SYSC 17
Insurance risk systems and controls
SYSC 17.1
Application
- 31/12/2006
SYSC 17.1.1
See Notes
SYSC 17.1 applies to an insurer unless it is:
- (1) a non-directive friendly society; or
- (2) an incoming EEA firm; or
- (3) an incoming Treaty firm.
- 31/12/2006
SYSC 17.1.2
See Notes
SYSC 17.1 applies to:
- (1) an EEA-deposit insurer; and
- (2) a Swiss general insurer;
only in respect of the activities of the firm carried on from a branch in the United Kingdom.
- 31/12/2006
Purpose
SYSC 17.1.3
See Notes
- 31/12/2006
SYSC 17.1.4
See Notes
Insurance risk concerns the FSA in a prudential context because inadequate systems and controls for its management can create a threat to the regulatory objectives of market confidence and consumer protection. Inadequately managed insurance risk may result in:
- (1) the inability of a firm to meet its contractual insurance liabilities as they fall due; and
- (2) the inability of a firm to treat its policyholders fairly consistent with the firm's obligations under Principle 6 (for example, in relation to bonus payments).
- 31/12/2006
SYSC 17.1.5
See Notes
- 31/12/2006
SYSC 17.1.6
See Notes
- 31/12/2006
SYSC 17.1.7
See Notes
- 31/12/2006
General requirements
SYSC 17.1.8
See Notes
High level rules and guidance for prudential systems and controls for insurance risk are set out in SYSC 14. In particular:
- (1) SYSC 14.1.18 R requires a firm to take reasonable steps to establish and maintain a business plan and appropriate risk management systems;
- (2) SYSC 14.1.19R (2) requires a firm to document its policy for insurance risk, including its risk appetite and how it identifies, measures, monitors and controls that risk; and
- (3) SYSC 14.1.27 R requires a firm to take reasonable steps to establish and maintain adequate internal controls to enable it to assess and monitor the effectiveness and implementation of its business plan and prudential risk management systems.
- 31/12/2006
Insurance risk policy
SYSC 17.1.9
See Notes
A firm's insurance risk policy should outline its objectives in carrying out insurance business, its appetite for insurance risk and its policies for identifying, measuring, monitoring and controlling insurance risk. The insurance risk policy should cover any activities that are associated with the creation or management of insurance risk. For example, underwriting, claims management and settlement, assessing technical provisions in the balance sheet, risk mitigation and risk transfer, record keeping and management reporting. Specific matters that should normally be in a firm's insurance risk policy include:
- (1) a statement of the firm's willingness and capacity to accept insurance risk;
- (2) the classes and characteristics of insurance business that the firm is prepared to accept;
- (3) the underwriting criteria that the firm intends to adopt, including how these can influence its rating and pricing decisions;
- (4) its approach to limiting significant aggregations of insurance risk, for example, by setting limits on the amount of business that can be underwritten in one region or with one policyholder;
- (5) where relevant, the firm's approach to pricing long-term insurance contracts, including the determination of the appropriate level of any reviewable premiums;
- (6) the firm's policy for identifying, monitoring and managing risk when it has delegated underwriting authority to another party (additional guidance on the management of outsourcing arrangements is provided in SYSC 13.9);
- (7) the firm's approach to managing its expense levels, including acquisition costs, recurring costs, and one-off costs, taking account of the margins available in both the prices for products and in the technical provisions in the balance sheet;
- (8) the firm's approach to the exercise of any discretion (e.g. on charges or the level of benefits payable) that is available in its long-term insurance contracts, in the context also of the legal and regulatory constraints existing on the application of this discretion;
- (9) the firm's approach to the inclusion of options within new long-term insurance contracts and to the possible exercise by policyholders of options on existing contracts;
- (10) the firm's approach to managing persistency risk;
- (11) the firm's approach to managing risks arising from timing differences in taxation or from changes in tax laws;
- (12) the firm's approach to the use of reinsurance or the use of some other means of risk transfer;
- (13) how the firm intends to assess the effectiveness of its risk transfer arrangements and manage the residual or transformed risks (for example, how it intends to handle disputes over contract wordings, potential payout delays and counterparty performance risks);
- (14) a summary of the data and information to be collected and reported on underwriting, claims and risk control (including internal accounting records), management reporting requirements and external data for risk assessment purposes;
- (15) the risk measurement and analysis techniques to be used for setting underwriting premiums, technical provisions in the balance sheet, and assessing capital requirements; and
- (16) the firm's approach to stress testing and scenario analysis, as required by GENPRU 1.2 (Adequacy of financial resources), including the methods adopted, any assumptions made and the use that is to be made of the results.
