Tag Archives: fiduciaries

More Pressure to Protect Health Data

Health plans, insurers and other health plan industry service providers need to ensure that their Internet applications properly safeguard protected health information (PHI), based on a recent warning from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

The warning comes in a resolution agreement with St. Elizabeth’s Medical Center (SEMC) that settles OCR charges that it breached the Health Insurance Portability and Accountability Act (HIPAA) by failing to protect the security of personal health data when using Internet applications. The agreement shows how complaints filed with OCR by workforce members can create additional compliance headaches for covered entities or their business associates.

With recent reports on massive health plan and other data breaches fueling widespread regulatory concern, covered entities and their business associates should prepare to defend the adequacy of their own HIPAA and other health data security practices. Accordingly, health plans and their employer or other sponsors, health plan fiduciaries, health plan vendors acting as business associates and others dealing with health plans and their management should contact legal counsel experienced in these matters for advice within the scope of attorney-client privilege about how to respond to the OCR warning and other developments to manage their HIPAA and other privacy and data security legal and operational risks and liabilities.

SEMC Resolution Agreement Overview

The SEMC resolution agreement settles OCR charges that SEMC violated HIPAA. The charges stem from an OCR investigation of a Nov. 16, 2012, complaint by SEMC workforce members and of a separate report that SEMC made to OCR of a breach of unsecured electronic PHI (ePHI) stored on a former SEMC workforce member’s personal laptop and USB flash drive, which affected 595 individuals.

In their complaint, SEMC workers alleged that SEMC violated HIPAA by allowing workforce members to use an Internet-based document sharing application to share and store documents containing the ePHI of at least 498 individuals without adequately analyzing the risks. OCR says its investigation of the complaint and the breach report revealed, among other things, that:

  • SEMC improperly disclosed the PHI of at least 1,093 individuals;
  • SEMC failed to implement sufficient security measures regarding the transmission of and storage of ePHI to reduce risks and vulnerabilities to a reasonable and appropriate level; and
  • SEMC failed to identify and respond to a known security incident, mitigate the harmful effects of the security incident and document the security incident and its outcome in a timely manner.

To resolve OCR’s charges, SEMC agreed to pay $218,400 to OCR and to implement a “robust corrective action plan.” Although the required settlement payment is relatively small, the resolution agreement merits attention because of its focus on security requirements for Internet application use and for the data use and sharing activities engaged in by virtually every covered entity and business associate.

HIPAA-Specific Compliance Lessons

OCR Director Jocelyn Samuels said covered entities and their business associates must “pay particular attention to HIPAA’s requirements when using Internet-based document sharing applications.” She stated that, “to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”

The resolution agreement makes clear that OCR expects health plans and other covered entities and their business associates to be able to show both that they promptly investigate reported or suspected HIPAA vulnerabilities or violations and that they self-audit and spot test HIPAA compliance in their operations. The SEMC corrective action plan also indicates that covered entities and business associates must be able to produce evidence of a top-to-bottom dedication to HIPAA, proving that a “culture of compliance” permeates their organizations.

Covered entities and business associates should start by considering the advisability for their own organization to take one or more of the steps outlined in the “robust corrective action plan,” starting with the specific steps that SEMC must take:

  • Conducting self-audits and spot checks of workforce members’ familiarity and compliance with HIPAA policies and procedures on transmitting ePHI using unauthorized networks; storing ePHI on unauthorized information systems, including unsecured networks and devices; removal of ePHI from SEMC; the prohibition on sharing accounts and passwords for ePHI access or storage; encryption of portable devices that access or store ePHI; and security incident reporting related to ePHI;
  • Inspecting laptops, smartphones, storage media and other portable devices, workstations and other devices and systems containing ePHI and other data, and their use;
  • Conducting other tests and audits of security and compliance with policies, processes and procedures; and
  • Documenting results, findings and corrective actions, including appropriate up-the-ladder reporting and management oversight of these and other HIPAA compliance expectations, training and other efforts.

Broader HIPAA Compliance and Risk Management Lessons

Covered entities and their business associates also should be mindful of more subtle, but equally important, broader HIPAA compliance and risk management lessons.

One of the most significant of these lessons is the need for proper workforce training, oversight and management. The resolution agreement sends an undeniable message that OCR expects covered entities, business associates and their leaders to be able to show their effective oversight and management of the operational compliance of their systems and members of their workforce with HIPAA policies.

The resolution agreement also provides insight into the internal corporate processes and documentation of compliance efforts that covered entities and business associates may need in order to show that their organization has the required “culture of compliance.” Particularly notable are its terms on documentation and up-the-ladder reporting. Like the tips HHS shared in its recently released Practical Guidance for Health Care Governing Boards on Compliance Oversight, these details offer invaluable guidance.

