Insurance Code of Conduct for Bermuda Insurers

23 September 2010

The Bermuda Monetary Authority (BMA) has recently issued an Insurance Code of Conduct (Code) which is consistent with previously issued Guidance Notes. As a member of the International Association of Insurance Supervisors (IAIS), the BMA developed the Code taking into account core principles developed by the IAIS. It will come into effect on July 1, 2010 and prescribes duties and standards to be complied with by all insurers registered under the Insurance Act 1978 (Act).

Failure to comply with these requirements will be a factor to be taken into account by the BMA in determining whether an insurer is conducting its business in a sound and prudent manner under the Act. If necessary, insurers will have until December 31, 2010 to become compliant with the Code.

Bermuda insurers have varying risk profiles and insurers with higher risk profiles will require more comprehensive governance and risk management frameworks to conduct their business in a sound and prudent manner within the meaning of the Code.  The BMA will assess an insurer's compliance with the Code in proportion to the nature, scale and complexity of its business. For these purposes, nature includes the relationship between the policyholder and the insurer (captive versus commercial underwriter) or the characteristics of the insurer’s business (volatile versus stable). Scale includes the volume of premium written or the size of its balance sheet in relation to materiality considerations. Complexity includes organisational structures and multi-faceted business or business lines.

The "proportionality principle" is applicable to all sections of the Code and insurers will need to be mindful of the same in establishing sound corporate governance, risk management and internal controls frameworks.

Corporate Governance

Every insurer must establish and maintain a sound corporate governance framework having regard to international best practice.  Corporate governance includes principles on corporate discipline, accountability, responsibility, compliance and oversight. Whilst the primary responsibility for compliance with the Code rests with the Board of Directors of a company, in many instances the Board will delegate responsibility and authority to one or more committees, chief and senior executives or external parties (such as insurance managers). However, such delegation will not relieve the Board from its ultimate oversight responsibilities. Processes must be implemented to ensure that the Board has appropriate access to accurate, relevant and timely information and proper safeguards must be in place to protect sensitive information, including employee and policyholder information.

The Code sets out a non-exhaustive list of oversight responsibilities that the Board must consider when establishing and assessing the effectiveness of the insurer's corporate governance framework, including contingency planning, records maintenance and the establishment  of procedures for dealing with conflicts of interest at Board level, the appointment of non-executive directors and policyholder complaints. The creation of and delegation to committees to oversee key operational areas including underwriting and investments and key functions including risk management, corporate governance, audit and compliance is encouraged, provided that the Board and the committees appropriately document the significant policies and procedures employed.

The Board has oversight and accountability for all outsourced functions as if these functions were performed internally and subject to the insurer’s own standards on corporate governance and internal controls.

Risk Management

The Board and the Chief and Senior Executives of an insurer, where applicable, should ensure the adoption of a sound risk management and a general controls framework.  The framework should have regard to international best practice to ensure the fitness and propriety of individuals responsible for the management and oversight of the framework.

The Board has the responsibility of establishing processes to assess and document the fitness and propriety of its members, controllers and officers. In addition, it is responsible for setting appropriate strategies and policies and for providing suitable prudential oversight of an insurer’s risk management and internal controls framework. An insurer will need to clearly document significant policies and procedures surrounding its risk management and internal controls framework. These policies should be reviewed at least annually to ensure that they continue to support the insurer's overall operational strategy.

The insurer must develop policies, processes and procedures to assess its material risks and self-determine the capital it requires to support its insurance undertaking, at least annually. The risk management framework should (at a minimum) be sufficient to identify, measure and monitor all material risks of the insurer on a continual basis and involve appropriate reporting and delegation of oversight and operational responsibilities. Sound accounting and financial reporting procedures and practices should be developed in order to provide timely, complete and accurate representations of the insurer’s financial position on a regular basis.

Types of material risk to be addressed by the risk management framework include:  insurance underwriting risk; investment, liquidity and concentration risk; market risk; credit risk; systems and operations risk; group risk; strategic risk; reputational risk; and legal/litigation risk.

The design and effectiveness of the risk management and internal controls framework should be regularly assessed and reported to the Board and the Chief and Senior Executives to ensure refinement as appropriate.

Governance Mechanisms

Sound governance mechanisms are a central theme of the corporate governance and risk management frameworks of an insurer under the Code. Functions assisting the Board with its oversight responsibilities may be internally developed, such as independent risk management, internal audit and/or compliance functions, or outsourced to third party service providers, as appropriate, given the insurer’s risk profile. Functions to be considered are:

  1. Risk management – depending on the insurer’s risk profile, this function may be headed up by a Chief Risk Officer or the responsibilities shared amongst the operational unit leaders of the insurer. Regardless, direct reporting must be made to the Board or its established committees to ensure the fitness and propriety of the individuals entrusted with the responsibility.
  2. Internal controls – the Board and the chief and senior management should ensure that policies and procedures requiring direct reporting of internal control weaknesses are developed, that material deficiencies are documented and that resolution measures are implemented in a timely manner.
  3. Internal audit functions – clearly defined and documented roles and responsibilities should be approved by the Board and reviewed thereafter on a regular basis. Operational practices should be examined to ensure compliance with jurisdictional laws and regulations and internal policies, procedures and controls.
  4. Compliance – an insurer must develop a function to assist it to monitor and evaluate its compliance with internal controls, policies and procedures and external laws and regulations. This function may be delegated to third party service providers or internal audit.
  5. Actuarial – an effective actuarial function based on the nature, scale, complexity and profile risks to which the insurer is exposed should be developed. The insurer should ensure the fitness and propriety of the individuals performing the actuarial function.
  6. Self-assessment – this is an integral part of the insurer’s risk management framework. It involves the development of policies, processes and procedures to assess its material risks and self-determine the capital requirement it would need to support its insurance undertaking, on an annual basis. It should be clearly documented, reviewed and evaluated regularly by the Board and the chief and senior executives to ensure continual advancement in light of changes in the strategic direction, risk management framework and market place developments, taking into consideration the proportionality principle.

 

Conclusion

Over the past twelve to eighteen months the BMA has promulgated a number of significant insurance regulations which have been largely driven by Bermuda's goal of achieving regulatory equivalency under the EU Solvency II Directive. Insurers must familiarise themselves with these various new regulations, including the Code.

The principles of corporate governance articulated in the Code reflect international best practice and it is expected that most insurers are already compliant for the most part with its terms. The Code comes into effect on July 1, 2010 and, prior thereto, insurers should satisfy themselves of their compliance with its requirements in accordance with the proportionality principle. Where necessary, insurers will have until December 31, 2010 to bring themselves into compliance.

 

David J. Doyle

Director

Gemma Carreiro

Associate

 

This article is not intended to be a substitute for legal advice or a legal opinion. It deals in broad terms only and is intended to merely provide a brief overview and give general information.

About Conyers Dill & Pearman

Conyers Dill & Pearman advises on the laws of Bermuda, British Virgin Islands, Cayman Islands, Cyprus and Mauritius. Conyers’ lawyers specialise in company and commercial law, commercial litigation and private client matters. Conyers’ structure, culture and expertise enable responsive, timely and thorough service.  Conyers provides clients with the highest quality legal advice from strategic global locations including offices in the world’s leading financial centres in Europe, Asia, the Middle East and South America. Founded in 1928, Conyers comprises 600 staff including more than 150 lawyers. Affiliated companies (Codan) provide a range of trust, corporate secretarial, accounting and management services.

 

For more information please contact:

Naomi Little

+1 (441) 298 7828

naomi.little@conyersdill.com

www.conyersdill.com