How to Avoid Snarl of N. Korea Sanctions

The timing was excellent – or unfortunate – depending on your perspective. Just a week before South Korean President Moon Jae-in jets to Washington to talk DPRK denuclearization, it was reported that a South Korean oil tanker had been detained.

The P PIONEER – the first local vessel seized by South Korean authorities — is among four detained by Seoul. All are suspected of violating United Nations sanctions on fuel shipments to North Korea.

Just last month, the UN Security Council (which uses Windward technology) published its latest report on North Korea. It laid out in graphic detail Pyongyang’s evolving tactics in evading sanctions, and the maritime compliance risk faced by anyone connected – however unwittingly – to vessels engaged in this kind of activity.

THE P PIONEER

According to reports, the P PIONEER was detained last October on suspicion of shipping oil to North Korea via clandestine ship-to-ship transfers and is “an indicator of the increasing pressure the U.S. is exerting on foreign governments and businesses to crack down on North Korean sanctions evasion,” according to Tahlia Townsend and Joseph Grasso, who head the International Trade Compliance and Insurance Practice Group at U.S. law firm Wiggin and Dana.

A Windward analysis of the vessel’s behavior in the 12 months leading up to its detention reveals a pattern of dark activities in several parts of the East China Sea. In total, we detected 13 separate occasions when this happened – the kind of deceptive shipping practices routinely employed by North Korea, as highlighted by an updated advisory published last month by the U.S. Treasury’s Office of Foreign Assets Control. During our analysis, another notable pattern of behavior emerged: In the 12 months before it was detained, the P PIONEER only visited ports in South Korea. In other words, every voyage the vessel undertook began and ended in South Korea.

Map showing polygons (areas) linked to possible clandestine oil transhipments to North Korea. Source: OFAC, UN.

Searching in the dark

Detecting such behavior just by searching for “dark activity” won’t get you very far. Indeed, if you use this behavior as a proxy for illicit activity in the East China Sea, you’ll end up with a short list of 20,000 vessels during the past 12 months (the East China Sea is notorious for poor AIS coverage, meaning many vessels that “go dark” don’t do so deliberately). Of these, 1,200 were tankers – a number way too big to differentiate between innocent vessels just passing through and those potentially engaged in illicit oil trading with North Korea. If identifying dark activity was all we could do, compliance officers, charged with ensuring vessels they deal with are complying with sanctions, would probably jump overboard.

Map showing clusters of Dark Activities by vessels in the East China Sea over the past year

Where we can narrow things down for maritime compliance risk is by looking at how frequently vessels went dark – where it was an integral part of a vessel’s modus operandi. As the chart below shows, most tankers had no more than one dark activity in the area; only 3.5% of them did it more than five times. We can look more closely at repeat offenders, to find those that might be evading sanctions (our algorithms can detect which turn-off-transmissions are due to lack of reception and which due to skulduggery).

Distribution of vessel dark activity, highlighting two additional vessels that were mentioned in the recent OFAC advisory regarding DPRK as possibly being involved in illegal transports of petroleum products.

Behavioral Analysis

Another way to whittle down the list of potential miscreants is to look at trade patterns. As discussed above, most vessels passing through this area were heading to ports in the region. The P PIONEER’s voyages always started and finished in South Korea (with a dark activity in between), a pattern we see in just 81 other vessels over the past 12 months.

If we narrow our time window to the past 60 days, we find only 17 vessels were engaged in this pattern of behavior – a much more manageable data set. Within those 17, we find one, very interesting, vessel, called the P CHANCE.

Like the P PIONEER, it’s a tanker; it’s flagged in South Korea; it had 21 dark activities in the region in the past year – including one last month. Oh, and it belongs to the same registered owner (see below).

Looking at the P CHANCE’s economic utilization profile, one can spot the same risk indicators but from a different perspective. With more than 15 dark activities in the East China Sea in 2018, the vessel spent only 31 days in port (compared with 80 days for similar tankers).

To be sure, this analysis isn’t a smoking gun – it just means that out of the thousands of vessels transiting the East China Sea every month, this vessel stands out, indicating that further investigation may be warranted.

Maritime Compliance Risk

The deceptive shipping practices discussed in this article were once only relevant to intelligence agencies and NGOs that monitored and enforced sanctions. But as we’ve seen in the recent OFAC advisory, and the UN Panel of Experts report, sanctions enforcement is no longer something only bad actors need worry about; counterparty due diligence (CDD) teams in every industry that interacts with shipping now need to up their game considerably. Indeed, when list managers or compliance officers consume data feeds and black lists, the recent OFAC advisory might now require them to prepare and consume a global daily review of dynamic sanctions evasion tactics, to mitigate compliance risk. With the right technology, they can do so – while keeping their businesses running as usual.

What GDPR Means for Insurance Companies

GDPR (General Data Protection Regulation) took effect in Europe on May 25 — and is expected to create a ripple effect that affects U.S.-based organizations, regardless of whether they have European operations.

This is the most significant data privacy regulation ever – the EU views this as a human rights issue. The recent Facebook issues will accelerate GDPR acceptance here in the U.S., and it is up to insurance agents and carriers to be sure they are in compliance with all applicable laws and regulations in the U.S. and in Europe.

GDPR was enacted to further protect the rights of individuals in controlling how their personal data is shared. Many expect further regulations to come to the U.S., along with stiffer financial penalties for those organizations that do not comply.

But there are those in the insurance industry who see this as the “starting gun,” not “the finish line.” The reality for most U.S. businesses, insurance companies and others is that GDPR will become the global standard for how businesses must handle consumer data, and it will set new benchmarks for consumer data privacy.

GDPR will have a positive impact for both the business/marketer and the consumer.

This can become an incredible opportunity for U.S. companies that choose to embrace GDPR. Instead of something scary and negative, it can become a great opportunity that they can use to challenge themselves to build tools and processes to maintain smarter marketing and more personalized and predictive communications with customers.

As consumers begin to understand the advantages to them, they will likely prefer to work with and share their consumer data with compliant companies. Rather than waiting and wondering, companies need to take the steps necessary to comply. If it’s great for the customer, and if businesses lead the way, it will end up being great for the company.

First, insurance companies will need to take steps to comply with the legislation so they will not be open to stringent financial penalties. They must begin by working with their legal team and GDPR experts to appoint a company representative who is established in an EU supervisory country. This person is the point of contact for all communications with the GDPR supervisory body.

Not all organizations need one, but if it’s required, appoint a Data Protection Officer who has the expertise needed. This person can help redesign what consent and disclosure looks like for customers. Consumers will need to check a box (or its equivalent) for every single use case of their data. They need to be able to select those they agree with and decline those they don’t, and companies need to be able to comply and track their preferences in their systems.

Insurance companies also need to consider third-party providers. If a third party is not able to prove GDPR compliance, the EU work it does is illegal. Companies should audit their third-party providers and reevaluate service level agreements.

Companies also need to work within the GDPR regulations and still be able to deliver a “good client experience,” grow, and find and retain customers under a new law that is a game changer for the way they do business now.

Moving forward, companies will need to be much more aware of their audiences’ tolerance for marketing. Companies that have been careless by oversaturating their audiences with irrelevant marketing will lose the privilege to market to those customers.

Consumers want information and marketing that is timely and relevant. Technology companies have tools available for clients that account for marketing saturation modeling and use dynamic marketing workflows. Their audiences should receive the “Goldilocks” amount of marketing – not oversaturated, but enough to maintain brand awareness and positive disposition when they are in the position of making a buying decision.

The positive impact for the insurance industry will be that GDPR compliance forces companies to implement data storage and processing and marketing “best practices.” Once a consumer asks to be forgotten, companies must remove all the person’s data. Not just take people off an email list, or a call list, but delete all their preferences, history and contact information.

Businesses that comply with GDPR will reap the benefits of better consumer confidence. Additionally, the practice of impeccable data security demands migrating customer data to the latest network technology. The long-term benefit of storing and running data using the best and most current technology reduces overall digital footprint.

But how companies use technology to retain brand awareness and win and keep customers without becoming a nuisance at a permanent cost will be a challenge. Achieving and retaining brand awareness without irritation becomes a balance of just the right messaging, via the right channel at the right time.

We are proponents of human engagement and realize that all the AI in the world cannot replace human connections. We also realize that the human connection is invaluable and that marketing communications coming from a trusted adviser versus a faceless organization elevates the message.

More than ever, companies need to rely on marketing acceleration models that induce a repeatable pattern of activity, garnered from AI and machine learning to create marketing workflows that enable individuals at a company to have personal connections, smarter marketing, more personalized and predictive customer experiences and better sales outcomes.

Technology can help companies achieve one-on-one interactions and make them more confident that what they say and show is relevant and tailored to their client.

How to Get Ahead of the Watchdogs

The compliance and ethics functions within insurance organizations face continued regulatory pressure. But, nowadays, they must also deal with new threat vectors that are shaping a higher-stakes global compliance environment. More and more, investigative journalists are analyzing big data to spot fraud as well as compliance violations. Third-party agencies are increasingly using technology to identify incidents and monitor corporate behavior. Enforcement agency whistleblower programs are motivating employees to speak out about perceived violations. And, rapidly escalating grassroots campaigns, such as the #metoo movement, are making strong corporate culture and rapid-response capabilities even more critical. When these watchdogs form the genesis of a complaint, social media channels and the round-the-clock news cycle can rapidly increase awareness of the incident – in some cases even before the company itself is aware.

Compliance functions need the agility to adjust to business changes and to the inevitable surprises inherent in a dynamic business climate. But, without a strong technological underpinning to help them operate efficiently in real time, it will be challenging, if not impossible, to get ahead of new threat sources and changing business dynamics. From dashboards for improved decision-making, to sophisticated tools for monitoring employee compliance, to training informed with data from compliance monitoring, technology-based capabilities are now cornerstones of effective compliance management. By using the best available tools and information to protect their organizations and to scan the horizon for new requirements, trends and risks, compliance functions can keep pace with their organizations’ changing compliance needs.

But as a group, insurance sector compliance functions have some work to do on the technology front. According to the PwC 2018 State of Compliance study, only 41% of insurance organizations use policy management technology within the compliance department (compared with 44% across industries and 54% in banking, for example). Just 47% use technology to monitor employees’ compliance with ethics and compliance-related policies and procedures (compared with 50% across industries and 52% in banking). While progress is being made, it lags that of certain other industries.

However, our study identified 17% of insurance survey respondents as “Leaders,” where executives were very satisfied with the effectiveness of their organization’s compliance program. This is on par with other industries in the study. The study’s overall Leader group shares a common denominator: Leaders take a more comprehensive and current approach to compliance risk management as enabled by technology. Leaders differ substantially from their peers in many of the operational aspects of compliance risk management, including executing differently in four key ways.

Leaders invest in tech-enabled infrastructure to support a modern, data-driven compliance function. Technology helps organizations manage compliance in a dynamic and expansive risk universe. Leaders more often use data analytics tools, dashboards and continuous monitoring than their peers. More than half (54%) of Leaders in the study use data analysis tools, and nearly half have dashboards (49%) and engage in continuous compliance monitoring (48%). The effective use of cloud infrastructure, machine learning, advanced analytics and natural-language processors helps organizations quickly analyze vast amounts of data and gain insights into business and customer behaviors, assess potential compliance issues and cost-effectively meet risk and regulatory challenges.

Leaders increase compliance-monitoring effectiveness through the use of technology and analytics. Analytics, together with automation technologies, make the continuous monitoring of employee compliance across many areas of the business far more feasible. Two-thirds (66%) of Leaders use technology to monitor employees’ compliance with ethics- and compliance-related policies and procedures. And they more often use technology to monitor specific risk categories, such as fraud, gifts and entertainment, privacy, social media and trade compliance. Leaders are also gleaning more benefits from technology use in monitoring efforts – compared with their less effective peers, they are more responsive and even proactive in mitigating compliance issues.

Leaders streamline policy management to increase responsiveness and boost policy and procedure effectiveness. Leaders take several steps to strengthen their policy management. They more often keep their codes of conduct, policies and procedures current and make them easily accessible across the organization. They also more often enable this streamlining through policy management technology, such as GRC tools, and measure the effectiveness of policies and procedures more comprehensively. Nearly two-thirds use technology to facilitate the policy management process.

Leaders take advantage of information and technology to provide targeted, engaging and up-to-date compliance training. Leaders’ compliance training and communications are more comprehensive and current. They are often using multiple sources of information to inform and target their training and are thinking creatively about new ways to digitally engage employees in training activities. Leaders’ approaches to training positively affect their organizations’ overall risk profile as they aim to minimize activities that potentially place the organization at higher risk.

Effective compliance risk management must be grounded in strategy and business engagement. Establishing the right tone at the top, assessing compliance and ethics risks and building governance structures that provide high levels of confidence in regulatory matters are all critical to effective compliance leadership. But operational aspects of compliance are where the rubber meets the road. With multiple new, highly motivated watchdogs now providing their own forms of oversight, the case for strengthening compliance risk management through technology is strong. Technology is more critical than ever in building programs that boost compliance program value, better manage risks and drive cost-effective compliance.

Global Trend Map No. 14: Regulation

Following on from last week’s post on investment management, today we tackle that omnipresent question for carriers old and new: regulation. Regulation affects absolutely every part of the insurance business, from how customer data is held and used to how insurers reinsure themselves and invest the premiums they gather.

The time and money cost of complying with regulation is often significant, with recent estimates suggesting that 10% to 15% of the total workforce in financial organizations is currently dedicated to governance, risk management and regulatory compliance. The opportunity for greater efficiency here is so large that a whole new tech-powered industry – regtech – has sprung up around it. And, with demand for regulatory, compliance and governance software expected to reach a massive $120 billion by 2020, this is a space to watch.

The following stats and perspectives are taken from our Global Trend Map; a full breakdown of our survey respondents, and details of our methodology, are included as part of the full report, which you can download for free at any time.

Assessing the Impact of Regulation

Regulation is a serious issue not just for (re)insurers but for the insurance ecosystem more generally. Out of all our survey respondents (unfiltered), 20% indicated that regulation had impeded progress “a lot.” As we see from our burden chart below, the impact is evenly spread across different ecosystem players.

Here, 24% of brokers and agents state that regulation has impeded progress “a lot” within their organization, along with 17% of technology partners and 22% of insurers. The trend is the same when we use a weighted score (one point for “a little,” two points for “somewhat” and three points for “a lot”), giving us an overall “burden score” of:

  • 186 for brokers/agents
  • 159 for technology partners
  • 175 for insurers

While regulation is a concern for insurance companies across the whole globe, it manifests itself differently in different regions. Our stats suggest that regulatory burden is above trend in Europe and below trend in Asia-Pacific (in terms of respondents answering that regulation is impeding progress “a lot”). Regulatory compliance certainly remains a daily issue in APAC but may, for structural reasons, be easier to deal with there on a big picture level.

In Asia-Pacific, industry participants have the advantage of dealing, in the main, with large national markets (bigger than any U.S. state, for instance) but without the complexities of an overarching regional regulator (like we find in Europe with the E.U. and Solvency II). That said, carriers wishing to be active across the region still have a multitude of different regimes to comply with.

Additionally, we asked survey respondents to indicate, via an open-text response, which regulations were currently the greatest cause for concern. There were too many responses to list everything, but some that stood out were Solvency II and the Insurance Distribution Directive (IDD) from respondents in Europe, and the DOL fiduciary rule from respondents in North America.

“Currently the focus is on protecting personally identifiable information, personal health information and personal credit information. Regulations in the future may evolve, requiring companies to ensure that they are using information in a fair and just fashion. For example, much can be inferred from the data from an individual’s smartphone, but it may not be fair and just to act on those inferences.” — Cindy Forbes, EVP and chief analytics officer, Manulife Financial

Regulatory Burden: A Growing Challenge

There is a marked trend toward rising regulatory burden, and we found this to be consistent across our different ecosystem players and regions.

89% of insurers and reinsurers believed regulation was posing a greater challenge to their organizations than during the previous 12 months.

“Increased regulation” was one of the external challenges we explored in our industry challenges section, coming in sixth place out of 12 (based on all respondents). Drilling down into different carrier departments reveals that its impact is not evenly distributed across the business: “Increased regulation” was among the top three external challenges for carrier staff working in actuarial, analytics, capital management (where it took the top slot), investment, risk, senior leadership, strategy and treasury.

The overall balance of these departments suggests the greatest burden from increased regulation within (re)insurers is falling on the investment and risk-modeling side of the business. Europe has certainly been a case in point over the past couple of years, with Solvency II subjecting carriers to more rigorous capital requirements.

Regulation’s growing prominence in the eyes of high-echelon staff (senior leadership) indicates just how seriously it is viewed within the ecosystem. This, along with the other measures we have presented in this section, creates a perfect storm for the rise of regtech over the coming months and years.

Interview with Nick Gerhart (Part 3)

I recently sat with Nick Gerhart to discuss the regulatory environment for U.S. insurance carriers. Nick offers a broad perspective on regulation based on his experience: after roles at two different carriers, Nick served as Iowa insurance commissioner and currently is chief administrative officer at Farm Bureau Financial Services.

Nick is recognized as a thought leader for innovation and is regularly called on to speak and moderate at insurtech conferences and events. During our discussion, Nick described the foundation for the state-based regulatory environment, the advantages and challenges of decentralized oversight and how the system is adapting in light of innovation.

This is the last installment of a three-part series. The first focused on the regulatory framework insurers face. In the second part, Nick provided the regulator’s perspective, with a focus on the goals and tactics of the commissioner’s office. Here we discuss the best practices of the insurers in compliance reporting as well as future trends in compliance reporting.

From my experience in speaking with carriers, I’ve been struck by the challenges of reporting data in various different reports to so many different entities. A lot of carriers struggle just with the process, and the quality of the data reported suffers. So, to dive into the quality of the filings for a moment, what are you looking for?

Garbage in, garbage out, obviously.

The most obvious issues start with the outliers. And it would come back to the state catching the company filing some bad data. So, for instance, on the life and annuity side, how you define “replacement” can trigger a percentage up or down that maybe you shouldn’t have in there.

If you think about it, from the company side, a lot of MCAS data is probably gathered on an Excel spreadsheet, or in SharePoint, or a shared drive, and it’s someone’s job to pull the data. And, he or she is often not the subject expert of the report to be filed.

Overall, companies make a commendable effort in terms of timeliness and accurate data. But, to the extent that a carrier does not pay close attention to what’s going into the file, it can be a problem. You really don’t see the output very well from a 30,000-foot view; a carrier is far more likely to have issues unless it has a really solid data entry process in place or someone who owns it on the executive team who actually knows what is going into the report.

Any examples you can share?

One that comes to mind was a company that reported an unbelievably high replacement ratio. And when we dove into it, we realized they had pulled the wrong file to calculate the rate. Now, it worked itself out, and the ratio was actually much lower, which is a good thing, but again I think companies need to pay more attention to how they are filing this data and where they’re pulling it from.

And that’s where every company could do a little bit better job. I’ve had roles in three insurance companies now, and you can look at something as a check-the-box exercise, or hey-let’s-do-it-right. In my view, if you’re a bigger company, all of this does build into your ORSA filing in some respect.

Your Own Risk and Solvency Assessment is just a picture of where you are on a risk basis. But a lot of your risks are related to market issues. Every company can probably do a little bit better job of making sure the data you submit is timely, relevant and the right data.

And, when you’re looking at specific data with a report, the replacement rate within MCAS, for instance, how do you come up with that benchmark data? Are you looking at trending analysis in the context of industry benchmark data or trending within the company?

That’s a really good question. It’s more art than science; there isn’t one right way to do it. If you had a 75% replacement ratio, but you only sold four annuities, that may or may not mean anything. If you have a 75% replacement ratio, and you sold 25,000, that’s a different issue.

You start to look at it from a benchmarking of industry, a standard across the industry. Whether you can get that data from LOMA, LIMRA or WINK. Regulators have all of those same data points and benchmark studies, so you have a gut feel for what is an industry number.

Then beyond that, to your point, you’d have to dig down for context. For example, Transamerica sells a lot more life insurance and annuities than EMC National Life. A benchmark is a benchmark, but it doesn’t differentiate from a small mutual carrier or small stock carrier.

This is why context is really important. If you see a disturbing relationship or ratio develop on complaints, you have to look at the line of business, how much business they write, whether or not it’s an agent issue, or a producer issue, or home office issue, or a misunderstanding issue. You really have to dig in. Benchmarking is a start, and it’s certainly helpful.

Iowa has 216 carriers, and the vast majority are small or midsize, sometimes just county mutual carriers. You have to look at each carrier on its own, as well. The benchmark helps, but it’s not the end all and be all.

Did you look at consistency of data? For instance, premiums written is a component, in some form, of the financial reporting, market conduct and premium tax filings.

Certainly. Our team would look for consistency of data across filings. Our biggest bureau at the division was on the financial side. And that’s really where I spent a lot of my time to develop staff.

If we start to realize that a premium tax number doesn’t line up with premiums written, they start to ask questions. And sometimes there are good answers, and, other times, it’s a miss. And so, again, it’s data consistency and quality across all the reporting to make sure we have a clear picture.

Because oftentimes, it’s something we didn’t understand, or the carrier filed but didn’t pull the right number. The sophistication of the models that the companies use – as well as the sophistication of the reporting – varies greatly from small carriers to big carriers. Some have home-grown systems; some have ad hoc processes. It’s all done differently.

Do you have a sense – both from your time in industry as well as your role as insurance commissioner – how feasible it is to have a meaningful review process? To put this question in concrete terms: If you’re the CFO, you’re signing off on a lot of reports. Based on the volume of reports you’re signing, are you truly reviewing the data that’s being reported?

That’s a great question.

You’ve got reporting requirements for Sarbanes-Oxley if you’re public. You’ve got other reporting requirements under corporate governance at the state level. It’s impossible to dig into every single report for every single data point. So, you do have to rely on your staff, on your auditors and your chief accounting officer. And that’s why you have those controls in place leading up the reporting structure of those organizations.

That being said, a CFO would want to have a clear picture from a benchmarking dashboard. There are a lot of tools for people in the C-Suite for tracking and visualizing data that call out for attention when a metric is out of place or not reported.

The CFO relies on the team and the controls in place for the data to be correct in order to sign off. But, having a snapshot that showed what is filed, and when, and different data points and sources would be of immense help.

What are the consequences, from a regulator’s standpoint, of poor quality or inconsistent data? Is it reputational? Does it add to question marks around a company?

There are several things. Yes, it’s possibly reputational. But that’s in the longer term. Most immediately, the carrier is going to have to commit resources to resolve the issue.

