Dutch market faces ongoing ‘integrity risk’ scrutiny
Global | Publication | April 2016
Introduction
In early 2015, the Dutch Central Bank (De Nederlandsche Bank, DNB) launched a thematic investigation into integrity risk analyses (integriteitsrisicoanalyses) in the Dutch financial sector. As part of its investigation, DNB investigated over 170 integrity risk analyses of insurers, banks, payment institutions, trust offices and pension funds. In the summer of 2015, DNB concluded that over 80 per cent of the integrity risk analyses performed were inadequate.
In February 2016, DNB stated that it will continue to focus on integrity risks for various financial institutions, including insurers. In particular, DNB indicated that corruption through conflicts of interest and bribery continues to pose a significant integrity risk to insurers, but is often underestimated or insufficiently addressed. DNB concluded this on the basis of the outcome of its thematic investigation into corruption in the Dutch insurance sector. According to DNB, corruption poses a serious threat to insurers’ integrity and ethical and sound business operations.
In this article, we first provide a brief overview of the requirement for Dutch insurers to perform an integrity risk analysis and what DNB considers such an analysis should entail. Following this, we will discuss DNB’s findings and good practice guidance on how insurers should be dealing with corruption.
Integrity risk analysis
Pursuant to the Act on the Financial Supervision (Wet op het financieel toezicht, AFS), both life insurers (levensverzekeraars) and non-life insurers (schadeverzekeraars) must ensure a systematic analysis of ‘integrity risks’. An integrity risk is defined as a:
‘threat to the reputation of, or the current or future threat to the capital or the results of a financial institution due to insufficient compliance with the rules that are in force under or pursuant to the law.’
Examples of integrity risks are market manipulation, fraud, terrorist financing, money laundering, unethical behaviour of the insurer’s personnel (or third parties hired by or affiliated to the insurers), cybercrime and corruption (bribery).
In order to be able to map, and subsequently mitigate, integrity risks and to achieve risk-based compliance with integrity legislation, insurers need to perform an effective integrity risk analysis. This will require a thorough overview of the insurer’s entire organisation, which includes, amongst other things, the roles that departments or staff members play within the organisation, the market(s) in which the insurer operates and the third parties (customers, agents, suppliers) that the insurer deals with. It is apparent that insurers will only be able to create effective procedures and take effective measures if they are fully aware of the integrity risks that they are, or may possibly be, facing.
Good practices: integrity risk analysis
DNB published a document entitled ‘Integrity risk analysis – More where necessary, less where possible’ (the Good Practices Document).
In the Good Practices Document, DNB sets out how financial institutions, including insurers, should prepare an integrity risk analysis, how they should perform it and what consequences must be attached to its outcome. According to DNB, an insurer needs to take the following steps to ensure that an integrity risk analysis is comprehensive and effective:
Step 1: preparation and identification
- Make an inventory for each business unit, branch office, subsidiary of the organisation with respect to customers, countries, products, staff and third parties. This will require mapping of the different areas of the insurer’s organisation.
- Assess which integrity risks the insurer is likely to face, which factors play a role for each risk and what form they may take.
- Develop a scoring system, allowing it to determine how to assess the likelihood and impact of each integrity risk.
Step 2: risk analysis
- Determine the likelihood of each risk manifesting itself and the resulting impact of each risk.
- Assess the gross risk and verify whether this is within the boundaries of the insurer’s risk appetite. Likelihood and impact together constitute gross risk. The insurer’s risk appetite is a framework that is developed by the insurer’s board and senior management, which prescribes the type and level of risk that the institution is prepared to accept.
- List and assess the control measures that are necessary for each scenario/gross risk.
Step 3: assessment and measures required
- Determine the net risks for each scenario by subtracting the level of control from gross risk. The net risk is the residual risk remaining despite having fully effective control measures in place.
- Determine whether the net risk is within the boundaries of the insurer’s risk appetite.
- If the net risk is not within the boundaries of the insurer’s risk appetite, the integrity risk in question should be reduced or, if that is impossible due to the nature of the risk, additional measures should be taken.
Suitable measures to be taken by insurers
At the end of February 2016, DNB emphasised that corruption through conflicts of interest and bribery continues to be underestimated by insurers. This is based on its thematic investigation into corruption in the Dutch insurance sector. It has, amongst other things, become clear that almost all insurers fail to identify third party risks, for example the reputational risk for insurers as a result of their connection with relevant third parties such as tied agents and consultants. DNB expects insurers to be able to identify this corruption risk and take suitable measures in order to control this risk. However, according to DNB, third party due diligence is still not a standard practice in the insurance sector.
The investigation also revealed that large insurers, in general, inadequately monitor conflict of interest risks connected to the personal networks of their directors. According to DNB, there is a risk that directors, through their additional functions and in particular because of their individual financial interests, end up or appear to end up in situations whereby their individual interests prevail over those of the insurer.
DNB has published measures in the Good Practices Document that insurers could take to control their integrity risks:
- Creating the right tone from the top. Senior management should invariably emphasise the importance of compliance and integrity, and of combating corruption in particular.
- When engaging new employees (particularly for positions with a higher risk of corruption), attention should be paid to personality characteristics affecting corrupt behaviour. The brochure mentions the following examples: narcissism, self-confidence, independence and emotional instability ‘combined with the social circumstances of employees’.
- Screening employees (periodically) with regard to any criminal and financial antecedents, where it concerns employees who are in a position to affect the bank’s sound conduct of business.
- Giving training with regard to integrity, fighting corruption, conflict of interest and related topics.
- Establishment of a whistleblowing policy and an incident reporting scheme.
- Investigation (due diligence) of the background, activities and reputation of third parties before engaging them.
In the Good Practices Document DNB has supplemented the above measures with some additional good practices. DNB attaches significant value to internal communication about integrity and the insurer’s anti-corruption policies. It is for instance recommended that firms communicate the right tone from the top to all employees via newsletters and awareness e-mails. Furthermore, DNB notes that it should be clear for all employees what the sanctions are for corrupt behaviour.
DNB attributes an important role to senior management. The tone at the top referred to above is an example of this, as is the recommendation to let senior management play an active role in anti-corruption training and the subsequent discussions. It is proposed to let senior management also sign the code of conduct, in addition to all other employees.
Several good practices relate to (the hiring of) new employees. For instance, it is proposed to establish a separate job application panel focussing on the suitability of the applicant from an integrity perspective. DNB suggests further that extra background checks should be performed on applicants for integrity-sensitive jobs. In addition, it is recommended to give anti-corruption training to new employees shortly after commencement of their employment. These training sessions should be repeated periodically.
With regard to reporting corruption, DNB states that it should be clear throughout the entire organisation who is responsible for the implementation of the anti-corruption policy and that integrity incidents should be recorded (including near misses). In periodic compliance reports attention should be paid to the anti-corruption theme. These reports should also be provided to the supervisory board or the audit committee (if in place).
In relation to third party risk, DNB states that all payments to third parties should be approved by two persons and that these payments should be reviewed and assessed as to whether they are in accordance with market conditions.
Comment
The continuous attention that DNB is giving to the integrity risk analyses performed by insurers (and other financial institutions active in the Dutch financial sector) shows the importance of the requirement to have a solid integrity risk analysis in place and to translate this into effective policies. We expect that financial institutions, including insurers, will continue to face regulatory scrutiny in 2016 when it comes to integrity risks and that if insurers do not take appropriate action, DNB will consider imposing enforcement measures.