Insurance Bulletin, January 2024
In this edition: PRA's supervision priorities for 2024; Regulators publish joint consultation paper proposing new framework for critical third parties to the UK financial system; Focus on fraud: D&O cover should be checked following new anti-fraud laws; What does it mean to condone?; Court of Appeal considers COVID-19 Aggregation – Various Eateries v Allianz; “Plane” English: Court of Appeal holds no-assignment clause does not prevent transfer of claim to insurer.
PRA’s supervision priorities for 2024
The PRA has outlined1 its supervision priorities for 2024 in respect of the insurance sector. The letter notes that since the PRA’s 2023 letter, there have been a number of innovations in the general insurance sector, including the rapid expansion of cyber risk underwriting. In this article we summarise the key priorities.
Financial markets and the economic environment
The PRA flags that firms are exposed to a subdued economic outlook and inflationary pressures and so must focus on credit risk management. The PRA intends to focus on this area and also to work with stakeholders to develop liquidity reporting requirements.
To improve its understanding of credit and liquidity risks to and from insurers in deteriorating conditions, the PRA will prepare for stress tests and run an exploratory system-wide exercise in 2024. This will explore how insurers’ behaviour might interact with the behaviours of other financial institutions in stressed financial market conditions and amplify shocks.
Business and operating environment
The PRA flags that insurers have had a year to implement the PRA’s operational resilience expectations and by no later than March 2025 should be able to demonstrate that they can remain within impact tolerances for their important business services. See Ali Mynott’s article below for more on operational resilience, and a consultation paper on critical third parties.
Another key objective for the PRA is to increase confidence that insurers can exit the market in an orderly way, and it is consulting on requirements for insurers to prepare plans for an orderly solvent exit as part of their business-as-usual activities.
The PRA is considering feedback on its consultations on the Solvency II regime, and will publish final policy statements in 2024. It will also seek to provide more clarity on matters such as the updated approach to the matching adjustment and internal model review processes.
General insurance sector
The priorities here are:
Cyber underwriting risk
The PRA will focus on ensuring firms’ capital and exposure management capabilities are commensurate to the growth in exposure and inherent volatility of the risk.
Work in 2023 found that, whilst reserves have increased, there remains material uncertainty and the potential for excessive optimism to impact reserving, pricing and reinsurance planning. The PRA will continue to monitor the impact of claims inflation via the regulatory data it collects.
In the PRA’s model drift analysis in 2023, the PRA identified a number of issues relating to: limited allowances for inflation uncertainty; optimism in expected underwriting profits and the cost and benefit of reinsurance; and limited allowance for economic and geopolitical uncertainties. The PRA will continue to monitor this issue with an emphasis on improving the effectiveness of internal model validation.
General insurance stress test
In 2025, the PRA will run the first dynamic stress test, which represents a change from previous exercises. The 2025 test will involve simulating a sequential set of adverse events over a short period of time. More details of this exercise will be provided in 2024.
Although positive steps have been taken to embed the PRA’s supervisory expectations in this area, further progress is required by all firms, particularly on scenario analysis and risk management. All firms must demonstrate how they are responding to expectations and set out the steps they are taking to address barriers to progress, and firms are expected to increase efforts now. The PRA is commencing work to update Supervisory Statement SS3/19 (Enhancing banks’ and insurers’ approaches to managing the financial risks from climate change) to include identified effective practice and developments in wider regulatory thinking.
Regulators publish joint consultation paper proposing new framework for critical third parties to the UK financial system
At the end of 2023, the PRA and the FCA published a joint consultation paper on operational resilience and critical third parties (CTPs). The paper sets out proposals for the management of risks to the stability of the UK financial system that arise where CTPs provide services to authorised persons and financial infrastructure entities (FMIs).
The consultation paper follows a joint discussion paper published in July 2022, the responses to which have been described by the regulators as being broadly supportive of the need for greater direct regulatory oversight of CTPs and demonstrated a receptiveness to the idea of minimum resilience standards for the services that CTPs provide.
Over recent years we have seen the regulators become increasingly concerned about systemic risks to the UK financial services market, including insurance, stemming from a reliance on third-party service providers (e.g., cloud service providers and data analytics services) to support the operations of authorised persons and FMIs.
Concern from the regulators is unsurprising, as there have been a number of high-profile operational failures in recent years, with large fines imposed for IT issues arising from operational risk management and governance failures.
The introduction of the Financial Services and Markets Act 2023 (FSMA 2023) granted the regulators, and the Treasury, powers allowing them to intervene to raise the resilience of the services provided by CTPs.
The proposals set out a new regulatory framework for CTPs that will include new rules for CTPs being inserted into the Bank rulebook, PRA rulebook and FCA Handbook and a supervisory statement from the regulators setting out expectations on compliance.
The new framework will consist of a set of fundamental rules and operational risk and resilience requirements.
The fundamental rules are six broad principles that CTPs will be expected to observe, including the requirement for a CTP to conduct its business with due skill, care and diligence. The six principles are not dissimilar to the FCA’s principles for business and the PRA’s fundamental rules.
The operational risk and resilience requirements are a set of eight requirements that CTPs must comply with in respect of their material services. The requirements cover governance, risk management, technology and cyber resilience, and change and incident management.
In addition to the fundamental rules and operational risk and resilience requirements, the regulators propose a range of information-gathering and testing requirements. Of note in these requirements is that the regulators will have the power to require CTPs to conduct skilled person reviews.
Designation of CTPs
CTPs will be designated as such by the Treasury under regulations made under FSMA 2023 following recommendations by the regulators. The paper sets out that the regulators will recommend CTP designations to the Treasury with reference to the statutory test for the identification of CTPs contained in FSMA 2023. At a high-level, a third party will be considered a CTP where the failure or disruption of the services it provides poses a risk to the stability of, or confidence in, the UK financial system. Reference will be given to the materiality of the services which it provides, and the number and types of firms and FMIs that it provides services to.
