Solvency II and the Compliance Function: It's not just about risk.
Introduction and context
Solvency II is the biggest single internal project that the FSA has ever undertaken and arguably the biggest single piece of regulatory change to ever hit the insurance industry.
Firms’ preparations for Solvency II implementation have been gathering pace as the 1st January 2013 implementation date approaches. It is worth noting that a recent European Commission paper – Omnibus II – has proposed key amendments, including extending the implementation deadline to 1st January 2014. Whilst this awaits confirmation, firms should continue to aim for the envisaged 2013 ‘go live’ date.
The sheer volume of changes introduced by Solvency II has created significant challenges and operational transformation for insurance firms. While some aspects are well defined and prescriptive, others are less clear and open to interpretation; further guidance on implementation is due to be confirmed in March 2012. Consequently, there is currently significant debate regarding the impact of Solvency II on the compliance function. We consider some of these potential impacts in greater detail below.
What does the Solvency II Directive say about the compliance function?
Article 46 of the Solvency II Directive states that firms covered under the Solvency II Directive must establish a compliance function as one of four “key functions” set out within the Directive (alongside audit, risk and actuarial). The Directive outlines the key responsibilities of the compliance function as:
- advising the senior management of the firm on compliance with regulations.
- assessing the impact of changes in laws and regulation.
- identifying and assessing compliance risk.
Many firms would argue that they already possess compliance functions that carry out these tasks. In which case, what are the detailed impacts of Solvency II for the compliance function?
A key element of Solvency II is the Own Risk and Solvency Assessment (ORSA). ORSA requires firms to embed capital and risk management in a holistic process, so that it is used as a tool to inform strategic and risk-based decision making. The ORSA therefore needs to be integrated into the strategic planning of the business, and compliance risk should be a key element.
This means that the compliance function will have an increasingly important role in the business planning process and broader strategic planning as part of the ORSA. It will also have a role to play in evaluating any strategic changes to assess their impact on the regulatory risk profile, and to ensure this does not conflict with the firm’s agreed risk appetite.
More forward looking
Solvency II is driving change within compliance functions in a number of other ways. As part of the ORSA, firms will have to be more forward looking in the way that they manage risk, and compliance risk is no exception. Firms will have to put practical measures in place to ensure that the compliance function is not only advising management of the current regulatory risks but also of future regulatory risks and emerging regulation. This is particularly critical given the continuously evolving and changing regulatory environment. Firms will also have to ensure that the appropriate governance mechanisms devote sufficient time to ‘horizon’ compliance risks, and that they are adequately captured and reported through management information.
Prudential vs. conduct
The Compliance Function has traditionally needed to balance the sometimes conflicting aspects of conduct regulation and prudential regulation. While Solvency II is largely prudential focussed, it does attempt to bring together elements of conduct with those of prudential regulation. This can be seen in the ORSA, where regulators expect conduct risks to be included.
As we move towards the new regime, firms will have to review their annual compliance monitoring plans to ensure that they remain fit for purpose. This will not be limited to reviewing the actual content and make-up of the annual compliance monitoring plan; the changes could also impact upon the skills required within the function. Firms will also have to consider the impacts that such changes might have on training and development of their compliance professionals, particularly where there is a need for individuals to specialise across both conduct and prudential issues.
Changes to policies
Furthermore, Solvency II contains requirements for documented policies in particular areas. The Internal Control Policy and Outsourcing Policy are both likely to require significant input, ownership and annual review from the compliance function. The compliance function may also have to maintain responsibility for annual review of compliance against such policies.
Solvency II sets out a heightened focus on the controls around outsourcing arrangements, to ensure that there is adequate oversight in place. In many firms, responsibility for overseeing outsource arrangements on a day-to-day basis rests with the compliance function. As such, any changes brought about through Solvency II will have a significant impact.
It is clear that Solvency II will have, and is already having, a significant and enduring impact on compliance functions as firms move towards implementation. The role of the compliance function will undoubtedly evolve under Solvency II, and the skills and experience required of the people doing this work will require ongoing review. To complicate matters further, firms must also juggle the competing challenges of prudential and conduct regulation coming from UK and European regulators at a time of structural change within the UK regulatory framework. Compliance functions will indeed have their hands full.
Executive Advisor, Insurance Risk