Risks and Responsibilities of Employers and Their Leaders

While HIPAA places the primary duty for complying with HIPAA on covered entities and business associates, health plan sponsors and their management still need to make HIPAA compliance a priority for many practical and legal reasons.

HIPAA data breach or other compliance reports often trigger significant financial, administrative, workforce satisfaction and other operational costs for employer health plan sponsors. Inevitable employee concern about health plan data breaches undermines employee value and satisfaction. These concerns usually require employers to expend significant management and financial resources to respond.

The costs of investigating and redressing a known or suspected HIPAA data or other breach typically far exceed the actual damages to participants resulting from the breach. While HIPAA technically does not make sponsoring employers directly responsible for these duties or the costs of their performance, as a practical matter sponsoring employers typically can expect to pay the costs and other expenses that their health plan incurs to investigate and redress a HIPAA breach. For one thing, except in the all-too-rare circumstances where employers as plan sponsors have specifically negotiated more favorable indemnification and liability provisions in their vendor contracts, employers and other health plan sponsors usually agree in their health plan vendor contracts to pay the expenses of, and to indemnify health plan insurers, third party administrators and other vendors for the costs and liabilities arising from, HIPAA breaches or other events arising in the course of administering the health plan. Because employers typically are obligated to pay health plan costs in excess of participant contributions, employers also typically would be required to provide the funding their health plan needs to cover these costs even in the absence of such indemnification agreements.

Sponsoring employers and their management also should be aware that the employer’s exception from direct liability for HIPAA compliance does not fully insulate the employer or its management from legal risks in the event of a health plan data breach or other HIPAA violation.

While HIPAA generally limits direct responsibility for compliance with the HIPAA rules to a health plan or other covered entity and their business associates, HIPAA hybrid entity and other organizational rules and criminal provisions of HIPAA, as well as various other federal laws, arguably could create liability risks for the employer. See, e.g., Cyber Liability, Healthcare: Healthcare Breaches: How to Respond; Restated HIPAA Regulations Require Health Plans to Tighten Privacy Policies and Practices; Cybercrime and Identity Theft: Health Information Security Beyond. For example, hybrid entity and other organizational provisions in the HIPAA rules generally require employers and their health plan to ensure that health plan operations are appropriately distinguished from other employer operations for otherwise non-covered human resources, accounting or other employer activities to avoid subjecting their otherwise non-covered employer operations and data to HIPAA Rules. To achieve this required designation and separation, the HIPAA rules typically also require that the health plan include specific HIPAA language and the employer and health plan take appropriate steps to designate and separate health plan records and data, workforces and operations from the non-covered business operations and records of the sponsoring employer. Failure to fulfill these requirements could result in the unintended spread of HIPAA restrictions and liabilities to other aspects of the employer’s human resources or other operations. Sponsoring employers will want to confirm that health plan and other operations and workforces are properly designated, distinguished and separated to reduce this risk.

When putting these designations and separations in place, employers also generally will want to ensure that their health plan includes the necessary terms and that the employer implements the policies necessary to provide the certifications that HIPAA requires the health plan to receive before health plan PHI may be disclosed to the employer or its representative for the limited underwriting and other specified plan administration purposes the HIPAA rules permit.

Once these arrangements are in place, employers and their management also generally will want to take steps to minimize the risk that their organization or a member of the employer’s workforce fails to honor these arrangements and improperly accesses or uses health plan PHI or systems in violation of these conditions or other HIPAA rules. This or other wrongful use or access of health plan PHI or systems could violate criminal provisions of HIPAA or other federal laws that make it a crime for any person – including the employer or a member of its workforce – to wrongfully access health plan PHI, electronic records or systems. Because health plan PHI records also typically include personal tax and Social Security information that the Internal Revenue Code, the Social Security Act and other federal laws generally require the employer to keep confidential and to protect against improper use, employers and their management also generally should be concerned about the exposures their organization could face from improper use or access of this information in violation of these other federal laws. Because HIPAA and some of these other laws under certain conditions make it a felony to violate these rules, employers and their management generally will want to treat compliance with these federal rules as a critical element of the employer’s federal sentencing guideline and other compliance programs.

Employers or members of their management also may have an incentive to promote health plan compliance with HIPAA or other health plan privacy or data security requirements.

