Up Against the Wall

For as long as carriers have been in business, they have been dealing with state regulators. But federal regulators have been applying additional pressure in recent years to make compliance a top-of-the-stack issue for IT leaders.

Insurers understand the regulatory environment as well as any industry operating in this country. Compliance always has been a part of doing business, but in recent years, doing business has become more costly. With state regulators pushing from one end, the federal government has begun shoving from the other end with regulations of its own.

"Even without the omnipresence of Sarbanes-Oxley, there still is a fair amount of issues for the mutuals and some mid-tier companies to deal with in a very complex regulatory environment," says Sonny Sonnenstein, a director with PricewaterhouseCoopers. "Most [insurers] are dealing with multiple states, multiple jurisdictions, and multiple regulators. That affects not only what IT is doing around compliance but the way underwriting and administration systems get built. You are dealing with more rules than you might deal with if you had fewer regulators."

Know Your Regs

When the security rule for HIPAA took effect in April, the effort to remain compliant in the healthcare industry became more challenging, asserts Edward Dudek, senior IS auditor with BlueCross BlueShield of South Carolina. Among the security issues health insurers are dealing with are the controls they must demonstrate and the reporting and monitoring requirements of the legislation.

"For HIPAA, when we were working to become compliant with the security component, we looked at the legislation and translated it into what we need to be doing from a process and IT standpoint so we could fulfill each one of the regulations," explains Dudek.

Recently, all employees at FBL Financial Group, a multiline insurer in Iowa, received a booklet called "Doing What's Right" to explain which compliance areas might affect them, says Carrie Dostal, life accounting manager. "The problem with a regulation such as unclaimed property is, while it may fall under the broad umbrella of regulatory compliance, the average employee either doesn't know much about it or doesn't understand it because it's not as publicized as security issues or Sarbanes-Oxley compliance."

In looking at HIPAA and some of the loss regulations that have had an impact on all sides of the healthcare industry, there has been a premium on security and data protection, according to Sonnenstein. "That's been a real focus of emphasis over the last few years," he says. "I don't think any IT organization is unaware of those issues and dealing with some of the implications. There are a couple of core elements. You can try to deal with every regulation and compliance issue in a one-off fashion, but you wind up building a lot of solutions tacked on top of solutions. At some point, you have to take a step back and look at the framework you need to support the appropriate IT governance, IT risk management, and IT compliance."

Carriers need to set up that structure to define policies, standards, roles, and accountability, Sonnenstein believes, driving that down to broader-based solutions around security and privacy such as identity management or data-encryption technology. "Instead of addressing everything one off, you set your policies and standards in such a manner you are going to try to meet all of those needs," he says. "By doing that, you get out of having to deal with every little issue, and that's what we're starting to see leading companies do."

With many of the regulatory requirements, the major concern is the protection of the integrity of the environment, according to Daniel Vogel, a vice president with Gartner. "Knowledge of what you have in that environment is the first thing that should be there, but today most organizations don't have it," he says. "As a result, you've got regulatory requirements, such as HIPAA and Sarbanes-Oxley, which look to do some kind of audit trails against alterations made to the environment. Because the knowledge of what's there is sorely incomplete, the ability to track, monitor, and identify what potential alterations should be made, what potential impact they may have, what the current value of the structure might be, and the availability of the environment are somewhat voided."

IT to the Rescue

When Sarbanes-Oxley first was introduced, companies went from more of a business approach to compliance and began looking at the IT components and accountability. The regulatory issue involves "not just the asset but the availability of the asset," says Vogel. "It's what you consider the system, but [the regulation] doesn't tell you what the system should include. It could be the application, the end point, the database, the operating system–depending on how far you want to take it. The regulations are identified at a moderately high level; the organizations then open them up to interpretation. [Companies] decided if they are looking at SOX compliance, they also should look at the IT processes related to those items, and then that expanded even further."

Much of the responsibility for dealing with regulatory issues has fallen to the IT departments, reports Sonnenstein. "Certainly, if you look at SOX and what that meant to IT organizations across industries–the IT portion of the control environment, the general computer controls, the specific application-level security, the segregation of duties–a lot of responsibility fell on IT's shoulders, both to make the IT environment sound and secure and also to support all the business systems," he says.

There are tools available to facilitate compliance, Vogel believes, but there isn't a single tool today that is going to cut across end to end throughout the regulatory environment. "So what [companies] need to do is look at the regulations and come up with their interpretation of the regulations," he says. "When it comes to Sarbanes-Oxley, I think a lot of people have relied on their auditors to give them an interpretation as opposed to determining what's appropriate for themselves. Once you have your interpretation in place, you need to determine what units, assets, or components are relevant and then determine what the appropriate strategy might be."

Some companies will take an asset management strategy, some will take more of a service-desk approach, and a third community will look at discovery and mapping. "Tools aren't going to be able to discover everything," Vogel says. "Going forward you will see a blending of all three, but today you see a few variations of those."

Dostal agrees: "The more complicated your corporate structure is, the more you have to rely on IT to implement your plan–not necessarily to come up with the plan or to be responsible for reporting, but IT definitely is a tool and a resource."

Software Works

FBL will be cutting tremendous amounts of hours and days out of its business processes for dealing with unclaimed property regulations, Dostal asserts, because it now has the right software tools in place. "The majority of our unclaimed property is in the form of unclaimed checks–for example, someone canceled a policy and then moved before the check arrived," she says. "We are responsible to make due diligence efforts to get the check to [policyholders], and if that is not possible, we are responsible to get that money to their last known state of residence."

