Page Contents
Related areas
Key contacts
On 29 August 2024, the Central Bank of Ireland (the CBI) issued a Dear CEO letter to the insurance industry, detailing its findings following a recent targeted Consumer Protection Risk Assessment (CPRA) of insurance firms’ consumer protection risk management frameworks. The letter also sets out certain actions which insurance firms are required to take in the coming months.
In this short publication, we look at the CBI’s findings and required actions. We also consider how taking those actions may dovetail well with broader preparations for the “securing customers’ interests” requirements of the proposed new regulations that will in due course replace the Consumer Protection Code (the Code).
Insurers will need to start planning and conducting the necessary gap analyses now, as well as considering the impact of the regulator’s consumer protection expectations as reflected in the consultation on reforms to the Code.
Background – the CPRA Model and the Assessment
While the CBI continues to review and analyse the feedback received following its March – June 2024 Consultation on its review of the Code, it has in tandem been compiling the findings of its CPRA which it had embarked on in Q2 2023.
The stated aim of the CPRA was to evaluate the overall appropriateness of insurers’ existing consumer protection risk management (CPRM) frameworks, paying particular attention to how insurers identify, monitor, manage and mitigate risks to consumers. The assessment focused on Module 1 of the CPRA Model: “Governance and Controls”, with a specific focus on:
The CBI first introduced the CPRA model in 2017 to establish a more robust and intrusive method to assess regulated firms’ conduct and consumer protection risk management. Specifically, CPRAs enable the CBI to assess how firms manage and identify risks to consumers in the context of their strategies, business models and their internal structures and processes.
Following its introduction, the CBI published its CPRA Guide which provides regulated firms with insight into how the CPRA model works in practice and details the CBI’s expectations as regards the development and implementation of CPRM frameworks across all regulated firms. While individual firms may have had engagement with the CBI on their CPRMs in the intervening six years, this is the first targeted/thematic review carried out by the CBI.
The wider context of risk management for regulated firms
Insurers are in the business of managing risk and are very familiar with risk management frameworks generally. There has been a particularly heavy focus over the last number of years on the risks to which Irish (and European) insurers are exposed, with operational resilience and outsourcing risk in particular attracting regulator time and attention. Risk management frameworks have therefore been developed and enhanced as new and changing risks are identified. However, regulators’ focus on culture and conduct and on firms’ understanding of the risks faced by their customers from the behaviour of firms themselves, has been equally prominent.
It is in this wider context that we recommend all financial services providers dealing with consumers in the Irish market should reflect on the findings in the letter.
Findings and expectations
In conducting the CPRA, the CBI identified differing levels of maturity across insurer CPRM frameworks but overall some positive improvements since 2017. It made the following noteworthy observations:
CPRM Frameworks and Policies (Element 5)
Risk identified for assessment: That there is no clear ownership for the identification, assessment, mitigation and monitoring of consumer protection risks.
Control Functions/Consumer Monitoring (Element 3)
Risk identified for assessment: Risk that the control functions do not support the identification, monitoring and management of consumer protection risk and therefore are not effective in influencing the firm’s behaviour to ensure fair customer outcomes.
Consumer Reporting (Element 6)
Risk identified for assessment: Risk that the management information (MI) to monitor and track consumer outcomes is limited, insufficient or not focussed enough and/or not used to drive effective consumer protection risk management.
Some examples of “Notable Practices” that support CPRM
In conducting its assessment, the CBI identified many “notable practices”. The following is a sample of practices that we believe many financial services firms likely already follow or are considering and would fit well with preparing for the revised Code:
Follow-up actions required
Next steps - how ALG can help
The publication of this letter is timely with the CBI due to publish the outcome of its assessment of submissions received on the proposed new regulations that will replace the Code in early 2025.
Insurers will be considering the extent to which the regulatory expectations evident in the Code reforms should be factored into any steps arising from this current gap analysis.
In anticipation of the reforms to the Code, ALG has assembled a cross-disciplinary team to track these proposals and map them against our experience in dealing with consumer protection issues across retail financial services, particularly in the insurance and banking sectors. Our recent Guide to the Code Reforms summarises the key compliance and governance steps required of firms.
We are already supporting a range of consumer financial services firms, including insurers, in assessing and presenting to management and Boards on the requirements of the Code Reforms and how to plan to implement these changes.
Our cross-practice team including our Insurance & Reinsurance Group and Regulatory Investigations Group has deep experience in acting in supervisory and enforcement engagements relating to consumer protection issues, understanding the CBI’s consumer expectations and in delivering similar implementation projects such as the introduction of IAF/SEAR.
To discuss how ALG can support with conducting your gap analysis ahead of the 30 November deadline, or more broadly with design of your Code implementation plans, please contact Dario Dagostino, partner, Laura Mulleady, partner, or any member of the A&L Goodbody Insurance & Reinsurance Group or Regulatory Investigations Group.
Date published: 5 September 2024