August 2022
An integral part of any robust corporate governance framework
Self-reporting of material breaches and incidents to the Insurance Authority (“IA”), should be a core part of the corporate governance and control framework of every authorized insurer, licensed insurance broker company or licensed insurance agency (collectively “regulated entities”). Along with the periodic inspections carried out by the IA and the communications that take place through the day-to-day supervisory process, self-reporting on material matters forms an important part of the regular engagement between the IA and the regulated entities which are subject to its supervision, ensuring that problems are being identified, addressed and rectified in a timely manner and policyholder interests are being upheld.
The Benefits of Self-Reporting
Self-reporting material breaches and incidents to the IA (and other relevant regulatory bodies), brings with it the following potential benefits:
Self-reporting demonstrates that the detection controls which are part of the regulated entity’s governance have operated effectively to detect the problem being self-reported;
Self-reporting a matter to the IA, serves as an opportunity to relate to the IA the remediation steps which have been taken to fix the problem;
The discipline of self-reporting promotes early detection and isolation of the problem, by enabling steps to be taken to limit the spread of the problem (through, for example, mechanisms such as audit calls);
A regulated entity can also, through self-reporting, show how it has identified the root cause of the problem and made improvements to address that root cause.
By these means, through self-reporting matters to the IA, a regulated entity can give confidence to the IA that its corporate governance and controls are working as they should do.
By contrast, the absence of self-reporting could have a significantly detrimental effect on a regulated entity. For example, a reluctance to self-report a material breach of the insurance regulatory framework (i.e. the Insurance Ordinance, or the rules, regulations, codes and guidelines administrated or issued by the IA) in order to seek to avoid disciplinary action being taken, will result in more severe disciplinary action being taken when the matter is eventually discovered. Indeed, if a regulated entity has covered up a breach, this itself would serve as a breach meriting severe disciplinary action being taken (where none might even have been contemplated had the original matter been self-reported). Further, depending on the circumstances, a repeated failure to self-report incidents may raise systemic questions about the adequacy of entity’s entire governance and control system, prompting the IA to have to carry out an immediate inspection or investigation. After all, if the regulated entity has sought to hide one particular breach, it begs the obvious question as to what other breaches it may have hidden or turned a blind eye to.
If, however, a breach is self-reported this would at the very least serve as a mitigating factor capable of reducing the level of disciplinary sanction to be applied (or indeed it may avoid disciplinary sanction altogether). Indeed, self-reporting may serve as a means of demonstrating to the IA that the breach occurred, not because of any weakness in the entity’s governance and control system, but in spite of having adequate and reasonable governance and controls in place, which served to detect the problem and resulted in its remediation. A key person in control function who is able to demonstrate this, would certainly have discharged his or her duties!
For these reasons, from the regulatory perspective, regulated entities which have in place robust self-reporting mechanisms and which engage transparently with the IA when problems arise, tend to be viewed as being better run than those which do not. Hence, self-reporting should be taken seriously and considered as an integral part to any robust corporate governance and control system.
What type of incidents should regulated entities self-report to the Insurance Authority?
Licensed Insurance Broker Companies and Licensed Insurance Agencies
The Code of Conduct for Licensed Insurance Brokers and the Code of Conduct for Licensed Insurance Agents (“the Codes”) set out in their respective Part IX, requirements for the matters which broker companies and agencies should self-report to the IA. Essentially, these consist of two types of matters.
Firstly, there is a prescribed list of incidents which must be reported to the IA when they occur to the broker company or agency. These are: (i) the filing of a petition to wind-up the entity; (ii) the bankruptcy of any directors, controllers, partners or licensed technical representatives of the entity; (iii) a disciplinary action taken against the entity or its technical representatives by the Hong Kong Monetary Authority, the Securities and Futures Commission or the Mandatory Provident Fund Schemes Authority; or (iv) any criminal conviction (other than a minor offence) of the entity or its directors, controllers, partners or technical representatives by any court in Hong Kong or elsewhere.
Secondly, broker companies and agencies are required to self-report to the IA, “material” breaches of the insurance regulatory framework, or “material” incidents.
