Compliance Strategies for Federal and State Regulations

The conservative nature of the vast majority of insurance companies in this country makes regulatory compliance a very straightforward issue for them. The fiduciary responsibilities of executives and officers, as well as the myriad of rules and regulations under which carriers operate, do not make compliance an optional event. Meeting deadlines for filings with state governments, the federal government and industry associations is a well-known driving force within the business operations and information technology areas of insurance companies. To be clear, regulatory compliance is much akin to breathing for insurance companies.

Recent events, however, have thrust this otherwise veiled and uninteresting aspect of insurance into the light of public awareness and drawn the attention of software vendors as well. The complexity and depth of some of the more prominent new regulations have caused otherwise staid compliance areas to consider how to optimize their activities.

In addition, the fact that most of these new laws and regulations come from the federal government makes for an additional source of pressure and reporting anxiety. The regulations in question include the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Financial Services Modernization Act of 1999 (a.k.a. the Gramm-Leach-Bliley Act or GLBA), the USA Patriot Act of 2001, and the Sarbanes-Oxley Act of 2002 (SOX).

Each of these regulations has a different impact on insurers. The oldest, HIPAA, affects the information processing functions of life and annuity (L&A) and property and casualty (P&C) carriers only to the extent that they exchange protected health information (PHI) with a "covered entity." "Covered entity" is the term used for the companies and organizations (such as doctors, hospitals, and health insurers) that are most directly regulated by HIPAA. The original intent of the legislation was to reduce healthcare costs by standardizing information exchange (by using things like the American National Standards Institute's X12 data format) and administrative procedures.

Most types of insurance providers, other than health insurers, are generally not regarded as covered entities. However, when dealing with healthcare providers or health insurers that are covered entities, other insurers will need to comply with HIPAA data standards. The privacy aspect of HIPAA arose when it became clear that the electronic transmission of personal healthcare information was a significant part of making the system more efficient.

The October 16, 2003 implementation date for HIPAA's transaction and code set standards was troublesome for many health care providers, but the government supported temporary contingency plans to allow for delays in compliance with the data structures. In addition, the implementation date was extended for a year for smaller providers. Clarifications and modifications to this regulation and its rules, such as those acknowledging the need for life insurers and long term care insurers to receive some PHI, have been issued by the Secretary of Health and Human Services (HHS) and will likely continue for some time.

The overall costs for HIPAA compliance in the healthcare industry are estimated to be more than $17 billion, which HHS says will save almost $30 billion over 10 years through the efficiencies of electronic filing and claims handling, as well as fraud reduction. The costs for the P&C and L&A industries are nowhere near as high, approximately $100 million to $300 million, but could grow as the regulation and its rules change over time.

GLBA was intended to modernize the interactions of financial services institutions and change or repeal the laws governing banks, securities brokerages, and insurers. There are many aspects to this legislation that affect various financial service providers. The most significant impact that it has on insurers comes from the reciprocal licensing and consumer privacy provisions.

Operationally, many carriers have had to surmount their own internal barriers to meet the privacy provisions of GLBA, which require that customers be notified of the carrier's privacy policies regarding personal and financial information. The carriers in question had to coordinate the delivery of privacy notices, and then record the responses that policyholders returned, while controlling the cost of working in siloed environments.

This exercise, which had to be completed by July of 2001, exposed the difficulty that some carriers experience when they need to modify their workflows and operational processes. That effort has made more than a few insurers interested in enterprise content management and more automated workflow mechanisms. Across the insurance industry, estimates place the cost of the privacy provisions of this regulation alone at greater than $150 million.

In addition to the privacy policy notification, carriers must show that they can control and track with whom they share customer information, based on the customer's recorded wishes. The reciprocity aspect of the law primarily affects state departments of insurance, but it requires carriers to adopt changes in data formats for agents and brokers that work in different jurisdictions.

The most recent regulations affecting the financial services community, the USA Patriot Act and the Sarbanes-Oxley Act, have each caused a considerable amount of activity for insurers as they enter the world of anti-money laundering and more stringent corporate governance. While P&C carriers are currently exempt from the USA Patriot Act's anti-money laundering program requirements, it is important to remember that any rule that has been created can also be changed.

Both P&C and life insurers are, however, working to satisfy the "know your customer" aspect of the law, which in practice means actively screening customers against the Office of Foreign Assets Control (OFAC) list of Specially Designated Nationals (SDNs) to avoid doing business with "undesirables." (The OFAC screening obligation itself predates the Patriot Act and applies to all U.S. persons, but most carriers administer it within the same compliance program.) Many have implemented home-grown screening systems and may consider commercial systems to relieve themselves of the periodic updates and modifications required to keep pace with changes to the list.
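To make the screening task concrete, here is an added example of the kind of name-matching logic a home-grown OFAC screen performs. It is illustration written for this article, not code from any carrier's system or from OFAC; the SDN entries are constructed placeholders (not real list data), and the `threshold` value is an assumption that a real program would calibrate against its own false-positive volume using the list as published by Treasury.

```python
"""Screen a customer name against a sanctions list of primary names and aliases.

Added illustration for the OFAC/SDN discussion; not code from the article or
from any carrier.  SAMPLE_SDN is constructed sample data, not real list entries,
and the match threshold is an assumed tuning value.
"""
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed entries shaped loosely like SDN records: a primary name in
# "LAST, FIRST" order plus "a.k.a." aliases.  Aliases must be screened too;
# they are what catch short forms such as "J. DOE".
SAMPLE_SDN = [
    {"uid": 1, "name": "DOE, JOHN ALBERT", "aka": ["JOHN A. DOE", "J. DOE"]},
    {"uid": 2, "name": "EXAMPLE TRADING CO.", "aka": ["EXAMPLE TRADING COMPANY"]},
    {"uid": 3, "name": "MUELLER, HANS", "aka": ["MÜLLER, HANS"]},
]

_PUNCT = re.compile(r"[^A-Z0-9 ]+")
_CORP_SUFFIX = {"CO", "COMPANY", "CORP", "CORPORATION", "INC", "LTD", "LLC"}


def normalize(name):
    """Fold a name into comparable tokens: strip accents, case and punctuation,
    reorder 'LAST, FIRST' into natural order, drop corporate suffixes."""
    n = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    n = n.upper()
    if "," in n:                      # "DOE, JOHN" -> "JOHN DOE"
        last, first = n.split(",", 1)
        n = first + " " + last
    n = _PUNCT.sub(" ", n)
    return [t for t in n.split() if t not in _CORP_SUFFIX]


def token_match(a, b):
    """Two name tokens match if equal, or if one is an initial of the other."""
    if a == b:
        return True
    return (len(a) == 1 and b.startswith(a)) or (len(b) == 1 and a.startswith(b))


def similarity(query_tokens, entry_tokens):
    """Score in [0, 1]: order-insensitive token coverage, backed by a
    character-level ratio so that a one-letter typo still scores high."""
    if not query_tokens or not entry_tokens:
        return 0.0
    remaining = list(entry_tokens)
    hits = 0
    for q in query_tokens:
        for i, e in enumerate(remaining):
            if token_match(q, e):
                hits += 1
                del remaining[i]
                break
    coverage = hits / max(len(query_tokens), len(entry_tokens))
    fuzzy = SequenceMatcher(
        None, " ".join(sorted(query_tokens)), " ".join(sorted(entry_tokens))
    ).ratio()
    return max(coverage, fuzzy)


def screen(customer_name, sdn=SAMPLE_SDN, threshold=0.85):
    """Return (decision, best_score, matched_uid).  A hit is routed to an
    analyst as HOLD rather than auto-rejected: name screening produces false
    positives, and the final call belongs with compliance staff."""
    q = normalize(customer_name)
    best_score, best_uid = 0.0, None
    for entry in sdn:
        for variant in [entry["name"]] + entry["aka"]:
            s = similarity(q, normalize(variant))
            if s > best_score:
                best_score, best_uid = s, entry["uid"]
    if best_score >= threshold:
        return "HOLD", best_score, best_uid
    return "CLEAR", best_score, None


if __name__ == "__main__":
    for applicant in ["John Doe", "Jon Doe", "Hans Müller",
                      "Example Trading Company, Inc.", "Jane Smith"]:
        print(applicant, "->", screen(applicant))
```

The design choices worth noting: accent folding and alias screening are what make "Hans Müller" hit an entry filed as "MUELLER, HANS"; initial matching is deliberately weak (a lone "J" is a low-confidence signal), so a name like "Jane Smith" clears even though an alias "J. DOE" exists; and every hit is a HOLD for human review, never an automatic rejection.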

Other aspects include the filing of various reports, such as suspicious activity reports (SARs), and internal audits of compliance programs. As with the other compliance issues mentioned, there are stiff fines for non-compliance. Already, financial services firms have paid fines ranging from $10,000 to $3 million for failing to meet the reporting requirements of the regulation.

Finally, publicly traded insurance companies are now faced with the additional accounting requirements of the Sarbanes-Oxley Act of 2002. The final rules are still being written for some sections, but many companies are reacting to what they already know. It amounts to collecting, indexing and storing large amounts of data about internal financial and accounting activity to prove that the company is compliant with the various sections of the new law. Two sections of particular importance are 302, which requires senior executives to certify the accuracy of the company's financial reports, and 404, which requires management to assess and report on the effectiveness of its internal controls and procedures over financial reporting.

Unlike the Year 2000 "bug" problem, these new regulations are not going to be handled by specific fixes to problem code. The overall message to the financial services industry is to make sure that their systems are flexible enough to accommodate what appears to be the ongoing battle to preserve privacy and actively work against malfeasance in whatever forms it may take. Information technology will clearly play a continuing role to provide insurers with the tools needed to carry out these new mandates.
