Up Against the Wall

For as long as carriers have been in business, they have been dealing with state regulators. But federal regulators have been applying additional pressure in recent years to make compliance a top-of-the-stack issue for IT leaders.

Insurers understand the regulatory environment as well as any industry operating in this country. Compliance always has been a part of doing business, but in recent years, doing business has become more costly. With state regulators pushing from one end, the federal government has begun shoving from the other end with regulations of its own.

"Even without the omnipresence of Sarbanes-Oxley, there still is a fair amount of issues for the mutuals and some mid-tier companies to deal with in a very complex regulatory environment," says Sonny Sonnenstein, a director with PricewaterhouseCoopers. "Most [insurers] are dealing with multiple states, multiple jurisdictions, and multiple regulators. That affects not only what IT is doing around compliance but the way underwriting and administration systems get built. You are dealing with more rules than you might deal with if you had fewer regulators."

Know Your Regs

When the security rule for HIPAA took effect in April, the effort to remain compliant in the healthcare industry became more challenging, asserts Edward Dudek, senior IS auditor with BlueCross BlueShield of South Carolina. Among the security issues health insurers are dealing with are the controls they must demonstrate and the reporting and monitoring requirements of the legislation.

"For HIPAA, when we were working to become compliant with the security component, we looked at the legislation and translated it into what we need to be doing from a process and IT standpoint so we could fulfill each one of the regulations," explains Dudek.

Recently, all employees at FBL Financial Group, a multiline insurer in Iowa, received a booklet called "Doing What's Right" to explain which compliance areas might affect them, says Carrie Dostal, life accounting manager. "The problem with a regulation such as unclaimed property is, while it may fall under the broad umbrella of regulatory compliance, the average employee either doesn't know much about it or doesn't understand it because it's not as publicized as security issues or Sarbanes-Oxley compliance."

In looking at HIPAA and some of the loss regulations that have had an impact on all sides of the healthcare industry, there has been a premium on security and data protection, according to Sonnenstein. "That's been a real focus of emphasis over the last few years," he says. "I don't think any IT organization is unaware of those issues and dealing with some of the implications. There are a couple of core elements. You can try to deal with every regulation and compliance issue in a one-off fashion, but you wind up building a lot of solutions tacked on top of solutions. At some point, you have to take a step back and look at the framework you need to support the appropriate IT governance, IT risk management, and IT compliance."

Carriers need to set up that structure to define policies, standards, roles, and accountability, Sonnenstein believes, driving that down to broader-based solutions around security and privacy such as identity management or data-encryption technology. "Instead of addressing everything one off, you set your policies and standards in such a manner you are going to try to meet all of those needs," he says. "By doing that, you get out of having to deal with every little issue, and that's what we're starting to see leading companies do."

With many of the regulatory requirements, the major concern is the protection of the integrity of the environment, according to Daniel Vogel, a vice president with Gartner. "Knowledge of what you have in that environment is the first thing that should be there, but today most organizations don't have it," he says. "As a result, you've got regulatory requirements, such as HIPAA and Sarbanes-Oxley, which look to do some kind of audit trails against alterations made to the environment. Because the knowledge of what's there is sorely incomplete, the ability to track, monitor, and identify what potential alterations should be made, what potential impact they may have, what the current value of the structure might be, and the availability of the environment are somewhat voided."

IT to the Rescue

When Sarbanes-Oxley first was introduced, companies went from more of a business approach to compliance and began looking at the IT components and accountability. The regulatory issue involves "not just the asset but the availability of the asset," says Vogel. "It's what you consider the system, but [the regulation] doesn't tell you what the system should include. It could be the application, the end point, the database, the operating system–depending on how far you want to take it. The regulations are identified at a moderately high level; the organizations then open them up to interpretation. [Companies] decided if they are looking at SOX compliance, they also should look at the IT processes related to those items, and then that expanded even further."

Much of the responsibility for dealing with regulatory issues has fallen to the IT departments, reports Sonnenstein. "Certainly, if you look at SOX and what that meant to IT organizations across industries–the IT portion of the control environment, the general computer controls, the specific application-level security, the segregation of duties–a lot of responsibility fell on IT's shoulders, both to make the IT environment sound and secure and also to support all the business systems," he says.

There are tools available to facilitate compliance, Vogel believes, but there isn't a single tool today that is going to cut across end to end throughout the regulatory environment. "So what [companies] need to do is look at the regulations and come up with their interpretation of the regulations," he says. "When it comes to Sarbanes-Oxley, I think a lot of people have relied on their auditors to give them an interpretation as opposed to determining what's appropriate for themselves. Once you have your interpretation in place, you need to determine what units, assets, or components are relevant and then determine what the appropriate strategy might be."

Some companies will take an asset management strategy, some will take more of a service-desk approach, and a third community will look at discovery and mapping. "Tools aren't going to be able to discover everything," Vogel says. "Going forward you will see a blending of all three, but today you see a few variations of those."

Dostal agrees: "The more complicated your corporate structure is, the more you have to rely on IT to implement your plan–not necessarily to come up with the plan or to be responsible for reporting, but IT definitely is a tool and a resource."

Software Works

FBL will be cutting tremendous amounts of hours and days out of its business processes for dealing with unclaimed property regulations, Dostal asserts, because it now has the right software tools in place. "The majority of our unclaimed property is in the form of unclaimed checks–for example, someone canceled a policy and then moved before the check arrived," she says. "We are responsible to make due diligence efforts to get the check to [policyholders], and if that is not possible, we are responsible to get that money to their last known state of residence."

