Insurance companies are quite accustomed to living with regulations. With each state promulgating its own requirements, carriers consider investments of time and resources for state filing and reporting as a fundamental cost of doing business.But several federal laws enacted over the last few years are ratcheting up the costs and complexity of regulatory compliance for the insurance industry, which is forcing carriers to consider a broader role for technology in their compliance programs.
This is a conclusion drawn in a report released by The TowerGroup Inc., a Needham, Mass.-based research and advisory firm. "The complexity and depth of some of the more prominent new regulations have caused otherwise staid compliance areas within insurance companies to take a hard look at how to optimize compliance-related activities," says Jamie Bisker, research director and author of the report, titled "Recent Regulations Affecting The Insurance Industry."
Not horsing around
Specifically, the Health Insurance and Portability Act of 1996 (HIPAA), the Gramm-Leach-Bliley Act of 1999 (GLBA), the USA PATRIOT Act of 2001, and the Sarbanes-Oxley Act of 2002 have raised the stakes of compliance for insurers.
HIPAA requires "covered entities," which includes health insurers, to standardize electronic information exchange on the American Standards Institute's X12 data format, while also protecting the privacy of consumers' personal health information. And GLBA also requires insurers to protect the privacy of consumers' personal and financial information.
The PATRIOT Act affects insurers that offer products that can be used to launder money. It requires those companies to track customers to determine suspicious monetary transactions.
And, Sarbanes-Oxley demands that publicly traded insurance companies provide clear, timely and accurate financial reporting-with the threat of criminal and financial penalties.
The challenges associated with these regulations make purchased solutions or services more attractive to compliance areas than ever before, Bisker says. "These laws are too important and too onerous to make mistakes. The government is not horsing around here."
In fact, Bisker cites several fines levied by the U.S. Treasury Department's Financial Crimes Enforcement Network for OFAC or PATRIOT Act compliance violations, including a $50,000 fine imposed on Guy Carpenter & Co., a division of Marsh McLennan, for "failure to regain funds in an interest bearing account" and some "unauthorized payments."
Several technologies, such as enterprise content management and data warehousing, lend themselves to the record-keeping and information retrieval requirements of several of these federal laws, and enterprise resource planning systems can help with the financial reporting requirements of Sarbanes-Oxley, Bisker adds.
In addition, he says, adaptive and flexible architectures can enable insurers to make operational changes quickly when existing regulations are modified or when new ones are adopted.
"An example of a good architecture is one that is table-driven or one that exposes business processes to the business units-and doesn't require the hands-on work of the IT shop," he says.
Canned solutions
Currently, few vendors offer canned technology solutions for most of the new regulations, but many provide outsourcing services, according to Bisker.
"We recommend a buy-versus-build, or a buy-and-build strategy to address compliance and infrastructure issues," he says.
The primary reason to use purchased software or to outsource parts of compliance rather than building solutions internally is to reduce costs associated with software maintenance and compliance failures, according to TowerGroup.
Organizations are beginning to understand the stakes involved in information management compliance, according to another report, this one released by the AIIM International, a Silver Spring, Md.-based association for enterprise content management.
More than 80% of respondents to an AIIM survey this year indicated they have already made changes to the way they handle information assets or are actively considering such changes.
When asked why they had made a change or were considering a change, 36.7% of those surveyed cited Sarbanes-Oxley, 26.4% cited HIPAA, and 15.7% mentioned a regulatory action of penalty.
