Office of the Superintendent of Financial Institutions
Certainly there are a lot of unknowns in the Canadian life insurance business, but allow me to close by saying that Canada has a lot of advantages. There is excellent communication between the regulator and the institutions, whether or not we agree on how to resolve an issue. Our international activities have shown that we can act quickly compared to other jurisdictions. OSFI is a principles-based regulator that allows all to compete. We do not apply a one-size-fits all, rules-based mentality that may hinder some and favour others.
Though I have attended this forum in the past, this is the first time I have had the pleasure of speaking to you as the Assistant Superintendent of the Insurance Supervision Sector.
Due to our internal restructuring, my responsibilities at the Office of the Superintendent of Financial Institutions (OSFI) were expanded to include the supervision of the property and casualty, mortgage, and life insurance businesses.
As you are painfully aware, the global financial crisis hit all sectors of the economy hard, but it was particularly harsh for financial institutions.
Much attention has been paid to the banks and how they fared during the crisis resulting in a lot of work in the area of bank capital, including new domestic and international capital frameworks for banks, naming banks Globally Systemically Important Banks (G-SIBs), or Domestic Systemically Important Banks (D-SIBs), and so on. This is understandable because of the negative impact the crisis exerted on the banking sector internationally and domestically.
Insurers, however, are not typically victim to a crisis that causes a run-on-the bank type of event due to the long term nature of their liabilities and their conservative reserves. The issues that affect insurers are generally slower to develop, but once established, take a long time to correct.
Nonetheless, there have been significant changes to the insurance capital frameworks and the increase in regulatory requirements has increased the cost of doing business around the world.
Today I am going to provide some insights into where things are heading from a capital perspective, both domestically and internationally. I will then touch on other areas of risk management that may be of interest to this audience, namely Own Risk Solvency Assessments (ORSA), and OSFI’s Operational Risk Guideline, E-21.
On the domestic front, we are still on track to implement OSFI’s new life insurance regulatory capital framework in 2018. The new capital framework will provide a superior risk based assessment methodology for determining capital requirements. The new test will make use of more current analysis and methodologies as well as explicitly taking into account mitigating actions and diversification benefits. It will allow our capital requirements to remain state of the art compared to those of other jurisdictions.
The capital changes in the new framework are explicitly calibrated to a consistent level of conditional tail expectation (CTE) across the various risks. Actuarial valuation of insurance company liabilities are explicitly intended to include conservative margins with the degree of conservatism varying across risks.
To help ensure that this approach results in consistent capital measures across companies, OSFI has asked the Canadian Institute of Actuaries and the Actuarial Standards Board to consider certain issues with a view to updating actuarial standards and /or guidelines if required.
To avoid double counting and inconsistent treatment of different risks, this new framework will include margins for adverse deviations as an available capital resource.
While we are awaiting the results of Quantitative Impact Study (QIS)7, we are in the process of planning to conduct two framework runs, one in 2016 followed by another one in 2017. These “test drives” will allow us to validate the new capital test and help insurers gear up for the updated regulatory compliance requirements under the new framework.
We should also have a final guideline ready for issue in July 2016, following input from the industry on the draft. Any anomalies uncovered in the testing will be taken into consideration prior to implementation. This will allow time for industry feedback and enable insurers to plan and prepare their systems for implementation of the framework in early 2018.
While work continues on the domestic front, there are also developments in standards for internationally active insurers.
The International Association of Insurance Supervisors (IAIS) is refining the Basic Capital Requirement (BCR) and Higher Loss Absorbency (HLA) requirements for Global Systemically Important Insurers (GSIIs) for implementation in 2019. Work in this area is aimed at mitigating or avoiding risks to the global financial system.
To eventually replace the BCR, the IAIS is developing an internationally agreed upon risk based capital test. The Insurance capital standard (ICS 1.0) for the broader list of Internationally Active Insurance Groups (IAIG) will be ready by the end of 2016, for implementation in 2019.
OSFI looks carefully at the Canadian marketplace and Canadian requirements before deciding whether to adopt international standards. We will take ICS into consideration as we fine tune our current capital tests. The work we do on the OSFI life insurance framework already includes many of the changes stemming from these international standards and we don’t expect ICS 1.0 to be as sophisticated as our current Minimum Continuing Capital and Surplus Requirements (MCCSR) capital test. Consequently, we do not foresee a need to implement any significant changes.
