EIOPA Insurance Risk Dashboard: Risk exposures for the European insurance sector – July 2019

Risk exposures for the European insurance sector remain overall stable.

Macro and market risks are now at a high level due to a further decline in swap rates and lower returns on investments in 2018 which put strain on those life insurers offering guaranteed rates. The low interest rate environment remains a key risk for the insurance sector.

Credit risks continue at medium level with broadly stable CDS spreads for government and corporate bonds.

Profitability and solvency risks increased due to lower return on investments for life insurers observed in year-end 2018 data; SCR ratios are above 100% for most undertakings in the sample even when excluding the impact of the transitional measures.

Market perceptions were marked by a performance of insurers’ stocks broadly in line with overall equity markets, while median CDS spreads have slightly increased. No change was observed in insurers’ external ratings and rating outlooks.

RD 719 1

Macro risks are now at a high level. Since the April 2019 assessment, swap rates have further declined for all the currencies considered (EUR, GBP, CHF, USD). The indicator on credit-to-GDP gaps has deteriorated due to a more negative gap in the Euro area. Key policy rates remained unchanged and the rate of expansion of major central banks’ (CB) balance sheets is now close to zero. Recent monetary policy decisions suggest that some degree of monetary accomodation is still to be expected for the forseeable future.

Credit risks remained stable at medium level. Since the previous assessment, spreads have remained broadly stable for all corporate bond segments except financials (unsecured). The average credit quality of insurers’ investments remained broadly stable, corresponding to an S&P rating between AA and A, while the share of below investment grade assets remains limited.

Market risks are now at a high level. Volatility of the largest asset class, bonds, remained broadly stable compared to the January’s assessment, whereas equity market volatility spiked in June 2019. Newly available annual information shows a decline in the spread of investment returns over the guaranteed rates to negative values in 2018, mainly due to lower investment returns. The mismatch between the duration of assets and liabilities remained broadly stable in the same period.

Liquidity and funding risks remained stable at medium level. Liquidity indicators have remained broadly unchanged since the previous quarter, while funding indicators such as the average ratio of coupons to maturity and the average multiplier for catastrophe bond issuance increased.

Profitability and solvency risks remain at medium level but show an increasing trend. This is mainly due to newly available data on the return on investments for life solo undertakings, which was considerably lower in 2018 than in the preceding year. SCR ratios are above 100% for the majority of insurers in the sample even when excluding the impact of the transitional measures on technical provisions and interest rates. The proportion of Tier 1 capital in total own funds remains high across the whole distribution and the share of expected profit in future premiums in eligible own funds is below 15% for most undertakings in the sample.

Interlinkages and imbalances risks remained at medium level in Q1-2019. A minor increase is observed for exposures to banks, while the opposite is true for exposures to other financial institutions. An increase has been reported in the share of premiums ceded to reinsurers.

Insurance risks remained constant at a medium level. Median premium growth of life and non-life business remains positive and a reduction has been reported in insurance groups’ loss ratios and cat loss ratios.

Market perceptions remained constant at medium level. Insurance groups stocks’ performance was broadly in line with the overall market. Median insurers’ CDS spreads have increased, while external ratings have remained unchanged.

RD 719 2

Click here to access EIOPA’s Risk Dashboard July 2019

EIOPA : Sound Regulation in an Evolving Landscape

Regulation is only effective for as long as it remains relevant. While EIOPA is evolving into a supervisory-focused organisation, it pays close attention to how regulation is applied and how effective it remains, with a view to reinforcing cross-sectoral consistency and improving fairness and transparency and with a focus on better and smart regulation.

INSURANCE

  • SOLVENCY II REVIEW

Since the successful implementation of Solvency II Directive in 2016, EIOPA played an important role in monitoring its consistent implementation and during 2018 was able to provide valuable input into preparations for its review.

EIOPA provided advice to the European Commission on the review of the Solvency Capital Requirement based on an in-depth analysis of 29 different elements of the Standard Formula. The advice focused on increasing proportionality, removing unjustified constraints to financing the economy and removing technical inconsistencies.

EIOPA proposed further simplifications and reduced the burden to insurers by:

  • Further simplifying calculations for a number of sub-modules of the Solvency Capital Requirement (SCR) such as natural, man-made and health catastrophes, in particular fire risk and mass accident;
  • Simplifying the use of external credit ratings in the calculation of the SCR (an issue especially relevant for small insurers);
  • Reducing the burden of the treatment of lookthrough to underlying investments;
  • Developing simplifications in the assessment of lapse and counterparty default risks;
  • Recommending the use of undertaking specific parameters for reinsurance stop-loss treaties.

Furthermore, one of the major technical inconsistencies found related to the calculation of interest rate risk, which did not capture very low or even negative interest rates. EIOPA recommended to adjust the methodology using a method already adopted by internal model users and, given the material impact on capital requirements, suggested to implement it gradually over three years.

EIOPA also carried out an analysis of the loss-absorbing capacity of deferred taxes practices. In face of the evidence of wide diversity, especially concerning the projection of future profits, EIOPA proposed a set of key principles that will ensure greater convergence and level playing field, while maintaining a certain degree of flexibility.

Finally, EIOPA analysed the treatment and the evidence available on unrated debt and unlisted equity and proposed criteria for a more granular treatment, namely with the use of financial ratios.

In some areas, the analysis of recent developments did not provide for sufficient reasons to change. This is, for example, the case of mortality and longevity risks and the cost of capital in the calculation of the risk margin. The evolution of financial markets does not justify a change in the cost of capital: the decrease in interest rates has not lead to a decrease in the cost of raising equity.

EIOPA1

  • REPORTING ON THE IMPLEMENTATION OF SOLVENCY II

In 2018, EIOPA published a number of reports related to different aspects of Solvency II.

  • Report on group supervision and capital management

In response to a European Commission’s request for information, EIOPA submitted its Report on Group Supervision and Capital Management of (Re)Insurance Undertakings and specific topics related to Freedom to Provide Services (FoS) and Freedom of Establishment (FoE) under the Solvency II Directive. The report concluded that overall the Solvency II Group supervision regime was operating satisfactorily. The tools developed by EIOPA to further strengthen group supervision and supervision of cross-border issues contributed to further convergence of practices of NCAs’ supervisory practices.

