PRU 7.1 Insurance risk systems and controls
Application
PRU 7.1 applies to an insurer unless it is:
- (1)
- (2) an incoming EEA firm; or
- (3)
PRU 7.1 applies to:
- (1) an EEA-deposit insurer; and
- (2)
only in respect of the activities of the firm carried on from a branch in the United Kingdom.
Purpose
This section provides guidance on how to interpret PRU 1.4 (Prudential risk management and associated systems and controls) in so far as it relates to the management of insurance risk. Insurance risk refers to fluctuations in the timing, frequency and severity of insured events, relative to the expectations of the firm at the time of underwriting. Insurance risk can also refer to fluctuations in the timing and amount of claim settlements. For general insurance business some specific examples of insurance risk include variations in the amount or frequency of claims or the unexpected occurrence of multiple claims arising from a single cause. For long-term insurance business examples include variations in the mortality and persistency rates of policyholders, or the possibility that guarantees could acquire a value that adversely affects the finances of a firm and its ability to treat its policyholders fairly consistent with the firm's obligations under Principle 6. More generally, insurance risk includes the potential for expense overruns relative to pricing or provisioning assumptions.
Insurance risk concerns the FSA in a prudential context because inadequate systems and controls for its management can create a threat to the regulatory objectives of market confidence and consumer protection. Inadequately managed insurance risk may result in:
- (1) the inability of a firm to meet its contractual insurance liabilities as they fall due; and
- (2) the inability of a firm to treat its policyholders fairly consistent with the firm's obligations under Principle 6 (for example, in relation to bonus payments).
Appropriate systems and controls for the management of insurance risk will vary with the scale, nature and complexity of a firm's activities. Therefore, the material in this section is guidance. A firm should assess the appropriateness of any particular item of guidance in the light of the scale, nature and complexity of its activities as well as its obligations, as set out in Principle 3, to organise and control its affairs responsibly and effectively.
General requirements
High level rules and guidance for prudential systems and controls for insurance risk are set out in PRU 1.4. In particular:
- (1) PRU 1.4.18 R requires a firm to take reasonable steps to establish and maintain a business plan and appropriate risk management systems;
- (2) PRU 1.4.19R (2) requires a firm to document its policy for insurance risk, including its risk appetite and how it identifies, measures, monitors and controls that risk; and
- (3) PRU 1.4.27 R requires a firm to take reasonable steps to establish and maintain adequate internal controls to enable it to assess and monitor the effectiveness and implementation of its business plan and prudential risk management systems.
Insurance risk policy
A firm's insurance risk policy should outline its objectives in carrying out insurance business, its appetite for insurance risk and its policies for identifying, measuring, monitoring and controlling insurance risk. The insurance risk policy should cover any activities that are associated with the creation or management of insurance risk, for example, underwriting, claims management and settlement, assessing technical provisions in the balance sheet, risk mitigation and risk transfer, record keeping and management reporting. Specific matters that should normally be in a firm's insurance risk policy include:
- (1) a statement of the firm's willingness and capacity to accept insurance risk;
- (2) the classes and characteristics of insurance business that the firm is prepared to accept;
- (3) the underwriting criteria that the firm intends to adopt, including how these can influence its rating and pricing decisions;
- (4) its approach to limiting significant aggregations of insurance risk, for example, by setting limits on the amount of business that can be underwritten in one region or with one policyholder;
- (5) where relevant, the firm's approach to pricing long-term insurance contracts, including the determination of the appropriate level of any reviewable premiums;
- (6) the firm's policy for identifying, monitoring and managing risk when it has delegated underwriting authority to another party (additional guidance on the management of outsourcing arrangements is provided in SYSC 3A.9);
- (7) the firm's approach to managing its expense levels, including acquisition costs, recurring costs, and one-off costs, taking account of the margins available in both the prices for products and in the technical provisions in the balance sheet;
- (8) the firm's approach to the exercise of any discretion (e.g. on charges or the level of benefits payable) that is available in its long-term insurance contracts, in the context also of the legal and regulatory constraints existing on the application of this discretion;
- (9) the firm's approach to the inclusion of options within new long-term insurance contracts and to the possible exercise by policyholders of options on existing contracts;
- (10) the firm's approach to managing persistency risk;
- (11) the firm's approach to managing risks arising from timing differences in taxation or from changes in tax laws;
- (12) the firm's approach to the use of reinsurance or the use of some other means of risk transfer;
- (13) how the firm intends to assess the effectiveness of its risk transfer arrangements and manage the residual or transformed risks (for example, how it intends to handle disputes over contract wordings, potential payout delays and counterparty performance risks);
- (14) a summary of the data and information to be collected and reported on underwriting, claims and risk control (including internal accounting records), management reporting requirements and external data for risk assessment purposes;
- (15) the risk measurement and analysis techniques to be used for setting underwriting premiums, technical provisions in the balance sheet, and assessing capital requirements; and
- (16) the firm's approach to stress testing and scenario analysis, as required by PRU 1.2 (Adequacy of financial resources), including the methods adopted, any assumptions made and the use that is to be made of the results.
