Finding Solutions to the Industry’s Compliance Requirements

September 5, 2005

Compliance requirements for the insurance industry have changed radically in the last three years, including the Patriot Act and Sarbanes-Oxley (SOX) for public companies. Now, the National Association of Insurance Commissioners is implementing SOX-like requirements for private companies. Insurers of all types and sizes have to be concerned and will continue to face new compliance challenges in the future.

Besides processing, insurance companies have to document every communication, audit every dollar and be in a position to run a report on any aspect of the business. In order to comply, all data needs to be accessible in what is deemed very close to real-time. Firms need to know exactly whom they are dealing with at all times in all interactions, both on the agent side and on the customer side.

Insurance companies also need to garner more information about agents and customers, while at the same time maintaining the privacy of the insured. California, for example, has stricter privacy regulation with the SB 1386 security breach disclosure law; many other states are rapidly following suit.

Compliance categories

There are four main areas of insurance compliance: services provided, licenses required, information disclosure and recordkeeping.

Marketing materials for services provided must be consistent with and/or provided by the company. Required licensing is not complicated, but does vary from state to state.

Information disclosure is the primary focus of client-related compliance, and misunderstandings are a common source of liability issues. Meticulous records enhance and demonstrate compliance, plus complement business efforts.

To keep these four in compliance, a firm requires meticulous record keeping to document the fact that all work was done in line with compliance guidelines. All communications that take place need to be recorded as part of documentation: letter, voice, e-mail, fax, etc.

Requirements and consequences

The NAIC began revising its Model Audit Rule (MAR) as a direct result of SOX. The revision will ultimately result in SOX-like requirements for almost the entire insurance industry.

New requirements to MAR include the formation of a defined Audit Committee, overseen by an independent financial expert and composed of a specific number of independent committee members.

A company’s Audit Committee must now pre-approve both audit and non-audit CPA activities and the firm must submit certain reports to the Audit Committee.

The Patriot Act requires that U.S.-based insurers implement anti-money laundering programs that include verification of customer information and reporting of suspicious financial activity. Customer information must be continuously checked against governmental lists. Companies must verify the identity of all third parties to a financial transaction and must have a detailed understanding of customer business, business patterns and sources of funds.

The SOX legislation was born out of the fraud at Enron and WorldCom. SOX dictates that the CEO and CFO are accountable and responsible for everything that happens at the company, including transactions at every level. Executives can be found culpable even if they were not intentionally committing fraud.

Section 404 is particularly menacing. It involves direct management responsibility over the assessment of internal controls. Section 404 demands more internal controls, faster reporting and stronger security. In order to close operational and reporting gaps, actively monitor business performance, facilitate communication and standardize internal controls in financial and accounting measures, an insurance company needs to have a real-time, paperless and automated environment. Doing business the manual way will not cut it: it is too easy to hide things.

The Health Insurance Portability and Accountability Act Security Rule contains three measures that must be addressed in order to protect and assure the confidentiality of electronic protected health information. The three measures are: Administrative Safeguards (i.e., employee guidelines, incident detection and reporting); Physical Safeguards (i.e., facility security against unauthorized intrusion); and Technical Safeguards (i.e., user authorization, data security, auto log-off).

Benefits of compliance

Done properly, compliance efforts can have a positive effect on the bottom line instead of being a cash drain on a company. Using low-tech methods of documenting and reporting will spell disaster, both in profitability and compliance.

Having rules-based engines and a unified database that allow integration with the entire insurance value chain (i.e., supplies, agents, brokers, intermediaries, adjusters) will increase visibility and margins.

With the right systems in place, this type of compliance can support strategic initiatives across the enterprise. This includes everything from customer service to target marketing and monitoring the results of marketing campaigns as well as real-time profitability of business written across chosen class codes and other initiatives such as cross-selling.

Components for a compliance solution

Because the Sarbanes-Oxley Act does not specify a roadmap to compliance, it brings about certain challenges. This challenge is compounded by the fact that the insurance industry is infamous for multiple siloed Enterprise Resource Planning systems. Hence the task of becoming compliant is daunting. Here are the components of such a solution.

Business Intelligence. Corporate governance and compliance are indirectly driving business intelligence. Both go hand in hand. Insurance industry compliance initiatives such as Sarbanes-Oxley place an increasing amount of pressure on executives for enhanced financial reporting. The pressure is on IT to supply a clean, integrated, enterprise-wide accurate data set for reporting and analysis. The days of allowing each department to have ownership of separate, unreliable data sets are over. Ad-hoc reporting, a library of Management Information System reports and On-Line Analytical Processing capabilities are essential components of an integrated ERP.

Enterprise Compliance. Real-time enterprise compliance management means integrating all business units within an insurance organization; each unit becomes transparent in real-time, controlled through rules-based engines and supported by real-time reporting technologies.

Unstructured Data Organization and Integrated Correspondence. In the insurance world unstructured information is stored in multiple forms (photos, faxes, paper files, voicemails, e-mails, and so forth) in multiple silos including physical filing cabinets. This can represent 80 percent of all insurance information. Getting this under consistent control is next to impossible. Unlike records managed in a database, unstructured content (i.e., e-mail, electronic documents, instant messages, voicemail, notes, Post-its, scanned documents, faxes, web conferences) is typically poorly organized, hard to find and controlled only under ad-hoc security.

In order to mitigate risk and strengthen corporate compliance, companies need to manage unstructured content in a centralized database repository. Users need to establish process controls for cost-effective audits; then information may be retained, archived and managed for compliance.

Workflow Monitor. A workflow monitor allows managers to audit in “real-time” the activities and workload of anyone in the organization. This provides for active management of remote offices and of individuals that may be “telecommuting” as well. A workflow monitor can also fully integrate with all the normal means of communication such as faxes, e-mails and letters.

Customer Relationship Management. An integrated CRM monitors the status of each agent or insured in real-time. Integrated policy management, claims and AP/AR mean that decisions can be made rapidly; it also ensures no mistakes are made when handling customer-related issues.

Rules-Based Engine. There are many advantages to a rules-based technology engine. By integrating business rules into a system, a consistent output of insurance applications is achieved. Agents begin to anticipate and provide the correct information the first time, and so their production numbers increase. Critical underwriting criteria can be assured, as when a question must be answered in a specific way to qualify for coverage. Last, but not least, many monotonous tasks are reduced, such as manual calculation of tax rules and unnecessary and time-consuming iterations of information requests between agent and underwriter, and agents can increase the time they spend on face-to-face selling because they can do their quoting when convenient.

Unified Database. Data quality assurance, real-time data accessibility and operational transparency are all critical to compliance. A unified database ensures that all data is of the highest integrity and accessible anytime from anywhere as long as the appropriate security protocols are met.

Secure System. Security includes full activity monitoring of all employees within the organization as well as full audit logs. A secure system has the ability to restrict any user based on job title, position or other criteria. This allows managers to reward efficient and effective employees as well as identify areas of improvement required by individuals and departments.

Summary

Strong corporate governance is no doubt a major strategic imperative for insurance companies today. In order to comply, it is clear that technology solutions will be a key part of the solution. Companies that implement processes to enhance internal controls and financial reporting can enjoy benefits at all organizational levels.

James Mullarney, president and CEO of InsurSys, has spent over 16 years working for global institutions such as CNA, Zurich Financial Services Group and Allied Irish Banks. Duncan Beatty, InsurSys, has extensive experience in heavily regulated industries and is versed in all financial management, accounting and compliance related issues.


Insurance Journal Magazine September 5, 2005