On September 20, 2022, the Financial Services Regulatory Authority of Ontario (FSRA) released new guidance (No. AU0137INF) (Guidance) outlining sound practices and procedures for insurers’ operational risk management frameworks (ORM) in the rating and underwriting of automobile insurance policies. The Guidance is effective September 20, 2022 and applies to insurance companies underwriting automobile insurance in Ontario (auto insurers). FSRA notes that the purpose of the Guidance is to promote just, reasonable, and accurate automobile insurance rates and to support the fair treatment of consumers engaged in the underwriting process.
For context, the Guidance defines “operational risk” as the risk of loss resulting from inadequate or failed internal processes, people, systems, or external events. FSRA’s concerns about operational risk are driven by the negative consumer outcomes and breaches of applicable law that can occur if operational risk (including Model Risk Management, as defined below) is not well managed by auto insurers. As discussed further below, Model Risk Management refers to the potential that certain rating and underwriting models used by auto insurers create unfair outcomes for consumers.
The Guidance was developed through FSRA’s consultation with auto insurers and an analysis of information collected from FSRA’s review of automobile insurance rate filings. In releasing the Guidance, FSRA identified certain gaps in auto insurers’ ORM and Model Risk Management practices. Examples of such gaps include the following:
i. A lack of robust three lines of defence (discussed further below), governance, and control, which may lead to consumers being priced inaccurately for policies of auto insurance;
ii. A lack of processes to understand the impact on individual consumers from the use of models, including machine learning models, which may lead to unfair discrimination and constitute unfair or deceptive acts or practices prescribed by the Unfair or Deceptive Acts or Practices Rule (the UDAP Rule); or
iii. A lack of operational risk management process to identify, mitigate, and report underwriting or rating errors, which may lead to undetected errors and incorrect premiums charged to consumers.
This article summarizes what FSRA identified as sound practices for insurers’ ORM practices and how such ORM practices can be used to minimize the risk that auto insurers’ ratemaking, risk classification, and underwriting models are not applied in a fair and sound manner. In addition, we will discuss the implications of the Guidance for insurers underwriting automobile insurance in Ontario.
II. Foundational ORM practices
In the Guidance, FSRA observes that, for an ORM to effectively address risks in the rating and underwriting process, it should, at a minimum, include the following foundational practices:
i. Defines operational risk appetite for rating and underwriting
To ensure that operational risks are managed consistently by an entity over time, auto insurers should develop and maintain a comprehensive risk appetite statement for operational risks in the rating and underwriting of automobile insurance. The risk appetite is a statement, or series of statements, that describes the auto insurer’s attitude towards risk-taking.
FSRA notes that the operational risk appetite statement should be succinct and clear and include a measurable component (for example, limits/thresholds). The purpose of having a measurable component is to indicate the level of operational risk that is considered acceptable within the auto insurer’s business. The limits/thresholds may also indicate the level at which operational risk events, near misses, or cumulative patterns are considered necessary for escalation to senior management, the Board of Directors (the Board), or both.
In addition, FSRA notes that, when formulating a risk appetite statement, insurers may consider elements such as the following: changes in the external environment; material changes in business or activity volumes; the quality of the control environment; the effectiveness of risk management or mitigation strategies; the insurer’s operational risk event experience; and the frequency, volume, or nature of risk appetite limit/threshold breaches.
ii. Clearly defined roles, responsibilities, and accountability mechanisms
For an ORM to be effective, it is essential that all participating stakeholders and their respective responsibilities are clearly documented and defined and that adequate accountability mechanisms are established. FSRA notes that an appropriate governance structure and a “Three Lines of Defence model” (TLD Model) should be implemented to achieve these outcomes. The TLD Model is discussed in more detail below.
a. Governance structure recommendations
The Guidance states that to instill a strong, organization-wide risk management culture, senior management and the Board of the auto insurer should play an active role. In addition, issues related to ORM should be escalated to senior management and the Board when necessary.
FSRA notes that the responsibilities of the Board should include ensuring it has a sound understanding of the auto insurer’s operational risks and whether the ORM is operating as expected. Furthermore, senior management should be responsible for establishing and maintaining the policies and processes that operationalize the auto insurer’s ORM, which promotes appropriate accountability within the auto insurer’s organization.
b. Three Lines of Defence Model (TLD Model)
The TLD Model is one way an insurer can achieve appropriate accountability in managing its operational risk. Insurers should consider factors such as size, ownership structure, the complexity of operations, corporate strategy, and risk profile when determining whether their TLD Model structure is appropriately robust. The three layers (referred to by FSRA as “lines”) of the TLD Model are summarized below.
The first line of defence in the TLD Model is the “business line” (the Business Line). The Business Line comprises individuals involved in the day-to-day operations of the auto insurer. As part of the Business Line, such individuals are responsible for following the insurer’s policies and processes, including those related to reporting, risk appetite, and quality assurance.
The second line of defence (Second Line) in the TLD Model should be an independent function (such as compliance or risk management) responsible for designing and implementing the ORM framework to ensure effective oversight over those in the Business Line. FSRA notes that at a minimum, the Second Line should (i) have an understanding of the Business Line’s processes and procedures and the ability to independently trace the Business Line’s decision-making (which means the Business Line should maintain current, accurate, and complete documentation for review by the Second Line); and (ii) maintain an objective and independent review of whether the Business Line’s management of the auto insurer’s ORM is conceptually sound (and provide feedback in the event it is not).
