Protecting Irish consumers: a deep dive into the Central Bank’s recent ‘Dear CEO’ letter
18 September 2024
The Central Bank of Ireland (CBI) issued a “Dear CEO” letter to Irish insurance CEOs on August 29, 2024, demanding a shift towards more robust consumer protection risk management frameworks. This follows the Central Bank of Ireland’s recent completion of a targeted Consumer Protection Risk Assessment (CPRA), focusing on Module 1, which evaluated the effectiveness of insurance companies’ risk management frameworks. The letter outlines a series of specific expectations and time-pressured requirements for insurers to strengthen their frameworks and prioritize consumer interests.
What are the CBI’s expectations?
The CBI expects firms to complete a gap analysis of all elements set out in Module 1: Governance and Controls of the 2017 Guide, and to put a plan in place to mature their frameworks if applicable. These plans must be presented to the Board for approval no later than 30 November 2024, with timelines for implementing the required changes to be no later than 30 June 2025.
Firms are also expected to provide the Central Bank with the name of an individual in a PCF role with accountability for delivery of the expectations set out in the letter by 30 September 2024.
In addition, firms should consider including assessment against the 2017 Guide for Modules 2, 3, 4 and 5, as a matter of good practice, in their future audit and compliance plans.
This article provides a deeper look into the expectations set out in the CBI’s letter across Module 1, Risk Management, Control Functions and Consumer Reporting.
Risk Management
The CPRA found significant gaps in many firms’ frameworks, specifically a lack of clear ownership for identifying, assessing, and monitoring consumer protection risks. This lack of ownership weakens the effectiveness of frameworks, potentially leading to firms failing to identify and mitigate consumer protection risks.
- Action required: Insurance firms must conduct a thorough gap analysis, identifying weaknesses in their frameworks compared to the CBI’s expectations outlined in the CPRA model and the 2017 CPRA Guide. They should establish clear ownership for risk identification, assessment, and monitoring, and define consumer/conduct risk within the firm’s overall risk management framework. Ensuring risk appetite statements explicitly address consumer protection risk is also crucial. Firms must submit their plan to the Board by 30 November 2024, with implementation of changes completed by 30 June 2025.
Control Functions
The CPRA emphasizes the importance of well-defined control function strategies aligned with the firm’s overall strategy. These strategies should have clear responsibilities and documented linkages between functions to foster collaboration and engagement. The CPRA notes that while most firms demonstrate clear roles and responsibilities, some firms’ monitoring plans lack sufficient challenge and engagement.
- Action required: Firms should review and document control function strategies to ensure they are well-defined and aligned with the firm’s overall strategy. Strengthening processes for setting and approving monitoring plans, emphasizing consumer considerations, is also critical. Control functions should be adequately resourced, having the necessary expertise and skills to effectively challenge business units and influence decision-making.
Consumer Reporting
Effective consumer reporting is essential for understanding and managing consumer protection risks. The CPRA calls for comprehensive management information (MI) systems that focus on consumer outcomes and drive effective risk management.
While most firms have implemented consumer-specific MI reporting, some have limited, insufficient, or poorly focused MI systems. The maturity level of consumer reporting, including Key Risk Indicators (KRIs) and metrics, varies significantly across firms. While most firms demonstrate their ability to identify and mitigate consumer risks, some lack the depth and actionable insights in their reviews and reporting.
- Action required: Firms should conduct a comprehensive review of MI systems and reporting processes, ensuring they are comprehensive, consumer-focused, and drive effective risk management. They should enhance the use of automated consumer MI, leveraging manual intervention to support analysis and commentary. Regular review and updates to consumer KRIs and metrics should ensure they accurately reflect the firm’s risk appetite, are measurable and challenging, and provide full coverage of consumer protection risks.
What is next?
Insurers need to act quickly to implement these changes within the tight timelines set out.
4most’s actuarial team are here to help you navigate the ever-evolving regulatory landscape. Get in touch if you are interested in learning more about how we can support your organisation – info@4-most.co.uk.