- New York’s Proposed ERM and ORSA Requirements: A Uniform Approach?
- February 3, 2014
- Law Firm: Drinker Biddle Reath LLP - Philadelphia Office
New York’s recently proposed regulation on enterprise risk management (ERM) and own risk and solvency assessment (ORSA) incorporates many of the concepts adopted by the National Association of Insurance Commissioners (NAIC) and, so far, uniformly adopted by a number of states. However, there are some significant variances in the New York proposal that require consideration by New York domestic insurers, holding companies and foreign licensed insurers, including:
- All New York licensed insurers would be required to adopt a formal ERM function to identify, assess, monitor and manage “enterprise risk” (including areas that overlap with the ORSA requirements, with the latter ostensibly applying only to New York domestic insurers). This requirement potentially could take immediate effect upon formal adoption of the proposed regulation.
- The requirement to file an enterprise risk report applies not only to insurers subject to New York’s holding company law but also to all New York domestic insurers of a certain size, as well as insurers that control one or more subsidiaries.
- The requirements to annually conduct an ORSA and file an ORSA Summary Report would be implemented by regulation rather than by statute, as contemplated by the NAIC ORSA Model Act.
- New York’s ORSA proposal does not include the NAIC ORSA Model Act’s provisions on confidentiality.
- New York has not incorporated the “lead state” procedures contemplated by the NAIC for either the enterprise risk report filing or the review of the ORSA Summary Report and related requests for information.
Below is a more detailed summary of the proposed regulation. A 45-day public comment period will begin on January 22, 2014, and conclude on March 8, 2014.
Proposed 11 NYCRR 82 (Insurance Regulation 203): Enterprise Risk Management and Own Risk and Solvency Assessment
On January 7, 2014, the New York Department of Financial Services (the Department) issued a proposed rulemaking (Regulation 203) on insurance company ERM and ORSA requirements. If adopted, the proposal would implement amendments made to the New York Insurance Law (NYIL) during 2013 that enhanced the Department’s supervision authority over insurers, their affiliates, and risks affecting affiliate groups as a whole.
Regulation 203 is generally consistent with similar group solvency measures that have been adopted by the NAIC and a number of other states through amendments to the Insurance Holding Company Act and Regulation and the ORSA Model Act as a response to the financial crisis of 2008. New York’s ERM and ORSA proposals are summarized below. We have highlighted the significant variations from the NAIC and uniform state approach.
Enterprise Risk Management
Although most states adopted the enterprise risk report requirement (known as the “Form F”) as part of the amendments to their Insurance Holding Company Acts and Regulations, the Department previously announced its decision to promulgate a separate regulation to implement the enterprise risk report because the Department believes that the requirement to file an enterprise risk report should apply not only to insurers subject to the Insurance Holding Company Act (Article 15 of the NYIL), but also to insurers subject to Articles 16 and 17 of the NYIL (New York domestic property/casualty insurers that control one or more subsidiaries and New York domestic life insurers that control one or more subsidiaries).
New York’s proposed ERM requirement follows the Department’s December 19, 2011, Circular Letter. That Circular Letter is addressed to “all domestic insurers” but otherwise could be read to apply more broadly to any New York licensed insurer. In the Circular Letter the Department expressed its “expectation” that every insurer adopt a formal ERM function. Thus, Regulation 203 would be a codification of the Department’s stated existing practice. The proposed regulation would formally adopt this practice for a broad range of insurers/groups and require the annual filing of an enterprise risk report by New York domestic insurers and certain controlled groups.
Formal ERM Function
Regulation 203 would require each of the following persons to adopt a formal ERM function that identifies, assesses, monitors and manages “enterprise risk”:
- A holding company that controls a New York-authorized insurer (Article 15 of the NYIL);
- A New York-domiciled insurer that controls one or more subsidiaries (Articles 16 and 17 of the NYIL); and
- “An insurer authorized to do an insurance business” in New York that is not a member of an affiliate group.
Regulation 203’s definition of “enterprise risk” tracks the definition set forth in the 2013 amendments to the NYIL and is similar, but not identical, to the definition set forth in the NAIC Model Insurance Holding Company Act.
The ERM function must, inter alia:
- Be headed by an appropriately experienced individual “with the requisite authority and who has access to the board of directors and senior management”;
- Include a written risk policy adopted by the board that delineates “risk/reward framework, risk tolerance levels, and risk limits”;
- Have a process of risk identification and measurement, supported by documentation that sets forth detailed descriptions and explanations of risks identified, measurement approaches used, key assumptions made, and outcomes of “plausible” adverse scenarios that were run;
- Utilize prospective solvency assessments, including scenario analysis and stress testing;
- Incorporate risk tolerance levels and limits in the policies and procedures, business strategy, and day-to-day strategic decision-making processes;
- Consider a risk and capital management process to monitor the level of financial resources relative to economic capital and regulatory capital requirements;
- Address all reasonably foreseeable and relevant material risks, such as underwriting, credit, market, operation, reputational and any other significant risks;
- Assess the “relationship between risk management and the level and quality of financial resources”; and
- Identify, quantify and manage any risks arising from affiliate transactions.
There is no proposed effective date associated with this proposal. Therefore, it is possible that the requirement to adopt a formal ERM function could take immediate effect upon the Department’s formal adoption of the regulation.
