Sweeping federal legislation passed in the wake of September 11 has had significant impact on the insurance industry, but few details have been provided regarding implementation requirements, audits or enforcement. The result is a seemingly endless stream of new federal guidelines and regulations to further define the legislation.
Although they were passed in October 2001, Presidential Executive Order 13224 and the USA Patriot Act are still not well defined or understood. Property & casualty insurers still have unanswered questions about the Terrorism Risk Insurance Act of 2002.
Pending legislation, such as optional federal chartering, remains on the legislative docket. With the federal government's lack of experience in insurance regulation, there is ample opportunity for confusion and also for conflict with state regulation.
Compliance with the federal legislation necessitates major changes in business processes, IT systems, organizational structure and insurance products. Insurers need to be prepared to quickly and effectively comply with new regulations and those that are bound to follow.
However, many in the industry have not taken action. For example, many companies believe they are exempted from OFAC (Office of Foreign Assets Control) compliance, which applies to all U.S.-based entities. Anti-money-laundering provisions of the USA Patriot Act have major implications for life insurance IT systems, but some insurers have ignored the proposed regulations, waiting for the deferred final regulations before making any plans for compliance.
Similarly, the Terrorism Risk Insurance Act of 2002 was effective immediately upon its passage, leaving many insurers out of compliance, with major product and pricing questions still to be resolved.
The combination of legislative lack of definition and the significant impact of these laws across insurance organizations creates serious problems. No longer can compliance be thought of as a reactive process. Insurers must change their thinking and be proactive.
Compliance requires input from many functions within the organization, including customer service, underwriting, claims, finance, actuarial, IT, legal and compliance. These areas need to work together proactively to understand the effect that current and future legislation will have on their business's products, processes, organizational structure and IT systems and to determine a reasonable and cost-effective solution for legislative compliance.
By following the five steps listed below, companies can successfully maintain compliance with federal regulations.
1. Assign a responsible compliance officer or compliance team and build a compliance program. A compliance program with an assigned compliance officer is required for insurers affected by the USA Patriot Act. The Treasury Department recommends one for OFAC compliance as well. The four required elements for the compliance program are: an accountable officer, organizational training, independent testing and/or audit, and internal controls. The compliance officer or team assesses vulnerabilities and determines where to cost-effectively spend corporate investment dollars for compliance.
2. Develop a compliance committee with representatives from various business units and functions. Existing and proposed legislation has broad impact on the strategy of the company and its operations. For example, proposals for optional federal regulation of the industry could change a company's strategic direction, broadening its target market, distribution channels and competition. OFAC processing requires a company to chart a careful course to be compliant with federal regulations while not violating state regulations.
3. Determine a process for handling new legislation. The compliance officer or team is responsible for anticipating required changes. They review proposed regulations from the federal government and respond to any requests for comments. They also analyze upcoming pieces of legislation. They work with other companies through industry organizations such as LOMA to make sure proposed changes are reasonable to implement and serve their purpose. Members of the compliance committee meet regularly to review upcoming legislation and assess the impact on their business units and the organization as a whole.
4. Review current and proposed legislation when determining annual budgets both in IT and business areas. The impact of upcoming legislation must be one of the considerations during the budgeting cycle. Otherwise, additional processing requirements resulting from legislation will require elimination or reduction of key IT and business area investments that are needed to drive the company's growth, profitability and competitiveness.
5. Manage each compliance effort as a project or set of projects with a clear scope, budget, timeframe and dedicated staff. Compliance efforts must be managed this way to ensure they meet the timeframes, budgets and compliance objectives set by the organization and limit the chance of violating the regulation. Vulnerabilities and high-risk areas should be considered first, with most effort expended where the risk is high. Training of the operational areas and documentation of the training must be considered as part of the project. In fact, good documentation of processes will prove compliance efforts in the situation where a company is audited or fined.
These steps will help insurers better prepare for timely and accurate implementations of compliance solutions that will, in turn, decrease the chances of being fined. The resulting solutions will be well thought out and designed in accordance with the organization's degree of risk.
It is clear that in the future more federal regulations and changes to existing regulations will continue to challenge insurers' business processes, IT systems, organizational structure and product offerings. These regulations are likely to be passed with the same lack of clarity as current legislation. With careful planning and a proactive approach, insurers can limit negative effects on business operations and financial results.
is principal, consulting group, Computer Sciences Corporation. He can be reached via e-mail at firstname.lastname@example.org.
Reproduced from National Underwriter Edition, April 7, 2003. Copyright 2003 by The National Underwriter Company in the serial publication. All rights reserved. Copyright in this article as an independent work may be held by the author.