For instance, health plan sponsors and management involved in health plan decisions, administration or oversight could face personal fiduciary liability risks under ERISA for failing to act prudently to ensure health plan compliance with HIPAA and other federal privacy and data security requirements. ERISA’s broad functional fiduciary definition encompasses both persons and entities appointed as “named” fiduciaries and others who functionally exercise discretion or control over a plan or its administration. This fiduciary status and risk can arise even if the entity or individual is not designated as a named fiduciary, expressly disclaims fiduciary responsibility, or does not realize it bears fiduciary status or responsibility. Because fiduciaries generally bear personal liability for their own breaches of fiduciary duty, as well as potential co-fiduciary liability for fiduciary breaches committed by others that they knew of or prudently should have known of, most employers and members of their management will make HIPAA health plan compliance a priority.

Furthermore, most employers and their management also will appreciate the desirability of taking reasonable steps to manage potential exposures that the employer or members of its management could face if their health plan or the employer violates the anti-retaliation rules of HIPAA or other laws through the adoption and administration of appropriate human resources, internal investigation and reporting, risk management policies and practices. See Employee & Other Whistleblower Complaints Common Source of HIPAA Privacy & Other Complaints.

Manage HIPAA and Related Risks

At minimum, health plans and their business associates should move quickly to conduct a documented assessment of the adequacy of their health plan internet applications and other HIPAA compliance in light of the Resolution Agreement and other developments. Given the scope and diversity of the legal responsibilities, risks and exposures associated with this analysis, most health plan sponsors, fiduciaries, business associates and their management also will want to consider taking other steps to mitigate various other legal and operational risks that lax protection or use of health plan PHI or systems could create for their health plan, its sponsors, fiduciaries, business associates and their management. Health plan fiduciaries, sponsors and business associates and their leaders also generally will want to explore options to use indemnification agreements, liability insurance or other risk management tools as a stopgap against the costs of investigation or defense of a HIPAA security or other data breach.

Supreme Court Decision Means Health Plans Under Fire … To Complete ACA-Required Summary of Benefits & Communications & Other Health Plan Updates

The June 28, 2012 Supreme Court ruling in National Federation of Independent Business v. Sebelius, rejecting constitutional challenges to the Patient Protection and Affordable Care Act (Affordable Care Act), means most health plans, their employers and other sponsors, fiduciaries and administrators, and insurers must rush to update their health plan documents, summary plan descriptions and other communications, administrative procedures and contracts, reporting and other arrangements to meet the “Summary of Benefits & Coverage” (SBC) and other requirements of the Affordable Care Act and other federal rules that already apply, or by year end will apply, to their group health plans.

Final SBC Regulations[1] implementing the Affordable Care Act’s summary of benefits and coverage requirements, jointly published February 14, 2012 by the Departments of Labor, Health and Human Services (HHS), and the Treasury (the Departments), will require most health plans and health insurers to begin providing an SBC and Uniform Glossary meeting Department standards to covered persons and coverage applicants beginning on the opening day of the first enrollment period beginning after September 22, 2012.

Parties responsible for completing these arrangements should expect to need significant lead time to properly tailor an SBC and Glossary to their health plan and to complete the other arrangements necessary to comply in a timely manner with the Final SBC Regulations. Most health plans will need significant time to complete the analysis needed to prepare an SBC appropriately tailored to their plan. In addition, most group health plans and insurers, and their sponsors, administrators and fiduciaries, also generally will want to identify and make changes to their health plan design, documents, summary plan descriptions and other materials and practices in response to the new requirements.

Completing the preparations to meet the deadline for providing SBCs won’t be easy for most health plans and insurers planning to conduct annual or other enrollment periods this Fall. Most employer and other health plan sponsors, fiduciaries, insurers and administrators can expect to experience significant challenges completing the arrangements necessary to comply with the highly technical and extremely rigid requirements of the SBC rules. Most health plan sponsors, fiduciaries and administrators also will want to consider tightening plan document, summary plan description, claims and appeals notices and other plan documentation and associated administrative procedures to coordinate with the SBC language and other Affordable Care Act requirements.

Regulations implementing the SBC requirements published in February 2012, and subsequent regulatory guidance, dictate detailed requirements for the content of the SBC and require that health plans and insurers covered by the SBC rules provide a Uniform Glossary of terms, many of which are likely to differ from the definitions of the same or similar terms in plan documents, summary plan descriptions or other plan-related documents. To help further clarify these requirements, on March 19, 2012 the Departments published a new FAQ[2] that clarifies certain information about the SBC Regulation, its deadline and other requirements. When plans cover a culturally diverse workforce, health plans also will need to make the arrangements necessary to comply with the Affordable Care Act’s requirement that health plans and insurers communicate in a culturally and linguistically appropriate manner.

Taking time to make changes needed to identify and resolve potential conflicts and other ambiguities between required terms of the SBC and Glossary and existing health plan documentation, communications and procedures is particularly important in light of the United States Supreme Court’s May 16, 2011 ruling in Cigna Corp. v. Amara.

