CENTER For REGULATORY - Deloitte


Navigating the year ahead
2018 insurance regulatory outlook
United States
December 2017
CENTER for REGULATORY STRATEGY AMERICAS

Insurance 2018 Regulatory Outlook

This publication is part of the Deloitte Center for Regulatory Strategy, Americas’ cross-industry series on the year’s top regulatory trends. This annual series provides a forward look at some of the regulatory issues we anticipate will have a significant impact on the market and our clients’ businesses in 2018. The issues outlined in each of the reports provide a starting point for an important dialogue about future regulatory challenges and opportunities to help executives stay ahead of evolving requirements and trends. For 2018, we provide our regulatory perspectives on the following industries and sectors: banking, securities, insurance, investment management, energy and resources, life sciences, and health care. For a view of the other trends impacting insurance in 2018, we encourage you to read the Deloitte Center for Financial Services companion paper.

We hope you find this document to be helpful as you plan for 2018 and the regulatory changes it may bring. Please feel free to contact us with questions and feedback at CenterRegulatoryStrategyAmericas@deloitte.com.

Contents

Global foreword
Introduction
Cyber regulation
What’s next in the march toward best-interest standards?
Big data: Big issues, big potential rewards
Enterprise risk management and Own Risk and Solvency Assessment (ORSA)
Prepare for corporate governance disclosure
2018 market conduct environment
International regulatory change
Taking decisive action in uncertain times

Global foreword

Another year has passed, so what has changed?

This time last year, we expected 2017 to be a period of uncertainty for financial services regulation. Financial services firms were challenged by the continuing lack of clarity over the final shape of post-crisis reforms, the implications of Brexit, and a new US political administration. We also saw significant pressures on the banking and life insurance sectors from sluggish economic growth and low interest rates in Europe and the US, as well as from competition from new entrants (particularly fintechs).

Looking ahead to 2018, most of these challenges and uncertainties remain.

Economic growth, but how robust?

Global growth prospects improved through 2017 and continue to be broadly positive, albeit more subdued than in the period before the financial crisis. China, Europe, and Japan have all been outperforming expectations, and although India’s economy has slowed lately, the long-term outlook is upbeat. There are now signs that the extraordinary monetary easing of the last ten years is starting, slowly, to unwind in Europe and the US, although this stands in contrast to the situation in China and Japan.

There are reasons for caution. Asset markets and prices have seemed impervious to the prospect of tighter monetary conditions and geopolitical tensions. This has left many commentators worrying that markets are in the grips of a bout of irrational exuberance.
There are also signs of price bubbles in commercial and residential property markets, as well as leveraged finance markets, and of elevated levels of consumer indebtedness, particularly in the advanced economies.

Supervisors across the globe are very alert to the financial stability risks posed by the political and economic climate, and we expect them to focus on the ability of financial institutions in all sectors to deal with the downside risks of an abrupt shift in market sentiment and any increase in asset price volatility, irrespective of the trigger. Boards are expected to keep their risk appetites under review and will also need to engage closely with stress testing, whether prompted by supervisors or carried out internally.

What does this mean for the regulatory agenda?

Last year we predicted that there would be no wholesale rolling back of the post-crisis regulatory framework, and this continues to be our view. The consensus in the US is that there will be some meaningful adjustments to the Dodd-Frank Act, but no large-scale repeal or rewrite. In the EU there remains a considerable volume of ongoing legislative work; and even where there is no new legislation, there is a great deal of “fine tuning” of existing rules. The Asia Pacific region faces a long tail of implementation work and must also deal with the impact of regulation from outside the region.

At the international level, the Financial Stability Board (FSB) has shifted its primary focus toward a post-implementation evaluation framework, which will be “progressively applied” in the coming years. This is part of a rebalancing away from introducing new rules and toward assessing the effectiveness of what has been done over the past decade. Boards will need to be ready to demonstrate to supervisors that they have embedded change and that this is leading to the desired outcomes.

One major area where a number of significant unanswered questions remains is bank capital requirements. Although the Basel Committee on Banking Supervision (BCBS) has until now been unable to complete the Basel III package, final agreement on the open issues seems within reach. We do not see any major economies as being in a hurry to introduce more legislation, and we also see those economies being more willing to depart from the letter of global standards where they conclude it is in their interest to do so.

As a consequence, financial services firms need to be prepared to deal with the challenges of diverging regulatory frameworks. At a minimum, they will need globally coordinated approaches to understand overlaps, incompatibilities, and potential synergies.

Supervisors are turning more attention to long-term structural issues

Technological innovation, aging populations, and climate change have all caught the attention of the regulatory and supervisory community as emerging risk areas. We expect some supervisors to begin to challenge boards, risk committees, and senior management to demonstrate that they understand the impact on their customer bases, business models, and risk profiles—and that they are set to take effective mitigating actions where needed.