Several years ago, when FBL had just five core states in which it was licensed, that wasn't so difficult. "But as our company has grown and people become more transient, we have unclaimed property in nearly every state," she says. "So keeping up with 50 sets of regulations is the first hurdle for the solution we chose to go with from Fiserv. The second thing [we needed] is a database to help us sort things–get things filed, create letters, do those types of processes. In the past, we had gotten a file from our cash disbursement system of uncashed checks that were of a certain amount, and we would have to get that file several months in advance [of the filing date] to sort out by state and contact the business units to see what was going on. When we got the information back, we had to figure out which states required which things. It was a time-consuming process. All of that–especially the database function and keeping track of the regulations by state–is what [Fiserv's] Tracker does for us."

Battle for Control

Connie Jasper Woodroof, NAIC liaison for Fiserv Insurance Solutions, explains watching the federal government become involved in regulatory issues has been an ongoing situation with the NAIC and the insurance industry. The industry is divided in terms of preferring complete federal regulation vs. the current state regulation, she believes. "The NAIC always is concerned about what the federal government is doing, but that's a situation it's been in for a long time," she says. "When the federal government starts to talk about a certain area [of regulation], there will be an immediate reaction from the NAIC."

While nonpublic companies escaped the initial push of the Sarbanes-Oxley Act, the NAIC is looking to institute new and possibly tighter regulations. "We're a mutual insurance company, and we're regulated by the South Carolina Department of Insurance," says Charlie Higgins, chief audit executive for South Carolina BlueCross. "Through that, the NAIC will be moving toward adopting certain aspects of the Sarbanes-Oxley Act, and we expect that to take effect probably within the next 12 to 18 months. It will be issuing a directive to the health insurance industry as to what it would expect our operating procedures would be."

The NAIC is working to be proactive rather than reactive, Woodroof comments. "What the industry is doing determines how proactive the NAIC can be," she says. "That's one of the reasons [the NAIC] is looking at SOX-like requirements for nonpublic insurance companies. It costs insurers thousands of dollars each year [to comply] with the current [regulations] in place. One of the industry's concerns with bringing in these SOX-like requirements is if it continues to go in the direction it is–even with a modified Section 404 compliance on the internal controls–that's going to add thousands of dollars to the regulatory process. A lot of the industry feels it is so tightly regulated this is overkill."

There is no shortage of regulations currently in place, Woodroof says. "Commissioners of insurance around the United States have the power to ask for pretty much anything they want to see at any point in time regarding the solvency of a company," she adds. "It's kind of a stand-off right now on that particular issue."

Higgins indicates his company already has a comprehensive compliance program in place. "Anything that would be coming down from NAIC would formalize any reporting process that might be required," he says. "We're trying to bring those in place now rather than wait until we're required to do so. We project [regulations] may be even more stringent than what we are seeing applying to some public companies."

ACUITY is a mutual company, but president and CEO Ben Salzmann reports the carrier already has purchased SOX software to log all those requirements. "Our goal always is to have best practices in everything we do," he says. "We are working to be fully compliant with SOX just as if we were a stock company. Ironically, we weren't that far off. We already built a system to track all internal control mechanisms tied to risk assessment studies. We then logged it all into the software package. We already documented all our workflows. That's the way we want to operate, so now it's just a matter of connecting a few dots and we'll be SOX compliant."

Some insurance groups are fighting the expansion of SOX requirements to nonpublic companies, Salzmann points out. "They are saying insurance already is too heavily regulated, and this is just too burdensome," he says. "But where [opponents] lose me is when they say, 'At least exempt the small companies.' It's the small companies that have the weaker controls. If they can't afford the controls because they are too small, and they aren't automated enough or have enough internal controls to build on, they are the ones that need [compliance] the worst. That's a recipe for disaster. Then they go insolvent, and whose fault is that?"

The Audit Trail

The business side constantly relies on the IT department for assistance in compliance issues. Of course, technology has created challenges of its own, such as the paperless environment most businesses work in. "Where claims are coming in through an EDI portal, for the most part the traditional audit trail is fast disappearing," says Dudek. "The [regulatory] legislation is in fact driving IT resources in hardware and software purchases to house this fixed-content data. It is driving requirement efforts here at BlueCross to ensure enough of the electronic audit trail exists to demonstrate we are compliant."

Salzmann contends the more carriers go paperless, the more they have to have cross references within their database, which improves both the accuracy and the flexibility carriers have in terms of reporting.

"Regulators are catching up on paperless [environments]," says Salzmann. "Even three years ago, regulators and auditors were saying [paperless] was bad. They said, 'How do we know we're getting the real stuff.' Today, [regulators] are saying to companies that aren't paperless, 'You've got all this paper. How can I spin through all your numbers?'"

When the office of the commissioner of insurance arrives at ACUITY's home office in Wisconsin for an audit, Salzmann adds, the carrier simply gives the regulator a password and lets the regulator go right into the system and look at everything. "[Regulators] really appreciate they can log on remotely," he says. "They'll come here, have someone train them on the system, do whatever site inspections they have to do, and then go back to their office. And if they have to look up any more cases or anything they want to follow up on, they can log in remotely. They love it."

Take Your Pick

"If you were starting the insurance regulation from scratch, having one common set of regulations would be vastly superior. Uniformity across states would be wonderful," states Salzmann. "On the flip side, now that we've tailored our existence along all these individual state regulations, [federal regulations] do add an extra level of burden."

Whether it is state or federal regulation, getting by without the help of technology is impossible, maintains Dudek. "It's a difficult task that keeps getting more difficult because of the regulatory environment in which we operate," he says. "The technology allows us an unfettered look at the data without moving the data to determine whether we are in compliance or not with regulations."