Further, more detailed, guidance is given in PRU 7.1.11 G to PRU 7.1.37 G on the identification, measurement, monitoring and control (including the use of reinsurance and other forms of risk transfer) of insurance risk. A firm should consider what additional material to that set out above should be included in its insurance risk policy on each of these for its various activities.
Risk identification
The identification of insurance risk should normally include:
- (1) in connection with the firm's business plan:
  - (a) processes for identifying the types of insurance risks that may be associated with a new product and for comparing the risk types that are present in different classes of business (in order to identify possible aggregations in particular insurance risks); and
  - (b) processes for identifying business environment changes (for example landmark legal rulings) and for collecting internal and external data to test and modify business plans;
- (2) at the point of sale, processes for identifying the underwriting risks associated with a particular policyholder or a group of policyholders (for example, processes for identifying potential claims for mis-selling and for collecting information on the claims histories of policyholders, including whether they have made any potentially false or inaccurate claims, to identify possible adverse selection or moral hazard problems);
- (3) after the point of sale, processes for identifying potential and emerging claims for the purposes of claims management and claims provisioning; this could include:
A firm should also identify potential pricing risks, where the liabilities or costs arising from the sale of a product may not be as expected.
Risk measurement
A firm should have in place appropriate systems for collecting the data it needs to measure insurance risk. At a minimum this data should be capable of allowing a firm to evaluate the types of claims experienced, claims frequency and severity, expense levels, persistency levels and, where relevant, potential changes in the value of guarantees and options in long-term insurance contracts.
A firm should ensure that the data it collects and the measurement methodologies that it uses are sufficient to enable it to evaluate, as appropriate:
- (1) its exposure to insurance risk at all relevant levels, for example, by contract, policyholder, product line or insurance class;
- (2) its exposure to insurance risk across different geographical areas and time horizons;
- (3) its total, firm-wide, exposure to insurance risk and any other risks that may arise out of the contracts of insurance that it issues;
- (4) how changes in the volume of business (for example via changes in premium levels or the number of new contracts that are underwritten) may influence its exposure to insurance risk;
- (5) how changes in policy terms may influence its exposure to insurance risk; and
- (6) the effects of specific loss scenarios on the insurance liabilities of the firm.
A firm should hold data in a manner that allows for it to be used in a flexible way. For example, data should be sufficiently detailed and disaggregated so that contract details may be aggregated in different combinations to assess different risks.
A firm should be able to justify its choice of measurement methodologies. This justification should normally be documented.
A firm should periodically review the appropriateness of the measurement methodologies that it uses. This could, for example, include back testing (that is, by comparing actual versus expected results) and updating for changes in market practice.
A firm should ensure that it has access to the necessary skills and resources that it needs to measure insurance risk using its chosen methodology.
When measuring its insurance risks, a firm should consider how emerging experience could be used to update its underwriting process, in particular in relation to contract terms and pricing and also its assessment of the technical provisions in the balance sheet.
