1. Background and Rationale
This year, one of the main goals of the Office of the Insurance Commission (OIC) is to launch a number of compliance-related regulations to meet the standards of the Insurance Core Principles (ICPs), a globally accepted framework for the promotion of policyholders' protection and the financial stability of the insurance sector.1 With regard to insurance fraud risks, the OIC believes that such risks are operational risks that could affect income, capital fund and capital maintenance of insurance companies, as well as the reputation of and the public confidence in the insurance industry.
Therefore, recently, the OIC arranged for a public hearing on the OIC's Notifications re: Rules, Procedures, and Conditions for the Minimum Standard Requirements for Management of Risks Related to Insurance Fraud for Life and Non-Life Insurance Companies (Draft Notifications). The aim of the Draft Notifications is to ensure that insurance companies, under the guidance of the OIC, can effectively manage both internal and external insurance fraud risks, which include the prevention, identification, reporting, and remedying of such risks.
The Draft Notifications impose the following requirements on both life and non-life insurers.
2. Key Definitions
"Fraud" means an act or omission, which is deceptive or is conducted in bad faith for the purpose of acquiring unlawful benefits, regardless of whether the person benefiting from such act or omission is the person committing such act or omission.
"Internal Fraud" means fraud towards the company, the insured, the beneficiary, or the person entitled to claim the benefits of an insurance policy, or the injured person, which is committed by a director, manager, or employee, whether acting alone or jointly with others from within or outside of the organization.
"External Fraud" means fraud towards the company, the insured, the beneficiary, or the person entitled to claim the benefits of an insurance policy, or the injured person, which is committed by a policyholder, a beneficiary, a person entitled to claim the benefits of an insurance policy, an agent, a licensed broker, an assignee, or any other person who is not the director, manager, or employee of the company.
3. Key Requirements
3.1 The board of directors must ensure that the company complies with the requirements contained in the Draft Notifications.
3.2 The company must:
- prepare a written policy for insurance fraud risk management, to be approved by the company's board of directors. The policy must be communicated to all the company's departments, who must strictly apply the policy. It is a legal requirement that the policy be reviewed at least once a year, or upon every incident which may affect the company's financial stability.
- prepare a code of ethics for employees, and promote a culture with an emphasis on ethics and honesty. Employee training on insurance fraud risks must be arranged by the company.
- specify events and sources of internal and external insurance fraud risks, which include any of its operations that might affect the company's income, capital fund, reputation, or existence.
- prescribe the procedures for insurance fraud risk assessment, and implement them.
- manage its insurance fraud risks, by performing at least the following:
  - set a standard for qualifications and suitability of directors, managers, and employees, and periodically perform such assessments;
  - set a policy for accepting customers or categorizing customers, as well as carry out Customer Due Diligence (CDD) based on types of insurance;
  - set procedures and guidelines for managing compensation claims, in order to reduce fraud in this respect;
  - set a guideline for assessing the qualifications and suitability of insurance agents and brokers, which includes background checks;
  - monitor the operations of insurance agents and brokers; and
  - prepare a policy for outsourcing third-party services, in order to control risks relating to third-party service providers.
- prepare a policy for reporting fraud, which must include the protection of the whistle-blower and the complainant, and must treat any information received as confidential.
- appoint an independent person to perform an investigation on any suspicious event, to deal with and remedy any damage. The company must report the investigation findings to the OIC at least once every quarter.
- prepare a database for internal and external fraud for monitoring fraud, and enhancing its efficiency in insurance fraud risk management.
- revisit its policy at least once a year to ensure compliance with the Draft Notifications.
- prepare a report summarizing its implementation of insurance fraud risk policies and procedures, which have been approved by the risk management committee, and submit such report to its board of directors for consideration, at least once a year.
Failure to comply with the requirements could result in insurers being prosecuted and penalized under the insurance acts. However, it should be noted that compliance with these new requirements will not release insurers from certain obligations under the insurance acts, i.e. joint liability with insurance agents. These Draft Notifications are merely additional requirements that insurers must abide by.
The Draft Notifications are currently undergoing the OIC's internal consideration process. If the OIC approves the Notifications, they will come into force 180 days after the date of publication in the Royal Gazette. Insurers should ensure they are well prepared to comply with the above-mentioned requirements.
We will continue to monitor progress and will keep you informed of any further developments.
1 Report on Insurance Core Principles (updated November 2017) by the International Association of Insurance Supervisors, page 5