Insurance Broker e-Briefing – keeping you up to date
Welcome to our regular Insurance Broker e-Briefing which will keep you up to date with developments in regulation, law and practice relevant to your business. We advise insurance intermediaries on all manner of issues and have a long track record of helping businesses flourish in an ever-changing regulatory and business environment.
The following E-briefing covers:
The new Senior Managers and Certification Regime (SM&CR) has applied to insurers from 7 March 2016 and will be extended to insurance brokers in the first half of 2018.
The FCA has provided feedback on how well, or not so well, firms such as banks, building societies and insurers have implemented aspects of the new Senior Managers and Certification Regime (SM&CR) to date. This feedback provides an opportunity to alert insurance brokers, who are not yet part of the regime, to what lies in store for them.
The new regime introduces requirements for firms and their senior managers, particularly relating to statements of responsibilities and responsibility maps covering the roles of the most senior individuals within the firm and the governance arrangements it has in place, all of which will need to be submitted to the FCA as part of an expected grandfathering approach. Whilst it is anticipated that the FCA will set out a revised, proportionate approach for many of the firms impacted, such as intermediaries and brokers, this is not due to be published until the start of the new year. Firms will need to start considering an assessment of how the regime will impact them, so lessons learnt from how the regime has been implemented to date are useful.
There are some common themes running through the FCA feedback and, whilst there are nuances depending on the type of organisation, there is a degree of consistency in the “problem” areas. The FCA has noted that, in some firms, there has been a failure to allocate functions or responsibilities to sufficiently senior individuals, particularly, it seems, in relation to the roles covering financial crime. In addition the FCA has also found: unclear allocation, or even no allocation, of business functions and activities; insufficient detail about individuals' actual responsibilities; or statements of responsibility that are not clear enough or do not reflect the governance arrangements referred to in the responsibilities map. These are all issues which will frustrate the FCA's ability to supervise those firms going forward.
An issue that received attention prior to implementation of the regime was the sharing of responsibilities: the regulator did not necessarily favour sharing or, at the very least, required the sharing to be set out clearly and unequivocally. The FCA has again referenced this point in its feedback statements and has challenged firms where the sharing is opaque, or on how they can demonstrate that the sharing of the responsibility works in practice.
We are anticipating the regulators gearing up their supervisory techniques over the coming months, so we should be able to glean more information about expectations for firms as they plan how to implement the regime. We have shown below in an infographic the various elements of starting a project and tailoring it to a firm's specific circumstances, which hopefully assists firms with their initial planning activities. One key learning we have seen is that the earlier the planning starts the better, given the impact the regime has on all staff and the need to ensure that people are aware of what the regime means to them, particularly as new conduct rules are likely to come into force for all individuals.
The processing of personal information by brokers is integral to the proper functioning of the insurance industry. A new data protection Regulation (Regulation (EU) 2016/679 known as “GDPR”) will apply across the EU from 25 May 2018. This will be less than 2 years from when Article 50 is triggered, meaning the UK will still be part of the EU when GDPR applies. Once Brexit is complete, the likelihood is that the UK will not take a step back to the current Data Protection Act 1998 regime and that the core protections in the GDPR will persist. Otherwise, the UK will be unlikely to provide “adequate protection” for personal data and data flows from the EU to the UK will be impacted.
The GDPR will alter a number of the existing requirements and it will create several entirely new obligations. Here is a flavour of some of the key changes. Watch out for further briefings once the ICO’s guidance on implementation becomes available later this year/next year.
The GDPR creates obligations on brokers when they act as ‘data processors’ or ‘data controllers’. Whether a broker is acting as a data processor or data controller when using and processing personal data about insured persons and associated individuals (known as “data subjects”) will be a question of fact under the GDPR regime, just as it is under the current DPA regime. The likelihood is that a broker will act as a data controller in its own right for the majority of its use of personal data (in particular, where it determines the manner and purpose of that use). The broker may also be a data processor when it uses personal data on behalf of the ultimate provider of the insurance product. The broker may itself appoint and work with third parties, such as underwriters, who will themselves be data controllers and/or data processors. All this is relevant to the broker’s risk profile under the GDPR.
• Direct obligations on data processors: For the first time, data processors will have certain direct obligations under data protection law. They will be directly responsible under the GDPR for ensuring the security of the personal data when they process it. They must also notify the relevant data controller of security breaches without undue delay after becoming aware of them. They are prohibited from appointing other processors except with the specific or general authorisation of the data controller.
• Mandatory security breach reporting to the Information Commissioner’s Office: Currently, the ICO indicates in its guidance when it expects to be told of incidents involving personal data. Under the GDPR, the data controller must notify the ICO of a security breach within 72 hours of becoming aware of it (except where the breach is unlikely to result in risk to the rights of data subjects – additional guidance from the ICO on this topic is awaited).
• Significantly increased fines against data controllers: Currently the ICO can fine up to a maximum of GBP 500,000. Under the GDPR fines will be up to EUR 20 million or 4% of total worldwide annual turnover in the preceding financial year, whichever is higher, where data subjects’ rights under the GDPR or the rules about lawfulness of processing or data transfers to certain other countries are infringed. Fines will be up to EUR 10 million or 2% of total turnover (as above) for breaches of the GDPR’s security obligation.
• Governance, including Privacy Impact Assessments (“PIAs”) and Data Protection Officers (“DPOs”):
o The data controller must conduct a PIA before undertaking higher-risk processing, for instance profiling (which is of particular relevance to the sector), automated processing and large-scale processing of sensitive personal data. DPOs must be appointed where an organisation conducts systematic monitoring of data subjects or where its core activities consist of large-scale processing of sensitive personal data.
o There are further record keeping burdens more generally, such as creating and maintaining a data record of processing of personal data, for both controller and processor roles.
• Additional rights against data controllers: A new “right to erasure” will mean the data subject can insist on the erasure of his personal data without undue delay in certain circumstances, such as where the data subject withdraws his consent to the processing and where no alternative legal ground justifies continued processing. There is a new “right to data portability” whereby the data subject can call for a copy of his personal data from the data controller in order to transmit it to another data controller without hindrance. This right applies in particular circumstances, including where the processing is based on a consent and is carried out by automated means.
• Fair processing notices: Data controllers must include additional information in their notices to relevant individuals. For instance, data protection notices issued by brokers to applicants and insured customers will need to contain additional information: where the justification for use of the personal data is “legitimate interests”, this must be made clear and the legitimate interest explained; and where personal data is not obtained directly from the data subject, the categories of data collected must be identified.
• Consents: In practice the GDPR will make it much more difficult to rely on consent as a valid lawful reason to justify the processing. Brokers will, as with all other players in the insurance industry, be looking to rely on alternative justifications as a reason to use personal data.
In this article we take a look at some recent developments in relation to the law on fraud, the f-word most likely to offend insurers whenever it is uttered. The Association of British Insurers estimates that fraudulent claims add £50 to the annual cost of each policyholder’s insurance bill and the market is constantly looking at new ways to combat fraud – in fact the use of Blockchain and data analytics in fraud detection are currently being considered at the Post magazine Insurance Fraud Summit.
Of course the law has at least an equally important part to play, as has been thrown into focus by the new Insurance Act and two recent Supreme Court decisions on the subject. The Act makes it clear that if a fraudulent claim is made:
• the insurer does not need to pay any sums in respect of the claim, including any non-fraudulent parts;
• the insurer may recover any sums already paid; and
• the insurer may terminate the policy from the time of the fraudulent act, provided it gives notice.
The Act does not explicitly cover a deliberately or recklessly untrue statement made in support of a genuine claim i.e. a so-called “fraudulent device” or “collateral lie”, for example a lie told to hasten payment of a genuine claim or a receipt fabricated in support of a genuine claim. However, the Supreme Court has now provided clarity in Versloot Dredging BV v HDI Gerling Industrie Versicherung AG. Reversing the decision of the Court of Appeal it decided that a collateral lie does not defeat a genuine claim. The Court emphasised that any dishonestly exaggerated claim remains subject to the ordinary rules, but that extending those rules to collateral lies would be “disproportionately harsh” on the insured.
Whilst Versloot may be viewed as a softening of the Court’s approach to claims which are tainted by fraud in some way, the overarching message to insureds should remain that they should expect to be penalised if they bring fraudulent claims. Further, the distinction between a collateral lie and a dishonestly exaggerated claim is often blurred, and if the lie is suspicious it will almost certainly cast doubt on the claim as a whole and delay the claims-handling process as a result.
Brokers negotiating policies need to be alive to circumstances where insurers may seek to contract on terms more favourable to them than those provided for under the common law following the Supreme Court’s decision. Where, for example, the policy provides that the insurer’s remedy in relation to collateral lies is the same as its remedy in relation to fraudulent claims, brokers should consider negotiating amendments to the policy.
In Hayward (Respondent) v Zurich Insurance Company plc (Appellant) the Supreme Court considered the different question of the extent to which fraud can unravel a settlement, a question which is of wider relevance beyond the insurance community. Zurich had settled a claim which, at the time, it suspected was fraudulent but did not consider itself able to prove. It subsequently acquired more definitive evidence and then sought to have the settlement agreement set aside based on fraudulent misrepresentation. The Supreme Court, again reversing the Court of Appeal’s judgment, ruled that the settlement agreement should be set aside. It was not relevant that Zurich did not believe the claimant’s misrepresentations at the time, although the misrepresentations must have been at least one cause which induced it to enter into the agreement.
