Conflicts of Interest, and their effective management, are a mainstay of any insurance industry player’s risk register, usually under the Corporate Governance banner. If it’s in the risk register then it will also be in the internal audit team’s IA Universe.
Depending on the risk assessment, Governance and COI will form part of a risk-based internal audit plan, either as a separate topic or as part of each topic audit in the IA Plan (e.g., a claims internal audit).
The emphasis is on managing and not prohibiting acceptable conflicts of interest.
Conflicts Management falls into three distinct headings:
- personal COI
- internal corporate COI
- external COI whether personal or corporate
It should also be noted as a foreword that no amount of COI Management will deter an employee intent on committing fraud through a non-disclosed conflict (this is the INHERENT RISK associated with managing conflicts of interest and cannot be fully mitigated). The control environment for mitigating this risk is discussed further below.
What is a conflict of interest?
Broadly, a conflict of interest is a position in which the risks and/or objectives of two or more parties conflict with each other.
For insurers and Lloyd’s Syndicates external COI examples could be:
- between policyholders
- between insurers and other insurers on excess layers of the same risk
- between insurers and other insurers on different years of the same risk
- between brokers bringing in the business, and policyholders.
And internal COI examples might be:
- between internal Underwriting and Claims departments
- between different Lloyd’s syndicates within the same Managing Agency
- between directors and senior decision makers with any external business interests.
For any organisation, personal potential conflicts could take the form of:
- an underwriter is married to an employee of an external broker
- the sister of the CEO is the director of the external software house that runs the software maintenance program for the CEO’s organisation
- a Non-Executive Director (NED) is also a NED of another external syndicate group with a similar business profile.
The importance of COI management
A Conflict of Interest was at the heart of the case against Paul Asplin, the former CEO of DAS Legal Expenses, a Munich Re subsidiary and leading supplier of Legal Expenses insurance in the UK. Asplin conspired with two of his ex-wives to defraud the business by arranging for the insurer to enter into contracts with companies in which he held an undeclared interest.
Between 2000 and 2014 Paul Asplin dishonestly failed to inform DAS of his one-third ownership of Med Report Limited and CW Law, and subsequently took significant financial benefit from the companies by engaging in business with them via DAS. Mr Asplin had attempted to hide the interests from DAS and showed prejudice towards these companies to the detriment of DAS. The financial benefit was deliberately concealed from DAS, which deprived DAS of the ability to hold open and fair negotiations in the contracts it entered into.
FCA Principles
Insurers and intermediaries who fail to identify and manage COI fairly may find themselves subject to regulatory action. The key consideration is Fairness. This can be seen in the FCA’s Treating Customers Fairly (TCF) guidance which makes it clear that the insurer or intermediary must ‘pay due regard to the interests of its customers and treat them fairly’. TCF remains core to what the FCA expects of the insurance market.
From the FCA, there is FCA Principle 8 which requires a firm to manage conflicts of interest fairly, both between itself and its clients and between a client and another client. More specifically, highlighted areas include employee conduct, corporate gifts and entertainment, the use of commissions and the treatment of customers.
The 11 Principles are set out at https://www.handbook.fca.org.uk/handbook/PRIN/2/1.html
The SM&CR (Senior Managers and Certification Regime) conduct rules also make individuals more accountable for their own conduct and competence and emphasise that senior managers ‘must pay due regard to the interests of customers and treat them fairly’.
SYSC 10: Conflicts of interest
SYSC 10 (Release 7) of the FCA Handbook (https://www.handbook.fca.org.uk) was published in May 2021. A copy of the full wording is shown at SYSC 10 May 2021
ICOBS Chapter 4
ICOBS Chapter 4 of the FCA Handbook (https://www.handbook.fca.org.uk/handbook/ICOBS/4/) details the requirements for intermediary firms’ disclosure of the nature and scope of the services they provide and their remuneration.
Lloyd’s Minimum Standards
Lloyd’s Minimum Standards are statements of business conduct which Lloyd’s Managing Agents are expected to comply with to operate at Lloyd’s. LMS can be aligned with the internal control environment and incorporated into an internal audit program. LMS is also a useful tool for company market insurers, and their internal auditors, given its comprehensive reach and contemporaneous character (the current LMS were all updated in January 2021). In summary for the COI topic:
- MS4: Governance
- MS9: Customer
- MS10: Regulatory
The LMS can be viewed in full at https://www.lloyds.com/conducting-business/requirements-and-standards/minimum-standards/.
Under ‘MS4: Governance’ there is specific reference to COI at ‘GOV 2.3 Conflicts of interest’. Managing agents shall ensure that effective systems are in place to prevent conflicts of interest wherever possible and that potential conflicts of interest are identified and appropriately addressed.