In Amara, the Supreme Court ruled that federal courts may use equitable remedies provided for under the Employee Retirement Income Security Act to give a remedy to individuals hurt because summary plan descriptions or other communication or disclosure documents provided by the health plan contain terms that conflict with the official health plan documents under certain conditions. Health plans, their fiduciaries, sponsoring employers and unions, insurers, administrative service providers and their management also generally will want to carefully craft the SBC and other related plan materials and processes to manage these risks and support the enforceability of the intended plan design.

[1] See 26 CFR 54.9815-2715, 29 CFR 2590.715-2715, and 45 CFR 147.200, published February 14, 2012 at 77 FR 8668.

[2] See FAQs About Affordable Care Act Implementation (Part VIII).

Addressing Objections to a Second Look at a Reinsurance Recovery

Most ceding companies avail themselves of catastrophe reinsurance, a product that pays anywhere from 90 to 100% of aggregated event loss above the ceding company’s retention, up to the limits obtained. Generally the retention is determined as some fraction of the company’s surplus and of the company’s exposure profile for any one catastrophe. The ceding company wants that retention high enough that it is not merely swapping dollars with the reinsurer on frequency events, but low enough that the “shock” of a sudden demand for cash to pay claims does not impair the company.

When a broker tells a ceding company what the rate-on-line is for a catastrophe treaty (the rate for a limit of coverage, or the inverse of a payback period), that number does not assume any reinstatement of limits. Reinsurers have now arranged matters so that the reinstatement premium in effect accelerates the payback period and increases the actual rate-on-line, by requiring 100% as to time in reinstatement calculations. This was not always the case — at one time the reinsurer charged for the reinstated limits only at a factor pro-rated to the time remaining on the treaty.

Catastrophe reinsurance is somewhat unique in that its limits must be reinstated, but reinstating those limits now generally comes at a price higher than the original limit cost. This is so because the reinstated limit is good only for the remainder of the treaty period, not for the entire annual contract period as the original limit was. For example, suppose a Texas ceding company had a catastrophe treaty for the period from January 1, 2012 to December 31, 2012, and a hurricane came through Houston on October 1, 2012, exhausting the cedant’s treaty limit. The cost to reinstate that entire limit is the same dollar amount it cost to secure the original limit, but the second limit is good only from October 1, 2012 to December 31, 2012. Thus, the limit cost is the same for a three-month reinstatement as it was for a twelve-month original limit of the same amount.

Reinsurers may tell ceding companies at renewal time that they are renewing at the expiring rate, but the ceding company must be aware that this practice is not unlike the federal government saying it will not raise tax rates, but then taking away some deductions so that the net effect is to increase the tax owed. At renewal, the ceding company may find that because of some change in the treaty definitions initiated by the reinsurer, it will have to pay more for the treaty even though the “rate” stayed the same. The net effect may be that while the rate did not change, the measurement against which that rate is applied did change, making the actual treaty cost increase or coverage decrease.

Consider also that if the ceding company had been carrying original limits equal to the one-in-one-hundred-year storm, and such limits were appropriate, the reinstatement limit is now being carried for a second one-in-one-hundred-year event occurring in the same year, and within the next three months, a highly unlikely scenario. The reinsurer is actually making the ceding company reinstate the catastrophe limit at a higher cost for an event that is even less likely to occur … but never fear, the reinsurer will offer to sell the ceding company yet another product that will cover the reinstatement costs … a treaty, now, for a charge slightly below the reinstatement cost, that will pay the reinstatement premiums for the catastrophe treaty so that the ceding company will have reinstated limits available in the event a second one-in-one-hundred-year catastrophe strikes within the next three months. (A pre-loss, pre-pay option treaty, so to speak, where the ceding company can prepay the reinstatements now at a discounted rate!)

One of the primary attributes of sound rating analysis is the law of large numbers. That is, enough units are insured, and enough losses are experienced, to make an event predictable. By their very nature, catastrophes are generally unusual events as far as the individual ceding company is concerned. Regional ceding companies may experience an event that exceeds their retention only once every several years. Reinsurers thus, by and large, do not price catastrophe treaties for ceding companies on the individual cedant’s catastrophe experience.

Rates for catastrophe insurance are based on “cat models.” Cat models are used against the ceding company’s risk locations and dollars of exposure at those locations. That is, all other things being equal, having 5 billion dollars of insurance exposure along the coast where the models predict a hurricane will strike will cost the ceding company more to reinsure than 5 billion dollars of inland exposure, where the models show the effects of a hurricane are less intense.

