CBI's Dear CEO: Assessment of Consumer Protection in Insurance

The Central Bank of Ireland (CBI) has issued a crucial "Dear CEO" letter to insurance firms, reflecting the findings of its recent Consumer Protection Risk Assessment (CPRA).

This marks a significant update to the regulatory framework, aimed at enhancing consumer trust and safety in the insurance sector. The CPRA focuses on assessing how well insurance companies manage consumer risks and maintain high standards of conduct and governance, emphasising the need for stronger protections and oversight.

The CBI's CPRA scrutinised the consumer protection risk management frameworks across various insurance firms. The assessment is part of a broader effort by the CBI to ensure that insurance companies are not only aware of but also adept at managing the risks their consumers face. 

A key aspect of this assessment is the emphasis on cultivating a consumer-focused culture within insurance firms. The CBI expects firms to demonstrate a strong commitment to high standards and effective risk management. Since the introduction of the CPRA Model in 2017, there has been a noticeable shift towards more rigorous supervisory assessments, aimed at enhancing conduct and consumer protection.

The CPRA Guide, published alongside the 2017 model, outlined the CBI’s expectations for firms to build and refine their consumer protection frameworks. It highlighted the need for robust compliance and risk management processes to anticipate, avoid, and manage consumer risks. 

This ongoing scrutiny is crucial as it helps ensure that insurance firms not only comply with regulatory standards but also actively work to improve their risk management practices.

Findings

  1. The CBI highlighted that there was no clear ownership for the identification, assessment, mitigation and monitoring of consumer protection risk and that firms were unable to demonstrate how they are delivering good customer outcomes.
  2. Identified risk for assessment: There is a risk that the control functions may not effectively support the identification, monitoring, and management of consumer protection risks. As a result, these functions might fail to influence the firm’s behaviour in a way that ensures fair customer outcomes. If firms do not adequately resource and ensure the effectiveness of control functions, they risk neglecting the consumer in their day-to-day activities and decision-making processes.
  3. The CBI highlighted a risk that the Management Information (MI) used to monitor and track consumer outcomes may be limited, insufficient, or inadequately focused, and/or not utilised effectively to drive consumer protection risk management. If firms fail to collect and monitor the appropriate MI, they risk being unable to identify current and future consumer protection risks affecting their business.

Key actions to take

Firms must review the expectations, findings, and best practices outlined in the "Dear CEO" letter and the 2017 Guide, assessing their consumer protection risk management frameworks. They should conduct a gap analysis to identify weaknesses in governance and controls, develop plans to address these gaps and obtain Board approval.

The plan must be presented to the Board by November 30, 2024, with implementation completed by June 30, 2025, as per the individual sections.

Consumer Protection Risk Management (Element 5)

Firms should ensure that there is clear ownership for the identification, assessment, mitigation and monitoring of consumer protection risks.

Control Functions/Consumer Monitoring (Element 3)

Firms must align control functions with their overall strategy, emphasising consumer protection. Clearly define roles, ensure collaboration, and prioritise consumer interests in monitoring. 

Regularly review resources and effectiveness, demonstrating how control functions mitigate risks and influence actions to protect consumers. Rigorous committee oversight is essential.

Consumer Reporting (Element 6)

To comply with these requirements, firms should enhance systems and processes to increase the use of automated consumer management information (MI), supplemented by manual analysis when needed. 

This approach ensures MI effectively addresses current and emerging consumer protection risks, with a focus on outcomes. Regularly review and update Key Risk Indicators (KRIs) to align with risk appetite, ensuring they are measurable, challenging, and comprehensive.

Conclusion

The CBI’s latest "Dear CEO" letter underscores the importance of a well-governed and consumer-centric insurance sector. While the CPRA revealed significant progress in how firms manage consumer risks, it also highlighted varying levels of maturity across the industry. Some firms have advanced their frameworks effectively, while others still have considerable work to do.

Insurance firms should review their current frameworks in light of this Dear CEO letter. They must complete a gap analysis, present improvement plans to their boards by November 30, 2024, and implement necessary changes by June 30, 2025. The CBI will continue to engage with firms to monitor progress and ensure that consumer protection remains a top priority.

Grant Thornton Ireland is ideally suited to assist your firm in navigating the complexities of this Dear CEO letter and the revised Consumer Protection Code by evaluating its impacts and adapting your practices accordingly. 

Our seasoned regulatory team specialises in performing comprehensive gap analyses and devising detailed compliance plans and strategic roadmaps. With international expertise in managing cases involving vulnerable customers, we excel at implementing change initiatives.

Our proven track record includes collaborating with retail banks on mortgage arrears cases, and our experienced complaint management team is adept at developing customised solutions for large-scale projects in both the banking and insurance sectors.