Kathryn Morgan

The Gibraltar Financial Services Commission (GFSC) is actively involved in the preparation for Solvency II. As Gibraltar is home to many insurance and financial services entities operating across Europe, the GFSC is observing new uses for the ORSA beyond insurance. Kathryn Morgan, director of regulatory operations, GFSC, reflects on the ORSA submissions of insurance firms in Gibraltar and how they are shaping the regulator’s wider thinking on the regulation of financial services.

The good and the bad in the ORSAs of Gibraltar

As was highlighted in the Sharma report, which set the scene for Solvency II (a lifetime ago in 2002), failures of insurers are nearly always caused by either poor governance, or a poor understanding of risk, or both. The ORSA process plays a crucial role in managing such risks by providing the discipline to a firm’s management to better understand and manage its risks and capital needs. As a result, it assists management in refining business plans and making informed decisions regarding strategy in light of these risks, and the solvency capital needs of the business.

Insurers in Gibraltar submitted their first ORSAs by the end of 2014, in line with EIOPA’s preparatory requirements. The GFSC reviewed about fifty submissions, and provided feedback to the market. As would be expected, given this was the first run through, the results showed significant variation, highlighting the value of the preparatory phase.

Our internal assessment indicated that 80% of the ORSAs were in reasonable shape, with the remainder requiring a step improvement.

On the positive side we are seeing a clear engagement by senior management and the delivery of a manageable length document for the Board. The provision of a summary of the firm’s business strategy is another positive which helped to position the risk review and forward-looking assessments.

However, there were a few areas where we feel certain firms were lacking in their ORSA work and required greater emphasis on forward-looking aspects, including being more joined-up with business strategy. Other firms will need to improve the balance between the quantitative and the qualitative aspects. The exercise also exposed a need for greater stress testing of material risks beyond the highest risk.

From a standing start the industry has come far. We expect to see further improvements in the ORSAs we will receive during the rest of 2015, and for the ORSA to show greater alignment with firms’ business planning processes.

The GFSC is currently reviewing its supervisory processes to ensure that they are fully aligned with the requirements of EIOPA’s guidelines in this regard. A key component of the preparation for the start of the Solvency II supervisory process will be an understanding of the challenges facing the firm as documented in the latest iteration of its ORSA. For example, the risks to the firm’s business strategy and plans, and how it is managing these risks.

Well-run firms have nothing to fear from clearly articulating their risks, and risk mitigation. Indeed, the flip side of this is that a sub-optimal ORSA is an indication of poor governance, or poor risk management, or both. And given the findings of the Sharma report, that worries us as regulators.

The problem with a “living document”

The ORSA could be considered a “living” process. However, to refer to the ORSA document as a ‘living document’, as some do, risks it not being finalised – the idea of a “living document” is a pet hate of mine. It is important that the Board are very clear which version of the ORSA document they are approving, and the key changes since the previous version that they approved.

Positive ORSA sprawl

Non-executive directors have told us that they find the ORSA a particularly tangible and useful mechanism to help them get to grips with what Solvency II means for their firm and what risks they are facing. We continue to engage with these stakeholders and encourage them to use the ORSA process to help develop their understanding of how the firm can work with the grain of Solvency II to continuously improve its governance, risk management, capital management and disclosure.

One somewhat surprising positive outcome of the ORSA has been that firms are finding it useful beyond Solvency II. We are aware of at least one parent of an insurer – a non-financial services firm – which is planning to create an equivalent process and report for itself in order to improve its risk management processes and associated governance. This has inspired us to look more closely at the ORSA for our own purposes. We consider that the way the ORSA brings together a firm’s business planning, assessment of the risks facing a firm and the capital and profit implications gives a really good insight into the working of a firm, and we use this type of analysis in developing our supervisory plans. We are also working with our licensed firms to identify risks to our objectives of protecting consumers and the reputation of the jurisdiction.

In Gibraltar, the regulated financial services industry is extensive, ranging from banks to auditors to trust and company service providers. While we don’t require all our authorised firms to have an ORSA, we are refining our supervisory approach to include an assessment of the risks posed by a firm to our objectives and, in particular, how sustainable a firm’s business model is.

As Gibraltar is part of the EU, companies domiciled here can apply to passport their services across the union – this means that selling of products can take place in a different place to the place where a firm is regulated. We have an objective to focus on public interest outcomes that are important in all the jurisdictions where Gibraltar firms operate. Our thinking here is that there is often a long chain between the consumer and the end product. The chain can cross borders, and can have unregulated links. Every link takes something away from the investment, and can leave the consumer worse off, or too distant from their investment. Distance means lack of understanding and control. Distance means there is scope for the poor operators or fraudsters to sneak in.

When we look at the risks to our objectives, we focus on risks to consumers and risks to the reputation of Gibraltar. For example, a firm may have poor controls on client money and that may lead to loss for customers. Alternatively, a firm may be heavily subsidised by its owners or other parts of a group meaning that in the long-term the business model is not sustainable. Drawing on the ORSA principles we can then take supervisory action appropriate to the risks. Alongside this, we give guidance to the different industries as to what we expect.

There is regulatory protection for consumers in target (i.e. host) third countries, such as the FCA for the UK. However, the challenge is being joined up. We are developing proactive and productive relationships with regulators in the main markets in which our firms operate.

I think regulators can do only so much here. We can look at corporate culture or the distribution chain and co-operate internationally. We can be aware that regulatory pressure in one jurisdiction can result in poor behaviour in another one. For example, requiring additional capital might put pressure on profits, leading to more aggressive selling practices. I would like to see more discussion of this issue between regulators – the only reference I have been able to find is in ‘New model financial regulation’, where the Financial Services User Group (FSUG) of the European Commission highlighted this issue in 2012. No action appears to have been taken.

The FSUG suggest that regulators act as a “super consumer” and focus on root causes (for example, high expenses in investment banks are passed on to the ultimate consumer).

The real solution lies with the people running companies. CEOs should start by thinking about their customers. And by customer, I mean the person at the end of the chain, not the intermediaries. Ask yourself, what do they want? Where are they? How do they access your services? Are there things they might need but haven’t realised? Are you allowing some parts of your organisation to behave in ways that endanger them?

Once you have answers to these questions you can then stamp out poor practice and remember why you are in business.

The ORSA is not a compliance exercise. Regulations, and compliance with them, should be a minimum standard. Of course firms should check an investor’s risk tolerance and financial status. Of course they should write it down. But there’s also a bigger responsibility to look behind the rules to what is really going on in the relationship between the investor and their adviser.

The author is the director of regulatory operations at the Gibraltar Financial Services Commission. The views expressed are the author’s own.

