may be applied to the data, all the way to its source. This requires a data dictionary/directory to be in place, and for data transformations to be well documented.
Resiliency: IT as a department typically has a good idea of resiliency from a business continuity or disaster recovery perspective; however, Solvency II has a broader requirement for IT resiliency that is aligned with the risks identified by the business. This also means that the organisation should be able to demonstrate its IT General Controls.
Evidence: as is increasingly usual with regulatory and governance requirements, it is not just the doing the right thing that matters, it is being able to evidence that the right thing was, and continues, to be done. Building the ability to evidence the actions taken within the organisation is an important part of meeting the Solvency II governance requirements.
Proportionality: clearly the risks and exposures of a large and complex business will require different scales of solutions than is the case of smaller, less complex organisations. Solvency II acknowledges this, and recognises the need for a proportionate implementation. A critical part of this is to be able to demonstrate the risk-based decision making approach as to what to implement and how to implement it. This comes down to being able to evidence the decision making process.
In summary: Solvency II is a step change in governance and reporting for (re)insurers. The requirements are so fundamental that hardly any part of an undertaking is not affected to one degree or another, and responsibilities and accountabilities of senior management have been reaffirmed.
Introducing Solvency II compliant capability has been, and remains a major undertaking. But that is just the start.
Maintaining future compliance as Solvency II programmes transition into business as usual, will be challenging for the most organised and proficient of companies. For those that do not have the culture, governance or change management processes to cope, there is now a very profound risk that they will quickly fall from favour and miss this golden opportunity for growth.
Darren Wray is the chief executive officer of Fifth Step.