The third line of defence in the TLD Model (the Third Line) should be administered by the insurer’s internal audit function, providing independent assurance to senior management and the Board on the effectiveness of the insurer’s ORM. The Third Line should be independent of the Business Line and the Second Line.
iii. Having data governance in place
Auto insurers should outline how their data governance practices fit into their ORM, ensuring that the data used is appropriate, accurate, complete, and timely. FSRA recommends that such data governance policies include assessments to ensure the quality of data; identification of issues and opportunities related to improving the quality of current and future data; identification of the specific limitations of insurers’ data; and designating persons to own each data source to create accountability for data quality.
iv. Maintenance of the operational risk management
FSRA identified the following as sound practices in connection with maintaining and continuously improving auto insurers’ ORMs:
a. Adequate staff training
Auto insurers should outline in their ORM the policies and processes used to ensure that staff is adequately trained on an ongoing basis. In addition, the ORM should include direction on how the auto insurer reviews the adequacy of its training programs.
b. Current, accurate, and complete documentation
The Guidance states that auto insurers should have current, accurate, and complete documentation of their entire ORM. This includes items like a risk registry, risk appetite statements, model risk management policies, model documentation, key decisions, process documentation, interactions among the TLD Model, and the use of key risk indicators. Auto insurers should also ensure they log the materialization of any operational risks or near misses and any exercises used to learn from such events, should they occur.
c. Periodic reviews
An auto insurer’s ORM should outline how it will monitor the appropriateness of all elements of its ORM policies and procedures and, if deemed necessary, how the auto insurer will adjust them.
III. Model Risk Management
The Guidance outlines certain sound practices for auto insurers’ management of models (Models) related to ratemaking, risk classification systems, and underwriting, also known as model risk management (Model Risk Management). FSRA takes the position that ORM can be leveraged to ensure that Models are developed and implemented in a manner that is sound and fair to consumers. It is important to note that FSRA acknowledges that insurers may already possess standalone risk management frameworks and that the practices noted in the Guidance should be adopted having regard to the proportionality principle, considering the materiality of the applicable Models, as well as the size and complexity of the auto insurer.
Under the Guidance, FSRA expects auto insurers’ Model Risk Management to include, at a minimum, the following: (i) clearly defined model materiality, (ii) a TLD Model applied throughout a Model’s lifecycle, (iii) details regarding the Model’s approval function, and (iv) processes to assess the fairness of the Model. Each of the foregoing is discussed in greater detail below.
i. Clearly defined model materiality
The auto insurer’s ORM should outline a process to assess and classify the materiality of its Models and also outline the corresponding governance requirements, depending on the Model’s materiality. Both quantitative and qualitative measures, when possible, should be considered.
ii. Application of the TLD Model
Based on the materiality of a Model, the TLD Model should be proportionately applied, and the corresponding documentation should be current, accurate, and complete in each step of the Model’s lifecycle, which generally includes the following stages: development, implementation, and monitoring/review.
iii. Model approval function
To ensure clarity and accountability in deciding which Model is implemented by an auto insurer, a Model approval function (a MAF) should be created for the purpose of approving new/revised Models for operational use. The MAF may be a “senior accountable person,” a standalone internal committee, or a function incorporated into an existing internal committee (the composition of the MAF will depend on the size and complexity of the auto insurer). The MAF should be presented with not only the Model intended for implementation but also details about the other Models used in the proposed Model’s development.
iv. Process to assess Model fairness
Auto insurers should have processes and tools to ensure there is no unfair discrimination in a Model used for rating and underwriting. To achieve this, FSRA notes that throughout the modelling process, (i) insurers must ensure they are not using prohibited variables, (ii) the goal of the modelling process should not be only to maximize predictive performance but to do so subject to a fairness constraint, and (iii) insurers should implement measures so they may assess and track the fairness of their Models’ outputs.
In addition, the Guidance notes that the complexity and automated nature of artificial intelligence and machine learning can increase the risk of Models being developed in an unfair manner. To mitigate this risk, the Guidance states that auto insurers should establish tools that provide them with the ability to (i) understand a Model’s mechanics, its results, and whether such results meet its developer’s objectives; and (ii) convey a Model’s results and its drivers to stakeholders not involved in its development (including to consumers, business partners, and the FSRA). The Guidance states that an auto insurer’s ability to effectively communicate a Model’s results and the factors driving such results is particularly important, as it provides consumers with clear information to make informed decisions about their automobile insurance (consistent with the FSRA’s Fair Treatment of Customers guidance).
IV. Next steps and implications for auto insurers conducting business in Ontario
It is important to note that the Guidance has been produced as part of FSRA’s broader strategy to reform the regulation of automobile insurance rates and underwriting in Ontario. In releasing the Guidance, FSRA noted that it plans to release a second phase of ORM-related guidance to provide greater auto insurer accountability for fairness in rates and underwriting while enhancing regulatory effectiveness. A date for the release of such further guidance is not yet known.
Auto insurers underwriting business in Ontario should review their internal risk management practices and policies related to rate setting and underwriting and update the same to ensure compliance with the Guidance. It is important to ensure that such practices and policies are consistent with other applicable guidance, including FSRA’s interpretation of Sections 237 and 238 of the Insurance Act (Ontario), otherwise known as the “Take-All-Comers Rule.” Auto insurers should also review their ORM policies and procedures against the deficiencies identified by FSRA from its review of Ontario auto insurers’ ORM and Model Risk Management practices (as discussed in Part I of this article) and make any necessary updates and corrections. Lastly, auto insurers should review their risk management practices and procedures against the ORM best practices and Model Risk Management guidance highlighted by FSRA in the Guidance (please refer to Parts II and III, respectively, of this article).
A member of Dentons Canada’s Insurance group would be pleased to assist with reviewing your company’s internal risk management policies and procedures in light of this Guidance.