Managing agents shall ensure that:
- procedures are established in order to ensure that those involved with the implementation of the managing agent’s strategies and policies understand where conflicts of interest could arise and how such conflicts are to be addressed; and
- they act in the best interests of syndicate members. Lloyd’s recognises that it is not always possible to avoid conflicts of interest, and it is therefore important to ensure that any conflicts are identified and dealt with in an appropriate manner. The types of conflicts that may arise include, but are not limited to:
- internal – director’s interests;
- corporate – related parties;
- capital – third party capital; and
- group conflicts.
Conflicts of interest policy/procedure – To ensure that conflicts of interest are identified and appropriately addressed agents should have in place a conflicts of interest policy/procedure. The purpose of the policy should be to ensure that all conflicts of interest are declared and that decisions are taken in full knowledge of those conflicts.
Institute of Internal Auditors (IIA)
The Institute of Internal Auditors (IIA) Standards and other best practice advises internal audit to include governance processes in its scope. Therefore, in order to provide assurance that the organisation can meet its objectives, internal audit should consider including an audit of corporate governance in its risk-based plan. Corporate governance should be included in the audit universe, where this is in place, and audits should be planned in accordance with the organisation’s risk-based planning methodology.
When assessing corporate governance in an organisation, the IIA advises that it may be appropriate to undertake a specific review of corporate governance, organisation reviews of specific subject areas and/or incorporate aspects of corporate governance into other reviews which form part of the audit plan.
Specific references to ‘Conflict of interest’ and audit topics are:
- Is there a policy covering conflict of interest?
- Are conflicts of interest declared at board and board committee meetings and are these documented?
- Does the process include independent director support?
- Is there evidence that declared conflicts are managed appropriately?
- Is there an attendance log to provide transparency as to which members attend on a regular basis i.e., commitment?
Control environment
Risk & Control Matrix – an example extract is shown at Risk & Control Matrix – Board – Conflicts of interest
Of course, no amount of policies or logging of potential conflicts of interest will mitigate the risk of non-disclosure by an employee wishing to defraud their employer. However, the residual risk can be reduced by a mixture of Preventative controls (e.g., pre-employment vetting of prospective directors and employees, such as Companies House and FCA Register searches) and Detective controls, as follows:
COI Policy
Organisations must ensure the COI Policy reflects their level of conflict-of-interest risk. This includes undertaking a risk assessment to ensure high risk activities and functions are appropriately covered. Other expected headings might be:
- Definitions
- Regulatory Requirements
- Staff Responsibilities
- Reporting
- Breaches
- Record Keeping
- Training
- Contact details for Officer responsible for COI.
COI Register
The organisation must maintain a COI Register. The Register should be maintained by a second line of defence function such as the Compliance Department. An extract might look like:
- Type of COI – 1 – Internal Corporate, 2 – External Corporate, 3 – Personal
- Interest
- Is the interest current?
- From
- To
- Action taken to mitigate risk
- Latest review by Compliance
- Last approval by board committee
Gifts & Hospitality Policy
The organisation should have a clear policy that considers the intent behind gifts, entertainment and hospitality, in particular whether these actions are to induce or reward someone to improperly perform their duties with a view to obtaining a business advantage. Some of the expected Policy headings are:
- The introduction should give a clear definition of what bribery is: an offer, promise, financial or other reward to a person with public or private responsibilities as an inducement or reward for doing something (or not, as the case may be) improperly, i.e., in bad faith or in breach of trust. Explain that one way in which bribes could be paid or received is via gifts or corporate hospitality.
- How, and to what extent will the policy be applied and who has the ultimate responsibility for ensuring that the business adheres to the policy? This section should also make clear the company’s policy on expenditure and that all expenditure must be recorded.
- Any suspicion that an individual is offering or asking for a bribe must be reported to a designated person in the organisation. The policy should make clear what is to be considered suspicious activity according to the Bribery Act 2010.
- What is your company’s reporting procedure? A form should be provided for staff to complete should they have any concerns. You must also state in the policy who is responsible for processing suspicions and judging whether or not a Subject Access Request needs to be made to the National Crime Agency.
- It is usual to see a de minimis level of spending which does not need to be disclosed, e.g., £100.
- The Policy should distinguish and include both Gifts & Hospitality Inwards and Outwards.
And of course, a policy is not a control unless it’s kept up to date, has change control, is appropriately authorised by at least a committee of the Board, and is subject to regular monitoring techniques such as interviews with a cross-section of staff to test their knowledge and understanding of the policy and of the expectations placed upon them.
Gifts & Hospitality (G&H) Register
The organisation must maintain a G&H Register. The Register should be maintained by a second line of defence function such as the Compliance Department. An extract might look like:
- Nature of gift or hospitality
- Inwards or Outwards
- Company, Individual or Department
- External persons/organisation
- Value
- Date
- Latest Review by Compliance
- Action needed
- Last approval by Board Committee