The report also highlighted a number of gaps in the regulatory framework, including issues related to the application of Solvency II requirements for determining scope of insurance groups subject to Solvency II group supervision, the application of certain of these provisions governing the calculation of group solvency in particular where several methods are used, the definition and supervision of intra-group transactions, or the application of governance requirements at group level.

Further, EIOPA’s report emphasised that effective supervision of insurance groups will benefit from a harmonised approach on a number of areas, for example, early intervention, recovery and resolution and the assessment of group own funds.

  • Second annual report on the use of capital addons under Solvency II

In December 2018, EIOPA published its second annual report on the use of capital add-ons by NCAs according to Article 52 of Solvency II. The objective was to contribute to a higher degree of supervisory convergence in the use of capital add-ons between supervisory authorities and to highlight any concerns regarding the capital add-ons framework. In general, the capital add-on appears to be a good and positive measure to adjust the Solvency Capital Requirement to the risks of the undertaking, when the application of other measures, for example the development of an internal model, is not adequate.

  • Third annual report on the use of limitations and exemptions from reporting under Solvency II

This report, published in December 2018, addresses the proportionality principle on the reporting requirements, from which the limitations and exemptions on reporting – as foreseen in Article 35 of the Solvency II Directive – are just one of the existing proportionality tools. Reporting requirements also reflect a natural embedded proportionality and in addition, risk-based thresholds were included in the reporting Implementing Technical Standard (ITS).

  • Third annual report on the use and impact of long-term guarantee measures and measures on equity risk

This is a regular report published in accordance with Article 77f(1) of the Solvency II Directive. This year’s report also included an analysis on risk management aspects in view of the specific requirements for LTG measures set out in Article 44 and 45 of the Directive as well as an analysis of detailed features and types of guarantees of products with long-term guarantees.

This report shows that – as in previous years – most of the measures, in particular the volatility adjustment and the transitional measures on technical provisions are widely used. The average Solvency Capital Requirement (SCR) ratio of undertakings using the voluntary measures is 231 % and would drop to 172 % if the measures were not applied. This confirms the importance of the measures for the financial position of (re)insurance undertakings.

  • INVESTIGATING ILLIQUID LIABILITIES

The treatment of long-term insurance business remains a hotly debated issue. In particular, it has been discussed whether the risks of long-term insurance business and the associated investments backing those long-term insurance business are adequately reflected. The illiquidity characteristics of liabilities may contribute to the ability of insurers to mitigate short-term volatility by holding assets throughout the duration of the commitments, even in times of market stress.

To explore any new evidence on the features of liabilities, especially concerning their illiquidity characteristics, a dedicated EIOPA Project Group on illiquid liabilities was set up with the following main goals:

  1. To identify criteria of liquidity characteristics for the liabilities and measures for insurers’ ability to invest over the long term;
  2. To explore the link between the characteristics of liabilities and the management of insurers’ assets;
  3. To analyse whether the current treatment in the regulatory regime appropriately addresses the risks associated with the long-term nature of the insurance business.

Following a request for information from the European Commission on asset and liability management, EIOPA launched a request for feedback on illiquid liabilities in autumn and held a roundtable with interested stakeholders in December to discuss the submitted responses on illiquidity measurements and asset liability management practices.

  • ANALYSIS OF THE INTERNATIONAL FINANCIAL REPORTING STANDARDS (IFRS) 17 INSURANCE CONTRACTS

Following the publication of International Financial Reporting Standards (IFRS) 17 Insurance Contracts by the International Accounting Standards Board (IASB), EIOPA assessed its potential effects on financial stability and the European public good, on product design, supply and demand of insurance contracts, and the practical implementation in light of the applicable inputs and processes for Solvency II.

EIOPA concluded that the introduction of IFRS 17 can be described as positive paradigm shift compared to its predecessor IFRS 4 Insurance Contracts, bringing increased transparency, comparability and additional insights on insures’ business models. EIOPA, however, noted a few reservations regarding concepts that may affect comparability and relevance of IFRS 17 financial statements.

PENSIONS

EIOPA promotes greater transparency in the European pensions sector. In support of this aim, EIOPA is working to enhance the information available to consumers and supporting pension providers by making clear the expectations, justifications and decisions linked with the information they provide, in particular to prospective members, members and beneficiaries as laid out in Articles 38 – 44 of the EU Directive on the activities and supervision of institutions for occupational retirement provision (IORP II).

  • REPORT ON THE PENSION BENEFIT STATEMENT: GUIDANCE AND PRINCIPLESBASED PRACTICES IMPLEMENTING IORP II

The report presents the outcomes of NCA exchanges of views and assessments of current practices for the implementation of the IORP II Pensions Benefit Statement (PBS) requirement. Based on this investigation, several principles have been identified that will facilitate clear understanding and comparability of statements.

Two proposals are now in further development: a basic PBS and an advanced PBS (containing more detailed information) to meet the PBS goals. These proposals will, as far as possible, take account of the behavioral approach principle be subject to further consumer testing.

  • DECISION ON THE CROSS-BORDER COLLABORATION OF NCAS WITH RESPECT TO IORP II DIRECTIVE

This Decision, published in November 2018, replaces the former Budapest Protocol which had to be revised as a result of the new IORP II Directive. The Decision introduces new rules to improve the way occupational pension funds are governed, to enhance information transparency to pension savers and to clarify the procedures for carrying out cross-border transfers and activities.

The Decision also describes different situations and possibilities for NCAs to exchange information about cross-border activities in relation to the ‘fit and proper’ assessment and the outsourcing of key functions, both new provisions of the IORP II Directive in addition to the cross-border transfer.

PRESERVING FINANCIAL STABILITY

As part of EIOPA’s mandate to safeguard financial stability, EIOPA works to identify trends, potential risks and vulnerabilities that could have a negative effect on the pension and insurance sectors across Europe.

  • 2018 INSURANCE STRESS TEST

EIOPA published the results of its stress test of the European insurance sector in December 2018. This exercise assessed the participating insurers’ resilience to the three severe but plausible scenarios: a yield curve up shock combined with lapse and provisions deficiency shocks; a yield curve down shock combined with longevity stress; and a series of natural catastrophes.

EIOPA2

In total, 42 European (re)insurance groups participated representing a market coverage of around 75 % based on total consolidate assets. EIOPA published for the first time the post-stress estimation of the capital position (Solvency Capital Requirement ratio) of major EU (re)insurance groups.

Overall, the stress test confirmed the significant sensitivity to market shocks combined with specific shocks relevant for the European insurance sector. On aggregate, the sector is adequately capitalised to absorb the prescribed shocks. Participating groups demonstrated a high resilience to the series of natural catastrophes tested, showing the importance of the risk transfer mechanisms, namely reinsurance, in place.

An additional objective of this exercise, stemming from recommendations from the European Court of Auditors, was to increase transparency in order to reinforce market discipline by requesting the voluntary disclosure of a list of individual stress test indicators by the participating groups. Since EIOPA does not have the power to impose the disclosure of individual results, participating groups were asked for their voluntary consent to the publication of a list of individual stress test indicators. Only four of the 42 participating groups provided such consent.

  • RISK DASHBOARD

EIOPA publishes a risk dashboard on a quarterly basis and a financial stability report twice a year. In the December 2018 report, EIOPA concluded:

  1. the persistent low yield environment remains challenging for insurers and pension funds;
  2. the risk of a sudden reassessment of risk premia has become more pronounced over recent months amid rising political and policy uncertainty;
  3. interconnectedness with banks and domestic sovereigns remains high for European insurers, making them susceptible to potential spillovers;
  4. some European insurers are significantly exposed in their investment portfolios to climate-related risks and real estate.
  • FINANCIAL STABILITY REPORT

EIOPA published two reports on the financial stability of the insurance and occupational pensions sector in 2018.

In general the persistent low yield environment remains challenging for both the insurance and pension fund sector, which continues to put pressure on profitability and solvency. However, towards the end of the year, as noted in the December report, the risk of a sudden reassessment of risk premia became more pronounced. This is largely due to rising political uncertainty and trade tensions, concerns over debt sustainability and the gradual normalisation of monetary policy. In the short run a sudden increase in yields driven by rising risk premia could significantly affect the financial and solvency position of insurers and pension funds as the investment portfolios could suffer large losses only partly offset by lower liabilities. In this regard, the high degree of interconnectedness with banks and domestic sovereigns of insurers could lead to potential spillovers in case a sudden reassessment of risk premia materialise.

While overall the insurance sector remains adequately capitalised, profitability is under increased pressure in the current low yield environment. The Solvency Capital Requirement ratio for the median company is 225 % for life and 206 % for non-life insurance sector, although significant disparities remain across undertakings and countries.

In the European occupational pension fund sector, total assets increased for the euro area and cover ratios slightly improved. However, the current macroeconomic environment and ongoing low interest rates continue to pose significant challenges to the sector, with the weighted return on assets considerably down in 2017.

  • ENHANCED INFORMATION AND STATISTICS

EIOPA continuously works to improve the availability and quality of available information and statistics on insurance and pensions.

  • Solvency II information

For the insurance sector, EIOPA publishes high-quality insurance statistics at both solo and group level. The statistics are based on Solvency II information from regulatory reporting and their regular publication demonstrates EIOPA’s commitment to transparency. Over the past year, through the increased availability of Solvency II data EIOPA has been able to increase the coverage of its statistics. In June 2018, for the first time, the Authority published further insight into the assets of solo (re)insurance undertakings at country level.

  • Decision on EIOPA’s regular information requests towards NCAs regarding provision of occupational pensions information

In April 2018, the Authority published its decision regarding the submission of occupational pension information. The decision defined a single framework for the reporting of occupational pension information that facilitates reporting processes. As a result, EIOPA will receive the information required to carry out appropriate monitoring and assessment of market developments, as well as in-depth economic analyses of the occupational pension market. The requirements were developed in close cooperation with the European Central Bank in order to minimise the burden on the industry and will apply as of 2019.

  • Pensions information taxonomy

In November 2018, EIOPA published the eXtensible Business Reporting Language (XBRL) Taxonomy applicable for reporting of information on IORPs. It provides NCAs with the technical means for the submission to EIOPA of harmonised information of all pension funds in the European Economic Area. Developed in close collaboration with the European Central Bank (ECB), it allows for integrated technical templates and means to report via a single submission both the information required by EIOPA and the ECB.

CRISIS PREVENTION

In addition to regular financial stability tools, EIOPA undertooka number of additional activities in 2018 related to crisis prevention.

  • Development of a macroprudential framework for insurance

With the aim of contributing to the overall debate on systemic risk and macroprudential policy, over the last year, EIOPA has published a series of reports that extend the debate to the insurance sector and, more specifically, the characteristics of that sector. These reports cover the following:

  1. Systemic risk and macroprudential policy in insurance;
  2. Solvency II tools with macroprudential impact; and
  3. Other potential macroprudential tools and measures to enhance the current framework.

As a next step, EIOPA will consult on concrete proposals to include macroprudential elements in the upcoming review of Solvency II.

  • Analysis of the causes and early identification of failures and near misses in insurance

In July 2018, EIOPA published ‘Failures and near misses in insurance: Overview of the causes and early identification’ as the first in a series aimed at enhancing supervisory knowledge of the prevention and management of insurance failures. The report’s findings are based on information contained in EIOPA’s database of failures and near misses, covering the period from 1999 to 2016, including sample data of 180 affected insurance undertakings in 31 European countries.

The report focuses on an examination of the causes of failure in insurance, as well as the assessment of the reported early identification signals. It also examines the underlying concepts ‘failure’ and ‘near miss’ as well as providing further information on EIOPA’s database, established in 2014.

Click here to access EIOPA’s 2018 Annual Report

EIOPA’s Supervisory Statement Solvency II: Application of the proportionality principle in the supervision of the Solvency Capital Requirement

EIOPA identified potential divergences in the supervisory practices concerning the supervision of the SCR calculation of immaterial sub-modules.

EIOPA agrees that in case of immaterial SCR sub-modules the principle of proportionality applies regarding the supervisory review process, but considers it is important to guarantee supervisory convergence as divergent approaches could lead to supervisory arbitrage.

EIOPA is of the view that the consistent implementation of the proportionality principle is a key element to ensure supervisory convergence for the supervision of the SCR. For this purpose the following key areas should be considered:

Proportionate approach

Supervisory authorities may allow undertakings, when calculating the SCR at the individual undertaking level, to adopt a proportionate approach towards immaterial SCR sub-modules, provided that the undertaking concerned is able to demonstrate to the satisfaction of the supervisory authorities that:

  1. the amount of the SCR sub-module is immaterial when compared with the total basic SCR (BSCR);
  2. applying a proportionate approach is justifiable taking into account the nature and complexity of the risk;
  3. the pattern of the SCR sub-module is stable over the last three years;
  4. such amount/pattern is consistent with the business model and the business strategy for the following years; and
  5. undertakings have in place a risk management system and processes to monitor any evolution of the risk, either triggered by internal sources or by an external source that could affect the materiality of a certain submodule.

This approach should not be used when calculating SCR at group level.

An SCR sub-module should be considered immaterial for the purposes of the SCR calculation when its amount is not relevant for the decision-making process or the judgement of the undertaking itself or the supervisory authorities. Following this principle, even if materiality needs to be assessed on a case-by-case basis, EIOPA recommends that materiality is assessed considering the weight of the sub-modules in the total BSCR and

  • that each sub-module subject to this approach should not represent more than 5% of the BSCR
  • or all sub-modules should not represent more than 10% of the BSCR.

For immaterial SCR sub-modules supervisory authorities may allow undertakings not to perform a full recalculation of such a sub-module on a yearly basis taking into consideration the complexity and burden that such a calculation would represent when compared to the result of the calculation.

Prudent calculation

For the sub-modules identified as immaterial, a calculation of the SCR submodule using inputs prudently estimated and leading to prudent outcomes should be performed at the time of the decision to adopt a proportionate approach. Such calculation should be subject to the consent of the supervisory authority.

The result of such a calculation may then be used in principle for the next three years, after which a full calculation using inputs prudently estimated is required so that the immateriality of the sub-module and the risk-based and proportionate approach is re-assessed.

During the three-year period the key function holder of the actuarial function should express an opinion to the administrative, management or supervisory body of the undertaking on the outcome of immaterial sub-module used for calculating SCR.

Risk management system and ORSA

Such a system should be proportionate to the risks at stake while ensuring a proper monitoring of any evolution of the risk, either triggered by internal sources such as a change in the business model or business strategy or by an external source such as an exceptional event that could affect the materiality of a certain sub-module.

Such a monitoring should include the setting of qualitative and quantitative early warning indicators (EWI), to be defined by the undertaking and embedded in the ORSA processes.

Supervisory reporting and public disclosure

Undertakings should include information on the risk management system in the ORSA Report. Undertakings should include structured information on the sub-modules for which a proportionate approach is applied in the Regular Supervisory Reporting and in the Solvency and Financial Condition Report (SFCR), under the section “E.2 Capital Management – Solvency Capital Requirement and Minimum Capital Requirement”.

Supervisory review process

The approach should be implemented in the context of on-going supervisory dialogue, meaning that the supervisory authority should be satisfied and agree with the approach taken and be kept informed in case of any material change. Supervisory authorities should inform the undertakings in case there is any concern with the approach. In case the supervisory authority has any concern the approach should not be implemented or might be implemented with additional safeguards as agreed between the supervisory authority and the undertaking.

In some situations supervisory authorities may require a full calculation following the requirements of the Delegated Regulation and using inputs prudently estimated.

Example : Supervisory reporting and public disclosure

Undertakings should include information on the risk management system referred to in the previous paragraphs in the ORSA Report.

Undertakings should include structured information on the sub-modules for which a proportionate approach is applied in the Regular Supervisory Reporting, under the section “E.2 Capital Management – Solvency Capital Requirement and Minimum Capital Requirement” (RSR), including at least the following information:

  1. identification of the sub-module(s) for which a proportionate approach was applied;
  2. amount of the SCR for such a sub-module in the last three years before the application of proportionate approach, including the current year;
  3. the date of the last calculation performed following the requirements of the Delegated Regulation using inputs prudently estimated; and
  4. early warning indicators identified and triggers for a calculation following the requirements of the Delegated Regulation and using inputs prudently estimated.

Undertakings should also include structured information on the sub-modules for which a proportionate approach is applied in the Solvency and Financial Condition Report, under the section “E.2 Capital Management – Solvency Capital Requirement and Minimum Capital Requirement” (SFCR), including at least the identification of the submodule(s) for which a proportionate calculation was applied.

An example of structured information to be included in the regular supervisory report in line with Article 311(6) of the Delegated Regulation is as follows:

Proportionality EIOPA

This proportionate approach should also be reflected in the quantitative reporting templates to be submitted. In this case the templates would reflect the amounts used for the last full calculation performed.

Click here to access EIOPA’s Supervisory Statement

Outsourcing to the Cloud: EIOPA’s Contribution to the European Commission FinTech Action Plan

In the European financial regulatory landscape, the purchase of cloud computing services falls within the broader scope of outsourcing.

The credit institutions, investment firms, payment institutions and the e-money institutions have multiple level 1 and level 2 regulations that discipline their use of outsourcing (e.g. MIFID II, PSD2, BRRD). There are also level 3 measures: CEBS Guidelines on Outsourcing, representing the current guiding framework for outsourcing activities within the European banking sector.

Additional “Recommendations on cloud outsourcing” were issued on December 20, 2017 by the European Banking Authority (EBA) and entered into force on July 1, 2018. They will be repealed by the new guidelines on Outsourcing Arrangements (level 3) which have absorbed the text of the Recommendations.

For the (re)insurance sector, the current Regulatory framework of Solvency II (level 1 and level 2) discipline outsourcing under Articles 38 and 49 of the Directive and Article 274 of the Delegated Regulations. The EIOPA guidelines 60-64 on System of Governance provide level 3 principle based guidance.

On the basis of a survey conducted by the National Supervisory Authorities (NSAs), cloud computing is not extensively used by (re)insurance undertakings: it is most extensively used by newcomers, within a few market niches and by larger undertakings mostly for non-critical functions.

Moreover, as part of their wider digital transformation strategies many European large (re)insurers are expanding their use of the cloud.

As to applicable regulation, cloud computing is considered as outsourcing and the current level of national guidance on cloud outsourcing for the (re)insurance sector is not homogenous. Nonetheless, most NSAs (banking and (re)insurance supervisors at the same time) declare that they are considering the EBA Recommendations as a reference for the management of cloud outsourcing.

Under the steering of its InsurTech TaskForce, EIOPA will develop its own Guidelines on Cloud Outsourcing. The intention is that the Guidelines on Cloud Outsourcing (the “guidelines”) will be drafted during the first half of 2019, issued then for consultation and finalised by the end of the year.

During the process of drafting the Guidelines, EIOPA will organize a public roundtable on the use of cloud computing by (re)insurance undertakings. During the roundtable, representative from the (re)insurance industry, cloud service providers and the supervisory community will discuss views and approaches to cloud outsourcing in a Solvency II and post-EBA Recommendations environment.

Furthermore, in order to guarantee a cross-industry harmonization within the European
financial sector, EIOPA has agreed with the other two ESAs:

  • to continue keeping the fruitful alignment kept so far; and
  • to start – in the second part of 2019 – a joint market monitoring activity aimed at developing policy views on how cloud outsourcing in the finance sector should be treated in the future.

This should take into account the increasing use of the cloud and the potential for large cloud service providers to be a single point of failure.

Overview of Cloud Computing

Cloud computing allows users to access on-demand, shared configurable computing resources (such as networks, servers, storage, applications and services) hosted by third parties on the internet, instead of building their own IT infrastructure.

According to the US National Institute of Standards and Technology (NIST), cloud computing is: “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”.

The ISO standard of 2014 defines cloud computing as a: “paradigm for enabling network access to a scalable and elastic pool of shareable physical or virtual resources with self-service provisioning and administration on-demand”. It is composed of

  • cloud computing roles and activities,
  • cloud capabilities types and cloud service categories,
  • cloud deployment models and
  • cloud computing cross cutting aspects”.

The European Banking Authority (EBA) Recommendations of 2017 – very close to NIST definition – defines the cloud services as: “Services provided using cloud computing, that is, a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Shared responsibility framework

The cloud provider and cloud customer share the control of resources in a cloud system. The cloud’s different service models affect their control over the computational resources and, thus, what can be done in a cloud system. Compared to traditional IT systems, where one organization has control over the whole stack of computing resources and the entire life-cycle of the systems, cloud providers and cloud customers collaboratively

  • design,
  • build,
  • deploy, and
  • operate

cloud based systems.

The split of control means that both parties share the responsibilities in providing adequate protections to the cloud-based systems. The picture below shows, as “conceptual model”, the different level of sharing responsibilities between the cloud provider and the cloud customer.

These responsibilities contribute to achieve a compliant and secure computing environment. It has to be noted that, regardless the service provided by the cloud provider:

  • Ensuring that the data and its classification are done correctly and that the solution is compliant with regulatory obligations is the responsibility of the customer (e.g. in case of data theft the cloud customer is responsible towards the damaged parties or the customer is responsible to ensure – e.g. with specific contractual obligations – that the provider observe certain compliance requirements such as give the competent authorities access and audit rights);
  • Physical security is the one responsibility that is wholly owned by cloud service providers when using cloud computing.

The remaining responsibilities and controls are shared between customers and cloud providers according to the outsourcing model. However, the responsibility (in a supervisory sense) remains with the customers. Some responsibilities require the cloud provider and customer to manage and administer the responsibility together including auditing of their domains. For example, identity & access management when using a cloud provider’s active directory services could require that the configuration of services such as multi-factor authentication is up to the customer, but ensuring effective functionality is the responsibility of the cloud provider.

EIOPA Outs

Summary of Key Takeaways and EIOPA’s Answer to the European Commission

The key takeaways of the analysis carried out and described within this document are the following:

  1. cloud computing is mostly used extensively by newcomers, by a niche of the market and by larger undertakings mostly for non-critical function. However, as part of their wider digital transformation strategies many European large (re)insurers are expanding their use of the cloud;
  2. the current Regulatory framework of Solvency II (level 1 and level 2) appears to be sound to discipline the outsourcing to the cloud by the current outsourcing provisions (Articles 38 and 49 of the Directive and Article 274 of the Delegated Regulations);
  3. cloud computing is a fast developing service so in order for its regulation to be efficient it should be principle-based rather than attempting at regulating all (re)insurance-related aspects of it;
  4. cloud computing services used by (re)insurance undertakings are aligned to the one used by banking sector. The risks arising from the usage of cloud computing by (re)insurance undertakings appear to be, generally, aligned to the risks bear by the banking players with few minor (re) insurance specificities;
  5. both banking and (re)insurance regulations discipline cloud computing by their current outsourcing provisions. Under these, banking and (re)insurance institutions are required to classify whether the cloud services they receive are „critical or important“. The most common approach is to classify cloud computing on a case-by-case approach – similarly to the other services – on the basis of the service / process / activity / data outsourced;
  6. the impact of cloud computing on the (re)insurance market is assessed differently among jurisdictions: due to the complexity and the high level of technicality of the subject, some jurisdictions have planned to issue (or already issued) national guidance directly applicable to the (re)insurance market on cloud outsourcing;
  7. from the gap analysis carried out, the EBA Recommendations are more specific on the subject (e.g. the specific requirements to build a register of all the cloud service providers) and, being built on shared common principles, can be applied to the wide Solvency II regulations on outsourcing, reflecting their status at level 3;
  8. to provide legal transparency to the market participants (i.e. regulated undertakings and service providers) and to avoid potential regulatory arbitrage, EIOPA should issue guidance on cloud outsourcing aligned with the EBA Recommendations and, where applicable, the EBA Guidelines on outsourcing arrangements with minor amendments.

Click here to access EIOPA’s detailed Contribution Paper

EIOPA: Peer review assessing how National Competent Authorities (NCAs) supervise and determine whether an insurer’s set­ting of key functions fulfils the legal requirements of Solvency II

The main task of the European Insurance and Occupational Pensions Authority (EIOPA) is to

  • enhance supervisory convergence,
  • strengthen consumer protection
  • and preserve financial stability.

In the context of enhancing supervisory convergence and in accordance with its mandate, EIOPA regularly conducts peer reviews, working closely with national competent authorities (NCAs), with the aim of strengthening both the convergence of supervisory practices across Europe and the capacity of NCAs to conduct high-quality and effective supervision.

In line with its mandate, the outcome of peer reviews, including identified best practices, are to be made public with the agreement of the NCAs that have been subject to the review.

BACKGROUND AND OBJECTIVES

Enhancing the governance system of insurers is one of the major goals of Solvency II (SII). The four key functions (risk management, actuarial, compliance and internal audit) as required under the SII regulation are an essential part of the system of governance. These key functions are expected to be operationally independent to ensure an effective and robust internal control environment within an insurer and support high quality of decision making by the management. At the same time it is also important that these governance requirements are not overly burdensome for small and medium-sized insurers. Therefore SII allows NCAs to apply the principle of proportionality in relation to compliance with key function holder requirements for those insurers.

Under SII, insurers may combine key functions in one holder. However, such combinations have to be justified by the principle of proportionality and insurers need to properly address the underlying conflicts of interest. Holding a key function should generally not be combined with administrative, management or supervisory body (AMSB) membership or with operational tasks because of their controlling objective. Thus, these combinations should rather occur in exceptional cases, taking into account a risk-based approach and the manner in which the insurer avoids and manages any potential conflict of interest.

This peer review assesses how NCAs supervise and determine whether an insurer’s setting of key functions fulfils the legal requirements of SII with a particular emphasis on proportionality. The peer review examines practices regarding:

  • combining key functions under one holder;
  • combining key functions with AMSB membership or with carrying out operational tasks;
  • subordination of one key function under another key function;
  • split of one key function among several holders;
  • assessment of the fitness of key function holders; and
  • outsourcing of key functions.

The period examined under the scope of this peer review was 2016 but also covered supervisory practices executed before 2016 in the preparatory stage of SII. The peer review was conducted among NCAs from the European Economic Area (EEA) on the basis of EIOPA’s Methodology for conducting Peer Reviews (Methodology).

Detailed information was gathered in the course of the review. All NCAs completed an initial questionnaire. This was followed by fieldwork comprising visits to 8 NCAs and 30 conference calls.

MAIN FINDINGS

The review showed that NCAs in general apply the principle of proportionality and that they have adopted similar approaches.

SUMMARY RESULTS OF THE COMPARATIVE ANALYSIS

  • Supervisory framework: Approximately half of NCAs use written supervisory guidance for the application of the principle of proportionality. Larger NCAs in particular use written supervisory guidance in order to ensure consistency of their supervisory practice among their supervisory staff.
  • Approach of NCAs: Most NCAs have a similar approach. NCAs assess the insurers’ choice of key function holders at the time of initial notification regarding the key function holder’s appointment. If any concerns are noted at this stage, for example regarding combinations or fitness, NCAs generally challenge and discuss these issues with the insurer, rather than issuing formal administrative decisions.
  • Combining key functions in one holder: This occurs in almost all countries. The most frequent combinations are between risk management and actuarial functions and between risk management and compliance functions. Combinations are most commonly used by smaller insurers but are also seen in large insurers. EIOPA has identified the need to draw the attention of NCAs to the need to challenge combinations more strongly, especially when they occur in bigger, more complex insurers, and to ensure that adequate mitigation measures are in place to warrant a robust system of governance.
  • Holding the internal audit function and other key functions: The combination of the internal audit function with other key functions occurs in 15 countries, although the frequency of such combinations is relatively low. Moreover, there were cases of the internal audit function holder also carrying out operational tasks which could lead to conflicts of interest and compromise the operational independence of the internal audit function. It is important to emphasise that the legal exemption of Article 271 of the Commission Delegated Regulation EU (2015/35) does not apply to the combination with operational tasks.
  • Combining a key function holder with AMSB membership: Most NCAs follow a similar and comprehensive approach regarding the combination of key function holder and AMSB member. In this regard, NCAs accept such cases only if deemed justified under the principle of proportionality. This peer review shows that two NCAs request or support combinations of AMSB member and the risk management function holder regardless of the principle of proportionality in order to strengthen the knowledge and expertise regarding risk management within the AMSB.
  • Combining key function holders (excluding internal audit function holder) with operational tasks: In nearly all countries combinations of risk management, actuarial and compliance key function holders with operational tasks occur, but such combinations generally occur rarely or occasionally. However, several NCAs do not have a full market overview of such combinations with operative tasks. Adequate mitigating measures are essential to reduce potential conflicts of interest when key function holders also carry out operational tasks. The most common combinations are the compliance function holder with legal director and the risk management function holder with finance director.
  • Splitting a key function between two holders: About half of the NCAs reported cases where more than one individual is responsible for a particular key function (‘split of key function holder’). The most common split concerns the actuarial function (split between life and non-life business). NCAs should monitor such splits in order to maintain appropriate responsibility and accountability among key function holders.
  • Subordination of a key function holder to another key function holder or head of operational department: This is observed in half of the countries reviewed. An organisational subordination can be accepted, but there needs to be a direct ‘unfiltered’ reporting line from the subordinated key function holder to the AMSB. In cases of subordination, conflicts of interest have to be mitigated and operational independence needs to be ensured including the mitigating measures concerning the remuneration of the subordinated key function holders.
  • Fitness of key function holders: Most NCAs assess the fitness of the key function holder at the time of initial notification and apply the principle of proportionality. Several NCAs did not systematically assess the key function holders appointed before 2016. These NCAs are advised to do so using a risk-based approach.
  • Outsourcing of key function holders: Most NCAs have observed outsourcing of key function holders. According to the proportionality principle, an AMSB member may also be a designated person responsible for overseeing and monitoring the outsourced key function. Eight NCAs make a distinction between intra-group and extra-group outsourcing and six NCAs do not require a designated person in all cases, which may give rise to operational risks.