- 31/12/2006
SYSC 17.1.10
See Notes
- 31/12/2006
Risk identification
SYSC 17.1.11
See Notes
- 31/12/2006
SYSC 17.1.12
See Notes
The identification of insurance risk should normally include:
- (1) in connection with the firm's business plan:
- (a) processes for identifying the types of insurance risks that may be associated with a new product and for comparing the risk types that are present in different classes of business (in order to identify possible aggregations in particular insurance risks); and
- (b) processes for identifying business environment changes (for example landmark legal rulings) and for collecting internal and external data to test and modify business plans;
- (2) at the point of sale, processes for identifying the underwriting risks associated with a particular policyholder or a group of policyholders (for example, processes for identifying potential claims for mis-selling and for collecting information on the claims histories of policyholders, including whether they have made any potentially false or inaccurate claims, to identify possible adverse selection or moral hazard problems);
- (3) after the point of sale, processes for identifying potential and emerging claims for the purposes of claims management and claims provisioning; this could include:
- (a) identifying possible judicial rulings;
- (b) keeping up to date with developments in market practice; and
- (c) collecting information on industry wide initiatives and settlements.
- 31/12/2006
SYSC 17.1.13
See Notes
- 31/12/2006
Risk measurement
SYSC 17.1.14
See Notes
- 31/12/2006
SYSC 17.1.15
See Notes
A firm should ensure that the data it collects and the measurement methodologies that it uses are sufficient to enable it to evaluate, as appropriate:
- (1) its exposure to insurance risk at all relevant levels, for example, by contract, policyholder, product line or insurance class;
- (2) its exposure to insurance risk across different geographical areas and time horizons;
- (3) its total, firm-wide, exposure to insurance risk and any other risks that may arise out of the contracts of insurance that it issues;
- (4) how changes in the volume of business (for example via changes in premium levels or the number of new contracts that are underwritten) may influence its exposure to insurance risk;
- (5) how changes in policy terms may influence its exposure to insurance risk; and
- (6) the effects of specific loss scenarios on the insurance liabilities of the firm.
- 31/12/2006
SYSC 17.1.16
See Notes
- 31/12/2006
SYSC 17.1.17
See Notes
- 31/12/2006
SYSC 17.1.18
See Notes
- 31/12/2006
SYSC 17.1.19
See Notes
- 31/12/2006
SYSC 17.1.20
See Notes
- 31/12/2006
SYSC 17.1.21
See Notes
A firm should have the capability to measure its exposure to insurance risk on a regular basis. In deciding on the frequency of measurement, a firm should consider:
- (1) the time it takes to acquire and process all necessary data;
- (2) the speed at which exposures could change; and
- (3) that it may need to measure its exposure to certain types of insurance risk on a daily basis (for example, weather catastrophes).
- 31/12/2006
Risk monitoring
SYSC 17.1.22
See Notes
A firm should provide regular and timely information on its insurance risks to the appropriate level of management. This could include providing reports on the following:
- (1) a statement of the firm's profits or losses for each class of business that it underwrites (with an associated analysis of how these have arisen for any long-term insurance contracts), including a variance analysis detailing any deviations from budget or changes in the key performance indicators that are used to assess the success of its business plan for insurance;
- (2) the firm's exposure to insurance risk at all relevant levels (see SYSC 17.1.15G (1)), as well as across different geographical areas and time zones (see SYSC 17.1.15G (2)), also senior management should be kept informed of the firm's total exposure to insurance risk (see SYSC 17.1.15G (3));
- (3) an analysis of any internal or external trends that could influence the firm's exposure to insurance risk in the future (e.g. new weather patterns, socio-demographic changes, expense overruns etc);
- (4) any new or emerging developments in claims experience (e.g. changes in the type of claims, average claim amounts or the number of similar claims);
- (5) the results of any stress testing or scenario analyses;
- (6) the amount and details of new business written and the amount of business that has lapsed or been cancelled;
- (7) identified fraudulent claims;
- (8) a watch list, detailing, for example, material/catastrophic events that could give rise to significant numbers of new claims or very large claims, contested claims, client complaints, legal and other developments;
- (9) the performance of any reinsurance/risk transfer arrangements; and
- (10) progress reports on matters that have previously been referred under escalation procedures (see SYSC 17.1.23 G).
- 31/12/2006
SYSC 17.1.23
See Notes
A firm should establish and maintain procedures for the escalation of appropriate matters to the relevant level of management. Such matters may include:
- (1) any significant new exposures to insurance risk, including for example any landmark rulings in the courts;
- (2) a significant increase in the size or number of claims;
- (3) any breaches of the limits set out in SYSC 17.1.27 G and SYSC 17.1.28 G, in particular senior management should be informed where any maximum limits have been breached (see SYSC 17.1.29 G); and
- (4) any unauthorised deviations from its insurance risk policy (including those by a broker, appointed representative or other delegated authority).