During any catastrophe, claims are filed in multiples of what the ceding company may be used to dealing with on a normal basis, and the ceding company may be required to utilize the services of independent adjusters to augment their own claims personnel services. The combination of high volume, tyranny of the urgent, and utilization of temporary staff provides ample opportunity for mistakes in coding, reinsurance reinstatement premium calculations, and event identification.

Event identification is simply the matter of correctly attributing a loss to the named covered event. Not all policyholders turn in a claim immediately, and a claim turned in months after the event may be miscoded and missed in the reinsurance recovery. Additionally, not all available reinsurance recovery is utilized, because the cedant does not realize that certain subsequent events are covered.

For example, suppose a claim is paid and closed, and a recovery is made from the reinsurer for the event. Two years later the ceding company receives a suit alleging bad faith, deceptive practices and other allegations that the claim was mishandled. Many insurance companies will put their Errors and Omissions carrier on notice of the allegations being made. However, not all will notify the reinsurer of possible additional development under the catastrophe treaty under the ECO/XPL* portion of the cat treaty, a treaty which has already been tapped. The ceding company will likely have a per-claim retention under its Errors and Omissions policy, and in addition it is responsible for the stated limits of the policy it issued to the insured before its Errors and Omissions coverage kicks in. The cat treaty retention, by contrast, has already been met, meaning the ECO/XPL coverage of the cat contract will essentially provide Errors and Omissions coverage to the cedant sooner.

Additionally, depending on the definition of net retained loss under the treaty, it is possible under given circumstances that the ceding company could collect twice for the same Errors and Omissions loss: once under the treaty’s ECO/XPL and, if the loss is large enough, additionally under its Errors and Omissions policy. An argument by the reinsurer that a collection under the Errors and Omissions policy inures to the treaty should be challenged with the counter-argument that the premium of the Errors and Omissions policy must then similarly reduce the measure (earned premium) against which the reinsurer applies its rate. In other words, the reinsurer does not get the inuring benefit of the Errors and Omissions policy without a corresponding allowance for its cost to the cedant. However, the cedant may be better off arguing the definition of retained loss under the treaty than arguing for the inuring costs.

During the turmoil of a catastrophic event, it is entirely likely that other reinsurance treaties will be overlooked or receive less attention. Most per risk treaties have a single occurrence limit, so the per risk treaty is not used for catastrophic events. However, in many instances the per risk treaty inures to the cat treaty, so that the cost of the per risk treaty reduces the measure against which the cat rate is multiplied. In other words, the cost of the per risk treaty reduces the cost of the cat treaty, because technically the per risk treaty is supposed to be used up to the measure of its occurrence limit before the cat treaty is utilized; the recovery paid by the per risk treaty reduces the catastrophe loss.

As well, premiums may be missed or double paid, inuring contracts overlooked, or checks directed to the wrong reinsurer. I have seen a case during a catastrophe where a premium payment check was directed to the wrong Lloyd’s syndicate, and that syndicate was either so disorganized or so unethical that it did not return the misdirected funds until after a formal request for their return was made by the ceding company over a year later. You can’t tell me the syndicate thought it was entitled to the money or did not realize it was not in the ceding company’s program.

The reinsurers are not your “friends.” They are not in the business to watch out for the interests of the ceding company — reinsurers are in business to make money, just as ceding companies are in business to make money. In 2010, just the top five reinsurers wrote over 98 billion dollars in premiums.

In a brokered market, the intermediaries do not work only for the interests of the ceding companies — they are in many cases dual agents. The word “intermediary” means go-between, and for purposes of finances, intermediaries are the agent of the reinsurer, as provided in a standard intermediary clause ever since the federal case of In the Matter of Pritchard & Baird, Inc., 673 F.2d 1301, which held that for purposes of money transfer, the broker is the agent of the reinsurer. Money received by the intermediary from the ceding company is considered money received by the reinsurer, but money received by the intermediary from the reinsurer is not considered money received by the ceding company.

Even all these years after Pritchard & Baird, I have recently witnessed an unscrupulous reinsurer telling a ceding company that it must collect from the intermediary the portion of the refund representing the intermediary’s brokerage fees. I have also witnessed a case where this same ceding company signed and agreed to placement slip terms, but some 9 months later, when the contract wording was finally provided, the minimum premiums within the contract had been changed to equal the deposit premiums, with the change successfully slipped past the general manager of the small ceding company, who was undergoing cancer chemotherapy, and the reinsurer then arguing that it had no record of any change. Such behavior is inexcusable and would never have been caught without an independent reinsurance recovery review.