The potential scope of the CTP regime is yet to be seen, as the Treasury has not yet made any CTP designations, and, in the consultation paper, the regulators expect that CTPs will make up a very small percentage of third parties currently providing services to firms and FMIs.
The consultation will close on 15 March 2024. In connection with the paper, the regulators intend to publish a CTP approach document that addresses their oversight roles. The PRA and the bank are also expected to publish a further consultation paper which will contain a draft statement of policy on their disciplinary powers.
Focus on fraud: D&O cover should be checked following new anti-fraud laws in the UK
On 26 October 2023, the long-awaited Economic Crime and Corporate Transparency Act (ECCTA) received Royal Assent.
Key changes in the ECCTA include 1, a new failure to prevent fraud offence which will come into effect later this year and, 2, a new law for attributing corporate liability. It is important to consider these developments in the context of D&O insurance.
Failure to prevent fraud offence
The failure to prevent fraud offence is a new strict liability offence which covers the core fraud offences found in the Fraud Act 2006 (such as fraud by false representation, omission or abuse of position) and those in the Theft Act 1968 (false accounting and false statements by company directors). It also includes aiding, abetting, counselling or procuring the commission of a fraud offence. The offence will only apply to ‘large organisations’ where a person associated with it commits a relevant fraud offence intending to benefit (directly or indirectly) the organisation or any person or entity the associate provides services to on behalf of the organisation.
The failure to prevent fraud offence will also apply extraterritorially.
Reasonable prevention procedures
It will be a defence for the relevant organisation if it can show that it had in place reasonable prevention procedures, or if it can show it was not reasonable to expect the organisation to have prevention procedures in place.
The offence will not come into force until guidance has been published by the Ministry of Justice on what constitutes reasonable prevention procedures; this is expected soon. We recommend all businesses prepare to revisit existing anti-fraud measures in the wake of this new law. Insurers will likely seek information as to an insured’s procedures in this area when considering the risk in relation to D&O/management liability policies.
Attributing corporate liability for misconduct of senior managers
The expansion of corporate criminal liability under the ECCTA for certain economic crimes perpetrated by senior executives came into force on 26 December 2023.
This new law fundamentally lowers the bar for prosecuting authorities to secure convictions against companies for economic crimes. Under Section 196 of the ECCTA, where a senior manager acting within the actual or apparent scope of their authority commits a relevant offence, the organisation will also be found guilty of the offence.
Accordingly, the conduct of senior managers will increasingly be a focus for law enforcement and there is likely to be pressure for law enforcement agencies to use the new law after years of complaining that they don’t have it.
A ‘senior manager’ is an individual who plays a significant role in the making of decisions about how the whole or substantial part of the activities of the body corporate or partnership are to be managed or organised, or who actually manages or organises the whole or a substantial part of those activities.
Implications for D&O insurance
There is an increased risk of claims, both against individual senior managers, and against the corporate entity itself (ie claims that the failure to prevent fraud offence has been committed by the entity or that criminal liability should be attributed to it due to the commission of a specified crime by a senior manager).
In light of the new ECCTA, it will be key to check the extent of cover under D&O and/or management liability insurance policy wordings in order to determine whether cover remains appropriate. It must be considered whether all those individuals who fall within the definition “senior managers” are covered, and if the level of policy coverage available remains appropriate. Although D&O insurance will commonly exclude claims arising from fraud or dishonesty, defence or investigation costs cover may be provided until there is a final judgment or admission. Clearly, this will depend on the exact policy wording and circumstances.
It will also need to be considered how any cover provided in respect of the entity itself responds to the ECCTA. The prevention of fraud offence involves a form of strict liability, and it will need to be considered carefully how any exclusions and/or the illegality principle would apply to the question of cover in such circumstances.
What does it mean to condone?
In Discovery Land v Axis, the Court of Appeal has given some guidance as to the meaning of the word “condone” within the context of a fraud or dishonesty exclusion in a solicitors’ professional indemnity policy.
It provides an illustration of circumstances where, despite some fairly extensive dishonesty on the part of a second partner and poor behaviour generally, this will not be enough to engage the exclusion. The case also considered issues relating to aggregation under the SRA solicitors' minimum terms.
In this briefing note we discuss this decision further.
Rupert Warren & Kate Ayres
Court of Appeal considers COVID-19 Aggregation – Various Eateries v Allianz
The Court of Appeal has handed down a further judgment in the ongoing litigation concerning Covid-19 business interruption losses. The focus in this case was whether and how COVID-19 losses should be aggregated under the policy wording, and therefore whether the insured was entitled to one or more policy limits.
The policy in question aggregated losses by reference to a single "occurrence". Mr Justice Butcher found at first instance that the decision of COBR on 16 March 2020 and the imposition of restrictions on 20 March 2020 were the relevant aggregating occurrences. Both parties appealed in relation to different aspects of his decision. None of the appeals were successful.
In this briefing note we explore the decision further.
Rupert Warren & Alice Hunnings
“Plane” English: Court of Appeal holds no-assignment clause does not prevent transfer of claim to insurer
In the recent case of Dassault Aviation SA v Mitsui Sumitomo Insurance Co Ltd the English Court of Appeal had to consider the issue of whether a no-assignment clause in a sale contract for two aircraft applied when the insured’s rights had been assigned to its insurer under an insurance policy.
Overturning the first instance decision, the Court of Appeal held that the clause did not apply and that the insurer could pursue a claim under the sale contract.
Our briefing on the case is available here.