- 31/12/2006
SYSC 17.1.24
See Notes
- 31/12/2006
SYSC 17.1.25
See Notes
- 31/12/2006
Risk control
SYSC 17.1.26
See Notes
- 31/12/2006
SYSC 17.1.27
See Notes
A firm should consider setting limits for its exposure to insurance risk, which trigger action to be taken to control exposure. Periodically these limits should be amended in the light of new information (e.g. on the expected number or size of claims). For example, limits could be set for:
- (1) the firm's aggregate exposure to a single source of insurance risk or for events that may be the result of a number of different sources;
- (2) the firm's exposure to specific geographic areas or any other groupings of risks whose outcomes may be positively correlated;
- (3) the number of fraudulent claims;
- (4) the number of very large claims that could arise;
- (5) the number of unauthorised deviations from its insurance risk policy;
- (6) the amount of insurance risk than can be transferred to a particular reinsurer;
- (7) the level of expenses incurred in respect of each relevant business area; and
- (8) the level of persistency by product line or distribution channel.
- 31/12/2006
SYSC 17.1.28
See Notes
- 31/12/2006
SYSC 17.1.29
See Notes
- 31/12/2006
SYSC 17.1.30
See Notes
A firm should pay close attention to the wording of its policy documentation to ensure that these wordings do not expose it to more, or higher, claims than it is expecting. In so doing, the firm should consider:
- (1) whether it has adequate in-house legal resources;
- (2) the need for periodic independent legal review of policy documentation;
- (3) the use of standardised documentation and referral procedures for variation of terms;
- (4) reviewing the documentation used by other insurance companies;
- (5) revising documentation for new policies in the light of past experience; and
- (6) the operation of law in the jurisdiction of the policyholder.
- 31/12/2006
SYSC 17.1.31
See Notes
- 31/12/2006
SYSC 17.1.32
See Notes
- 31/12/2006
SYSC 17.1.33
See Notes
- 31/12/2006
Reinsurance and other forms of risk transfer
SYSC 17.1.34
See Notes
Before entering into or significantly changing a reinsurance agreement, or any other form of insurance risk transfer agreement, a firm should:
- (1) analyse how the proposed reinsurance/risk transfer agreement will affect its exposure to insurance risk, its underwriting strategy and its ability to meet its regulatory obligations;
- (2) ensure there are adequate legal checking procedures in respect of the draft agreement;
- (3) conduct an appropriate due diligence of the reinsurer's financial stability (that is, solvency) and expertise; and
- (4) understand the nature and limits of the agreement (particular attention should be given to the wording of contracts to ensure that all of the required risks are covered, that the level of available cover is appropriate, and that all the terms, conditions and warranties are unambiguous and understood).
- 31/12/2006
SYSC 17.1.35
See Notes
In managing its reinsurance agreements, or any other form of insurance risk transfer agreement, a firm should have in place appropriate systems that allow it to maintain its desired level of cover. This could involve systems for:
- (1) monitoring the risks that are covered (that is, the scope of cover) by these agreements and the level of available cover;
- (2) keeping underwriting staff informed of any changes in the scope or level of cover;
- (3) properly co-ordinating all reinsurance/risk transfer activities so that, in aggregate, the desired level and scope of cover is maintained;
- (4) ensuring that the firm does not become overly reliant on any one reinsurer or other risk transfer provider; or
- (5) conducting regular stress testing and scenario analysis to assess the resilience of its reinsurance and risk transfer programmes to catastrophic events that may give rise to large and or numerous claims.
- 31/12/2006
SYSC 17.1.36
See Notes
In making a claim on a reinsurance contract (that is, its reinsurance recoveries) or some other risk transfer contract a firm should ensure:
- (1) that it is able to identify and recover any money that it is due in a timely manner; and
- (2) that it makes adequate financial provision for the risk that it is unable to recover any money that it expected to be due, as a result of either a dispute with or a default by the reinsurer/risk transfer provider. Additional guidance on credit risk in reinsurance/risk transfer contracts is provided in INSPRU 2.1 (Credit risk in insurance).
- 31/12/2006
SYSC 17.1.37
See Notes
- 31/12/2006
Record keeping
SYSC 17.1.38
See Notes
The FSA's high level rules and guidance for record keeping are outlined in SYSC 3.2.20 R (Records). Additional rules and guidance in relation to the prudential context are set out in SYSC 14.1.51 G to SYSC 14.1.64 G. In complying with these rules and guidance, a firm should retain an appropriate record of its insurance risk management activities. This may, for example, include records of:
- (1) each new risk that is underwritten (noting that these records may be held by agents or cedants, rather than directly by the firm provided that the firm has adequate access to those records);
- (2) any material aggregation of exposure to risk from a single source, or of the same kind or to the same potential catastrophe or event;
- (3) each notified claim including the amounts notified and paid, precautionary notices and any re-opened claims;
- (4) policy and contractual documents and any relevant representations made to policyholders;
- (5) other events or circumstances relevant to determining the risks and commitments that arise out of contracts of insurance (including discretionary benefits and charges under any long-term insurance contracts);
- (6) the formal wordings of reinsurance contracts; and
- (7) any other relevant information on the firm's reinsurance or other risk-transfer arrangements, including the extent to which they:
- 31/12/2006