The significant changes will likely come as ICS 2.0 is finalized. It may bring sufficient worldwide convergence for OSFI to start thinking about implementation.
I will now turn to ORSA. As we have stated in the past, ORSA stands for Own assessment, not OSFI’s assessment. Consequently, we expect each institution’s ORSA to reflect the board and management’s assessment of their institution’s risks. Each insurance company is required by OSFI to annually present its ORSA to its board or Chief Agent.
ORSA is a forward-looking process consistent with an insurance firm’s strategic and business plans. It explores and assesses potential threats to capital and solvency positions. ORSA is expected to provide senior management’s view on risk assessment, risk management and planning to its board or chief agent.
The ORSA exercise is relatively a new one. When we surveyed insurers on their ORSA practices, we found that they are taking one of three approaches in their ORSA work.
First, some companies discussed the risks quite comprehensively in the report. They generally provided good qualitative discussion and typically included a reasonable amount of detail on methodology and critical assumptions. We believe that this is helpful to the institution in understanding its risks and the sensitivity of its internal capital targets. OSFI has asked to see the ORSAs once they are approved by the board. A reason for this is to compile a list of “best practices” for the industry as a whole. You can expect to see a number of “best practices” examples from this first group.
Second, some companies spent large amounts of text on descriptions of the processes they used, but little substantive discussion about the assessment of their overall risks. Hopefully this commentary is in the supporting documentation. If so that would be acceptable provided the Board or Chief Agent is receiving the information. Some text is comprehensive, with useful information about certain risks or processes, but some is at a very high level, with little useful information. This indicates to us that some of the ORSA principles are being adopted, but perhaps not uniformly across the enterprise, so there is still some work to be done.
Third, some treat ORSA strictly as a compliance exercise. These reports generally tend to be short with little useful information for decision making. The brevity of the report is not considered to be an issue by itself; it is the lack of information that is not considered to be “best practice”. Most components of the ORSA process – such as dynamic capital adequacy testing, sound governance and risk management – should be familiar to Canadian insurers. These pieces all exist within the institution so what is required is a process that captures and quantifies the risks and presents them through the ORSA framework.
We have found that some companies find the emerging-risk component of ORSA to be a struggle. Management can start this process by asking a simple question; “What keeps us awake at night?” The initial responses can then be formalized into a more robust emerging-risk identification process.
From our perspective, the ORSA should be used to link the institution’s risk assessment to its internal target for capital. A robust ORSA would be one where the company has comprehensively assessed the potential impacts of the risks it faces, and uses that assessment to make prudent decisions.
For many insurers, ORSAs are being refined so there will continue to be an evolution in the way they are implemented. It is our expectation that greater intensity should be focused on material risks. For smaller or less complex institutions, we found that ORSA borrowed heavily from the Dynamic Capital Adequacy Test (DCAT) and the capital frameworks. This may be fine for many insurers but it should be supported with documentation as to why those approaches are appropriate.
My penultimate topic today touches on operational risk. Operational risk is inherent in all products, activities, processes and systems of an institution. Therefore, the effective management of operational risk should be a fundamental element of an institution’s risk management program. However, it is a difficult risk to measure and there are many possible areas of duplication.
This is why all federally regulated financial institutions will soon be expected to establish and maintain an enterprise-wide framework of operational risk management. Operational risk will become part of OSFI’s ongoing supervisory activities.
To help institutions comply with this new requirement, OSFI has developed an Operational Risk Guideline, E-21. A draft of this guideline was released on August 20 of this year for consultation, and we are currently reviewing the comments received from the industry.
The Guideline regroups aspects of operational risk that were previously addressed in various guidelines and sets out four principles for operational risk management.
Principle #1: Operational risk management is fully integrated within the institutions overall risk management program and is appropriately documented.
Understanding operational risks leads to better decision making through the observation and analysis of past operational risk events, and by studying the subsequent patterns of behaviour within the institution. This is important, because a robust framework for operational risk management provides a mechanism for discussion and effective escalation of issues leading to better risk management over time, and increased institutional resilience.
Principle #2: Operational risk management serves to support the overall corporate governance structure of the institution. As part of this, institutions will develop an operational risk appetite statement.