Several years ago, when FBL had just five core states in which it was licensed, that wasn't so difficult. "But as our company has grown and people become more transient, we have unclaimed property in nearly every state," she says. "So keeping up with 50 sets of regulations is the first hurdle for the solution we chose to go with from Fiserv. The second thing [we needed] is a database to help us sort things–get things filed, create letters, do those types of processes. In the past, we had gotten a file from our cash disbursement system of uncashed checks that were of a certain amount, and we would have to get that file several months in advance [of the filing date] to sort out by state and contact the business units to see what was going on. When we got the information back, we had to figure out which states required which things. It was a time-consuming process. All of that–especially the database function and keeping track of the regulations by state–is what [Fiserv's] Tracker does for us."

Battle for Control

Connie Jasper Woodroof, NAIC liaison for Fiserv Insurance Solutions, explains that watching the federal government become involved in regulatory issues has been an ongoing situation for the NAIC and the insurance industry. The industry is divided between preferring complete federal regulation and keeping the current state regulation, she believes. "The NAIC always is concerned about what the federal government is doing, but that's a situation it's been in for a long time," she says. "When the federal government starts to talk about a certain area [of regulation], there will be an immediate reaction from the NAIC."

While nonpublic companies escaped the initial push of the Sarbanes-Oxley Act, the NAIC is looking to institute new and possibly tighter regulations. "We're a mutual insurance company, and we're regulated by the South Carolina Department of Insurance," says Charlie Higgins, chief audit executive for South Carolina BlueCross. "Through that, the NAIC will be moving toward adopting certain aspects of the Sarbanes-Oxley Act, and we expect that to take effect probably within the next 12 to 18 months. It will be issuing a directive to the health insurance industry as to what it would expect our operating procedures would be."

The NAIC is working to be proactive rather than reactive, Woodroof comments. "What the industry is doing determines how proactive the NAIC can be," she says. "That's one of the reasons [the NAIC] is looking at SOX-like requirements for nonpublic insurance companies. It costs insurers thousands of dollars each year [to comply] with the current [regulations] in place. One of the industry's concerns with bringing in these SOX-like requirements is if it continues to go in the direction it is–even with a modified Section 404 compliance on the internal controls–that's going to add thousands of dollars to the regulatory process. A lot of the industry feels it is so tightly regulated this is overkill."

There is no shortage of regulations currently in place, Woodroof says. "Commissioners of insurance around the United States have the power to ask for pretty much anything they want to see at any point in time regarding the solvency of a company," she adds. "It's kind of a stand-off right now on that particular issue."

Higgins indicates his company already has a comprehensive compliance program in place. "Anything that would be coming down from NAIC would formalize any reporting process that might be required," he says. "We're trying to bring those in place now rather than wait until we're required to do so. We project [regulations] may be even more stringent than what we are seeing applying to some public companies."

ACUITY is a mutual company, but president and CEO Ben Salzmann reports the carrier already has purchased SOX software to log all those requirements. "Our goal always is to have best practices in everything we do," he says. "We are working to be fully compliant with SOX just as if we were a stock company. Ironically, we weren't that far off. We already built a system to track all internal control mechanisms tied to risk assessment studies. We then logged it all into the software package. We already documented all our workflows. That's the way we want to operate, so now it's just a matter of connecting a few dots and we'll be SOX compliant."

Some insurance groups are fighting the expansion of SOX requirements to nonpublic companies, Salzmann points out. "They are saying insurance already is too heavily regulated, and this is just too burdensome," he says. "But where [opponents] lose me is when they say, 'At least exempt the small companies.' It's the small companies that have the weaker controls. If they can't afford the controls because they are too small, and they aren't automated enough or have enough internal controls to build on, they are the ones that need [compliance] the worst. That's a recipe for disaster. Then they go insolvent, and whose fault is that?"

The Audit Trail

The business side constantly relies on the IT department for assistance in compliance issues. Of course, technology has created challenges of its own, such as the paperless environment most businesses work in. "Where claims are coming in through an EDI portal, for the most part the traditional audit trail is fast disappearing," says Dudek. "The [regulatory] legislation is in fact driving IT resources in hardware and software purchases to house this fixed-content data. It is driving requirement efforts here at BlueCross to ensure enough of the electronic audit trail exists to demonstrate we are compliant."

Salzmann contends the more carriers go paperless, the more they have to have cross references within their database, which improves both the accuracy and the flexibility carriers have in terms of reporting.

"Regulators are catching up on paperless [environments]," says Salzmann. "Even three years ago, regulators and auditors were saying [paperless] was bad. They said, 'How do we know we're getting the real stuff.' Today, [regulators] are saying to companies that aren't paperless, 'You've got all this paper. How can I spin through all your numbers?'"

When the office of the commissioner of insurance arrives at ACUITY's home office in Wisconsin for an audit, Salzmann adds, the carrier simply gives the regulator a password and lets the regulator go right into the system and look at everything. "[Regulators] really appreciate they can log on remotely," he says. "They'll come here, have someone train them on the system, do whatever site inspections they have to do, and then go back to their office. And if they have to look up any more cases or anything they want to follow up on, they can log in remotely. They love it."

Take Your Pick

"If you were starting the insurance regulation from scratch, having one common set of regulations would be vastly superior. Uniformity across states would be wonderful," states Salzmann. "On the flip side, now that we've tailored our existence along all these individual state regulations, [federal regulations] do add an extra level of burden."

Whether it is state or federal regulation, getting by without the help of technology is impossible, maintains Dudek. "It's a difficult task that keeps getting more difficult because of the regulatory environment in which we operate," he says. "The technology allows us an unfettered look at the data without moving the data to determine whether we are in compliance or not with regulations."
