Chris Finney, a partner ar Edwards Wildman
Palmer, and Tom McKernan, a trainee solicitor at Edwards Wildman
Palmer, explain the detailed requirements entailed with Solvency II
as well as the legal, regulatory and reputational risks
involved.

The Solvency II Directive (the Directive,
Solvency II) was adopted in 2009. The new regime has three
objectives: to protect policyholders, to enhance financial
stability, and re-establish a single European market in insurance
and reinsurance (“(re)insurance”).

Go deeper with GlobalData

Data Insights

The gold standard of business intelligence.

Find out more

It will achieve these objectives by requiring
insurers and reinsurers (“(re)insurers”) to comply with a modern
set of risk-based capital requirements, and by requiring Europe’s
supervisory authorities to supervise their (re)insurers in a more
intrusive way than has previously been required under European
law.

At the time of writing, it seems likely that
the member states of the European Economic Area (EEA) will be
required to transpose the directive into their national laws by 30
June 2013, and that almost all of the (re)insurers domiciled in the
EEA will be required to comply with those laws from 1 January
2014.

Pillar 1

Solvency II is notionally divided into three
pillars which, although not expressly referred to in the directive,
provide a convenient way of grouping the various rules together by
subject matter.

GlobalData Strategic Intelligence

US Tariffs are shifting - will you react or anticipate?

Don’t let policy changes catch you off guard. Stay proactive with real-time data and expert analysis.

By GlobalData

Pillar 1 is concerned with capital. Every
(re)insurer will be obliged to calculate its technical provisions,
minimum capital requirement (“MCR”), and solvency capital
requirement (SCR), and to hold capital against each of these
things.

The Pillar 1 requirements are complex, and
(re)insurers will need to do a great deal of work to comply with
them. For this reason and others, many (re)insurers and most
commentators have focused their efforts almost entirely on the
pillar 1 requirements, to the partial exclusion of pillar 2 and
pillar 3.

Pillar 2 and Pillar 3

Pillar 2 and pillar 3 (often referred to
together as pillar 5) will also bring significant changes to the
way (re)insurers run their businesses. In addition, pillar 5 has
the potential to generate new and unexpected legal and regulatory
risk for (re)insurers.

Pillar 2 requires (re)insurers to develop,
document and maintain effective corporate governance arrangements,
which include:

  • A risk management system comprising the strategies, processes
    and reporting procedures necessary continuously to identify,
    measure, manage and report on the actual and potential, individual
    and aggregate, risks to which the firm is exposed so that it can
    respond to them in an effective and proportionate way;

 

  • An internal control and internal compliance system which
    includes effective administrative and accounting procedures, must
    be sufficient to enable the firm’s compliance officers to advise
    its board on Solvency II compliance, and must allow the firm to
    assess and respond to any changes in its legal and regulatory
    environment.

 

  • An internal audit function, which is sufficiently well
    resourced, and has the freedom and independence required, to audit
    each part of the (re)insurer’s business, and its systems of
    governance, before reporting the results to the board for
    action.

 

 

  • An actuarial function to co-ordinate the calculation of the
    (re)insurer’s technical provisions and advise the board on
    underwriting policy, reinsurance arrangements and other
    issues.

 

  • A written outsourcing policy, which describes the functions or
    activities the (re)insurer is prepared to outsource, as well as any
    due diligence and other pre-conditions that must be met, before the
    (re)insurer will outsource a function or activity to an outsource
    service provider.

 

Risk assessment

(Re)insurers will also be required to: carry
out regular “own risk and solvency assessments” (or ORSAs) to
assess the firm’s solvency needs when the risks inherent in its
particular business and its board approved risk tolerance levels
have been taken into account.

[The assessments] are also carried out to make
sure the (re)insurer complies with its capital requirements on a
continuous [basis]  and satisfy itself that each of its key
function holders, and each person who effectively runs its
business, is fit and proper – a heavy responsibility, which
Solvency II imposes on the firm, rather than its regulator.

Pillar 3 requires (re)insurers and
(re)insurance groups to prepare and publish an annual “solvency and
financial condition report” (or SFCR). The published report must
also be submitted to the (re)insurer’s regulator together with a
more detailed “supervisory report”. The SFCR must include:

 

  • A description of the firm’s business and
    performance

 

  • A description of its system of governance, and an assessment
    which explains whether the system is adequate for a firm with its
    particular risk profile

 

  • A description of the firm’s risk exposure, risk concentration,
    risk mitigation and risk sensitivity, for each category of risk it
    faces

 

  • A description of the methodology used by the (re)insurer to
    value its assets, technical provisions and other liabilities,
    together with an explanation of any major differences in the bases
    and methods used to calculate these liabilities, as compared with
    those used to prepare the (re)insurer’s financial statements

 

  • A description of the firm’s approach to capital management,
    which includes the structure, amount and quality of its capital,
    and the amounts of its MCR and SCR

 

  • Enough information to allow a proper understanding of the main
    differences between the assumptions used to calculate the SCR using
    the standard formula prescribed by the directive and the internal
    model (if any), which the firm uses to calculate its SCR instead of
    some or all of the standard formula

 

  • The amount of any non-compliance with the MCR, and any
    significant non-compliance with the SCR, with an explanation of the
    cause and consequences of these breaches and the steps taken to
    correct them.

 

The Risks in Pillar 5

 

These requirements will create legal,
regulatory and reputational risk for (re)insurers.

To meet the pillar 2 requirements,
(re)insurers will have to prepare and maintain detailed risk logs
and other documents that will contain highly sensitive
information.

Each (re)insurer will be required to log each
of the actual and potential risks to which it is exposed, before
detailing the risk mitigation and risk management strategies it
will adopt in response.

Risk log preparation and maintenance will
require detailed analysis.

Expert advice may also be required. A risk
log, and the analyses and advice that sits behind it, could be
useful to adverse third parties. (Re)insurers may therefore be
obliged to disclose them, if (for example):

 

  • A policyholder sues the (re)insurer alleging that it failed
    properly to understand the nature of the risks associated with the
    investment decisions it was taking on behalf of its policyholder
    investors

 

  • A (re)insurer’s shareholders sue its directors on their own
    account or on the (re)insurer’s behalf alleging that the directors
    failed to identify and properly manage the operational and
    investment risks to which the (re)insurer was exposed

 

  • A reinsurer refuses to meet its reinsurance obligations because
    the insurer has allegedly failed to identify and manage emerging
    risks on the reinsured business

 

Given the nature of the information that will
be held in these logs, there may also be data protection, data
privacy, intellectual property and information technology risks,
which could be crystallised by normal human error, or disgruntled
employee activity.

Although (re)insurers will not be required to
publish confidential policyholder information, nor anything that
could significantly advantage their competitors, there will still
be a risk of leaks, and that risk may be higher if the information
in the (re)insurer’s logs is more sensitive than the information
the (re)insurer was required to generate and hold before Solvency
II came into force.

[Furthermore] and whether or not these risks
exist, most (re)insurers will be required to publish more, and more
sensitive, information than they have had to publish before – for
example, the (re)insurer’s approach to capital management; the
structure, amount and quality of its capital; and the amounts of
its MCR and SCR.

When this information is published for the
first time, there is a risk that the rating agencies, the markets
and actual and potential policyholders will react adversely.

And these risks will be exacerbated if the
published information includes factual errors.

In the circumstances, (re)insurers may wish to
consider how best to manage policyholder and market expectations,
and how best to present new information to key stakeholders.

(Re)insurers should also consider developing
systems and controls that will reduce error risk and help them to
maintain information security and integrity. Good quality legal
advice may also be essential.