Good morning. Thank you very much to Bob Haken and colleagues at Norton Rose Fulbright for hosting today’s session this morning to discuss the PRA’s supervisory priorities for the insurance sector. I am planning to speak for around 15 minutes on the topics you have highlighted from our 12 January letter to the CEOs of UK insurers.
Our priorities are set in the context of our statutory objectives to ensure safety and soundness and to protect policyholders. They play an important role in focussing our effort towards those risks that we see putting those objectives at highest risk – whether from the perspective of urgency, importance or both. They also help provide a framework for decision making when we need to respond to events.
The priorities letters, which we now prepare annually, are a product of the PRA’s sector risk assessment and horizon scanning. The risk assessment is formed partly through adding up what we are finding in individual firms; and partly through a review of the external environment, including information from external analysts and analysis by colleagues on the macro prudential side of the Bank of England (Bank). The latter is one of the benefits of being able to join up macro and micro prudential assessment.
We are not expecting the issues in our letters to be particularly surprising but they give some context for the kinds of topics we may explore through our continuous assessments. They also give boards – and those who advise boards – an idea of the prudential risk topics covered by supervision and those matters that we think are most important at a given point in time. The value of a session like this is to test our views – are these similar to the priority risks your boards are considering now?
Norton Rose Fulbright selected four themes from the letter – climate change and ESG, diversity and inclusion, operational resilience and the PRA’s approach to third country branches. From very macro to a bit nearer micro, I’ll take them in that order.
Climate change and Environmental, Social, and Governance (ESG)
Climate change and ESG tend, quite reasonably, to be linked. Our role here, with reference to the ‘have regards’ in the HM Treasury recommendations letter to the PRA, is to satisfy ourselves that regulated firms are able to identify and manage the financial risks arising from climate change. This includes both physical and transition risks, which are underpinned by liability risk. The latter refers to the challenges that firms can face from claimants who have suffered loss from climate change.
The PRA published supervisory expectations for banks and insurers on climate in 2019, asking firms to consider how they can assess the climate-related financial risks associated with their clients and counterparties and have a clear high-level strategy for adapting to the range of potential climate outcomes.
More recently in October 2021, the PRA published a Climate Change Adaptation Report. This report provided an update on how regulated firms are responding to the risks from climate change, as well as the PRA’s updated supervisory strategy from 2022.
The Climate Change Adaptation Report indicated that firms have made progress against our supervisory expectations, although some have gone further than others. In light of this, from 2022, we will shift to actively supervising climate risks. The Climate Biennial Exploratory Scenario, in which twenty-one insurers are participating, will be a key exercise in helping firms and the PRA better understand the climate risks facing the industry. We recently launched a focussed second phase of the CBES, with qualitative questions focusing on firms’ management actions in response to the stress. Participants are due to respond by the end of March and we will publish a report on the CBES in May.
The Climate Change Adaptation Report also considered the role of capital requirements as a part of the supervisory toolkit. In 2022, we will continue to explore whether the current capital framework is fit for purpose or if there are changes required in order to capture climate risks adequately. We recently launched a call for research papers and will host a conference on the topic later in the year.
While climate change risks are a significant component of at least the E in ESG, the PRA does not have an explicit ESG remit. There is, however, considerable overlap in the Governance elements with our prudential supervision requirements and expectations: good governance is fundamental to effective risk management and to delivering good outcomes for policyholders. And an important aspect of Social is diversity and inclusion.
Diversity and Inclusion
Our focus in relation to diversity and inclusion in supervising insurers is on ‘diversity of thought’, also known as ‘cognitive diversity’; and we explained this in a joint discussion paper (DP 21/2) published last July by the PRA, the Financial Conduct Authority (FCA) and the Bank as the supervisors of Financial Market Infrastructure. Our aim with DP 21/2 was to gather views on how we can most helpfully accelerate the pace of meaningful change across the sector. We see a clear link to our objectives: research shows evidence of correlations between diversity and inclusion and positive outcomes in risk management, good conduct, healthy working cultures, and innovation. The 2008 global financial crisis highlighted the risks of unhealthy cultures and groupthink, where views, actions, and decisions go unchallenged. The London Market has not been immune to misconduct issues, though I would acknowledge the work Lloyd’s is leading to encourage market players to tackle problems. We will engage with firms on the issue of diversity and inclusion through our continuous assessment process.
This is not just a case of do as we say: the PRA and the Bank of England have plenty of room for improvement on diversity and inclusion, and have committed to make changes to achieve the same positive aims for ourselves that we seek in the wider financial sector.