Risk monitoring
A firm should provide regular and timely information on its insurance risks to the appropriate level of management. This could include providing reports on the following:
- (1) a statement of the firm's profits or losses for each class of business that it underwrites (with an associated analysis of how these have arisen for any long-term insurance contracts), including a variance analysis detailing any deviations from budget or changes in the key performance indicators that are used to assess the success of its business plan for insurance;
- (2) the firm's exposure to insurance risk at all relevant levels (see PRU 7.1.15 G (1)), as well as across different geographical areas and time zones (see PRU 7.1.15 G (2)); senior management should also be kept informed of the firm's total exposure to insurance risk (see PRU 7.1.15 G (3));
- (3) an analysis of any internal or external trends that could influence the firm's exposure to insurance risk in the future (e.g. new weather patterns, socio-demographic changes, expense overruns etc);
- (4) any new or emerging developments in claims experience (e.g. changes in the type of claims, average claim amounts or the number of similar claims);
- (5) the results of any stress testing or scenario analyses;
- (6) the amount and details of new business written and the amount of business that has lapsed or been cancelled;
- (7) identified fraudulent claims;
- (8) a watch list, detailing, for example, material/catastrophic events that could give rise to significant numbers of new claims or very large claims, contested claims, client complaints, legal and other developments;
- (9) the performance of any reinsurance/risk transfer arrangements; and
- (10) progress reports on matters that have previously been referred under escalation procedures (see PRU 7.1.23 G).
A firm should establish and maintain procedures for the escalation of appropriate matters to the relevant level of management. Such matters may include:
- (1) any significant new exposures to insurance risk, including for example any landmark rulings in the courts;
- (2) a significant increase in the size or number of claims;
- (3) any breaches of the limits set out in PRU 7.1.27 G and PRU 7.1.28 G; in particular, senior management should be informed where any maximum limits have been breached (see PRU 7.1.29 G); and
- (4) any unauthorised deviations from its insurance risk policy (including those by a broker, appointed representative or other delegated authority).
A firm should regularly monitor the effectiveness of its analysis techniques for setting provisions for claims on general insurance contracts.
A firm should have appropriate procedures in place to allow managers to monitor the application (and hence the effect) of its reinsurance programme. This would include, for a general insurer, procedures for monitoring how its reinsurance programme affects the gross provisions that it makes for outstanding claims (including claims that are incurred but not reported).
Risk control
A firm should take appropriate action to ensure that it is not exposed to insurance risk in excess of its risk appetite. In so doing, the firm should be both reactive, responding to actual increases in exposure, and proactive, responding to potential future increases. Being proactive should involve close co-ordination between the processes of risk control, risk identification and risk measurement, as potential future exposures need to be identified and understood before effective action can be taken to control them.
A firm should consider setting limits for its exposure to insurance risk, which trigger action to be taken to control exposure. Periodically these limits should be amended in the light of new information (e.g. on the expected number or size of claims). For example, limits could be set for:
- (1) the firm's aggregate exposure to a single source of insurance risk or for events that may be the result of a number of different sources;
- (2) the firm's exposure to specific geographic areas or any other groupings of risks whose outcomes may be positively correlated;
- (3) the number of fraudulent claims;
- (4) the number of very large claims that could arise;
- (5) the number of unauthorised deviations from its insurance risk policy;
- (6) the amount of insurance risk that can be transferred to a particular reinsurer;
- (7) the level of expenses incurred in respect of each relevant business area; and
- (8) the level of persistency by product line or distribution channel.
A firm should also consider setting individual underwriting limits for all employees and agents that have the authority to underwrite insurance risk. This could include both monetary limits and limits on the types of risk that they can underwrite. Where individual underwriting limits are set, the firm should ensure that they are adhered to.
In addition to setting some 'normal' limits for insurance risk, a firm should consider setting some maximum limits, beyond which immediate, emergency action should be taken. These maximum limits could be determined through stress testing and scenario analysis.
A firm should pay close attention to the wording of its policy documentation to ensure that these wordings do not expose it to more, or higher, claims than it is expecting. In so doing, the firm should consider:
- (1) whether it has adequate in-house legal resources;
- (2) the need for periodic independent legal review of policy documentation;
- (3) the use of standardised documentation and referral procedures for variation of terms;
- (4) reviewing the documentation used by other insurance companies;
- (5) revising documentation for new policies in the light of past experience; and
- (6) the operation of law in the jurisdiction of the policyholder.