In our view these are welcome and sensible clarifications of the law which should assist the fight on fraud.
Although general insurance brokers are not subject to the FCA’s Anti-Money Laundering Rules and the Money Laundering Regulations, they still need systems and controls to prevent financial crime. Brokers are also subject to the Bribery Act 2010, Proceeds of Crime Act 2002 and the Terrorism Act 2000. Without having effective controls, brokers are at risk of committing criminal offences under these Acts.
Bribery Act 2010 (“BA”)
There are four categories of offence under the BA:
• offering, promising or giving a bribe to another person;
• requesting, agreeing to receive or accepting a bribe from another person;
• bribing a foreign public official; or
• failing to prevent bribery (the “Corporate Offence”).
The first three offences carry up to 10 years imprisonment and/or an unlimited fine and all offences apply equally to individuals and companies.
Brokers should be conscious of the following in respect of bribery:
• Commission: If a broker improperly performs his duties by placing business with an insurer with whom he has agreed some form of commission arrangement instead of other more suitable insurers, this may be considered a bribe under the BA.
• Corporate hospitality: Brokers may be in breach of the BA if any form of gift or hospitality which may inappropriately influence a decision maker is provided. Factors relevant to whether such a gift or hospitality is considered inappropriate include the level of hospitality offered, the way in which it was provided, the number of times hospitality has been provided and the timing of the gift.
Proceeds of Crime Act 2002 (“POCA”)
Insurance brokers are subject to Part 7 of POCA which provides for various money laundering offences. A broker commits an offence if it:
• conceals, disguises, converts or transfers criminal property or removes it from England and Wales, Scotland or Northern Ireland (s.327);
• enters into or becomes concerned in an arrangement which it knows or suspects facilitates the acquisition, retention, use or control of criminal property (s.328); or
• acquires, uses or has possession of criminal property (s.329).
The provisions of POCA will apply to insurance transactions where there has been some form of criminal conduct, whether that conduct relates to tax evasion or to unauthorised insurance business, for example. There are a number of defences available to brokers, but the most common one available will be the making of a Serious Activity Report (“SAR”) to the National Crime Agency (“NCA”).
Part 7 of POCA requires financial institutions and businesses in a regulated sector to report to the UK Financial Intelligence Unit, which is part of the NCA, any suspicions about criminal property or money laundering (s.330). This is done via reporting to a nominated officer within the business. The nominated officer must then consider whether a report to the NCA is necessary based on all the information at their disposal and, if so, make a SAR to the NCA as soon as is practicable.
It is important that, once a SAR is submitted, brokers remember their obligations not to make any disclosures which might constitute an offence of ‘tipping off’ (s.333A).
A person guilty of an offence under POCA is liable to imprisonment for a term not exceeding 14 years or a fine or both, depending on the section of the Act breached.
Terrorism Act 2000 (“TA”)
The TA applies to dealing with funds used to finance or otherwise support terrorism. The primary terrorist finance offences are set out in sections 15-18 and are similar (but not identical) to the POCA primary offences.
The main terrorist finance offences are punishable by fines and up to 14 years’ imprisonment.
A risk-based approach to anti-money laundering (“AML”)
A risk-based approach must be adopted to avoid committing money laundering offences. Brokers should focus AML resources where the risks will have the biggest potential impact, in a proportionate way, taking into account such factors as their nature, size and complexity.
Senior management should actively engage in a firm’s approach to addressing financial crime risk. The level of seniority and degree of engagement that is appropriate will differ based on a variety of factors, including the management structure of the firm and the seriousness of the risk.
Ongoing monitoring of transactions should be in place to spot potential money laundering. While it is expected that a global broker that carries out a large number of client transactions would need to include automated systems in its processes if it is to monitor effectively, a small firm with low transaction volumes could do so manually.
Businesses applying a risk-based approach should be proactive in seeking out information about money-laundering trends and threats from external sources. Issues to consider include:
• What risk is posed by clients?
• What risk is posed by a client’s behaviour?
• How does the way the client comes to the firm affect the risk?
Customer Due Diligence (“CDD”) and Ongoing Monitoring
Whilst there are no prescribed rules for brokers to adhere to in relation to CDD, both the JMLSG guidance and FCA Guidance provide helpful pointers.
Effective CDD should include:
• identifying the client and verifying their identity on the basis of documents, data or information;
• identifying any beneficial owner and taking adequate measures, on a risk sensitive basis, to verify the identity of any beneficial owner; and
• obtaining information with regard to the purpose of a business relationship.