A breach or an incident is considered material if:
it adversely impacts or is likely to adversely impact the entity’s ability to carry on regulated activities;
that the entity’s controls or procedures are inadequate to ensure compliance by the broker company/agency or its technical representatives with the requirements under the insurance regulatory framework; or
it has caused or may cause loss to a client or to the entity itself.
Licensed insurance broker companies and licensed insurance agencies are therefore required to establish a process for assessing whether a breach or an incident is material in line with the above factors and should self-report such material breaches or incidents to the IA. Indeed, the Codes encourage broker companies or agencies, if they are in any doubt as to whether a breach or incident is material, to err on the side of caution and to report it to the IA. As outlined above, there are significant benefits to doing this in terms of the confidence it may give the IA in the broker company’s or agency’s corporate governance system in detecting and remediating such issues, or in terms of mitigating either the prospect, or extent of any disciplinary action.
In its enforcement approach against intermediaries, when considering whether to address a breach by way of disciplinary action or by other means (such as a letter of concern), the IA has already been taking into account whether or not the matter was self-reported. Self-reporting is, therefore, generally encouraged.
Authorized insurers
As regards the self-reporting obligations for authorized insurers, the IA’s general expectation is as follows:
Firstly, an authorized insurer should have in place systems and procedures to capture and record any breaches of requirements under the insurance regulatory framework, by the insurer or its licensed individual insurance agents or licensed insurance agencies. An authorized insurer should make this record available for inspection by the IA when requested (for example, as part of a formal inspection or as part of a periodic supervisory request).
Secondly, an authorized insurer needs to self-report material breaches and incidents to the IA when they are discovered. A “material” breach or incident is one which (i) adversely impacts the insurer’s ability to carry on business; (ii) indicates systemic deficiency in the insurer’s governance, controls and procedures; (iii) potentially causes undue loss or prejudice to policy holders; (iv) causes reputational risk or significant financial consequences to the insurer; or (v) adversely impacts the fitness and properness of its controllers or key persons, or any of its licensed individual insurance agents or licensed insurance agencies.
For these purposes, therefore, an authorized insurer is expected to have in place:
Processes for identifying breaches of the insurance regulatory framework by the insurer or by any of its appointed licensed insurance agents or agencies;
A process for assessing whether such breaches (or other incidents) are “material” in line with pre-set materiality criteria;
A process for capturing non-material breaches in, say a dashboard or spreadsheet format for inspection by the IA upon request; and
A process for investigating and reporting to the IA on “material” breaches.
When should such matters be self-reported to the IA?
In terms of timing, material breaches or incidents should be reported to the IA as soon as reasonably practicable. In this regard, the following should be borne in mind:
Generally, material breaches or incidents should be self-reported to the IA as soon as the regulated entity is in a position to inform the IA what the material breach or incident is, how it occurred, the potential adverse impact and the steps being taken to remediate.
The obligation to self-report is not intended, however, to interrupt or divert resources away from the regulated entity in addressing or remediating the matter.
If the internal investigation of the matter by the regulated entity is going to take significant time to carry out, the matter should be self-reported to the IA well in advance of its completion, setting out the main facts discovered, steps taken up to the time of the self-report and indicating the way forward. This may be followed by updating reports as the investigation progresses through to completion (addressing any questions the IA has arising from the initial self-reports provided).
The more severe or widespread the matter (for example, in terms of number of policy holders potentially adversely impacted) the earlier and more immediately it should be self-reported to the IA.
It would be more beneficial (for example, to the regulated entity) to self-report the matter to the IA before the IA learns of the matter through another source.
Template for self-reports
The IA does not prescribe a template which must be used to make self-reports. However, to ensure consistency and to provide an indication of the level of detail expected in a self-report, the IA encourages regulated entities to use for the purpose of self-reporting, the same template of report used when reporting on complaint matters. We referred to this template in our previous edition of Conduct in Focus (4th edition dated March 2022).
If you require a copy of this template, or if you have any questions about self-reporting generally, please contact us via [email protected].