Fintech: While new technologies present opportunities, regulators want to understand the potential risks and the likely impact on incumbents’ business models. The FSB has a clear interest in the subject. The European Commission is expected to deliver a fintech “action plan” in January. Similarly, US regulators are considering the implications of new technologies, including third-party relationships among fintechs and banks. They’re even exploring special purpose bank charters for fintechs.

Climate change: The FSB has taken the lead internationally with its Task Force on Climate-Related Financial Disclosures, which made its final recommendations in June 2017.
Many regulators in the Asia Pacific region are instituting policies to encourage green finance. The Bank of England (BoE) is also researching climate change, and the EU recently proposed to integrate environmental risks into the mandates of the European Space Agency as part of its action plan on sustainable and green finance.

Aging populations: Aging populations worldwide will create a widening pool of potentially vulnerable customers and influence demand for different types of financial services. They will also affect how financial institutions engage with their customers. At the international level, the International Organization of Securities Commissions (IOSCO) is taking forward work on aging populations.

Leadership changes

Finally, we note that by the end of 2018, the most senior leadership of many of the world’s leading regulatory bodies will be starkly different from what it has been for the majority of the post-crisis regulatory reform era. Mark Carney’s term as chairman of the FSB has been extended through December 2018, lending some additional continuity to reform efforts. But this will be his final year at the top of the FSB. We expect Stefan Ingves to stand down as chair of the BCBS in the near future. There’s also a great deal of change in senior leadership across national and regional regulatory bodies, particularly in the USA. It remains to be seen how far new leaders will uphold the key tenets of the international supervisory agenda of the last decade, particularly its emphasis on cross-border coordination, or whether supervisory priorities will tilt more toward promoting the competitiveness of individual jurisdictions.

On balance, we think that these new leaders will emphasize practical supervisory initiatives over (new) rule making, as well as the need for firms to demonstrate that they’re financially and operationally resilient to a range of threats, both old and new. New leaders will be keen to consolidate the outcomes and achievements of the prudential policy agenda that has dominated the last 10 years and focus their tenures on continuing structural challenges as well as emerging risks and issues.

Acting in the face of uncertainty

While we expect some greater clarity about the regulatory outlook to emerge in 2018, the overriding challenge for firms remains coping with uncertainty, including from the global impacts of Brexit and how markets in Europe and elsewhere will be reshaped by Markets in Financial Instruments Directive (MiFID) II. This will put a premium on firms maintaining strategic flexibility, while they also adopt new technologies to react to the threat from “challengers,” improve their customer service and outcomes, better manage their risks, and help control costs. With yields, income levels, and return on capital still under severe pressure, cost control will continue to be extremely important. Even though interest rate rises are underway, they will be neither quick enough nor big enough to alleviate pressure on incumbents' business models.

David Strachan, Centre for Regulatory Strategy, EMEA, Deloitte UK
Kevin Nixon, Centre for Regulatory Strategy, APAC, Deloitte Australia
Chris Spoth, Center for Regulatory Strategy, Americas, Deloitte US


Introduction

Most insurers are moving ahead deliberately with their risk and compliance initiatives, even as certain areas pose regulatory uncertainty that will likely remain a significant and ongoing challenge. Even if lawmakers and regulators make certain definitive changes, insurance companies must continue to drive effectiveness and efficiency of their risk and compliance programs so they meet applicable laws, regulations, and supervisory expectations.

Many of the new state regulatory requirements are clear. But in other areas, such as the Department of Labor’s (DOL) Fiduciary Rule (Rule), companies don’t have the time or luxury of waiting to see how things will shake out. Therefore, they’re planning implementation based on available guidance.

Overall, many of the changes insurance organizations are making to achieve compliance are useful improvements that are worth doing from a risk and business perspective.

Here’s a look at the key regulatory trends insurers will likely need to monitor and address in 2018. By embracing regulatory complexity in 2018, organizations can accelerate performance and stay ahead of changes so they can better navigate the regulatory landscape.


Cyber regulation

The insurance industry has seen a shift as the regulatory environment has driven organizations to take a serious yet fresh look at the state of their cybersecurity risk management programs. Institutions at both the state and federal levels remain committed to protecting insurance organizations from the influx of cyber threats and to raising the bar on cyber risk management and reporting. And all signs point to this behavior continuing for the foreseeable future.

A report by the New York State Department of Financial Services (DFS) noted that “[c]yber attacks against financial services institutions, including insurance companies, are becoming increasingly frequent and sophisticated. Insurance firms often possess large amounts of personally identifiable information (PII) and protected health information (PHI) … PII and PHI are becoming more valuable on the black market, which increases incentives for cyber attacks.”1

DFS may have been among the earliest state insurance regulators to recognize and seek to address the problem with a cybersecurity regulation, but it’s not alone. Numerous regulatory agencies at the federal level, as well as the National Association of Insurance Commissioners (NAIC), have moved or are moving to establish regulations governing the conduct of insurers with respect to this significant operational risk.

