Each year, thousands of regulatory changes are made that could materially affect the insurance industry, and the number is rising. In any given year, more than 40,000 regulations—including legislative bills, administrative rules, bulletins, advisories, alerts, directives, and interpretive guidance—must be vetted to determine if they affect the business of insurance. According to RegEd’s internal research, there were about 2,400 new or revised state regulations enacted or adopted that directly affected the insurance industry in 2013. In 2019, there were about 3,600, an increase of 53%. As the number escalates, new regulations themselves are becoming more complex, especially around risk management, corporate governance, cyber-security, and privacy, with wider-ranging effects that reach further across geographies, business lines, products, and processes.
Managing the regulatory change process can be complicated and time-consuming. Simply identifying a new regulation is a monumental task, to say nothing of methodically analyzing each one to determine how—and whether—it could affect an insurance company’s sales operations, actuarial procedures, product features, financial obligations, or any number of other areas of the business. When a new regulation does affect the organization, it must take steps to bring itself into compliance. Finally, a company must demonstrate compliance to regulators.
A Repeatable Closed-Loop Process
If an organization has implemented an established and repeatable closed-loop process to manage regulatory change, it can avoid missing key regulations, determine how new regulations affect the organization with more precision, take measures to bring itself into compliance more efficiently, and demonstrate proof of compliance with comprehensive documentation and reporting. There are five steps: Be aware of new regulations; determine relevance to your organization; identify areas of ownership and translate changes into business requirements; execute, monitor, and validate a workflow plan to bring the company into compliance; and demonstrate compliance to regulators and internal stakeholders.
1. BE AWARE
An organization must be aware of what new, revised, and amended regulations have been made, and each year, there could be thousands of rule changes. As insurance regulation is decentralized, the process can be enormously challenging. There are at least 50 separate insurance jurisdictions, and it’s necessary to monitor each state legislature and agency that has the authority to regulate the business of insurance—there is no central clearinghouse. An organization’s compliance department has to know where to look.
Myriad state and local agencies are authorized to regulate the insurance industry. State departments of insurance are an obvious place to start, but it’s critical not to overlook others that may not regulate as often or as widely, including departments of transportation, departments of labor, and departments of health and human services. Equivalent regulations in different states may have different requirements, and if the company offers numerous lines of insurance in different markets, the company is subject to each rule for each product in each state.
Once aware of new regulations, it’s best to have a central system to manage them actively. Regulations that are handled through different departments within the organization with different methodologies, workflow practices, and levels of accountability can easily be lost or addressed inconsistently, creating a risk of noncompliance and inefficiencies throughout the organization.
2. DETERMINE RELEVANCE
Once in the door, a regulation must be reviewed and evaluated for relevance to an organization’s business, its spirit and intent, the areas and processes it may affect, and the types of changes necessary to comply. It’s a time-consuming and laborious process that can take months for a single regulation, and it involves a great deal of research and dialogue. In many instances, a new regulation’s relevance may not be obvious, and although a regulation ultimately may be deemed not applicable to the organization, the process to make this determination can represent a great deal of staff time, effort, and other resources.
3. TRANSLATE CHANGES INTO BUSINESS REQUIREMENTS
When it’s determined that a new regulation affects the business, an organization must identify the areas of ownership—claims department, underwriting, or actuarial, for example—and the individuals who are responsible for bringing the company into compliance. As some legislative bills and administrative rules can reach hundreds of pages with a high degree of complexity, it is critical to review, interpret, package, and deliver—in plain English—a new or revised regulation to the different affected parts of the organization. This can represent a lot of work, but someone on the receiving end may not be able to interpret legal or legislative language in an effective way that’s actionable and makes sense for the business.
Many companies, especially those that haven’t established a strong compliance management cycle, don’t have the staff and resources to translate new regulations effectively. When left to individual divisions to interpret a new regulation and take measures to comply, the effort often can be like a fire drill: reactive, incomplete, and inconsistent with other areas of the company. Without a central, managed closed-loop process, this step is almost impossible to do; merely hoping for the best outcome rarely results in the best outcome.
4. EXECUTE, MONITOR, AND VALIDATE
An organization’s compliance department must assign the recommended tasks and requirements to the correct departments to make sure the changes needed to bring the company into compliance are in fact made within the required time frame. This should include guidance and a complete framework of workflow, with processes for oversight, monitoring, and accountability built in. Organizations that don’t have an established, closed-loop process can find this difficult—email usually can’t handle the job.
5. DEMONSTRATE COMPLIANCE
It’s not uncommon for regulators to ask an insurance company to show what it did to comply with a new regulation. After all, it’s the law, there are consequences for not being compliant, and the entire process is useless unless an organization can provide positive proof. In addition to providing legitimacy to regulators, it serves as valuable risk management data to senior management and other internal stakeholders.
A closed-loop process makes managing regulatory change vastly easier. Without one, complications can arise when regulators arrive, such as during a market conduct examination, and the result can be a chaotic fire drill: tracking down the people involved, looking through email correspondence, searching for documents, and wading through files. When the process is done correctly, a quick report can provide proof by highlighting the details of how and when an organization complied.
REGULATORY CHANGE MANAGEMENT
RegEd’s Regulatory Change Management incorporates a complete, workflow-enabled, closed-loop process to be aware, determine relevance, create and execute a compliance strategy, and demonstrate compliance with all regulatory changes.
Subject Matter Experts and Specialists
A full staff of subject matter experts with deep, hands-on experience in the insurance industry monitors the regulatory landscape, documents changes, and evaluates each new or revised regulation for relevance and applicability.
Regulatory specialists interpret, summarize, and translate legal language into business-appropriate plain English before distributing the summaries through RegEd’s system to clients based on their lines of business. Streamlined tools enable the tasks necessary to achieve compliance, and reporting functions demonstrate to executive management and regulators that an organization was aware of a regulatory change and that steps were taken to comply, along with a current status report and a full audit trail.
About the Author
Merlinda Johnson is the Director of Insurance Regulatory Compliance at RegEd, Inc.