Some practical questions to consider (on a risk sensitive basis) might include:
• Has the full name and current residential address or date of birth been obtained and verified? For example, in relation to the client's name, is there a passport, photo card driving licence or national ID card on file?
• In relation to the client's address, is there a current council tax demand letter or statement, current bank statement, credit/debit card statement or utility bill on file?
• Has the client’s name (and beneficiary of any payment) been screened against sanctions and politically exposed persons lists?
For corporate clients, consider (again, on a risk sensitive basis):
• Has the existence of the client company been verified? This should include the company's full name, registered number, registered office in country of incorporation and business address. The verification of existence should be from either confirmation of the company's listing on a regulated market, or a search of the relevant company registry, or a copy of the company's Certificate of Incorporation.
• If the company is private or unlisted, have the following been provided: names of all directors (or equivalent); names of individuals who own or control over 25% of its shares or voting rights; and names of any individuals who otherwise exercise control over the management of the company?
• Is there evidence to confirm that the company is not in the process of being dissolved, struck off or wound up?
• Has the identity of one or more directors been verified?
• Has the source of funds been identified? For example, if a client is proposing to make a purchase, did the funds come through a bank account belonging to the client or from an external source?
• Has the beneficial owner (where applicable) been identified and have adequate measures been taken to verify their identity when deemed necessary?
• Has the source of wealth of a beneficial owner been established?
• Is there evidence of any intelligence checks having been carried out (e.g. Factiva, Google, World-Check)? If any adverse information has been obtained, is there evidence to show how it has been dismissed or escalated?
• Using the information on file, is there evidence of due diligence/identification of politically exposed persons (PEP) associates?
• Firms should take appropriate steps to be reasonably satisfied that the person the broker is dealing with is properly authorised by the client.
• Some consideration should be given as to whether documents relied upon are forged. In addition, if they are in a foreign language, appropriate steps should be taken to be reasonably satisfied that the documents in fact provide evidence of the client’s identity.
The file should be reviewed on an ongoing basis and scrutiny of transactions undertaken throughout the course of the client's relationship. It is prudent for brokers to have an investigation and approval process where unusual transactions are identified.
Enhanced Due Diligence (“EDD”)
Brokers should conduct EDD and enhanced ongoing monitoring in higher-risk situations. Situations that present a higher money-laundering risk might include, but are not restricted to:
• clients linked to higher-risk countries (countries defined as high risk by the Financial Action Task Force (“FATF”) include Iraq and Syria and others) or higher-risk business sectors such as extractive industries, government procurement and defence;
• clients who have unnecessarily complex or opaque beneficial ownership structures; and
• transactions that are unusual, lack an obvious economic or lawful purpose, are complex or large or might lend themselves to anonymity.
EDD measures should also be applied:
• where the client is not present; and
• for PEPs.
What does EDD entail?
The broker must be able to demonstrate that the extent of the EDD measures it applies is proportionate to the money-laundering and terrorist financing risks. Examples of EDD include the imposition of additional items from the list above, as appropriate to the risk in question.
EDD should give the broker a greater understanding of the client and their associated risk and the purposes of the business relationship. In this regard, brokers, and specifically their compliance officer should consider:
• Which parts of the business present greater risks of money laundering? What are the risks associated with different types of client or beneficial owner, product, business line, geographical location and delivery channel, for example, internet, telephone, branches?
• The extent to which these risks are likely to be an issue. How does the risk assessment inform the broker’s day-to-day operations? For example, does it inform the level of CDD brokers apply to decisions about accepting or maintaining relationships?
Examples of Good Practice
• identify and use good sources of information on money-laundering risks, such as FATF mutual evaluations and typology reports, NCA alerts, press reports, court judgements, reports by non-governmental organisations and commercial due diligence providers;
• have appropriate reporting structures in place (for example, a person within the firm to whom staff would report any suspicious activity) to deal with, and escalate if required, the matter effectively; and
• consider whether CDD procedures are applied in a risk-sensitive way, examples include:
o Is there an understanding as to the rationale for beneficial owners using complex corporate structures?
o Are procedures sufficiently flexible to cope with clients who cannot provide more common forms of identification?
o Do key AML staff have a good understanding of, and easy access to, information about high-risk clients?
o Are alert thresholds on automated monitoring systems lower for PEPs and other higher-risk clients, and are exceptions escalated to more senior staff?
It is important that brokers adopt good record keeping policies. Copies of, or references to, the evidence of the client’s identity should be kept for five years after the business relationship ends, and transactional documents should be kept for five years from the completion of transactions.
The Supreme Court has recently handed down judgment in the case of AIG Europe Limited v Woodman and Others UKSC 18 regarding the scope of an aggregation provision in the Law Society’s Minimum Terms and Conditions of Solicitors’ Professional Indemnity Insurance.
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full terms and conditions on our website.