As the regulatory burden grows, Beth Grossman says the time for global data standards has come

Regulatory compliance is nothing new for insurance companies. Industry regulation goes back over 200 years. As early as the 18th century, the benefits of regulations to protect the policyholder were identified when the British Parliament mandated the use of the Lloyd's standard policy form. The issue arose when several ships would arrive in the same harbour at the same time, each having a different policy form. When a loss occurred on the wharf where offloaded goods commingled, confusion ensued among underwriters who were interpreting different forms for the same loss.

More recently, 9/11 issues of contract certainty on manuscript subscription policies are still creating challenges from a claims perspective: World Trade Center - was it one occurrence, or two?

Yet a combination of geopolitical events, corporate malfeasance and financial collapses has brought new challenges to regulatory compliance and thrust it into the hard light of public and corporate scrutiny. A broad array of regulations in effect in a variety of jurisdictions - including the USA and the EU as individual states and collectively - have raised both the stakes of compliance and the investment needed to achieve it.

These regulations include Europe's Basel II and Reinsurance Directive, the US Sarbanes-Oxley Act 2002, and the UK's Financial Services and Markets Act 2000. The rules deal with operational risk, records management, privacy, accounting and business integration and reporting.

The complexity and depth of some of the new regulations have caused compliance officers within insurance companies to consider how to optimise their activities. Given that a company's regulatory response often depends on its ability to access and manage information, this is causing a rethink of how IT infrastructures can be used to capture, analyse, and store data more effectively. The advice of industry research organisation TowerGroup, outlined in its new 'Recent Regulations Affecting the Insurance Industry' report, is to modernise core system infrastructure where most of the data to support compliance resides and employ flexible IT architectures that can quickly extract and manage information.

This is a painful task for those with legacy systems and processes that have created silos of data that are hard to access. They will not roll over easily to provide in-depth reporting. This means getting a handle on tools for data management, understanding metadata (data about data), and implementing industry standards as a corporate enterprise data strategy.

Regulators want data, but in what format?

There is an emergent need to bring together business processes, regulation and technology in a more cohesive fashion. For this to happen, the role of organisations that most expediently and effectively develop and administer data standards for this purpose - standards development organisations (SDOs) - has become more pivotal to the industries they serve. By maintaining clear, consistent data in an industry-standardised format provided by SDOs like ACORD in the insurance sector, insurance companies can more easily transfer information between systems, partners and regulatory agencies.

Not all standards are created equal, however. Re/insurers are wise to engage regulators not only on the amount and type of information being required, but also on the format in which it is provided. If every regulator requires information in a data format that suits its own needs, insurers will need to build multiple interfaces from the company data store at great expense. The regulators are in effect creating a proprietary data standard for data exchange and this can be an onerous burden for companies in their drive for operational efficiency. Whereas the use of voluntary consensus data standards ensures that regulators are receiving data that is built into companies' infrastructures at an operational level.

Voluntary consensus standards can be characterised as those developed with support from the majority of interested stakeholders to meet the needs of a broad constituency and are technology, vendor, and platform neutral. In contrast, proprietary or prescriptive standards are developed by a specific entity or subgroup, with a special interest, and they can mandate not only the desired result but the means, methods and technologies to get there.

When the governing bodies support standards

Global support for consensus standards is expressed in the WTO 'Agreement Regarding Technical Barriers to Trade' (TBT Agreement), which in 1995 adopted a "code of good practice" for preparing, adopting and applying standards. To date some 144 standardising bodies from 104 countries have accepted the code. An example of one national governing body's endorsement of the code is the series of legal decisions, statutes and executive orders in which the US government has recognised the dangers associated with the capture of standards by special interest groups and the benefits of consensus standards. This included the 1996 National Technology Transfer and Advancement Act (NTTAA), enacted by the US Congress when it found that the global competitive stance of the US was being hurt because its own government agencies routinely ignored widely-used consensus standards and imposed unique, proprietary standards for goods and services.