Major new cybersecurity regulations affecting many insurers include DFS’s new regulation, which became effective on March 1, 2017, and the NAIC’s Insurance Data Security Model Law, adopted on October 24, 2017. Although there are some differences between the two, the good news for insurers is that, because there are enough functional similarities, compliance with the New York regulation is considered prima facie evidence of compliance with the NAIC model.

The NAIC model requires an annual risk and safeguards assessment to be included in an insurer’s annual report to regulators.
Annual certification to regulators is required, and records supporting certification—or associated with any cybersecurity events—need to be retained for five years. Also, cybersecurity events must be reported within 72 hours to the appropriate domiciliary regulator and to any regulator where 250 or more consumers may be harmed (or where notice is provided to any other regulatory body). The NAIC will allow a one-year implementation window for information security programs.

The DFS regulation similarly requires a risk assessment and annual certification. Unique to the DFS regulation, firms must have a chief information security officer (CISO) and a written cybersecurity policy, and boards must receive reports and be involved in creating standards. Third-party risk must be managed consistent with internal risk management, and any non-public data must be encrypted and protected from alteration. Other requirements include periodic penetration testing and vulnerability assessment, as well as breach reporting. Audit trail data must be preserved, and entities must track and maintain data that enables the accurate reconstruction of all financial transactions, along with any accounting necessary to respond to a cybersecurity event for at least three years. Any information needed to reconstruct material financial transactions and obligations must be kept for five years. The system must also track and maintain data logging of all privileged authorized user access to critical systems.

One development that holds promise—especially for smaller companies that may not view data security as one of their core competencies—is the opportunity to outsource data tracking and maintenance to a qualified entity. DFS’s regulation, for example, allows insurers to use a qualified outside service for their cyber program.

Demonstrated compliance with leading practices and cyber regulations may be useful for insurers with both consumer and investor stakeholders.
To that end, the American Institute of Certified Public Accountants (AICPA) unveiled a cybersecurity risk management attestation reporting framework. The AICPA’s framework strives to expand cyber risk reporting to address expectations of greater stakeholder transparency by providing a range of stakeholders, both internal and external, with information about an entity’s cyber risk management program effectiveness.

What has become clear from evaluating the requirements from the DFS and NAIC, as well as the guidance from the AICPA, is that a comprehensive cyber risk management program needs active involvement and oversight from the board. Such involvement and oversight can hold the organization accountable and help shape and address expectations for improved cyber risk reporting that’s integral to the achievement of an organization’s business objectives.

In an era where cyber criminals could be state-sponsored, part of a political cooperative, or just after the money, how can boards and senior executives assess the soundness of their cybersecurity programs? The banking network SWIFT articulated three overarching objectives:

“Secure your Environment”
“Know and Limit Access”
“Detect and Respond”

These objectives translate to a focus on security, vigilance, and resilience as an approach to reduce an organization’s vulnerability, while being prepared to respond quickly and resume normal business.

Being secure means focusing protection around the risk-sensitive assets at the heart of the organization’s mission.

Being vigilant means establishing threat awareness throughout the organization and developing the capacity to detect patterns of behavior that may indicate, or even predict, compromise of critical assets.

Being resilient means having the capacity to rapidly contain the damage from an attack and to mobilize the diverse resources necessary to reduce the broad impact—including direct costs and business disruption, as well as reputation and brand damage.

The number of cyberattacks—and the associated costs—will likely continue to rise, as will hackers’ sophistication. Much of the new cyber regulation is designed to encourage insurers to implement the right level of security, vigilance, and resilience—along with sound governance—to form an effective defense.

Information management, governance, and security: Lessons from DFS 500.13

The DFS’s newly effective cybersecurity regulation contains even more challenges for insurance companies than appear at first glance. Despite the title, these rules aren’t only about cybersecurity. Compliance with these rules requires a commitment to strengthened information governance and records management, in addition to better information security.

DFS Section 500.13 requires that, as part of their cybersecurity programs, companies:

shall include policies and procedures for the secure disposal on a periodic basis of any Nonpublic Information [as defined by these rules] that is no longer necessary for business operations or other legitimate business purposes, except where such information is required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.

DFS isn’t an outlier in this respect. The Insurance Data Security Model Law adopted by the NAIC provides that a company’s information security program shall be designed to, among other things, “[d]efine and periodically reevaluate a schedule for the retention of Nonpublic Information and a mechanism for its destruction when no longer needed.” The Model Law further defines an “Information Security Program” as “the administrative, technical and physical safeguards [a company] uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle Nonpublic Information.” (Emphasis added.)

While the concept is straightforward, compliance with this section of NY DFS will neither be simple nor quick. The process by which a company locates all the relevant Nonpublic Information (NPI) it’s keeping—as well as what it decides to do with that NPI—could require attention, project management, resources, and expertise beyond what the organization is devoting to the information security aspects of these rules.
Industry experience suggests that adapting existing systems to enable systematic records destruction will be a major undertaking.

risks at stake. The information governance model brings coordination and over
