Getting to know your risks
The global financial crisis has precipitated a renewed vigour in the regulation of the financial services sector globally and Bermuda is not immune. New regulations have been introduced and enforcement of existing regulations has become more pronounced as regulators seek to distance themselves from the accusations of being asleep at the wheel. Boards of directors are being increasingly asked to demonstrate that they are exercising strong governance and oversight over the companies they manage and that they are aware of the risks posed to their businesses. In risk-based regulation, businesses are required to set their own risk appetites, identify the day-to-day risks they face operationally, and design and implement appropriate and proportionate systems and controls to mitigate those risks to acceptable levels.
The reinsurance industry in particular relies heavily on information for its business processes such as risk modelling, forecasting, performance measurement and analytical reporting. These processes require information to be available internally from various parts of an organisation; without this information, an organisation would not be able to accurately inform and guide its strategies. Similarly, compliance with regulations relies on information from external counterparties, such as a customer’s personal identity details or an associated person’s jurisdiction of operation; compliance can be placed in jeopardy if the information gathered by an organisation is unreliable, non-existent or not easily made available upon request.
The Bermuda market has seen a number of new regulations emerging out of this risk-based regime. These new regulations have in some cases created new information requirements within organisations in the areas associated with operational and counterparty risk, and the regulatory information requirements in the reinsurance industry are set to increase. Recent developments in bribery and corruption laws, anti-money laundering and anti-terrorist financing regulations, the Foreign Account Tax Compliance Act and an increased focus on compliance with international sanctions regimes have increased the regulatory and reporting burden faced by the industry.
Most recently, developments in bribery and corruption legislation have required companies to take a more cautious approach to the bribery and corruption risks they face. This caution is warranted, with many countries enacting stringent anti-bribery and corruption laws and stepping up enforcement of existing regulations. The UK Bribery Act (the Act) is the most recent development that is set to have far-reaching implications for the way that companies understand their counterparties in order to demonstrate regulatory compliance.
The Act is relevant to Bermuda as it applies to all Bermudian nationals as citizens of a British Overseas Territory. A Bermudian national giving or receiving bribes after July 1, 2011, if caught, could face criminal proceedings and be sentenced to up to 10 years imprisonment and/or face unlimited fines. The Act introduces a new offence of bribing a foreign public official and an offence for corporations of failure to prevent bribery. The corporate offence would apply to any Bermudian entity carrying out business, or part of its business, in the UK; this gives the Act an extra-territorial dimension as it covers bribes that occur anywhere in the world if carried out by an “associated person”, with the only defence available being whether a corporate entity can prove it has implemented “adequate procedures” to prevent bribery occurring.
In the reinsurance industry, the “adequate procedures” element of the corporate offence is of most relevance. The primary step to establishing “adequate procedures” is for reinsurers to review their corporate relationships and determine who may be classed as an “associated person”. The Act broadly defines an “associated person” as a person who “performs services” for, or on behalf of, an organisation, and can be either an individual or a company. Such “associated persons” could include employees, subsidiaries, managing general agents (MGAs), brokers, third-party loss adjusters, claims handlers, external professional service providers, joint venture partners and any other third-party service provider. A corrupt act carried out by any associated person, no matter where they are located, would fall within the scope of the Act and place the organisation in breach of its obligations through failing to prevent the bribery occurring.
There is a question of whether reinsurers are able to exercise control over their “associated persons”, especially where there is an extended distribution chain. In reality, reinsurers are only likely to exercise control over their immediate contractual counterparties, and therefore should ensure that appropriate anti-bribery provisions are included in all their contractual arrangements.
