Yvonne Lam: Hello Everyone and welcome to the Clyde Conversations podcast. I’m your host of Yvonne Lam and I’m a special counsel in Clyde & Co’s corporate regulatory team. Today I’m joined by Tatiana George, CEO and co-founder of Curium, an insurtech company developing next generation claims technology.

Tetiana George: Thanks Yvonne, pleasure to be here!

Yvonne Lam: So, we’re here today to talk about compliance challenges for the Australian Insurance industry in the post Covid and Financial Services Royal Commission era and also to demystify the requirements and shine a light on some common blind spots in the way that your business may be operating. So, 2021 was a very big year for the industry. as the Royal Commission related regulatory reforms which needed to be implemented last year have substantially changed the insurance industry. There’s no doubt that the compliance burden on the industry has increased going forward.

Yvonne Lam: There are three key regulatory changes which have impacted the industry from an ASIC perspective. The first is claims handling becoming a financial service. The second involves the new complaints handling requirements in ASIC Regulatory guide 271, Internal Dispute Resolution. And the third is the enhanced ASIC breach reporting regime for Australian Financial Services licenses.

Yvonne Lam: So turning first to the claims handling as a financial service change. In essence, this means that claims handling and selling services are now included in the definition of a financial service under the Corporations Act, which results in new financial services licensing obligations and compliance requirements which would then introduce for a part of insurance business which was previously unregulated. And there was a transitional period in 2021 for the industry to apply for licenses from ASIC and from the 1^st January 2022 all claims handling and settling served now require a license to be provided unless an exemption applies. So during the course of 2021, we worked with a number of our clients to assist with the assessment of whether they actually needed a license based on how their business was running or whether they might need to actually vary their licenses, the existing licenses that they have to add an authorization for claims handling and settling services, and most of the time this meant engaging with a number of different stakeholders across their business, so not just their claims team, but also their risk & compliance teams and legal to understand how their existing processes for handling claims and complaints and their training of claims handlers fit into this new regime that ASIC has now rolled out to map against ASIC’s expectations for license holders.

Yvonne Lam: As this was previously an unregulated area of the business due to the carve out of claims handling From the definition of a financial service under the corporations Act, we’ve generally found that the regulatory rigor around the claims teams was less mature than the rest of the business which have been dealing with AISC’s compliance requirements for years such as underwriting and distribution.

Yvonne Lam: Tatiana? Would you agree that that is the case with industry players that you’ve worked with?

Tetiana George: Yeah well previously I ran a claims operation and the funny fact that I have discovered is part of it, so my company had an AFS license before, but a lot of the suppliers and partners that delivered some part of the claim service never had one. So I think that’s a huge challenge and a lot of them would probably be even too small to afford a proper consultation. So a lot of the use cases that I’ve seen these people trying to extend license to someone else and I think by doing so, there’s no other way to do this, probably. But by doing so now in 2022 and going forward we’ll see quite a lot of problems and misunderstandings that resulted from this.

Yvonne Lam: That’s a very good point. I think what we also noticed with the clients that did apply for a license or to vary their existing license that a lot of them had to look at their existing claims handling for philosophies and processes to make sure that they can meet the general obligations in Section 912a of the corporations act to provide claims handling services efficiently, honestly and fairly. And ASIC has said that that means that insurers do need to handle all claims in a very timely way, in the least intrusive and onerous way possible, fairly and transparently. They need to do things like include explanations to customers about the decisions that they might be making for claims, and refer to pulsive wording. So it’s quite clear what the basis of their decisions are.

Yvonne Lam: So it seems that the issues raised by Tatiana about different players in the market having varying levels of understanding of these requirements could be a hurdle to meeting ASIC’s expectations. Organizations which put their license applications in last year during the transitional period ahead of the one January 2022 hard deadline might need to consider if any of the frameworks which were referred to in the applications were considered to be somewhat aspirational in terms of where the claims handling practices were going to work towards rather than where they were at at that time and to see if that has been actually implemented in practice after ASIC has granted the license. And I suppose one of the bigger step changes in this space was that license holders would now need to nominate a responsible manager who is responsible for this part of the business. So this would be someone like the head of claims in a business or, a lead claims handler and they would need to be responsible to show to ASIC that they have organizational confidence to provide claims handling services and to be able to meet that expectation from ASIC that these services are being provided efficiently, honestly and fairly and in practice, that does mean that those responsible managers need to be updating their knowledge and skills on an ongoing basis, having CBD training to make sure that their company can continue to demonstrate that to ASIC.

Yvonne Lam: So Tetiana your previous life as a head of claims. Any thoughts on how this reform has impacted the industry from an operational standpoint and any common blind spots that managers should be keeping in mind?

