“Dear CEO” Letter on Consumer Protection Risk Management Frameworks in Insurance Firms: A steer in the direction of “securing customers interests”?

On 29 August 2024, the Central Bank of Ireland (the CBI) issued a Dear CEO letter to the insurance industry, detailing its findings following a recent targeted Consumer Protection Risk Assessment (CPRA) of insurance firms’ consumer protection risk management frameworks. The letter also sets out certain actions which insurance firms are required to take in the coming months.

In this short publication, we look at the CBI’s findings and required actions. We also consider how taking those actions may dovetail well with broader preparations for the “securing customers’ interests” requirements of the proposed new regulations that will in due course replace the Consumer Protection Code (the Code).

Insurers will need to start planning and conducting the necessary gap analyses now, as well as considering the impact of the regulator’s consumer protection expectations as reflected in the consultation on reforms to the Code.

Background – the CPRA Model and the Assessment

While the CBI continues to review and analyse the feedback received following its March – June 2024 Consultation on its review of the Code, it has in tandem been compiling the findings of its CPRA which it had embarked on in Q2 2023.

The stated aim of the CPRA was to evaluate the overall appropriateness of insurers’ existing consumer protection risk management (CPRM) frameworks, paying particular attention to how insurers identify, monitor, manage and mitigate risks to consumers. The assessment focused on Module 1 of the CPRA Model: “Governance and Controls”, with a specific focus on:

1. CPRM (Element 5 of Module 1)
2. Control Functions/Consumer Monitoring (Element 3 of Module 1)
3. Consumer Reporting (Element 6 of Module 1)

The CBI first introduced the CPRA model in 2017 to establish a more robust and intrusive method to assess regulated firms’ conduct and consumer protection risk management. Specifically, CPRAs enable the CBI to assess how firms manage and identify risks to consumers in the context of their strategies, business models and their internal structures and processes.

Following its introduction, the CBI published its CPRA Guide which provides regulated firms with insight into how the CPRA model works in practice and details the CBI’s expectations as regards the development and implementation of CPRM frameworks across all regulated firms. While individual firms may have had engagement with the CBI on their CPRMs in the intervening six years, this is the first targeted/thematic review carried out by the CBI.

The wider context of risk management for regulated firms

Insurers are in the business of managing risk and are very familiar with risk management frameworks generally. There has been a particularly heavy focus over the last number of years on the risks to which Irish (and European) insurers are exposed, with operational resilience and outsourcing risk in particular attracting regulator time and attention. Risk management frameworks have therefore been developed and enhanced as new and changing risks are identified. However, regulators’ focus on culture and conduct and on firms’ understanding of the risks faced by their customers from the behaviour of firms themselves, has been equally prominent.

It is in this wider context that we recommend all financial services providers dealing with consumers in the Irish market should reflect on the findings in the letter.

Findings and expectations

In conducting the CPRA, the CBI identified differing levels of maturity across insurer CPRM frameworks but overall some positive improvements since 2017. It made the following noteworthy observations:

CPRM Frameworks and Policies (Element 5)

Risk identified for assessment: That there is no clear ownership for the identification, assessment, mitigation and monitoring of consumer protection risks.

• The CBI expects clear ownership of the identification, assessment, mitigation and monitoring of consumer risks, including adequate support from the control functions. As such, firms are expected to have both an approved CPRM framework and policy in place. It found that there are still some firms which have only either a framework or a policy in place, which presents risks.
• The CBI commended firms whose frameworks were used to great effect during the Covid-19 pandemic to ensure customer interests were secured, such as by having processes in place for customers experiencing financial difficulty.
• The CBI also commended firms that have been engaging with external support groups and charities, to better their understanding of the needs of vulnerable customers. This point resonates with the increased expectations of firms’ conduct in relation to “consumers in vulnerable circumstances” in the proposed new regulations that will replace the Code.
• The CBI noted that some CEOs and senior management are active in promoting and communicating with staff in relation to consumer protection risks via townhalls and newsletters, but that others are less active in this area. It explained that senior management must take responsibility for embedding consumer-focused cultures throughout their firms, underpinned by an effective CPRM and commended the practice of firms with established dedicated consumer protection committees or forums as well as having consumer focussed agendas at other committee meetings.
• Finally, the CBI linked the issue of some firms having less effective CPRM frameworks including (less effective) risk identification and decision-making processes, with falling short of the CBI’s expectations that firms secure customers’ interests. In addition, these firms were found to have disproportionately balanced shareholder and customer interests.

Control Functions/Consumer Monitoring (Element 3)

Risk identified for assessment: Risk that the control functions do not support the identification, monitoring and management of consumer protection risk and therefore are not effective in influencing the firm’s behaviour to ensure fair customer outcomes.