Once a reinsurer has determined its associated persons, it should consider the level of due diligence it should carry out. The informational requirements of such due diligence will vary according to the risk posed by an “associated person”, but may extend to credit checks, identity checks, Internet searches, direct interrogative enquiries, questionnaires, and external reports and references, to name but a few. Those “associated persons” that are considered to present a higher risk to reinsurers may be subject to additional due diligence procedures; for example, an MGA’s relationship with a reinsurer may pose higher risks, and therefore the reinsurer may consider obtaining additional information on the value of the MGA’s business, the jurisdiction in which it operates, how its business is retained and documented, and what systems and controls are in place. This anti-bribery and corruption due diligence will place an additional burden on an organisation wishing to demonstrate compliance.
Organisations are becoming increasingly overwhelmed by their regulatory obligations. The disclosure of credible financial data and qualitative information to a regulator is a top priority for most organisations; however, many organisations may fail to capture all the information they need from their counterparties to comply with these additional regulations, making them inherently non-compliant. Exacerbating the problem, any issues identified during a regulatory inspection result in increased regulatory scrutiny of the organisation. And once non-compliance has been demonstrated, it is hard to rebuild the credibility and trust an organisation once possessed with its regulators, as well as with its other stakeholders.
Cost is another implication of the increased compliance. Many organisations respond to increased regulatory requirements on a tactical basis by rushing to implement a set of new policies and procedures. This can often be more expensive in the long run. An organisation should look at the sustainability of its solutions and whether it can be more intelligent in how it responds to regulatory change.
What is the solution?
One of the main reasons that organisations are struggling to comply is that their historic finance and risk architectures were not designed to meet the requirements of new regulations. Inherited systems and controls often operate in silos, and those associated with compliance frequently suffer from under-investment. A tactical quick-fix solution is therefore not the answer. Organisations should resist the temptation to build a new finance and risk architecture in the first instance, and instead take an approach that examines the existing information-gathering model and remediates it to comply with changing regulations using the existing processes and data available. A new risk architecture can then be built upon this remodelled data, if required.
Establishing an appropriate framework is key to managing the process; setting the standard of governance and control throughout an organisation is essential. The lack of a developed governance framework can lead to the situation unravelling and the costs increasing.
Also, managing the quality of data entering an organisation is key to successful reporting: bad data entering a system will lead to bad reports coming out of it. Ensuring that data is verified, and that there is a sufficient level of ownership and review of information-gathering, will help ensure that quality is maintained.
Counterparty diligence is required
We consider that the framework necessary to update organisations’ regulatory compliance processes is converging around a “know-your-counterparty” challenge for businesses to meet. Counterparty diligence involves developing an integrated approach to information-gathering, intelligent processing, monitoring and record-keeping for both compliance and business strategy requirements, and placing information at the heart of all decisions.
A risk-based framework for compliance should include:
• Control environment assessments: assessing governance frameworks, organisational tone and management structure
• Business risk assessment: analysing the business environment and periodically updating business risk assessments
• Control activities: implementation of proportionate policies and procedures, linkage to risks and evaluation of controls
• Due diligence procedures: obtaining and verifying counterparty information in line with policies and procedures
• Information and communication programmes: management information systems, employee training and awareness
• Monitoring programmes: ongoing monitoring of risks and compliance, management oversight and internal audit, and
• Reporting systems: documentation production, record-keeping and demonstration of compliance to regulators.
It is important to fundamentally change the way in which information is gathered, processed and presented within an organisation. In short, while huge amounts are spent on information technology, there can be relatively little to show for the outlay, and arguably much of the data produced is inaccurate. Success comes when businesses view information as their most valuable asset and implement a framework that removes any barriers to its free and effective flow; many organisations are looking to engage experienced business advisors to help implement this process.
Those organisations willing to embrace counterparty diligence will be better able to deliver the right information, at the right time, to the right people. In the process, they will discover how information can give them real competitive advantage at both a strategic and a tactical level in their business operations and regulatory compliance.
James Berry is a director at KPMG. He can be contacted at: jberry1@kpmg.bm
Paul O’Neill is a senior manager at KPMG. He can be contacted at: pauloneill@kpmg.bm