If reinsurers did things right, then the National Association of Insurance Commissioners would not have needed to adopt a rule requiring that final contract wordings must be signed within 9 months of the contract’s effective date to allow for accounting treatment as prospective, as opposed to retroactive, reinsurance.

It’s absurd to think that this type of rule should be necessary in the first place. The 9-month rule, which really comes out of Part 23 of SSAP 62, requires that the reinsurance contract be finalized, that is, reduced to written form and signed, within 9 months after commencement of the policy period. In effect, when reinsurers are remiss in generating a timely reinsurance contract, it is the ceding company that is punished. The National Association of Insurance Commissioners also found it necessary to adopt the so-called 90-day rule. This rule requires US ceding companies to take a penalty to surplus in an amount equal to 20% of reinsurance recoverables on paid losses 90 days past due. The rule also requires a 20% penalty to surplus for all recoverables due from so-called “slow payers.”

In effect, reinsurers have been so remiss in generating timely contracts and paying bills in a timely manner that the National Association of Insurance Commissioners had to create rules to prod them into doing the right thing by punishing the ceding company if the reinsurers don’t.

It also never ceases to amaze me how thrilled ceding companies are to receive a 25% ceding commission from the reinsurer in a proportional treaty for business that costs the ceding company 33% to generate. Or how the reinsurer now “did them a favor” by allowing a 27% ceding commission in the renewal. Or how that so-called quota share treaty that the reinsurer is supposedly a “partner” in has a catastrophe cap included for the benefit of the reinsurer. If this represents what it is like to partner with and be the “friend” of ceding companies, then the plaintiff’s bar should certainly also be considered a friend of ceding companies.

Reinsurance intermediaries are required to be licensed in most states. Penalties are imposed on unlicensed intermediaries. In some states, led by New York through its Rule & Regulation 98, reinsurance intermediaries must have written authorization from a reinsured before procuring reinsurance for the reinsured. The reinsurance intermediary must provide the reinsured with written proof that a reinsurer has agreed to assume the risk. The reinsurance intermediary also must inquire into the financial condition of the reinsurer and disclose its findings to the reinsured and disclose every material fact that is known regarding the reinsured to the reinsurer.

Record-keeping requirements also exist, mandating that the reinsurance intermediary keep a complete record of the reinsurance transaction for at least 10 years after the expiration of the reinsurance contract. Reinsurance intermediaries under these regulations are now responsible as fiduciaries for funds received in their capacity as reinsurance intermediaries. Funds on reinsurance contracts must be kept in separate, identifiable accounts and may not be commingled with the reinsurance intermediaries’ own funds.

Most of the time the intermediary’s sales pitch to the ceding company emphasizes how it has a great relationship with the reinsurers, the inference being that such a relationship will ultimately provide for a better price for the ceding company in the negotiation process, as if the reinsurer will do a “favor” for the intermediary which will directly benefit the ceding company. Such fairy tale thinking is best left to children’s books and not in the board rooms of ceding companies. The truth is the intermediary is more dependent for its success on the relationship it has with the reinsurer than it is on the ceding company, and the intermediary is not about to alienate the reinsurer for the sake of a ceding company.

In the brokered market, the ceding company typically has no say in the treaty terms. What most small to medium ceding companies fail to realize is that just as an insurance policy it issues is subject to being a contract of adhesion by virtue of the legal maxim of contra proferentem, so too is the reinsurance treaty a contract of adhesion as against the reinsurer that drafted it.

The Latin phrase “contra proferentem” is a standard in contract law, which provides that if a clause in a contract appears to be ambiguous, it should be interpreted against the interests of the person who insisted that the clause be included. In other words, if you speak ambiguously in a contract, your words can literally be used against you. This is designed to discourage people from including ambiguous or vague wording in contracts because it would run against their interests. This is a decisive advantage for many ceding companies in what are often ambiguously defined treaties produced by reinsurers.

All too often the ceding company simply falls in line with what the reinsurer says is the proper interpretation of the treaty language. Whether such complicity is reflective of the incorrect notion that the reinsurer is their “friend” and operates in its best interests or just ignorance, the fact is that ceding companies are often not fully utilizing the product for which they have dearly paid.

The services offered by such entities as Boomerang Recoveries, LLC provide the ceding company a second look at the treaties it purchased and at how it structured its recoveries from its various treaties. Every “touch point” along the recovery process represents a possible missed opportunity. An expressed reluctance by a ceding company to have its recoveries reviewed by an independent reinsurance professional represents misplaced loyalties. The loyalty of a ceding company is to its policyholders or its stockholders, not to its reinsurers.