BEST PRACTICES

Through this peer review, EIOPA identified four best practices.

  • When NCAs adopt a structured proportionate approach based on the nature, scale and complexity of the business of the insurer regarding their supervisory assessment of key function holders and combination of key function holders at the time of initial notification and on an ongoing basis. The best practice also includes supervisory documentation and consistent and uniform data submission requirements (for example an electronic data submission system for key function holder notification). This best practice has been identified in Ireland and the United Kingdom.
  • When an NCA has a supervisory panel set up internally which discusses and advises supervisors about complex issues regarding the application of the proportionality principle in governance requirements regarding key functions. This best practice has been identified in the Netherlands.
  • When assessing the combination of key function holder with AMSB member, EIOPA considers the following as best practice for NCAs:
    • To publicly disclose the NCA’s expectations that controlling key functions should generally not be combined with operational functions for example with the membership of the AMSB. Where those cases occur, NCAs should clearly communicate their expectation that the undertaking ensures that it is aware of possible conflicts of interest arising from such a combination and manages them effectively.
    • To require from insurers that main responsibilities as a member of the AMSB do not lead to a conflict of interest with the tasks as a key function holder.
    • To assess whether the other AMSB members challenge the key function holder also being an AMSB member.

This best practice has been identified in Lithuania.

  • When NCAs apply a risk-based approach for the ongoing supervision that gives the possibility to ensure the fulfilment of fitness requirements of KFHs at all times by holding meetings with key function holders on a regular scheduled basis as part of an NCA’swork plan (annual review plan). The topics for discussion for those meetings can vary, depending for example on actual events and current topics. This best practice has been identified in Ireland and the United Kingdom.

These best practices provide guidance for a more systematic approach regarding the application of the principle of proportionality as well as for ensuring consistent and effective supervisory practice within NCAs.

EIOPA NCA KFH

Click here to access EIOPA’s full report on its Peer Review

 

The Prudential Regulation Authority’s approach to insurance supervision

UK’s Insurance Supervisory Body PRA just published a very interesting paper describing it’s purpose and it’s working principles. Even if Bexit will exclude PRA from EIOPA associated supervisory bodies, this paper should be considered as being landmark as most of the EIOPA associated bodies didn’t go this way of transparency and methodology yet, despite EIOPA having set a framework at least for some of these issues, crucial for insurers to manage thair risk and capital requirements.

« We, the Prudential Regulation Authority (PRA), as part of the Bank of England (‘the Bank’), are the UK’s prudential regulator for deposit-takers, insurance companies, and designated investment firms.

This document sets out how we carry out our role in respect of insurers. It is designed to help regulated firms and the market understand how we supervise these institutions, and to aid accountability to the public and Parliament. The document acts as a standing reference that will be revised and reissued in response to significant legislative and other developments which result in changes to our approach.

This document serves three purposes.

  1. First, it aids accountability by describing what we seek to achieve and how we intend to achieve it.
  2. Second, it communicates to regulated insurers what we expect of them, and what they can expect from us in the course of supervision.
  3. Third, it is intended to meet the statutory requirement for us to issue guidance on how we intend to advance our objectives.

It sits alongside our requirements and expectations as published in the PRA Rulebook and our policy publications.

EU withdrawal

Our approach to advancing these objectives will remain the same as the UK withdraws from the EU. Our main focus is on trying to ensure that the transition to our new relationship with the EU is as smooth and orderly as possible in order to minimise risks to our objectives.

Our approach to advancing our objectives

To advance our objectives, our supervisory approach follows three key principles – it is:

  1. judgement-based;
  2. forward-looking; and
  3. focused on key risks.

Across all of these principles, we are committed to applying the principle of proportionality in our supervision of firms.

PRA1

Identifying risks to our objectives

The intensity of our supervisory activity varies across insurers. The level of supervision principally reflects our judgement of an insurer’s potential impact on policyholders and on the stability of the financial system, its proximity to failure (as encapsulated in the Proactive Intervention Framework (PIF), which is described later), its resolvability and our statutory obligations. Other factors that play a part include the type of business carried out by the insurer and the complexity of the insurer’s business and organisation.

Our risk framework

We take a structured approach when forming our judgements. To do this we use a risk assessment framework. The risk assessment framework for insurers is the same as for banks, but is used in a different way, reflecting our additional objective to contribute to securing appropriate policyholder protection, the different risks to which insurers are exposed, and the different way in which insurers fail.

Much of our proposed approach to the supervision of insurers is designed to deliver the supervisory activities which the UK is required to carry out under Solvency II.

The key features of Solvency II are:

  • market-consistent valuation of assets and liabilities;
  • high quality of capital;
  • a forward-looking and risk-based approach to setting capital requirements;
  • minimum governance and effective risk management requirements;
  • a rigorous approach to group supervision;
  • a Ladder of Intervention designed to ensure intervention by us in proportion to the risks that a firm’s financial soundness poses to its policyholders;
  • and strong market discipline through firm disclosures.

Some insurers fall outside the scope of the Solvency II Directive (known as non-Directive firms), mainly due to their size. These firms should make themselves familiar with the requirements for non-Directive firms.

PRA2

Supervisory activity

This section describes how, in practice, we supervise insurers, including information on our highest decision-making body and our approach to authorising new insurers. As part of this, it describes the Proactive Intervention Framework (PIF) and our high-level approach to using our legal powers. For UK insurers, our assessment covers all entities within the consolidated group.

PRA3

Proactive Intervention Framework (PIF)

Supervisors consider an insurer’s proximity to failure when drawing up a supervisory plan. Our judgement about proximity to failure is captured in an insurer’s position within the PIF.

