Insurance intermediaries and conduct: too-good-to-be-true reporting?
The end of March 2021 marked an expansion in the scope of the senior manager and certification regimes (SM&CR) for solo-regulated firms.
Nearly all employees of these firms are now subject to the conduct rules. Prior to that, SM&CR conduct rules applied to a much smaller population — senior managers and certified staff. This article intends to shine a spotlight on the approximately 6,000 insurance intermediaries and assess how they operated within the conduct rules regime in their first year. The issues highlighted here will be magnified with the extension of the conduct rules to a much larger population.
Freedom of Information request
Sicsic Advisory submitted a request to the Financial Conduct Authority (FCA) under the Freedom of Information Act (FoI) due to concerns that some firms were under-reporting conduct rule breaches. The aim was to see if its observations of market practices were backed up by data.
Key findings: low reporting
Out of approximately 6,000 solo-regulated insurance intermediaries, only 15 conduct rule breaches by senior managers and certified staff were reported last year. That is less than 1%.
The FoI disclosure revealed that only 10 firms reported breaches between December 9, 2019 and August 31, 2020, the first period of implementation for certified staff. In addition, there were five reports on senior managers under separate reporting requirements. Sicsic Advisory expected the figure to be low, but it is surprising just how low the number is. With the extension of the application of the conduct rules, if the potential reporting gap continues to be replicated on a wider scale, it is likely the regulator will take some further action.
Why is the reporting low?
The low reporting could be due to a combination of factors, including lack of tailored training about what constitutes a breach, lack of processes to identify and escalate potential breaches, and concerns about reporting rule breaches and appearing out-of-step with firms’ peers. Taking each in turn, firms should be encouraging employees to self-identify any potential conduct rule breaches. If training is not tailored, employees are less likely to identify issues themselves and the chances of reporting are reduced. Likewise, if the processes to support identification and escalation have not been fully developed, the risk of under-reporting increases.
Firms will have concerns about reporting methodology. The reality is that they will all take different approaches based on their different risk appetites, and the FCA understands this. For example, one firm may view breach of the General Data Protection Regulation (GDPR) with zero tolerance, while another will take a different view. In such a scenario two firms may legitimately reach different outcomes, with one firm reporting a breach but not the other. Firms should build their processes in line with their current disciplinary practices and be less concerned about what their peers are doing.
The FCA ultimately wants to see that disciplinary procedures, from formal warning to dismissal, are aligned to conduct rules. Reporting few or no breaches may indicate that they are not.
The regulator’s perspective
If reporting remains lower than expected, the FCA is more likely to step in and investigate firms, and the industry as a whole may face more scrutiny. In Sicsic Advisory’s view, the breach data will support the regulator in assessing the types of conduct issues firms are facing. The regulator will want to understand how firms are responding to those challenges, what root cause analysis is being undertaken and what remedial steps are in place.
The regulator communicates with firms about how it will use the data. This may help to reassure the sector and give firms the confidence to respond with openness.
The FoI disclosure confirmed that there were no appeals against disciplinary actions for conduct breaches. On one hand, this could mean firms are conducting thorough investigations and all parties agree with the outcome. On the other, it could mean only the black and white cases are being progressed. Again, this could be indicative of a failure to implement an identification and escalation process, and of training that has not been tailored to the role. Developing scenarios on conduct rule breaches in line with their disciplinary processes can help firms to navigate those inevitable grey areas with transparency.
The majority of breaches reported were against integrity, followed by due skill, care and diligence. Integrity breaches could indicate that firms have more work to do in terms of their culture and making sure their staff are doing the right thing.
One insurance intermediary senior manager is currently under formal investigation by the FCA. Now that the regime has been extended to cover nearly all employees, however, this is just the tip of the iceberg. More enforcement from the regulator is to be expected, as it underlines its initial intent of making conduct rules the minimum behavioural standard across the industry.
What should firms be doing?
The role of senior management should not be under-estimated. Senior management should take ownership at board level and set the right tone from the top. SM&CR is not just a compliance issue or an HR issue. At heart, it is about culture, and senior management have an important role to play.
Although March 31, 2021 was a milestone, it marked the beginning of a new era and not a full stop on a compliance exercise completed. There is now an opportunity to review and take stock. Firms should be asking themselves whether they can confidently say their employees understand how the conduct rules apply to them in their role. Are they embedded in their organisation? Are they reporting breaches in line with regulatory expectations? How aligned are conduct rules with performance management and disciplinary processes?
If they are not already doing so, firms should be thinking about embedding. They should be asking themselves what management information they are receiving, and what does “good” look like?
Aligning good conduct with outcomes
In future, tick-box training and too-good-to-be-true reporting (or lack of it) will not satisfy the FCA. Nor will it help the large numbers of employees who now fall under the glare of the regulator. SM&CR is designed to align good conduct with the outcomes that reputable financial services advisers want to deliver. Firms with a customer-focused culture that deliver adequate training and consistent internal monitoring need not fear the new reporting rules.
Nindy Mellett is an associate director at Sicsic Advisory. She has more than 20 years’ experience in general insurance and specialises in supporting clients in their regulatory change projects including SM&CR, Brexit and IDD.
This article was first published by Thomson Reuters Accelus Regulatory Intelligence on 5 May 2021.