The Cost of Transparency

The Sarbanes-Oxley Act grabbed corporate America by its lapels and shook it, but after a few years of understanding what SOX is all about, U.S. insurers are returning much of their compliance attention to state regulators.

Clearly, SOX was important in the world of financial reporting for compliance, states Ellen Walsh, partner in the risk and regulatory practice of Pricewaterhouse-Coopers. SOX helped shed light on the importance of having a solid compliance program across the business, particularly for large life insurance companies that are beholden to a number of different regulators.

In addition to the departments of insurance in all 50 states, if carriers are selling security products, they need to comply with the NASD rules in terms of their broker/dealer operations as well as the SEC rules on variable insurance products and the underlying funds that support them, explains Walsh. "Insurance companies, especially on the life side, continue to be required to be in compliance with a whole host of very different regulations," she says. "It can be managed, but what we are seeing is the cumulative effect of the whole host of regulatory requirements is forcing companies to step back and ask, 'Are we approaching all this in the best way we can?'"

In the Celent report "Compliance & Technology: Best Practices for Insurers," Donald Light reports there are process best practices and organization best practices. "The compliance process should link and integrate information and workflows among the three tiers of the compliance cycle: monitor and analyze, prioritize and implement, and operate and audit," writes Light. "The corporate and insurance scandals of the past few years have created a high level of senior-management support for and interest in compliance. While compliance requirements have grown substantially, so have the process, organizational, and technology capabilities to meet them."

Rather than dealing with each one-off requirement, companies have to examine how they are approaching compliance in its entirety, points out Walsh. Do they have the right compliance structure in place? Do they have the right resources? Are they using those resources as efficiently as they can? Are they leveraging technology where they can? Are they using a similar platform for assessing the impact of these requirements and how they need to be implemented in the operation?

"We're finding a number of clients, even those with mature compliance functions, really viewing the time as right to assess whether they are approaching this in the right way," says Walsh.

The driving forces behind getting the technology platform in place were SOX and the continuing need to cut expenses, Walsh believes. "I think companies in some cases were quick to identify a package to use to get things going," she says. "We have seen some companies utilize what they did for SOX and more broadly apply it to other compliance needs."

The keys to regulatory compliance involve organization, speed, simplifying the process, and training, according to Dan Trotter, director of rate development and filings for Bituminous Insurance. "You have to have your staff be able to use the product and understand it and all of its functions," he says. As carriers move to paperless environments, more technology begins to kick in. "We used to get two or three filings in a two-inch folder," he recalls. "Now, I'm up to 10 or 12 files in each of those folders because we've reduced most of the paper."

Bituminous pulls information from several different areas–financial information, rating bureaus, outside data bureaus, actuarial consultants, and the individual state's department of insurance. "Our [software from Whitehill] lets us bring in information from several different sources, keep it organized, and keep it flowing," he says.

One way companies can organize their compliance efforts is to look at all of the tools they are using internally to assess their various levels of risk, explains Walsh. "Basically, is there an opportunity to use a single platform or at least one platform with some modifications related to the risks?" she asks. "If you see an opportunity to consolidate from that perspective, a lot of the redundancies are going to pop out. When you consider how many times a certain business function is being reviewed by all these risk and control entities, almost immediately you can start talking about opportunities for saving money and consolidating some of that."

One challenge to the allocation of resources, notes Walsh, is the existence of a number of different organizations within a company doing different types of work that ultimately involves compliance, which creates redundancies in the enterprise. "There is potential for companies doing similar types of self-assessment and control testing," she says. "To illustrate, you have the folks doing SOX from the financial control side of things. A lot of times they get into operational controls, as well. In some organizations, you have a risk management function that also is asking the business units to assess their risks. You have the compliance department assessing compliance risks. Then you have internal audit in its traditional role of doing its planning for what it needs to make it to the audit plan in any given year."

Walsh believes there is a level of fatigue that has set in with many of these companies. Similar questions are asked of business people by three or four different control groups within the carrier. "[All the parties involved] understand they need to be compliant and the importance of compliance given the environment, but I think there are questions on whether this is the smartest way of doing this and whether we are allocating our resources and our expenses in the right way," she contends.

Trotter doesn't mind the added work because he considers himself an insurance professional, not just a compliance professional. "I came over from the underwriting side into compliance," he says. "I think that's part of the added value I bring to the department. I can look at a form and decide whether there is a conflict. I talk to the actuaries and understand the rates." Some compliance people want to fill out the forms, send them into the state, and leave it to the underwriters to make sure the carrier is not culpable. "I'm the compliance professional," he says. "That's my value added. It's part of my function. For me, I have no problem with it because that's part and parcel of the job."