• The CBI outlined its expectations regarding well defined roles and responsibilities within control functions, with the consumer being a central consideration. There should be regular review and effective challenge of control functions’ plans to monitor consumer risks. It found varying practices in this regard and commended firms with formal engagement processes across the control functions, to ensure plans are considered across the second and third lines of defence, in order to avoid duplication of reviews and leverage off plans where possible.
• The CBI is aware of resourcing challenges some firms have faced and commended those that monitor their control function resourcing levels on a regular basis and take action as required, where gaps arise.

Consumer Reporting (Element 6)

Risk identified for assessment: Risk that the management information (MI) to monitor and track consumer outcomes is limited, insufficient or not focussed enough and/or not used to drive effective consumer protection risk management.

• The CBI expects firms to have resources, systems, processes and controls that allow for greater use of automated consumer MI with manual intervention used to support analysis and commentary. The MI should be effective in identifying both current and future consumer protection risks and be consumer outcome focussed, with a view to driving effective consumer protection risk management. It noted that all firms track complaints management, though to varying degrees. 
• The CBI raised a concern that adequate consideration of consumer outcomes, risks or patterns of complaints was not evident, which of itself raised questions about the effectiveness of such firms’ use of their own MI to drive effective CPRM.

Some examples of “Notable Practices” that support CPRM

In conducting its assessment, the CBI identified many “notable practices”. The following is a sample of practices that we believe many financial services firms likely already follow or are considering and would fit well with preparing for the revised Code:

• Establishment of designated consumer protection committees or forums.
• Engaging with charities on how to address the needs of certain cohorts of vulnerable customers.
• Including a “check box” as part of a control function’s review processes, to ensure that consumer interests have been considered in audits and reviews of the function’s consumer risk processes.  
• Producing an annual consumer specific report for senior management, enabling senior management to satisfy themselves that they are effectively driving consumer protection risk management and in turn delivering fair outcomes for consumers.
• Prioritising the consumer at committee/board meetings by placing them higher up on the agenda to ensure sufficient focus and time for discussion.

Follow-up actions required

• All insurance firms are now required to review, consider, and assess the findings detailed in the letter together with the expectations outlined in the CPRA Guide, in the context of their existing CPRM frameworks.
• The CBI has requested that insurers confirm by 30 September 2024, which PCF holder (by reference to the allocated responsibilities in the firms’ Management Responsibility Map) will be accountable for the delivery of the expectations set out in this letter. The reference to considering a firm’s MRM is in line with the CBI’s expectations regarding the clarity of roles and senior accountability for regulatory change projects of this nature under the Individual Accountability Framework and SEAR. 
• The CBI expects firms to complete a gap analysis to identify shortcomings in the design and/or effectiveness of their governance and control frameworks (Module 1 of the CPRA Guide), specifically with a view to adopting a plan to mature and improve their frameworks where possible.
• Insurance firms are required to present these plans and seek approval from their boards and/or executive senior management by no later than 30 November 2024, with any required changes to be implemented by 30 June 2025.
• Although the CBI’s current focus is directed at governance level, the CBI recommends that firms consider including in their future audit and compliance plans an assessment of their frameworks against the remaining Modules 2-5 in the CPRA Guide as a matter of good practice.

Next steps - how ALG can help

The publication of this letter is timely with the CBI due to publish the outcome of its assessment of submissions received on the proposed new regulations that will replace the Code in early 2025.  

Insurers will be considering the extent to which the regulatory expectations evident in the Code reforms should be factored into any steps arising from this current gap analysis.

In anticipation of the reforms to the Code, ALG has assembled a cross-disciplinary team to track these proposals and map them against our experience in dealing with consumer protection issues across retail financial services, particularly in the insurance and banking sectors. Our recent Guide to the Code Reforms summarises the key compliance and governance steps required of firms. 

We are already supporting a range of consumer financial services firms, including insurers, in assessing and presenting to management and Boards on the requirements of the Code Reforms and how to plan to implement these changes. 

Our cross-practice team including our Insurance & Reinsurance Group and Regulatory Investigations Group has deep experience in acting in supervisory and enforcement engagements relating to consumer protection issues, understanding the CBI’s consumer expectations and in delivering similar implementation projects such as the introduction of IAF/SEAR.

To discuss how ALG can support with conducting your gap analysis ahead of the 30 November deadline, or more broadly with design of your Code implementation plans, please contact Dario Dagostino, partner, Laura Mulleady, partner, or any member of the A&L Goodbody Insurance & Reinsurance Group or Regulatory Investigations Group.

Date published: 5 September 2024