A firm should ensure that it has appropriate systems and controls for assessing the validity of claims. This could involve consideration of the evidence that will be required from policyholders and how this evidence is to be tested as well as procedures to determine when experts such as loss adjusters, lawyers or accountants should be used.
Particular care should be taken to ensure that a firm has appropriate systems and controls to deal with large claims or large groups of claims that could significantly deplete its financial resources. This should include systems to ensure that senior management (that is, the governing body and relevant senior managers) is involved in the processing of such claims from the outset.
A firm should consider how it intends to use reinsurance or some other form of insurance risk transfer agreement to help to control its exposure to insurance risk. Additional guidance on the use of reinsurance/risk transfer is provided below.
Reinsurance and other forms of risk transfer
Before entering into or significantly changing a reinsurance agreement, or any other form of insurance risk transfer agreement, a firm should:
- (1) analyse how the proposed reinsurance/risk transfer agreement will affect its exposure to insurance risk, its underwriting strategy and its ability to meet its regulatory obligations;
- (2) ensure there are adequate legal checking procedures in respect of the draft agreement;
- (3) conduct an appropriate due diligence of the reinsurer's financial stability (that is, solvency) and expertise; and
- (4) understand the nature and limits of the agreement (particular attention should be given to the wording of contracts to ensure that all of the required risks are covered, that the level of available cover is appropriate, and that all the terms, conditions and warranties are unambiguous and understood).
A firm should analyse regularly the full effect of all its reinsurance agreements and other risk transfer agreements (both current and proposed), including any related agreements or side-letters, on both its current and potential future financial position, and ensure that:
- (1) all significant risks related to these agreements, and the residual risks borne by the firm, have been identified; and
- (2) appropriate risk mitigation techniques have been applied to manage and control the risks.
In managing its reinsurance agreements, or any other form of insurance risk transfer agreement, a firm should have in place appropriate systems that allow it to maintain its desired level of cover. This could involve systems for:
- (1) monitoring the risks that are covered (that is, the scope of cover) by these agreements and the level of available cover;
- (2) keeping underwriting staff informed of any changes in the scope or level of cover;
- (3) properly co-ordinating all reinsurance/risk transfer activities so that, in aggregate, the desired level and scope of cover is maintained;
- (4) ensuring that the firm does not become overly reliant on any one reinsurer or other risk transfer provider;
- (5) conducting regular stress testing and scenario analysis to assess the resilience of its reinsurance and risk transfer programmes to catastrophic events that may give rise to large and/or numerous claims.
In making a claim on a reinsurance contract (that is, its reinsurance recoveries) or some other risk transfer contract a firm should ensure:
- (1) that it is able to identify and recover any money that it is due in a timely manner; and
- (2) that it makes adequate financial provision for the risk that it is unable to recover any money that it expected to be due, as a result of either a dispute with or a default by the reinsurer/risk transfer provider. Additional guidance on credit risk in reinsurance/risk transfer contracts is provided in PRU 3.2 (Credit risk in insurance).
Where the planned level or scope of cover from a reinsurance/risk transfer contract is not obtained, a firm should consider revising its underwriting strategy.
Record keeping
The FSA's high level rules and guidance for record keeping are outlined in SYSC 3.2.20 R (Records). Additional rules and guidance in relation to the prudential context are set out in PRU 1.4.51 G to PRU 1.4.64G. In complying with these rules and guidance, a firm should retain an appropriate record of its insurance risk management activities. This may, for example, include records of:
- (1) each new risk that is underwritten (noting that these records may be held by agents or cedants, rather than directly by the firm provided that the firm has adequate access to those records);
- (2) any material aggregation of exposure to risk from a single source, or of the same kind or to the same potential catastrophe or event;
- (3) each notified claim including the amounts notified and paid, precautionary notices and any re-opened claims;
- (4) policy and contractual documents and any relevant representations made to policyholders;
- (5) other events or circumstances relevant to determining the risks and commitments that arise out of contracts of insurance (including discretionary benefits and charges under any long-term insurance contracts);
- (6) the formal wordings of reinsurance contracts; and
- (7) any other relevant information on the firm's reinsurance or other risk-transfer arrangements, including the extent to which they: