IRE CB Insurer Consumer Protection


On Aug. 29, IRE CB issued consumer protection risk assessment.


  • IRE CB issued Dear CEO letter containing findings of a Consumer Protection Risk Assessment (CPRA) of insurance firms' consumer risk management frameworks.
  • This assessed appropriateness of insurance firms' risk management frameworks, in particular how they identify, manage, and mitigate the risks posed to consumers.
  • Follows IRE CB Mar. 2017 new model for assessing consumer protection, see #31651.
  • Background
  • IRE CB expects firms to have an effective consumer-focused culture, which must be underpinned by an effective consumer protection risk management framework.
  • Have robust compliance and risk management processes in place to manage risks.
  • For this reason, in 2017 IRE CB introduced CPRA Model to establish new and more intrusive approach for supervisory assessments of regulated firms in relation to conduct and consumer protection risk management, set out expectations of firms.
  • Guide to the CPRA was published to set out IRE CB's approach to carrying out CPRAs.
  • Overview
  • Assessment found that overall, while insurers assessed were at differing levels of maturity, there was evidence that more intrusive oversight of sector and developments initiated by insurers since issue of CPRA Guide have had positive effect on industry.
  • Well-designed processes and framework improvements around identification and management of consumer risks were evident, but clear that some firms less mature in design of frameworks and the effectiveness of some was not as evident as for others.
  • While clear progress has been made, some firms have more work to do than others to reach required maturity levels to avoid/manage risks, drive culture of high standards.
  • Findings
  • The IRE CB's assessment focused on Module 1: Governance and Controls, with a specific focus on Element 5: Consumer Protection Risk Management; Element 3: Control Functions/Consumer Monitoring; and Element 6: Consumer Reporting.
  • Letter sets out risk identified for assessment, expectation, findings, good practices.
  • Consumer Protection Risk Management
  • Firm should have an approved consumer protection risk management framework and policy in place supporting it, should be part of overall risk management framework.
  • While most firms have both consumer protection framework and policy in place, some only have one or the other, some firms' risk appetite statements did call out consumer protection risk, firms' frameworks typically structured by pillars, e.g. sales.
  • However, not all firms were able to evidence the link to consumer outcomes.
  • Generally firms have set out clear roles and responsibilities in frameworks/policies, but not evident that have rolled out training on consumer risk management frameworks.
  • Not all senior management taking adequate responsibility for embedding consumer-focused cultures throughout firms, to ensure fair outcomes at heart of what firm does.
  • All firms undertake risk identification, but did not always document processes.
  • Control Functions/Consumer Monitoring
  • Control functions should support identification, monitoring and management of consumer protection risk, and influence firm's behavior to ensure fair outcomes.
  • Found that control function plans and frameworks generally well defined, aligned with each firm's strategy and took consumer protection risks into account.
  • Roles and responsibilities generally clear and documented, control functions able to demonstrate they undertake setting and approval of monitoring plans, though challenge was sometimes limited in nature, which raises concerns re effectiveness.
  • Vast majority of control functions able to demonstrate that they consider consumer interests as part of their planning process, undertake consumer-focused reviews.
  • However, some reviews lacked depth and only considered risks at high level.
  • Some concerns on effectiveness of control functions in challenging and influencing the business units, but functions able to demonstrate knowledge sharing among them.
  • Consumer Reporting
  • Firms' resources, systems, processes, controls should allow for greater use of automated management information (MI) with manual intervention for analysis etc.
  • All firms found to have a level of automation supported by manual intervention, but such intervention significantly higher in some, could lead to errors in MI used.
  • Maturity level of firm's consumer reporting varied significantly, some clearly able to show how consumer reporting led to identification of consumer protection risks.
  • Assessment found that not all firms included consumer outcomes in their reporting.
  • Consumer MI generally circulated to correct audiences, some firms remain heavily focused on quantitative rather than qualitative data, can impact how useful data is.
  • Time afforded to senior management to review MI generally considered sufficient, while escalation processes for issues are available, some could be bypassed.
  • Next Steps
  • All insurance firms are required to review and consider the expectations, findings and notable practices set out in the letter and 2017 Guide in context of their own business.
  • Should complete gap analysis, identifying gaps and weaknesses that exist in the design and/or effectiveness of their consumer protection risk management framework in respect of all elements of Module 1: Governance and Controls of the Guide.
  • And put a plan in place to mature their frameworks, plans to be presented to Board for approval and then changes must be implemented in line with the approved plan.
  • Effectiveness
  • Plan to be presented to Board by Nov. 30, 2024, changes made by Jun. 30, 2025.
  • Must provide IRE CB with name of an individual in a pre-approved controlled function (PCF) role with accountability for delivery of expectations in letter by Sep. 30, 2024.
  • Firms should consider including assessment against the Guide for Modules 2, 3, 4 and 5 as a matter of good practice, in their future audit and compliance plans.

Regulators IRE CB
Entity Types CNSM; Ins
Reference Lt, 8/29/2024
Functions Compliance; C-Suite; Exams; Legal; Market Conduct; Operations; Product Administration; Record Retention; Reporting; Risk; Training
Countries Ireland
Products Insurance; Insurance-Casualty; Insurance-Health; Insurance-Life; Insurance-Property
Regions EMEA
Rule Type Final
Rule Date 8/29/2024
Effective Date 11/30/2024
Rule Id 224165
Linked to Rule :31651
Reg. Last Update 8/29/2024
Report Section EU

Last substantive update on 08/31/2024