1Insurance Regulatory Outlook 2020

Insurance regulatory outlook 2020

The Hong Kong insurance sector is going through a considerable period of change — with technology-driven disruption continuing at pace as the virtual insurer agenda, digitization of distribution channels and increased focus on both the customer journey and experience drives initiatives across the industry.

The Hong Kong Insurance Authority (HKIA) is taking on increased powers in the regulation of agents and brokers from 23 September 2019, and with it their focus will continue to be on effective systems and controls across the enterprise. It is reasonable to expect, therefore, that the whole value chain and ecosystem around the manufacturing, distribution and selling of insurance products will be subject to increased scrutiny. This in part is reflected in the finalized enterprise risk management (ERM) guidelines issued under GL21 as part of the Hong Kong risk-based capital (RBC) regime, as well as in the Codes of Conduct for Agents and Brokers which set a higher bar with regards to conduct.

Many firms with a global footprint will be familiar with the direction of travel from the HKIA as the regulatory agenda is driven by Hong Kong’s membership of the International Association of Insurance Supervisors (IAIS). However, for some firms operating on a more local or regional basis, and individuals in roles with a similar level of local or regional exposure, the changes being introduced should be prioritized appropriately.

Introduction

4 Insurance Regulatory Outlook 2020

Top Hong Kong Insurance regulatory themes for 2020

Conduct and accountabilityWith an increase in focus on accountability across the financial services sector, evidenced through the HKMA’s Bank Culture Reform initiative and the Securities and Futures Commission (SFC) Manager-In-Charge regime, the HKIA has followed suit by introducing incremental changes through the Codes of Conduct for Agents and Brokers, which seek to expand the coverage of accountability-related regulation by clarifying expectations around professional conduct. The focus of the new codes is predominantly on treating customers fairly, however, further to this are Guidelines on Fit and Proper Criteria for Licensed Insurance Intermediaries and Guidelines on Continuing Professional Development.

In order to respond to the anticipated enhanced level of focus in this area from the HKIA, firms should consider the how relevant roles and responsibilities throughout the organization are aligned and delivered against the treating customers fairly principles. Other aspects which should be taken into consideration include:

• Having systems and controls necessary to ensure that compliance standards are met• Ensuring that customer issues are addressed adequately in their best interests• Assuring that reporting mechanisms are in place to ensure communication of material incidents to

the HKIA• Retaining relevant records

Individuals who are accountable for the above arrangements should also ensure they are familiar with the enhancements being pushed through by the HKIA. Particular consideration should be given to the requirement to obtain the regulator’s consent for the appointment of key persons in intermediary management.

In parallel to the above revisions, the HKIA has also brought into focus under GL21 the requirement, where relevant and material, for firms to have a conduct risk policy in place as part of their broader approach to ERM. It is therefore essential that firms consider a holistic approach to the management of conduct-related risks in responding to the existing and emerging requirements coming from the HKIA. Finally, the HKIA’s approach to group-wide supervision continues to evolve, with further guidance expected later in 2019.

Data and privacyWith the changing technology landscape, the business models of insurers have evolved at a rapid pace. Insurers are now increasingly driving growth from digital and online business, by tapping into critical technologies such as big data, artificial intelligence, cloud computing and internet of things (IoT). The market is shifting from push to full, with an increased focus on better understanding customers and addressing their unmet needs. By leveraging data, insurers are empowered to improve customer service, innovate products and enhance underwriting.

1.

2.

5Insurance Regulatory Outlook 2020

Under a more data-relevant business model, a larger volume of data will be collected, transferred, processed and used. While data privacy-related regulations evolve in different geographical locations, insurers will also need to be more agile and efficient, and act quickly to address gaps and comply with the specific regulatory regimes where they operate. Insurers will be more frequently faced with challenges in data privacy protection, particularly during rapid cross-border data transfer, and outsourcing and contracting cloud services.

Insurers are expected to strengthen their executive and board governance, and oversight for data privacy management — a trend manifested in recent regulations, such as the European Union’s General Data Privacy Regulation (GDPR). Organizational accountability is becoming a global trend where data privacy management is expected to be more proactive and top-down. Best practices, such as setting up a privacy management program, have been encouraged by the Privacy Commissioner for Personal Data (PCPD), who are also in the process of reviewing Personal Data (Privacy) Ordinance (PDPO). This review focuses on identifying measures to address the inadequacies of the current voluntary data breach notification regime and revisiting issues that were raised during the last PDPO review exercise in 2009–12 but were not pursued, in addition to the new elements brought by the European Union’s GDPR.

