Speech by ASIC Deputy Chair Karen Chester at the 2021 Annual Industry Forum of the Insurance Council of Australia, Wednesday 13 October 2021.
Check against delivery
I would like to begin by acknowledging the Traditional Owners of the many lands upon which we gather today, for me the peoples of the Kulin Nation, and pay my respects to Elders past, present and emerging.
My thanks to the Insurance Council of Australia for inviting us to join you this morning, alongside APRA’s Helen Rowell and my colleague Rhys Bollen, to share with you what’s on regulators’ radars.
In the last two years it seems as though the Four Horsemen of the Apocalypse can’t decide ‘what next?’ for the insurance industry. You’ve faced fire, flood, storm, pestilence, pandemic and even law reform.
How you treat your customers through challenging times has always been the litmus test of trust in the years that follow. But perhaps with the 2021 wave of law reforms – six that matter most for insurers – you have a collective ‘insurance policy’ for securing a trust‑dividend. An opportunity to move beyond the trust-deficit, rent asunder by the Royal Commission.
At the same time, ASIC remains mindful of the confluence of uncertainties you’re facing. Least not the above-average losses with the increased frequency of extreme weather events. And the way-too-long uncertainty for you and your policy holders on Business Interruption Insurance claims arising from the COVID-19 pandemic.
I do want to acknowledge the work you’ve done to-date on systems and processes to bring them into line with these new obligations. Much of the initial hard-wiring work should now be completed and what lies ahead are your decisions and ultimately – your conduct. And with this will come your opportunity to reap the ‘trust-dividend’.
From ASIC’s perspective, three actions will see you move from trust-deficit to trust-dividend:
- maintaining focus on conduct risk
- keeping pace with legislative step-changes in regulatory obligations
- investing in data, systems and processes – essential prerequisites for delivering good consumer outcomes.
1. Maintaining focus on conduct risk
Conduct, climate and cyber are three big ‘here-and-now’ issues for the general insurance sector. And it’s good to see climate and cyber being covered in other sessions today, which enables me to focus on conduct risk.
ASIC defines conduct risk as: ‘the risk of inappropriate, unethical or unlawful behaviour on the part of an organisation’s management or employees’.[1]
ASIC and APRA have complementary roles for insurance. APRA’s focus is chiefly on matters prudential (especially financial risk management) and ASIC on conduct (a non-financial risk). For us, the end-game on most conduct risk is ‘customer outcomes’.
But the last three years have revealed (and demonstrably so) that poor conduct has serious financial implications for companies, their investors, and their customers. Not to mention the costly lag and drag of remediation and reputational damage.
Right now, ASIC is monitoring 71 remediations that will see the ultimate (estimated) return of over $5.2 billion to consumers upon finalisation. General insurance remediations account for 11% ($566.3 million) of that total. Over $2 billion has been returned so far for these active remediations, with 17% ($337.86 million) of that $2 billion related to general insurance.
Measuring consumer outcomes – and doing so well – is today’s must‑have for the insurance industry. And going forward, it ideally should not be measured by remediation figures.
To illustrate why, I’ll ask you to imagine that you’ve stepped inside Dr Who’s ‘Tardis’ and travelled six-years back in time. Imagine if these changes had been introduced back in 2015:
- design and distribution obligations
- changes to breach reporting and how you manage disputes internally
- prohibition on unfair contract terms
- claims-handling reforms
- add-on insurance reforms.
Can you also imagine that at the same time in 2015, adequate investment in good systems, processes and controls had been introduced in lock-step?
If this had all happened six years ago, would we now be seeing the current levels of breach reporting, remediation and refunds for things such as the mis-selling of credit insurance? Or for the mis‑selling of add‑on insurance with car sales?
Being consumer-centric, and having adequate investment in your data and systems, are not a regulatory burden. They are simply good risk-management. They’re an ‘insurance policy’ for you, your Board and your investors.
ASIC wants to see insurers selling simpler, more easily understood and comparable products. And with it, robust competition and sustainable products and revenues.
2. Keeping pace with legislative step-change
Turning now to the second action that will move industry closer towards the state of trust-dividend. The need to keep pace with legislative step-changes in regulatory obligations.
As I said earlier, you’ve worked hard to meet the legislative step‑change for insurance obligations. But the pace must be maintained, with five commencing last week and the sixth, claims‑handling, will start in January.
I’d like to thank you all for how you worked with us, providing helpful input into the consultation on those reforms. Assisting Treasury on getting the legislative settings right. Helping us to advance and target our guidance and information sheets.
I’d especially like to acknowledge a handful. On the deferred sales model, you worked closely with us and the Government to finalise the guidance. Not only by providing relevant examples of how the model would work in practice, but also identifying an implementation issue on digital products, and providing the solution.
On the hawking guidance, you provided us with practical examples of where clarification was needed, which assisted us immensely.
Finally, your collective efforts to align the update of the General Insurance Code of Practice to ASIC’s guidance on internal dispute resolution. Your inclusion of the reduction from 45 to 30 days to resolve a complaint, and the updated definition of ‘complaint’, was terrific.