The good faith and fair dealing owed by a ceding company to the reinsurer does not include forgoing rightful reinsurance recoveries or agreeing with every position of the reinsurer. In this day of increased litigation over Errors and Omissions and Directors and Officers issues, ceding companies should be more concerned with demonstrating their due diligence and exhibiting fiduciary responsiveness by trying to recover every dollar that they are entitled to receive under the treaty contracts than with worrying about what reinsurers may think about an independent review of their reinsurance recovery process.

Think of it this way: if the ceding company obtained some tax advice on a return it had filed which showed that by refiling, it would be refunded $1,000,000 on the taxes it paid to Uncle Sam, would the officers of that company argue that filing an 1120X (Corporate Amended Tax Return) is a bad idea because it might look like an admission that the company had not taken every deduction it was entitled to when the return was originally filed, or that the IRS might think poorly of the company? That would be absurd, but so too are the arguments that recasting and review of past reinsurance recoveries is a bad idea.

As we have seen:

  1. Every touch point in the recovery process is a potential missed recovery; it’s just human nature to make more mistakes at a time of crisis than otherwise.
  2. Catastrophe treaties are not priced for individual company experience, but by models, so that additional recoveries will not directly impact the future rate charged the ceding company.
  3. Reinsurers are not in business to be your friend. Ceding companies pay sufficient premiums to collect all that they are entitled to collect under the treaty.
  4. Reinsurers will not tell ceding companies when a mistake is made or that it owes a ceding company more money.
  5. Intermediaries do not make a commission and are not paid to assure that the ceding company appropriately and fully utilizes the treaties that are placed.
  6. Reinsurance treaties are esoteric and a ceding company cannot rely on an intermediary to watch out for its best interests or interpret contracts in its favor.
  7. Increasing Directors and Officers exposures demand that officers and managers demonstrate their due diligence and the fulfillment of fiduciary duties. Even if no additional funds are shown as recoverable after a review, the effort is demonstrative of duties fulfilled.
  8. Intermediaries are dual agents and primarily “sell” their services to ceding companies by emphasizing the great relationship they have with reinsurers. Ceding companies need to understand that great reinsurer relationships do not mean better terms for ceding companies or that the intermediary is willing to sacrifice that relationship for the sake of the ceding company. Indeed, intermediary relationships with reinsurers are an extension of and built upon their loyalty to those reinsurers, not the ceding companies.
  9. Reinsurance treaties follow the legal maxim that ambiguities are construed against the drafter of the contract. Ceding companies need a truly independent expert that is not tied to the reinsurer, as is the intermediary, to argue for them and review recoveries on their behalf.

Cronyism has no place in today’s economy. Insurance managers are not reinsurance recovery experts, and utilizing the services of independent reinsurance recovery experts should be thought of as no different than utilizing the services of legal or tax experts to maximize the financial position of the ceding company. The deference ordinarily given to a reinsurer by a ceding company is substantially more than it would ever give to, say, an insurer that carried its fleet auto coverage or its Directors and Officers coverage. Ceding companies should stop thinking of reinsurance as some sort of friendship pact and start considering it as they would any other insurance protection purchased for their financial stability.

* Excess of policy limits, extra contractual obligations

ERISA Bonding Reminder

Employers And Plan Fiduciaries Reminded To Confirm Credentials And Bonding For Internal Staff, Plan Fiduciaries And Vendors Dealing With Benefits

Businesses sponsoring employee benefit plans — along with officers, directors, employees and others acting as fiduciaries with respect to these employee benefit plans — should take steps to confirm that all of the appropriate fiduciary bonds required by the Employee Retirement Income Security Act of 1974, as amended (ERISA) are in place. They should also confirm that all employee benefit plans sponsored are appropriately covered, and that all individuals serving in key positions requiring bonding are covered and appropriately qualified to serve in that capacity under ERISA and the terms of the bond.

Adequate attention to these concerns not only is a required component of ERISA's fiduciary compliance, it also may provide invaluable protection if a dishonesty or other fiduciary breach results in a loss or other exposure.

ERISA generally requires that every employee benefit plan fiduciary, as well as every other person who handles funds or other property of a plan (a “plan official”), be bonded if they have some discretionary control over a plan or the assets of a related trust. Some exceptions to this bonding requirement are available, but they are very narrow and apply only if specific criteria are met.

Plan sponsors and other plan fiduciaries should take steps to ensure that all of the bonding requirements applicable to their employee benefit plans are met at least annually. Monitoring these compliance obligations is important not only for the 401(k) and other retirement plans typically associated with these requirements, but also for self-insured medical and other ERISA-covered employee benefit plans.

This process of credentialing persons involved with the plan and auditing bonding generally should begin with adopting a written policy that requires bonding and verification of credentials, and that requires confirmation that appropriate bonds are in place for all internal personnel and outside service providers.