Operational Resilience
The Covid-19 pandemic has had a significant impact on both the PRA and the firms we regulate, bringing business recovery and continuity to the fore. The structural shifts accelerated by the last two years mean operational resilience remains one of our priorities. There have been challenges directly attributable to the pandemic, such as mass working from home, and indirect challenges including major disruption caused by cyber-attacks and ransomware. Cyber risk continues to haunt all businesses and having a cyber-insurance policy does not substitute for the need for a robust framework to manage cyber risk. We have been doing some in-depth work using our CBEST threat intelligence assessments as well as holding robust technical discussions with insurers about their cyber risk management.
The disruption caused by the pandemic has shown why it is critically important for insurance firms to understand the services they provide and invest in their resilience to protect themselves, their consumers, and the financial system from disruption. Some of the changes made to cope with the pandemic will be permanent, and need to be incorporated into operational resilience planning. With the PRA’s complementary policies on operational resilience (SS1/21), and outsourcing and third party risk (SS2/21) coming into force from 31 March 2022, we look forward to continuing to work with firms as they implement our policies and improve their operational resilience.
Insurers are accelerating the migration of existing processes or the deployment of new processes to cloud service providers. Providing that it is configured and overseen properly, cloud can offer firms better operational resilience than on-site information technology infrastructure. There are risks however, and the Financial Policy Committee has recently stated that the increasing criticality of the services that third parties provide, as well as the concentration risk from a small number of providers, poses a threat to financial stability in the absence of greater direct regulatory oversight. Regulated firms currently have, and will continue to have, primary responsibility for managing the risks from their outsourcing arrangements and other third party dependencies. We also remain focused on this area, with PRA and FCA intending to publish a joint discussion paper in 2022 on how financial regulators can tackle the risks posed by critical third parties.
So looking forward, our teams will continue to work on the subject of operational and cyber resilience, outsourcing and third party risk management. We expect firms to be able to demonstrate their operational ability to withstand and recover from severe but plausible scenarios such as ransomware attacks.
Approach to Third Country Branches
We have long attracted international insurers looking to establish operations in the UK to take advantage of concentration of skills, proximity of fellow insurers, and strong legal and regulatory systems. As at end 2020 over 600 EU insurers held passporting permissions to write business in the UK although not all passports were actually in use. 190 of those firms from 20 countries chose to enter the Temporary Permissions Regime (TPR), with many of these insurers expected to apply for permanent authorisation. The TPR granted transitional relief for quantitative reporting, to allow firms time to put systems and processes in place. However, this relief is due to expire at the end of this month, March 2022.
In line with the PRA’s openness to insurers seeking to operate in the UK, we will assess applications against a clear and consistent set of criteria. This includes hosting business on a cross-border basis both from the EU and further afield, provided, among other things, that we are satisfied that the level of “supervisability” of the EU branch and its parent entity is commensurate to the level of risk it poses to the PRA’s statutory objectives.
We are, however, also conscious of the need to ensure a level playing field among all insurers operating in the UK: insurance branches are not held to lower standards, which would distort competition and potentially increase the risks to safety and soundness and policyholder protection. We have also been clear that some overseas insurers have UK liabilities that represent too great a risk to PRA objectives to rely on branch supervision with its inherent limitations, even with strong co-operation from home state regulators. We have set limits based on the level of retail insurance liabilities and our expectation remains that those insurers with very large exposure to the UK retail market will establish subsidiaries to operate here, giving the UK more direct oversight over their operations.
The PRA is required to assess authorisation applications against our objectives, with the level of detail in our assessment, and the level of intensity of our subsequent supervision, proportionate to our view of the potential impact of the branch. As we proceed, it is important that firms continue to submit high quality applications and prioritise engagement with us during the review process.
The priorities letter covers a number of other areas, which can be wrapped up under a broad heading of financial resilience in the face of multiple external uncertainties, of which climate change is just one. We are all acutely aware of geopolitical risk at this time. And the long term impacts of the pandemic and ensuing structural economic changes are not yet known. Our 2022 insurance stress test is a key piece of work to assess both asset and liability exposures and firms’ oversight and risk management. Our mission is to secure the insurance sector’s continued ability, including in stressed conditions, to support the wider economy by providing financial protection and security to policyholders. While the mission is timeless, this year, Boards’ engagement in the four issues I have outlined is critical to the effectiveness of insurers:
- Taking steps to support an orderly transition to net zero – through implementing and embedding the expectations of our supervisory statement, completing the climate scenario test and increasing our combined knowledge of the risks.
- Gaining a range of perspectives to improve decision making and risk management through cognitive diversity.
- Working through the important business services, impact tolerances and scenarios that will support insurers remaining operationally resilient.
- And, for relevant firms, making progress with third country branch applications.
I welcome your thoughts on these and other priorities.
I would like to thank Alan Sheppard, Santosh Pandit, Anooj Dodhia and Liam Hoare for their assistance in the preparation of these remarks.