Turning to briefly focus on three of the reforms. Arguably they are your valuable ‘canaries down the coalmine’ for your executives and your Board:
- design and distribution obligations
- internal dispute resolution requirements
- new requirements for breach reporting to ASIC.
But first, a reminder that we are and will be taking a reasonable approach in the early stages of these reforms – provided you use your best efforts to comply. Through the pandemic we’ve tried to be both pragmatic and reasonable. We’ve wanted to set the stage for the reforms to be a success. And we’ve done this by also helping the Government defer commencement of some of the biggest step-changes, such as the design and distribution obligations.
Design and distribution obligations
DDOs are now front, centre and operationalised.
The primary root-cause of the ‘risk trifecta’ – by this I mean reputational damage, consumer complaints and remediation programs – was the sale of products that are simply not fit for purpose. And in the case of some insurance products – evidence showed not fit for anyone.
The sale of junk consumer credit insurance led to $160 million in remediation for close to half a million consumers in 2020 alone, and over $250 million to-date. In addition to the reputational damage suffered by entities when those practices came to light.
DDOs require firms to design financial products to meet the needs of consumers and retail investors, and to distribute those products in a more targeted manner. And while meeting day-one compliance requirements was the first big step, it’s just the beginning of the journey. We know you will continue to embed consumer-centric product design into your businesses.
Internal dispute resolution
The same goes for internal dispute resolution (IDR).
Updated standards and requirements for IDR will assist in improving timeliness of complaints handling, clearer messaging to consumers, and consistent recording of complaints. For you and your Boards, I want you to think of IDR as your ‘back-up canary’ that will warn you if all else fails.
Breach reporting reforms
Turning to breach reporting reforms, which also started this month.
Firms are already using this data, which is being reported to ASIC, to identify any systemic issues, and to perform root-cause analysis.
Breach reporting reforms deal squarely with longstanding concerns about inconsistent, inadequate and delayed reporting of breaches by licensees.
We do expect a significant increase in the volume of reports received. This is because a wider range of entities (such as credit licensees) will now be required to report, and also because a wider range of breaches will be subject to reporting.
ASIC is ready.
Taken collectively, these reforms bring to life the old adage that what is well-reported is well-managed.
They position your firm (executives and the Board) to act pre-emptively and decisively to detect, escalate and act on consumer harms, and to identify patterns of non-compliance and possible misconduct.
And where that doesn’t happen, then – and only then – will ASIC step in, but with a much shorter time-lag.
3. Investing in systems and processes
The third and final action I’d like to discuss is the imperative to invest in data, systems and processes. This is perhaps a source of residual uncertainty for some of you.
The ongoing legacy risks created by system deficiencies, and continued under-investment in systems and data, are a ‘known-known’.
For example, a ‘system deficiency’ was the second most common root-cause of all breach reports submitted by one institution reviewed in ASIC’s institutional supervisory program.
Between October 2020 and September 2021, on average, a ‘system deficiency’ was identified as a root-cause of 19% of all breaches reported by institutions through ASIC’s Regulatory Portal.
Then there’s the more recent Business Interruption Insurance, where it was revealed that insurers’ systems and risk‑management processes were inadequate. Policy wording was not updated to refer to current legislation. And it resulted in unnecessary uncertainty for insurers about their risk exposure, and for policyholders about their coverage. And it has been uncertain for way too long.
What I want to highlight today is ASIC’s concern about the risk of ongoing and legacy misconduct being masked or facilitated by under-investment in systems and processes.
Think about that ‘Tardis’ moment I mentioned earlier. And the speed of change brought about by digitalisation in the past six years.
Put simply, ongoing systems and process under-investment is exponentially increasing your exposure.
It’s no secret that ASIC has been frustrated by the delay in addressing under-investment in data, systems and controls.
We now have a pipeline of cases in the insurance sector, mostly stemming from poor management of non-financial risk – be it lack of robust internal controls, legacy systems, product design or implementation issues. With one such case likely to become public in coming days.
Conclusion
Before I hand over to my colleague Rhys Bollen, to unbundle this and a few more insurance-specific reforms, I’ll leave you with one request.
And one I do not make lightly given the uncertainties and challenges you have faced in the last two years, coupled with the ‘step-change’ in new regulatory obligations. That is: investment in getting data, systems and internal controls right is essential.
It’s long overdue. And from ASIC’s perspective, it’s emerged as an essential prerequisite for the new obligations to deliver your trust‑dividend.
And it’s a prerequisite for harm and misconduct to be detected by you and not masked (and expensively so) by continued under-investment in data, systems and processes.
At the end of the day, our vision for a ‘fair, strong and efficient financial system for all Australians’ focuses our efforts and frames everything we do, but it’s not only about us.
Because, with both thanks and apologies to Jane Austen, 'It is a truth universally acknowledged that an insurer in possession of good data, systems and processes should not be in want of a trust-dividend.'
Thank you.
[1] ASIC REP 631 Director and officer oversight of non-financial risk report, October 2019, page 9.