Where business data becomes regulatory data

The primary concern of regulators is that poor management of operational risk in the insurance industry is not in the interest of policyholders and creates an overlying risk of insolvency in the involved companies and therefore a risk of market failure overall. Regulations that require reporting of information for national security and anti-fraud purposes, only add further complexity to the gathering of data. What's more, regulators also want insurers to put control systems on reporting processes that will improve the accuracy and timeliness of the information they receive.

ACORD's voluntary consensus standards are already playing a role in helping companies serve up information the way regulators like it. Yet there is potential for even greater industry use of ACORD's SDO process and standards to satisfy regulators.

For London market players, recent comments by John Tiner, Financial Services Authority (FSA) chief executive, were an eerie echo of the concerns of 18th century regulators. At a symposium in New York in December, Mr Tiner drew a direct connection between contract certainty and improved reserving.

"We want," said Mr Tiner, "to see the end of a practice which is 'deal now, detail later.' The lack of contract certainty creates risks for the policyholder as well as the insurer and brokers." Contract certainty is being tackled through the London Market Principles (LMP) reforms and Lloyd's Business Process Reforms. One initiative is the mandated use of a standard placing slip in the London market. The LMP slip is an interim standardised placement document which will soon be replaced by a global placing document that ACORD is currently developing with its membership.

The new document will be ACORD's first international form. In creating it, ACORD builds upon its 35-year history of developing standard forms in the US. ACORD forms have allowed companies that are doing business across multiple states to keep their forms compliant with the regulations of each state. The same kind of opportunity could be available to reinsurers in Europe and elsewhere to provide a greater degree of contract certainty.

As regulators consider monitoring contract certainty, the use of standardised data has obvious application.

Another example that highlights the value of international standards is the regulatory challenge faced by insurers operating or looking to expand into other countries. They have to analyse regulatory requirements for licensing, maintaining operations, and reporting in every one of those countries, and send the data in a different way for each. While different geographical regions have some unique needs, widely accepted data can be standardised.

In another application to help meet FSA requirements and improve risk management, Lloyd's recently required its syndicates to do risk modelling of prescribed exposure scenarios so that a better assessment of the capital needed to support each syndicate can be gained. This CAT modelling is being accomplished with the use of ACORD exposure reporting standards created in conjunction with the industry's major CAT modellers.

The International Association of Insurance Supervisors (IAIS), which had stepped into the role of supervising global reinsurance, is similarly concerned about exposure reporting. According to a report in Standard and Poor's 'Global Reinsurance Highlights 2004', IAIS is interested in achieving transparency, particularly as it relates to the sector's resilience to large loss events. Capturing detailed loss and payment data in ACORD standard format will be critical to these efforts.

In the US, Sarbanes-Oxley (SOX) is commanding much attention. SOX requires executives of publicly held companies in the US to certify the effectiveness of financial controls and the accuracy of financial reports. While the regulatory compliance requirements are related to process and the controls at various crucial points in the process, the number of manual interfaces that the companies maintain can seriously compromise their ability to comply. Implementation of ACORD standards can assist in reducing the number of interfaces - between internal systems and external trading partners - and providing more effective audit trails. In the coming months, ACORD and its members will be exploring the implementation of standards as a facilitator of SOX compliance.

SOX casts a long shadow, long enough to have ramifications for the international trading partners of insurers and reinsurers operating under SOX mandates.

The latter may need to audit trading partners whose information is material to their operations. Obviously the relationship between reinsurers, retrocessionaires, and their ceding companies falls into this category. Before SOX, most reinsurers operated under the assumption that they could rely on information from ceding companies. Many contracts called for 'bulk' reporting and administration where policy level data was kept primarily at the ceding companies. However, under SOX more detail than that is required.

Strategy for compliance and business

There doesn't appear to be any slowing of regulatory demands for data anywhere on the horizon. Yet it is clear that data standards can effectively ameliorate the costly burden of the compliance process for insurers, reinsurers and regulators alike. In the broader business context, using data standards to facilitate compliance is like pulling a single arrow from a full quiver.

The effective management of data and use of data standards provides companies with an arsenal of opportunity to improve business operations, and it is increasingly becoming one of the key differentiators of a successful insurance operation.

Beth Grossman, Assistant Vice President, Industry Relations, ACORD.