Catherine Weatherford, executive vice president and CEO of the National Association of Insurance Commissioners (NAIC), believes the majority of the state regulatory community is technology advanced. "I believe that's because decades ago, the NAIC–where the regulators come together–embraced building financial regulatory databases," she says. Over the last two decades, the states have embraced 82 national databases, and Weatherford points out a centralized database works only if everybody is contributing regularly and making a commitment to quality and accuracy of the information compiled on those databases. "While you have some states with quite advanced systems of technology and you have some very small states that have more modest technology, everyone within the regulatory community has a high level of commitment to the databases and the transactional networks that are provided by and through the NAIC," she says. "You do have to work closely with each given state based on the way technology is set up in those states. Certain states have their technology centralized where you have to wait to get on a priority list for implementation of some pieces of technology. Also, with any governmental entity there are different levels of appropriations to the insurance regulators, so sometimes the ability to upgrade their technology must wait on a priority list."

Walsh feels the NAIC has a number of committees in place that use technology and data to get information that will help the states focus on higher-risk companies, so they are not constantly looking at companies that are in good shape. "There are efforts under way for the states to do a better job of their own surveillance," she indicates.

The state insurance regulators are highly committed to the technology they've built through the NAIC, according to Weatherford. Every state is using the SERFF system and the producer database that allows for agencies and companies to license agents and look up the background of those agents, do appointments and terminations of agents, and enable resident and nonresident licensing of agents. "Every state is a part of the financial regulatory database," she says. "We have a back-end system we provide states for free, which is a relatively new system to allow the upgrade of technology to the states for back-end operations within the states–agents license, company license, using SERFF as a component for producer licensing. It allows a state access to a back-end system that is constantly being improved. The short answer is there's a very strong and deep commitment to technology by the states."

Ten years ago, when Weatherford began with the NAIC, almost all of the filings were paper based. "Then we began doing filing through CD-ROM, which was our first move into technology," she says. "Now, we have the Internet filings, and we are at 98 percent of all companies filing via the Internet. It is incredible what the efficiency and the speed give both the companies and the regulatory community: Insurers have the ability to put the financial data together, and the regulatory community can do the analyzing and monitoring."

As for the states ceding responsibility as regulators to the federal government, Trotter indicates the plus side of such a change is there would be one set of rules for everyone in the industry to follow. On the other hand, the states have a double-edged function as regulators. They keep an eye on the carriers but also serve as a consumer protection agency. "I buy insurance just like you," he says. "If I have concerns–and there have been such situations–I much prefer to call the state because I feel the state is going to do a better job of looking out for me. If the federal government makes a mistake, you have to live with it in 50 states."

For example, Trotter tells the story of an effort Bituminous made to become licensed in a northeastern state notorious for its regulatory issues. "After about a year, it became so complicated to do business in the state we just decided we couldn't do it," he says. "It's much easier to pull out of one state and wait for the environment to change. If the federal government slaps down a rule, you can't pull out of the business."

The NAIC constantly is pushing the states to improve the technology process for carriers, in Trotter's opinion. "I will give it credit for that," he says. "It's gone miles increasing state awareness. The problem is it may have gone four or five miles, but we're talking a marathon. There's still another 20 miles in the race. Each state seems to want to put in its own little twist on things."

Weatherford believes regulators are in tune with the needs of the industry, such as the ability to license companies and agents in a timely manner and to get the products filed and in the marketplace as quickly as possible. "The regulators have a commitment to uniformity across the nation and to have a national system with state authority," she says.

This gives insurers of all shapes and sizes the benefit of technology for compliance issues and licensing and allows insurers to be served in a speedy, efficient, and cost-effective fashion. "As long as the regulators continue to move quickly to adapt to the evolving marketplace and continue toward the path of uniformity in areas where uniformity is worthwhile and necessary, then state regulations will be around for a long time," she says.

In his work with state regulators, Trotter sees a trend toward more open competition among carriers concerning their rates. "They've seen a lot of the benefits outweigh the negatives," he says. "The market does a good job of encouraging price competition. Open competition gives the customer more choices."

Trotter also believes the states have moved to speed up the regulatory process, but with that, they have shifted some of the burden back to the insurance companies in the form of self-certification. "In a nutshell, we have to keep all the records here showing what we are doing for all 50 states if a state wants to look at [the information]," he says. "As the burden has been shifted toward us, the technology becomes more important."

Weatherford concedes there are times when some people in the industry scratch their heads over why some of this information is needed. But they forget the data provided to regulators gives the regulators the ability to protect the consumers, regulate for solvency, and take care of the insurance-buying public. "That gives the public confidence in the insurance community to be able to make those purchases where you get a piece of paper with a promise to pay," she concludes. "Protecting the public and giving it good regulations only helps the insurance industry overall." TD