Judgements about an insurer’s proximity to failure are derived from those elements of the supervisory assessment framework that reflect the risks faced by an insurer and its ability to manage them, namely, external context, business risk, management and governance, risk management and controls, capital, and liquidity. The PIF is not sensitive to an insurer’s potential impact or resolvability.

The PIF is designed to ensure that we put into effect our aim to identify and respond to emerging risks at an early stage. There are five PIF stages, each denoting a different proximity to failure, and every insurer sits in a particular stage at each point in time. When an insurer moves to a higher PIF stage (ie as we determine the insurer’s viability has deteriorated), supervisors will review their supervisory actions accordingly. Senior management of insurers will be expected to ensure that they take appropriate remedial action to reduce the likelihood of failure and the authorities will ensure appropriate preparedness for resolution. The intensity of supervisory resources will increase if we assess an insurer has moved closer to breaching Threshold Conditions, posing a risk of failure and harm to policyholders.

An insurer’s PIF stage is reviewed at least annually and in response to relevant, material developments. (…) »

Click here to access PRA’s detailed paper

EIOPA: Potential macroprudential tools and measures to enhance the current insurance regulatory framework

The European Insurance and Occupational Pensions Authority (EIOPA) initiated in 2017 the publication of a series of papers on systemic risk and macroprudential policy in insurance. So far, most of the discussions concerning macroprudential policy have focused on the banking sector. The aim of EIOPA is to contribute to the debate, whilst taking into consideration the specific nature of the insurance business.

With this purpose, EIOPA has followed a step-by-step approach, seeking to address the following questions:

  • Does insurance create or amplify systemic risk?
  • If yes, what are the tools already existing in the current framework, and how do they contribute to mitigate the sources of systemic risk?
  • Are other tools needed and, if yes, which ones could be promoted?

While the two first questions were addressed in previous papers, the purpose of the present paper is to identify, classify and provide a preliminary assessment of potential additional tools and measures to enhance the current framework in the EU from a macroprudential perspective.

EIOPA carried out an analysis focusing on four categories of tools:

  1. Capital and reserving-based tools;
  2. Liquidity-based tools;
  3. Exposure-based tools; and
  4. Pre-emptive planning.

EIOPA also considers whether the tools should be used for enhanced reporting and monitoring or as intervention power. Following this preliminary analysis, EIOPA concludes the following (Table 1):

Table 1 Macro

It is important to stress that the paper essentially focuses on whether a specific instrument should or should not be further considered. This is an important aspect in light of future work in the context of the Solvency II review. As such, this work should be understood as a first step of the process and not as a formal proposal yet. Furthermore, EIOPA is aware that the implementation of tools also has important challenges. In this respect this report provides an overview of tools, main conclusions and observations, stressing also the main challenges.

Table 2 puts together the findings of all three papers published by EIOPA by linking

  1. sources of systemic risk and operational objectives (first paper),
  2. tools already available in the current framework (second paper)
  3. and other potential tools and measures to be further considered (current paper).

Table 2 Papers

The first paper, ‘Systemic risk and macroprudential policy in insurance’ aimed at identifying and analysing the sources of systemic risk in insurance from a conceptual point of view and at developing a macroprudential framework specifically designed for the insurance sector.

The second paper, ‘Solvency II tools with macroprudential impact’, identified, classified and provided a preliminary assessment of the tools or measures already existing within the Solvency II framework, which could mitigate any of the sources of systemic risk.

This third paper carries out an initial assessment of potential tools or measures to be included in a macroprudential framework designed for insurers, in order to mitigate the sources of systemic risk and contribute to the achievement of the operational objectives.

It covers six main issues:

  1. Identification of potential new instruments/measures. The tools will be grouped according to the following blocks:
    • Capital and reserving-based tools
    • Liquidity-based tools
    • Exposure-based tools
    • Pre-emptive planning
  2. Way in which the tools in each block contribute to achieving one or more of the operational objectives identified in previous papers.
  3. Interaction with Solvency II.
  4. Individual description of all the tools identified for each of the blocks. The following classification will be considered:
    • Enhanced reporting and monitoring tools and measures. They provide supervisors and other authorities with additional relevant information about potential risks and vulnerabilities that are or could be building up in the system. Authorities could then implement an array of measures to address them both at micro and macroprudential level (see annex for an inventory of powers potentially available to national supervisory authorities (NSAs)).
    • Intervention powers. These powers are currently not available as macroprudential tools. They are more intrusive and intervene more severely in the management of the companies. Examples could be additional buffers, limits or restrictions. They are only justified where the existing measures may not suffice to address the sources of systemic risk identified.
  5. Preliminary analysis per tool.
  6. Preliminary conclusion.

Four initial remarks should be made.

  1. First, although in several instances the measures and instruments are originally microprudential in nature, they could also be implemented as macroprudential instruments, if a systemically important institution or set of institutions or the whole market are targeted.
  2. Secondly, analysing potential changes on the long-term guarantees (LTG) measures and measures on equity risk that were introduced in the Solvency II directive, although out of the scope of this paper, could contribute to further enhance the framework from a macroprudential perspective. The focus of this paper is essentially on new tools, leaving aside the analysis of potential changes in the current LTG measures and measures on equity risk, which will be carried out in the context of the Solvency II review by 1 January 2021.
  3. Thirdly, when used as a macroprudential tool, the decision process may differ, given that there are different institutional models for the implementation of macroprudential policies across EU countries, in some cases involving different parties (e.g. ministries, supervisors, etc.). This paper seeks to adopt a neutral approach by referring to the concept of the ‘relevant authority in charge of the macroprudential authority’, which should encompass the different institutional models existing across jurisdictions.
  4. Fourthly, there seems to be no single solution when it comes to the level of application of each tool (single vs. group level).

Concerning the different proposed monitoring tools, in the follow-up work, the structure and content of the additional data requirements should be defined. This should then be followed by an assessment of the potential burden of collecting this information from undertakings.

It is important to stress that this paper essentially focuses on whether a specific instrument should or should not be further considered. This is an important aspect in light of future work in the context of the Solvency II review. As such, this work should be understood as a first step of the process and not as a formal proposal yet.

Figure ORSA

Click here to access EIOPA’s detailed discussion paper