Anti-money laundering (AML) and counter-financing of terrorism (CFT)The Anti-Money Laundering (AML) and Countering Financing of Terrorism (CFT) Act has been a key focus point of HKIA inspections and guidance over the last year and will continue to remain so throughout 2020 with particular emphasis on politically exposed persons, mainland Chinese customers and source of wealth. In addition, HKIA has been reviewing the broker or agent relationships, particularly around any facilitation in policy funding in avoidance or violation of mainland China exchange controls.

With the intention of ensuring a consistent level of awareness from industry participants extending to the US Office of Foreign Assets Control (OFAC) and UN sanctions lists, economic sanctions controls are also likely to receive increased attention from the regulator. Any dealings with foreign nationals from North Korea, Iran and Cuba, will likely be heavily scrutinized.

Finally, it is expected that HKIA will undertake enforcement actions or require industry participants to undertake remedial action in relation to failures to meet minimum standards around Know-Your-Client and transaction monitoring.

Technology dependency and cybersecurityWhile digital and online channels become the growth driver for insurers, cyber risk is becoming one of the most significant operational risks faced by insurers.

Insurance regulators are taking cybersecurity risks seriously. In June 2019, the HKIA published the guideline on cybersecurity (GL20) which sets the minimum standard on cybersecurity that authorized insurers are expected to have in place and the general guiding principles that the HKIA will use to assess the effectiveness of insurers’ cybersecurity frameworks. Insurers need to get ready for GL20 which will take effect from 1 January 2020. GL20 highlighted the importance of board accountability and oversight on setting up and maintaining a corporate cybersecurity strategy and framework, a self-assessment regime as part of the ERM program, and effective monitoring and response mechanisms.

3.

4.

6 Insurance Regulatory Outlook 2020

ResilienceResilience has received heightened focus from the HKIA, particularly through the GL21 requirement to have contingency or recovery plans in place to restore financial strength and viabilityon going concern basis and winding up basis.

Within the Hong Kong Insurance sector, the market contains a broad spectrum of firms, some of whomare Global Systemically Important Insurers (GSIIs) and, therefore, have been required to developrecovery plans already. Among the GSII companies in Hong Kong, they may have a recovery plan atgroup level which may not be sufficiently detailed from the local entity’s perspective. These companieswould need to assess the appropriateness of the group’s recovery plan in meeting the HKIA’s GL21requirement. As for the non-GSII companies, they would need to prepare a recovery plan leveragingthe lessons learnt from the GSII companies and other markets. While the expectations of what form therecovery plan needs to take from an HKIA perspective have not been communicated, it is reasonable toenvisage that the level of detail required will be proportionately lighter than what is mandated forthe GSII.

The key considerations for the recovery plan are the recovery triggers, the recovery options and therecovery scenarios. Examples of these include breach of solvency ratio or the liquidity ratio (recoverytrigger), disposal of businesses or the fund raising of capital (recovery options), and pandemic or stockmarket crash (recovery scenarios).

Insurtech (including virtual insurers)The insurtech journey continues to evolve in Hong Kong, with the licensing regime particularly under thespotlight following the awarding of the first license issued to a virtual insurer operating solely throughdigital distribution channels. As the flow of applicants or license awardees continues, a key point foremerging virtual insurers covering life insurance to consider is the extent to which they can leveragethe non-technology infrastructure of their traditional insurance partner to meet the broader regulatoryrequirements mandated by the HKIA. Another point which they could consider is where they need to buildsomething bespoke which allows them to realize the anticipated benefits from running an agile businesswith proportionate and effective internal controls, and risk-related systems and processes in place.

Suitability and disclosureSuitability is a recurring theme across the financial services sector, and with the insurance sector, inparticular, undergoing some fundamental changes driven predominantly by the addition of agencyand broker regulation under the HKIA from 23 September 2019 is something that is likely to receiveheightened focus from market participants going forward.

At the same time as these fundamental changes are taking place, professional conduct is under theregulatory microscope. As part of this agenda, disclosure of information is becoming increasinglyimportant as one of the eight core principles of professional conduct, extending to insurance agents’identity and capacity, insurance products (e.g., key features), and also disclosures relating to policyholderobligations.

Enterprise risk management (ERM)In Hong Kong’s Insurance sector, there are a variety of organizations with differing levels of maturityregarding enterprise risk management frameworks (ERMFs), particularly as organizations juggle globalversus regional versus local standards, whether these standards are internally or externally driven.With the publication of the HKIA’s final guidelines on ERM issued in July 2019 under GL21, there will be asegment of the insurance sector in Hong Kong which is more significantly impacted by the new standards,

5.