Steps should be taken to ensure that the required fiduciary bonds are secured in sufficient amounts and scope to meet ERISA’s requirements. In addition to confirming the existence and amount of the fiduciary bonds, plan sponsors and fiduciaries should confirm that each employee plan for which bonding is required is listed in the bond and that the bond covers all individuals or organizations that ERISA requires to be bonded.

For this purpose, the review should verify the sufficiency and adequacy of bonding in effect for both internal personnel as well as outside service providers. In the case of internal personnel, the adequacy of the bonds should be reviewed annually to ensure that bond amounts are appropriate.

Unless a service provider provides a legal opinion that adequately demonstrates that an ERISA bonding exemption applies, plan sponsors and fiduciaries also should require third party service providers to contract to be bonded in accordance with ERISA and other applicable laws, to provide proof of their bonded status or documentation of their exemption, and to provide notice of events that could impact their bonded status.

When verifying the bonding requirements, it also is a good idea to conduct a criminal background check and other prudent investigation to reconfirm the credentials and suitability of individuals and organizations serving in fiduciary positions or otherwise acting in a capacity covered by ERISA’s bonding requirements.

ERISA generally prohibits individuals convicted of certain crimes from serving, and prohibits plan sponsors, fiduciaries or others from knowingly hiring, retaining, employing or otherwise allowing these convicted individuals during or for the 13-year period after the later of the conviction or the end of imprisonment, to serve as:

  • An administrator, fiduciary, officer, trustee, custodian, counsel, agent, employee, or representative in any capacity of any employee benefit plan;
  • A consultant or adviser to an employee benefit plan, including but not limited to any entity whose activities are in whole or substantial part devoted to providing goods or services to any employee benefit plan; or,
  • In any capacity that involves decision-making authority or custody or control of the moneys, funds, assets, or property of any employee benefit plan.

Because ERISA’s bonding requirements and its requirements for the prudent selection of fiduciaries and service providers are fiduciary obligations, breach of these provisions carries all the usual exposures of a fiduciary breach.

Bonding exposures can arise in an audit or as part of a broader fiduciary investigation. The likelihood of discovery in a Labor Department audit or investigation is high, as review of bonding is a standard part of audits and investigations. The Employee Benefits Security Administration (EBSA) Enforcement Manual specifies in connection with the conduct of a fiduciary investigation or audit:

… the Investigator/Auditor will ordinarily determine whether a plan is in compliance with the bonding, reporting, and disclosure provisions of ERISA by completing an ERISA Bonding Checklist … These checklists will be filled out in fiduciary cases and retained in the RO workpaper case file unless violations are uncovered, developed, and reported in the ROI.

In the best case scenario, where the bonding noncompliance comes to light in the course of an EBSA audit where no plan loss resulted, the responsible fiduciary generally runs at least a risk that EBSA will assess the 20 percent fiduciary penalty under ERISA Section 502(l).

If the bonding lapse comes to light in connection with a fiduciary breach that resulted in damages to the plan by a fiduciary or other party, the bonding insufficiency may itself be a breach of fiduciary duty resulting in injury to the plan. Where this breach left the plan unprotected against an act of dishonesty or fiduciary breach by an individual who should have been bonded, it may spread liability for the wrongful acts of the wrongdoer to a plan sponsor, member of management or other party serving in a fiduciary role who otherwise would not be liable but for deficiencies in the bonding or other credentialing responsibilities.

Under ERISA Section 409, a fiduciary generally is personally liable for injuries to the plan arising from his own breach (such as failure to properly bond) or resulting from breaches by a co-fiduciary of which he knew or should have known through the prudent exercise of his responsibilities.

Of course, in the most serious cases, such as embezzlement or other criminal acts by a fiduciary of ERISA, the consequences can be quite dire. Knowing or intentional violation of ERISA’s fiduciary responsibilities exposes the guilty fiduciary to fines of up to $10,000, imprisonment for not more than five years, or both. Even where the violation is not knowing or willful, however, allowing disqualified persons to serve in fiduciary roles can have serious consequences such as exposure to Department of Labor penalties and personal liability for breach of fiduciary duty for damages resulting to the plan if it is established that the retention of services was an imprudent engagement of such an individual that caused the loss.

When conducting such a background check, care should be taken to comply with the applicable notice and consent requirements for background checks conducted by third parties under the Fair Credit Reporting Act (FCRA) and otherwise applicable law. As such background investigations generally would be conducted in a manner that qualifies as a credit check for purposes of the FCRA, conducting background checks in a manner that violates the FCRA credit check requirements can itself be a source of significant liability.