Solvency II, the EU directive that updates capital adequacy rules for the European insurance industry, is about to move to centre stage. We look at what IT departments of insurance companies in the UK must do.
Compliance with Solvency II will provide IT managers with many challenges, not least the sheer scale of the exercise. There is also greater complexity, with legal rules shifting from spelling out a series of provisions, to being a principles-based system.
Peter Skinner, the British MEP who nursed the package though the European Parliament, says, "Solvency II shifts the focus of supervisory authorities from merely checking compliance with a tick-the-box approach based on a set of rules to more proactively supervising the risk management of individual companies based on a set of principles."
The directive, which cleared the Brussels legislative machinery in April last year, requires IT architectures to be ready for the directive's enactment in national legislation by 31 October 2012. Non-compliance could endanger an insurance company's right to trade.
Timing for setting up the modelling software to meet of the new rules has to follow a set programme, broken down into stages. For instance, according to risk management consultancy Watson Wyatt, the UK Financial Services Authority (FSA) required that as early as March 2009, firms should have stated whether they plan to apply for internal model approval,
By June to November 2010, the start of the first model dry-run period should have started. By October 2011, the FSA should be in receipt of the first batch of dry-run submissions. Second dry runs should take place in 2011 and 2012, with the FSA review/approval process running from 2012.
Jürgen Weiss, principal research analyst at Gartner, reckons that some companies will start the main IT work in three months, but others will not get going for another nine months.
Weiss says most European insurers are still in "a discovery phase". IT managers are uncertain about budgeting their future Solvency II programmes. Some have not even requested an IT budget to cover work in 2010 on the regulations.
Almost all IT organisations that are familiar with the regulations have focused exclusively on the first of the three pillars of Solvency II. This primarily addresses the quantitative capital requirements for European insurers and the actuarial models with which these requirements are being calculated.
Gartner believes the efforts to comply with Pillar 2 requirements will be significantly higher than the efforts for the other two Solvency pillar investments because of the heterogeneous IT landscape of many insurers and the efforts to at least semi-automate data collection and normalisation. Weiss says this is worrying.
He says several level-two implementation measures on Solvency II, published in November 2009 by the EU's advisory body for the insurance industry, the Committee of European Insurance and Occupational Pensions (CEIOPS) explicitly address IT issues. Examples are advice on data quality, data governance and documentation.
Weiss says risk managers and actuaries should now be collaborating with their IT colleagues. Business and IT managers should also be aware that Solvency II requires a holistic approach to risk management, encompassing people, processes and applications.
A contrasting view on timing comes from Steve Bell, financial services advisory partner at Ernst & Young: "With regard to timescales, there are a large number of interim dates, and in my experience for most clients they are not running too late as there is time remaining to gear up programmes.
"IT will need to deliver new or enhanced risk management systems. This will be the key IT new system build. The bigger challenge will be to provide accurate data to a lower level of granularity on more regular intervals than before from source systems many of which in insurance are legacy in nature. This is the area that will be harder for insurance IT teams."
Management consultancy Deloitte and Touche is helping insurance companies to specify their IT needs to enable them to purchase compliance software. It says an official EU guideline, IP 58, gives a steer on the pre-application process, offering "advice on supervisory reporting and disclosure deals with the requirements for insurance companies to report to both the regulators and the public".
Companies lining up to supply insurance companies with the software they need include: IBM, SAS, SAP, Oracle, Sungard, Fermat, EMB, Algorithmics, Towers Perrin, plus a fragmented array of specialist application providers.
IBM says the revision of its insurance industry framework - which it describes as a blueprint to address all three pillars of Solvency II - is complete and already being used by more than 150 insurers.
Isabella Hess, senior managing consultant at IBM Global Business Services, says IT departments should be thinking about adopting an enterprise-wide information architecture as, for most large groups, the concepts and strategic direction are "more or less ready".
Hess says there is little real choice as the regulator and analysts are unlikely to look favourably on any big player adopting a more simplistic, standard model-based risk management framework.
One fundamental issue is the quality, availability and traceability of data. For example, the data "granularity" defined by data models is usually hardwired into policy systems and can be difficult and expensive to change. (Granularity is the level of detail of "attributes, "fields, and data types that can be provided).
Similarly, insurers may need to collect more comprehensive information about the quality and risk-sensitivity of their investments portfolios than was required previously, and do so more frequently and faster.
Solvency II software will eventually better reflect an insurance company's exposure to risk. This will enable a company to plan its business development, liquidity management and risk appetite to get the best payback on its capital reserves. In other words, IT managers will be buying a system that will enable firms to make better use of their capital.
Hess refers warmly to phase two of the International Accounting Standard Board's forthcoming IFRS 4 on insurance contracts, for which an exposure draft is due in the second quarter of 2010. In planning Solvency II architecture, she advocates the use of other industry standards. These include Acord, the emerging international standard for information exchange, and service-oriented architecture for data exchange.
How much will it cost?
Hess says large insurance firms could be facing bills for around €100m each as a result of Solvency II. However, many have partially completed work on data and processes, leaving only "heavy lift work in intellectual modelling and embedding their enterprise risk models" to be done.
Hess estimates that second-tier insurers will need to invest between €30m and €40m over three years. Smaller companies could expect to pay €1m to - €1.5m each.
According to the CEA, the European insurance and reinsurance federation, the total number of insurance companies operating in the EU is 5,200. This figure could be increased if one takes in associated economic zones, such as the European Economic Community.
More accurate ideas on cost are likely to come from the publication of the next Quantitative Impact Studies (QIS) on Solvency II, expected in August 2010. The fifth in a series of reports, the study aims to assess the likely impact on insurance markets and products, social and economic impacts and the likely impact on insurers' balance sheets and business behaviour of the potential policy options being considered by the EC.
Insurance companies are reminded that in 2012 it will not be enough just to say that you have purchased a Solvency II compliance software package. A Brussels mandarin close to the directive emphasises that this will not satisfy the regulators. "In the UK, the FSA will never give blind approval to the software itself, but will check on functionality," he says.