The risk appetite statement for operational risk should articulate the nature, types and approximate exposure levels of operational risk that the institution is willing to assume. The operational risk appetite statement should be clear, and include a measurable component, either a limit or a threshold. The purpose of requiring a measurable component is to give an indication of the level of operational risk which the institution considers acceptable. The limit should also serve to indicate the level at which operational risk events are considered necessary for escalation to Senior Management, or the Board.
Principle #3: Institutions ensure effective accountability for operational risk management. A three lines of defense approach, or appropriately robust structure, serves to separate the key practices of operational risk management and provide adequate independent overview and challenge. How this is operationalized in practice in terms of the organizational structure of an institution will depend on its business model and risk profile.
The business line – the first line of defense – has ownership of the risk because it is managing the operational risk it incurs while conducting its activities. The first line of defense is responsible for planning and controlling the day-to-day operations of a significant activity and for identifying and managing the inherent operational risks in products, activities, processes and systems for which it is accountable.
The second line of defense consists of oversight activities that independently identify, measure, monitor and report operational risk on an enterprise wide basis. They represent a collection of operational risk management activities and processes, including the design and implementation of the institution’s framework for operational risk management. The second line of defense is best placed to provide specialized reviews related to the institution’s operational risk management.
The internal audit function is the third line of defense. It should be independent of both the first and second lines of defense, and provide an independent review of the institution’s operational risk management controls and the effectiveness of the first and second line of defense functions. The third line of defense is best placed to observe and review operational risk management more generally within the context of an institutions overall risk management and corporate governance functions.
Principle #4: Institutions ensure comprehensive identification and assessment of operational risk through the use of appropriate management tools. Maintaining a suite of operational risk management tools provides a mechanism for collecting and communicating relevant operational risk information, both within the institution, and to relevant supervisory authorities.
OSFI recognizes that the institution itself has the best perspective to determine its organizational structure, processes, and the extent of its use of tools to optimally achieve a robust level of operational risk management. Further it is the institution that is ultimately responsible for the risk assumed; therefore the specific tools used to identify and assess operational risk should depend on a range of relevant factors, particularly the nature, size, complexity and risk profile of the institution.
The four principles that I have just talked about are designed to promote best practices within the industry and they are consistent with OSFI’s Supervisory Framework and Corporate Governance Guideline. The full implementation of the Operational Risk Guideline, reflecting any changes made based on comments to the draft version, will be expected no later than one year from the date that it becomes effective.
Before I conclude my remarks, I would like to mention a few environmental changes that may impact the life insurance sector in the medium to near future, and are worthy of further monitoring both on your parts, and on OSFI’s. This is the part where I get to ask the questions.
First, how will insurers deal with the continued impact of prolonged low-interest rates on investments and long-term guarantees to their policyholders? A lot of work has been done by insurers to de-risk their portfolios. Are you now going to start getting out of long-term life policies? Especially considering the uncertainty and possible volatility that International Financial Reporting Standards (IFRS) may bring into your financial statements?
Will you chose to get more involved in the longevity business to achieve a better diversification? How will you address the longevity risk associated with the payout annuity business and how will it be affected by persistent low interest rates?
Second, are traditional products still viable? If not, what new products will need to be developed in order to meet the needs of the current and future policyholders while remaining profitable to insurers?
What will be the impact of internet based distribution on traditional distribution channels? How will this change the industry in terms of product offerings and pricing?
With the ever-increasing amount of information available, policyholders are becoming more aware of the features of existing products, even the ones with complex options. How will this new policyholder knowledge and growing preference for on-line purchasing impact profitability?
Certainly there are a lot of unknowns in the Canadian life insurance business, but allow me to close by saying that Canada has many advantages.
There is excellent communication between the regulator and the institutions whether or not we agree on how to resolve an issue.
Our international activities have shown that we can act quickly compared to other jurisdictions.
OSFI is a principles-based regulator that allows all to compete. We do not apply a one-size-fits all rules-based mentality that may hinder some and favor others. The size, complexity, and inherent risk of the organization appear as a key consideration in many of our guidelines. However, some guidelines by their nature are prescriptive.
As we face these and other challenges moving forward, I fully expect that we will continue to work together, to enhance and maintain a financial system in which Canadians can place their trust.
Thank you for inviting me to be part of this year’s Life Insurance Forum.