Enterprise Risk Report
Unlike the requirement to adopt a formal ERM function, New York’s proposed requirement regarding the filing of an enterprise risk report does not apply to foreign licensed insurers. However, the scope of the filing requirement in New York, as proposed, is broader than the scope of the NAIC provision. The NAIC filing provision applies to the ultimate controlling person of an insurer in a holding company system.
The New York proposal would require the following persons to file an enterprise risk report:
- A holding company that controls a New York-authorized insurer (Article 15 of the NYIL);
- A New York-domiciled insurer that controls one or more subsidiaries (Articles 16 and 17 of the NYIL); and
- A “domestic insurer that is not a member of a holding company system, an article 16 system, or an article 17 system, and has annual direct written premium and unaffiliated assumed premium, including international direct and assumed premium, ... [of] $500 million” (excluding premiums reinsured with the Federal crop program and flood program).
The Department’s Regulatory Impact Statement for Regulation 203 states: “The Department considered requiring all insurers to file an enterprise risk report.... However, because the Superintendent could always request a report, small domestic insurers and all foreign insurers... are exempted from mandatory filing.”
The items to be addressed in the New York enterprise risk report are consistent with the items required by the NAIC’s “Form F” and include any material developments regarding strategy, internal audit findings, compliance or other management; changes in shareholders; developments in any investigations, regulator activities or litigation that could have a significant impact; and other material activity or developments.
Also consistent with the NAIC Model Insurance Holding Company Act, the New York proposal provides that an insurer subject to the filing may attach its most recent SEC filing (or, in the case of a non-U.S. insurer, its most recent public audited financial statement) as long as specific references are included to the required topics for which the SEC filing or financial statement provides responsive information.
The ERM report would need to be filed with the Department by April 30 of each year. Presumably, this requirement would begin in 2015, given that comments on the proposal will be accepted through March 8, 2014, although the proposal does not expressly address such timing.
Own Risk and Solvency Assessment
Consistent with the NAIC’s ORSA Model Act, Regulation 203 would require New York domestic insurers to conduct an ORSA at least annually and when there are “significant changes” to the insurer’s risk profile. The insurer’s obligation to conduct an ORSA would be satisfied if its affiliate group conducts such an ORSA. An ORSA is defined in a manner similar to the definition set forth in the NAIC’s Model ORSA Act.
Each covered insurer would be required to submit a “high-level” summary of its ORSA (or, where such insurer’s affiliate group files an ORSA report in another jurisdiction, a copy of such report) to the Department by December 1 of each year, starting in 2015, and to “maintain and make available documentation and supporting information upon examination or upon the Superintendent’s request.” This specific filing date deviates from the NAIC’s Model ORSA Act, which allows for various filing dates among companies in recognition of the fact that the timing of internal strategic planning and other activities that may affect an ORSA will vary by company. Instead, the NAIC Model Act requires an insurer to submit an ORSA Summary Report to the Commissioner upon his or her request, and no more than once each year. A rigid December 1 filing date for the ORSA Summary Report in New York could raise complications if the insurer/group has filed the report with its lead state on an earlier date.
Each ORSA must be conducted in accordance with, and each summary report must contain all of the information required by, the NAIC’s ORSA Guidance Manual. The New York proposal defines the Guidance Manual as the current (2013) version. In contrast, the NAIC Model defines the Guidance Manual as the current version and as amended by the NAIC from time to time. Thus, a state that adopts the NAIC Model language would automatically adopt any changes to the Guidance Manual in the future. As proposed, the Guidance Manual to be used to satisfy the New York ORSA requirement in the future may differ from the NAIC Guidance Manual that is being used in states that have adopted the NAIC Model language. It is unclear whether the Department omitted this language intentionally so that it would have the ability to use a different Guidance Manual than the NAIC in the future, but that is one interpretation.
Consistent with the NAIC’s ORSA Model Act, under Regulation 203, an insurer would be exempt from the ORSA requirements where: (a) it has annual premiums of less than $500 million; and (b) its affiliated group, if any, has annual premium of less than $1 billion. (Where an insurer falls below the $500 million threshold, but its group has premiums of $1 billion or more, the ORSA summary report must include every insurer within the group. Conversely, where the insurer has premium of $500 million or more, but its group is below $1 billion, the ORSA summary report need include only the domestic insurer. In addition, any insurer that would otherwise be covered by the proposed ORSA requirements may apply for a waiver.)
The Regulatory Impact Statement indicates that the Department considered imposing the ORSA and ORSA report requirements on all domestic insurers regardless of size, but “decided not to deviate from the model ORSA Act in this respect.”
Similar to the NAIC’s ORSA Model Act, a domestic insurer may be required by the Department to conduct an ORSA and file an ORSA summary report, despite falling within the thresholds for an exemption:
- Based upon unique circumstances, including the type and volume of business written, ownership and organizational structure, federal agency requests, and international supervisor requests;
- If such insurer’s risk-based capital triggers a company action level event;
- If the further transaction of business would be hazardous to policyholders, creditors or the public; or
- If requiring such measures would be in the best interests of the people of New York State.
The New York proposal does not include the NAIC Model Act’s provisions regarding confidentiality, which were the subject of much discussion and debate during the NAIC drafting process. Confidentiality would instead be governed by existing New York protections.
Like the NAIC Model Act, Regulation 203 provides for a one-year transition period for any insurer that is currently exempt from the ORSA requirement but becomes subject to it in the future due to changes in its premium volume.