Solvency 2 FSA Data Audit for IMAP

I haven’t written a post about Solvency 2 (or Solvency II if you prefer) for a while and, given it is still my primary focus with my current client, I thought it was about time I gave a quick update.

For those of you who aren’t aware, most UK-based insurance firms (especially those applying to use their own internal models) will currently be concentrating on the FSA Solvency 2 ‘Data Audit’ and whilst they will all be at various stages in the process, they will be focusing on similar pieces of work and experiencing similar challenges. The ‘Data Audit’ is effectively a review requested by the FSA in which each firm is expected to undertake an independent audit (internal, external or a mixture of both) of their data management practices. The findings of this audit will subsequently form part of the FSA’s Internal Model Approval Process (IMAP) and help the FSA in its assessment of whether a firm is compliant with the standards for data as set out in the Solvency 2 directive. The scope of the review has been defined as all data (both internal and external) that could materially impact the Internal Model.

As part of their supportive material the FSA developed a review ‘tool’ to be used as guidance in undertaking the review. It is basically a short document that informs firms on what they could/should be doing in order to satisfy the standards set out in the Solvency 2 directive and also the expectations as to what could be required as supportive evidence to a firm’s application.

After the review is completed the FSA expect the organisation to compile and submit a summary report of findings and be in a position to make available any supportive evidence.

The review schedule has five sections as follows:

  1. The approach to managing data used in the internal model (i.e. a data policy)
  2. The level of oversight around the development and implementation of the data policy
  3. The level of understanding of data used in the internal model
  4. The impact of data issues on the integrity of the internal model and management decisions
  5. General IT issues that could compromise the quality of data of the internal model

These sections correspond to the risks that the FSA have called out as being key considerations in ensuring that data used in the internal model meets the data quality requirements of the Solvency 2 directive. Whilst the risks are relatively high level, for each one the FSA have also detailed their expected controls. It is this information along with the suggested assessment approach which, I feel, is some of the most prescriptive and useful guidance we’ve had as to what should be in place for Solvency 2. These risks and expected controls can be summarised as follows:

Risk 1: The approach to managing data for use in the internal model does not ensure consistency in quality and application of the internal model.

Expected controls: An established data policy with relevant procedures and standards. The data policy should as a minimum contain: defined data sets; a definition of materiality; ownership, roles and responsibilities; definition of data quality assessment; process for the use of assumptions; process for data updates to the internal model; and a process for undertaking risk and impact assessments.

Risk 2: Inadequate oversight of the development and implementation of the data policy increases the risk of poorly informed decision-making and non-compliance with the required quality and standards.

Expected controls: Defined and operational Data Governance structures and processes. A system for reporting data quality metrics and a process for the management of data deficiencies.

Risk 3: Lack of a clear understanding of the data used in the internal model, and of its impact and vulnerabilities, can create gaps in ownership and control.

Expected controls: A directory of all data (or a ‘data directory’, as many firms are referring to it) used in the internal model specifying source, usage and characteristics. Also a completed risk and impact assessment calling out the impact of poor quality data, where failures are more likely to occur, and tolerances for when data-related issues become material.

Risk 4: Errors, omissions and inaccuracies in the data can undermine the integrity of the internal model and management decision making.

Expected controls: Implementation of data quality controls that include checks for the Solvency 2 definition of ‘completeness’, ‘accuracy’ and ‘appropriateness’.

Risk 5: Unreliable IT environment, technology or tools can compromise the quality and integrity of the data and its processing within the internal model.

Expected controls: IT general computer (ITGC) controls such as: access management; change management; IT security; business continuity; and incident management.

For most firms the list of expected controls will pose a fair challenge and, depending on how seriously they have taken data management in the past, there will be any number of gaps to address.

As I stated, I believe this guidance is some of the clearest and most prescriptive to come out from the FSA with regard to the data requirements of Solvency 2; however, it is still not entirely free from subjective interpretation. Many of the challenges I have experienced are initially caused by the differing interpretations of stakeholders as to what is actually required. It’s a case of striking the correct balance between the expectations of the FSA, the auditors and the various internal stakeholders whilst also trying to deliver business benefit (or at least trying to minimise operational impact). There’s also the (always fun) challenge of meeting tight timescales, resource constraints and ever-changing requirements, which means establishing the sweet spot of delivering flexible solutions that meet the requirements of Solvency 2 without ending up being convoluted, unachievable or of inhibiting expense. In summary, there is a lot of work to do!

Hopefully a lot of the UK banking firms are taking serious note and following the developments of the insurance firms participating in Solvency 2. The reason I say this is that Basel 3 (Basel III) is coming round the corner and I would imagine that there will be very similar data-related directives coming with it. Of course the smart firms will already have kicked things off, won’t they?