6.

7.

8.

7Insurance Regulatory Outlook 2020

and as such will have more to do when it comes to implementing and embedding the ERMF. An example of where significant effort should be spent to support the effective embedding of ERM across the organization will be decided by the level of involvement from the board in the establishment, implementation and oversight of the framework. For those firms with an embedded ERMF and who potentially have a broad and global footprint, there is an ongoing global focus around the enhanced management of non-financial risks (NFRs) (the definition of which covers risks such as operational, cyber, conduct, third party and information technology among others) which have, in recent history, resulted in more significant risk issues than the traditional financial risk categories.Whichever of the global, regional or local groupings a firm falls into, they should consider the extent to which adequately developed policies, processes and controls are in place (with a key focus on effective operationalization of such measures) to manage all enterprise risks (including both financial and NFRs), as well as how they intend to seek assurance on the effectiveness of such arrangements.

Own risk and solvency assessment (ORSA) Under the GL21 ERM guidelines, the HKIA has specified the requirement for authorized insurers caught by GL21 to regularly perform ORSAs, with a view to the first version being submitted to the regulator by 30 April 2021 or within six months of the year ending (YE) date before Pillar 1 regulatory capital requirements come into force (i.e. by June 2021). Prior to this date, however, there are a broad set of considerations that, based on comparable RBC regimes, will be critical items to be addressed prior to producing the report. In particular developing the necessary process to produce the ORSA, implementing the process and clearing roadblocks identified through gaps between current and target state, and subsequent ongoing refinement of the ORSA process prior to submitting the regulator-ready report will need to be addressed. The production of the ORSA and utilization as a decision-making tool will, in many cases, require a mindset change from individuals with related and often new responsibilities, particularly those at the board-level for whom this is a new obligation placed upon them. As a new requirement in Hong Kong, individuals with equivalent ORSA experience from comparable jurisdictions are in short supply. And therefore, careful consideration is required to ascertain whether there is sufficient capability to run the ORSA program and deliver the report, as well as in considering further down the line the implications of independent reviews and how to resource and execute these reviews through Internal Audit or other means. While there is still a reasonable runway until insurers are required to submit their ORSA, a proactive approach to establishing and executing the ORSA program, particularly in relation to the coordination efforts, training and awareness, and dry-runs that are necessary before the regulatory submission, will put firms in a stronger position to meet the regulatory deadline.

Complaint-handlingAs agency and broker regulation switches to the HKIA, it is reasonable to expect that complaints and their subsequent handling, will become an increasingly important area of focus for the regulator and for the insurance sector more broadly.

With this in mind, and also with the direction of travel across the financial services sector clearly evident through existing HKMA and SFC standards on complaint-handling; as well as the existence of the Financial Disputes Resolution Centre (FDRC) customer dispute mediation and arbitration scheme (which is not currently extended to insurance), firms should be proactive in ensuring that the complaint-handling processes address the industry-wide principles in the public domain already. Also, firms should ensure that their complaint-handling framework adequately addresses any internal procedure or control deficiencies which could give rise to systemic failings impacting a wider population of customers.

9.

10.

EY | Assurance | Tax | Transactions | Advisory

About EYEY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. Information about how EY collects and uses personal data and a description of the rights individuals have under data protection legislation is available via ey.com/privacy. For more information about our organization, please visit ey.com.

© 2019 EYGM Limited. All Rights Reserved.

EYG no. 004168-19Gbl

BMC Agency GA 1012901

ED None

In line with EY’s commitment to minimize its impact on the environment, this document has been printed on paper with a high recycled content.

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.

ey.com

Contacts:

David Scott Partner, Financial Services Risk Management Leader, Hong Kong +852 9661 2109david.scott@hk.ey.com

Leo KittDirector, Financial Services Risk Management, Insurance Risk Lead, Hong Kong+852 3471 2723leo.kitt@hk.ey.com

Eugène Goyne Asia-Pacific Regulatory Lead +852 9666 3434 eugene.goyne@hk.ey.com

Ernest Yiu Associate Partner, Financial Services Risk Management, Insurance Regulatory Compliance Lead +852 2675 2808 ernest.yiu@hk.ey.com

Josh Heiliczer Partner, Hong Kong Financial Crime Compliance Leader +852 2849 9567 josh.heiliczer@hk.ey.com