Last September we shared our views on what should be front of mind for insurance sector firms and their internal audit functions. Now we revisit those topics and how they have evolved.
Protecting the consumer
As predicted, Consumer Duty has been a significant focus for firms during 2023. The new Consumer Duty is an important piece of regulatory change: the FCA is looking for a cultural shift. It requires significant effort to implement and has widespread impacts on firms.
As firms put their energies into that implementation, the FCA has provided further guidance and released updates to the market earlier this year. These included both Dear CEO / portfolio letters and the results from their multi-firm review. The FCA is keen that firms have a structured and robust approach to implementing and embedding the Consumer Duty rules into their processes, systems and cultures. And it has highlighted several key considerations for firms ahead of the nearing July 2023 deadline for open products. You can read more in our article about Consumer Duty in this issue.
Internal audit functions are developing their approaches and plans, focusing first on whether implementation plans are progressing and whether the key Consumer Duty requirements due by 31 July 2023 have been completed. These Consumer Duty-related assurance needs will likely continue to ensure that the FCA’s intended outcomes are achieved and that Consumer Duty is sufficiently embedded in firms’ culture and operations.
Financial management
Financial resilience remains a key priority for the regulators. In its Dear CEO letter Insurance supervision: 2023 priorities in January, the PRA highlighted the effects of the difficult economic outlook on the insurance sector. In particular, credit and concentration risks are a challenge for life insurers, and claims inflation is a challenge for general insurers. The effects of inflation on pricing, reserving, business planning and capital planning / modelling need to be carefully considered. The PRA will continue to monitor this through its supervisory activities.
In January this year the UK Government consulted on introducing an Insurer Resolution Regime which will give the Bank of England powers to take action to stabilise and manage the failure of an insurer. Again, it shows a desire to minimise the impact of financial failure.
For internal audit functions, there can be a tendency to rely on external auditors to cover the financial risks and controls of a firm. In the current economic environment, internal audit functions should challenge themselves over whether this approach remains appropriate. Is there enough consideration and coverage of financial risks within the audit universe and plan?
Governance, culture & people
The SM&CR came into force for insurers on 10 December 2018 and is now well established and understood, with its overall aim to improve accountability and culture in the financial services sector.
In March this year, the Government launched its call for evidence on the SM&CR, part of a wide-ranging shake-up to make UK financial services more competitive post-Brexit. The FCA and PRA also issued a joint discussion paper to seek views from firms, consumers, and other stakeholders on the effectiveness, scope and proportionality of the SM&CR. The deadline for responses was 1 June.
Whilst we don’t expect wholesale changes to the SM&CR, it’s good news that it is under review and that possible improvements are being explored. Certainly, any changes to reduce the administrative burden of the SM&CR on firms will be appreciated.
In more recent news, the FRC launched a consultation document on the UK Corporate Governance Code in May. The consultation focuses on internal control, assurance and resilience. The main changes relate to:
- ESG – proposed changes that require boards to report on climate ambitions and transition planning in the context of firm strategy, and expand the remit of audit committees to oversee ESG disclosures, controls, processes and assurance.
- Director commitments – in response to investor concerns over the number of board positions held by directors and their time commitment, proposals address this issue and suggest increasing transparency and reporting on director appointments.
- Diversity and inclusion – proposed revisions to strengthen the Code in this area, including consideration of diversity beyond gender and ethnicity and increased reporting on succession planning.
- Audit, risk and internal control – significant changes to Section 4 of the Code reflecting the need for a more robust framework of risk management and internal control. This includes requirements for an audit and assurance policy and to follow the FRC’s minimum standard for audit committees.
The proposed changes to the Code will apply to accounting years starting on or after 1 January 2025. Although the Code only applies to premium listed companies, the proposed changes will interest all firms as an example of best practice which could, in time, cascade down to non-listed and smaller firms.
For internal audit functions, it’s important to monitor proposed changes to the SM&CR and Code for their potential impact on firms. Where changes need to be implemented, internal audit functions should be giving assurance on their effective implementation and embedding.
Operational & IT risks
Operational resilience and IT risks, particularly cyber risk, remain top priorities for firms and the regulators. The threats are continually evolving and there are increased cyber incidents, including ransomware attacks.
Both the FCA and PRA business plans for 2022/23 highlight the ongoing importance of operational resilience and indicate further oversight and supervision in this area. Firms have until March 2025 to test and refine their operational resilience frameworks. In particular, the regulators will be looking at consistency in approach and dependency of third parties. Joint consultation papers on the oversight of third parties and the reporting of operational incidents are expected later this year.
For internal audit functions, operational and IT risks should remain a key component of internal audit plans and subject to regular reassessment given the evolving risks. Most importantly, internal audit functions should make sure their firms continue to test and refine operational resilience frameworks before the March 2025 deadline.
Regulatory change
In September we identified ESG, appointed representatives, back-branching and the Solvency II review as key areas of regulatory change. Of these topics, ESG and the Solvency II review will have the most prominent and wide-reaching impact. You can read more in our article about the Solvency II review in this issue.
ESG initiatives and reporting remain high on firms’ agendas, reflecting increased pressures from a wide range of stakeholders: regulators, investors, customers, employees and wider society. The UK intends to make TCFD-aligned disclosures mandatory throughout the economy by 2025, with a significant number of requirements in place this year. There is also growing demand from investors for firms to provide ESG data and reporting.
The regulators are particularly focused on climate-related financial risks including physical risks, transition risks and liability risks. In its business plan for 2023/24, the PRA says that insurers have taken “concrete and positive steps” to implement their expectations in this area, but the level of embedding varies and more progress is needed in all firms.
ESG should now feature in some way in internal audit universes and plans. For example, this might mean a high-level review of implementation and embedding of the PRA’s expectations for managing climate-related financial risks, a targeted review of compliance with any ESG underwriting or investment guidelines, or ESG disclosures and public commitments / statements. Undoubtedly, internal audit functions need to develop their skills and understanding of this topic. Future work in this area is only likely to increase, with greater demands for ESG assurance from a variety of stakeholders.
If you would like further support on any of the issues raised in this article, please contact PKF’s Governance, Risk & Control Assurance team.