If a commissioner’s officer is asking questions, he or she has found something. You’ve got to commit resources to adjudicate and resolve the issue. And, it could very well lead to a targeted exam, which, in turn, could end up as a full-blown market conduct exam.

It could also create a number of other issues during the triennial exam or the five-year deeper dive exam, which would require additional resources. These exams can cost quite a bit of money. And so, that’s a hard dollar cost. But, there is also the soft dollar cost of staff time, resources expended and opportunity cost in that it kept the carrier from having done something more productive.

How does this work in practice?

I can think of when I was commissioner once or twice when we had targeted exams based on filings that ultimately led us to say, “Okay, there is a problem here.” Both times were out-of-state companies.

To your point earlier, you can call an exam on any company that is doing business in your state, certainly on the market side. On the financial side, you’re going to have more deference. But, on the market side, every commissioner’s office is reviewing the data, as well.

Often for us, we would start with the complaints that are coming in, and then identify a trend with a carrier. And if you start to see a number of complaints, then you pull the data.

Some insurers have a cynical view of regulators, particularly in some states. I’ve heard them refer to this as “the cost of doing business.” They feel that, if you’re going to write policies in some states, you’re going to get fined from time to time. And then, if you get fined by one state, then you’re going to see fines from other states as well. How does this work in practice?

A carrier has an obligation to report a fine in all states in which it’s licensed. On top of that, there is this thing called the internet. When a state issues a fine – Commissioner Jones or Director Huff was famous for this – it would be followed by a press release, as well.

So, there is some truth to the idea that if an insurer has trouble in one state, it might have it in multiple states. But there is some right to have a level of cynicism. There are some states where you’re much more prone to be fined. Whether this is a cost of doing business, that’s a decision for that management team. But, if there is a fine in one state, the chances of it in multiple states are high.

Our view of the world, in the Iowa division, was not necessarily to gang tackle but rather how to resolve the issue in our state. If there was a problem, we asked, “Did you make customers whole?” I would look at a systems issue with billing differently from an issue in which someone was ripped off. We tried to use judgment and look at the issues based on the facts and circumstances.

Currently, data flows from carriers to commissioners in a defined cadence. What do you think of the promises of regtech – the concept that software and system automation will allow for data to flow to regulators seamlessly, in real time and without the need for insurers to prepare and curate data for filings?

Right now the NAIC is the hub of a lot of this. And the idea that a state would get this directly from the insurer is a stretch.

What about through the NAIC?

Through the NAIC, I could see it happening. They’ll go to a cloud-based system, I’m guessing. As they make that shift, could that happen? Possibly.

I always joke that for the state of Iowa, and most states, you have the best technology from 1985. Some states are ‘95. It is a stretch to think that this could happen without the NAIC leading.

The NAIC really is the hub. If you’ve been to Kansas City, you’ve seen how impressive their system is, and their folks are. NIPR, for instance, I would always joke, is a technology firm. It’s not a producer licensing firm. The NAIC has tremendous resources. Their CTO has ideas on how to streamline it further. I could see this happening in 10 years or less. The reality is that a state could never do this.

So, a state has to rely on the NAIC. Going back to why this system works, well it works because you have an association – the NAIC – that has the ability to upgrade and transform quicker than any state ever could.

Is it possible that the states could innovate on their own, outside the NAIC?

It would be hard, at best. If you think about the state-based system, if Iowa doesn’t transform as quickly as California, or Montana as Wyoming, that starts to be a problem.

The NAIC can take care of that in one fell swoop and we, as state regulators, all benefit from that work.

I could see data delivery and reporting being quicker, more meaningful, real-time. I could even see, down the road, machine learning processes put in place to help on policy review form, financial review form. I think you could get there. I don’t know if it’ll be five years, 10 years or 15 years, but it will certainly happen in my career, where it’s going to be a continuously improving process.

The NAIC is the best way that regulators keep up with the demands that are happening, through leveraging the NAIC tech and personnel.