Tetiana George: Yeah, I think 2021 you can describe as a perfect storm and trying to keep the business going. Managing all kinds of natural catastrophe and normal business as usual things and implementing all of these changes at the same time. And I think you’ve pointed out very, very rightly that I believe a lot of companies that did an aspirational amendments to their processes and what I’ve noticed one of the common blind spots in that process was a lot of people, they either hired somebody external or had dedicated people within their company to actually submit the license that the new application where they will define the new, what they’re going to do, and how they’re going to meet the regulation. However, operational managers were often not part of that. So, sometimes they wouldn’t even know what they’re supposed to do differently, right? I’m not saying it’s a common thing, but it’s definitely a theme that goes through the very, very top of the company that the top management then the one who are signing the application to, either modification or application for the license and then cascading it all the way down to actually frontline staff. A good a good test on this one would be how many hours have you invested training your frontline staff? Have you explained to them what they actually have to do now and how that’s different from before? And have you enabled them to have a two way street communication back with their managers? And let’s say identify any breaches or would change anything and definitely in real people terms, it resulted into a higher workload for them or have you taking it off somewhere else. Are your teams managing it well, right? It’s one kind of big theme that I’ve  been observing.

Tetiana George: The second one as Yvonne was pointing out before. With the new kind of rules and the extension of the license, there are hard deadlines, right? And they’re very, very difficult to handle, especially in claims because a typical claim would involve definitely more than one party, sometimes up to twenty. So if everyone runs their messaging or phones or something in different systems and outlooks and so on, how can you know that you have essentially contacted the customer every twenty days? It’s very hard to record these things in practice. In theory it’s simple, but in practice and if you have a third party claims administrator, a supplier, and then a broker, and then somebody contacted the customer. but you wouldn’t necessarily time it and know when exactly. And if it was a day nineteen or the day twenty one, it actually matters, right, So it’s a second, like a big kind of gap that I’m emerging more and more with the hard deadlines and the just the physical ability to track it.

Yvonne Lam: Yeah, so the systems are not always talking to each other.

Tetiana George: Oh, never!

Yvonne Lam: So it relies on the human personnel who are working in those systems to actually talk to each other and keep each other across.

Tetiana George: Well, I’m sure they’re doing this. The question is are they recording it and does the ultimate license holder, whoever that is either an organization that extended the license or if everyone in the process has one on that particular claim with that particular customer, are they actually tracking it?

Yvonne Lam: Yeah and that comes back to the oversight of the representatives. Anyone who’s in the process of claims handling because there’s a life cycle of a claim and there’s a lot of different touch points along that way.

Tetiana George: Exactly. And then the third part, and that’s more the personal observation that I’ve seen by mostly speaking to AFCA is the vulnerability question. So a lot of the new code, regulation and interpretation is actually focused on vulnerability and to be very honest, nobody calls or informs you about a claim when they are at their best, right? So just the very fact that somebody’s making a claim and then the in-depth conversation and all kind of fact finding that needs to happen is often not capturing essential vulnerabilities. And I believe it’s actually a big problem in the industry. And because again in real terms people are overloaded. The front-line staff, because they have to do the check list and this and timelines and here and there and reporting. They also have to show empathy. It’s kind of sometimes a bit too much to ask and a lot of the times vulnerability can come simply from the fact that somebody’s not native English speaker or something like that. It’s already a vulnerability, right? So that person needs to be treated differently and I think it’s a gap that’s forming slowly around the whole, it’s not even at the point of a complaint, it’s at the point of just receiving a claim and understanding what a person’s going through and wiring them the money quickly enough, not waiting or you know, not delaying things like that. So I think going forward is going to be a very acute topic to address.

Yvonne Lam: Yes, it can be difficult as the definition of vulnerability can capture a very broad range of factors. And as you say, Tetiana it can pick up factors such as language barriers, cultural background, or even remote location which might not be so obvious at first to claims handlers. So training your staff to understand what those factors are as part of the claims handling process is very important, and there is an educational piece here for the industry in this space, it comes with consequences as well because there are more onerous obligations on insurers where the customer is flagged as a vulnerable customer.

Yvonne Lam: And I think that segues nicely into the second reform that impacted the industry last year, which is the changes to the Internal Dispute Resolution Requirements from ASIC, RG271 has replace the former RG165, which governs the various complaints management requirements for retail client complaints. And now there are different time frames that are required for licensees to respond to these retail client complaints. And also a requirement for licensees to be monitoring and reporting on complaints data to senior management and boards so that they can identify systemic trends and issues in the organization. So this does tie into the claims handling changes that we’ve just discussed. It’s one of the requirements for licensees who handle claims for retail clients is to have a compliant internal dispute resolution process. And one of these key changes that has been included in RG271, which was not in RG165 is that there are now enforceable provisions within the guide, which is the first time that ASIC as a regulator has used their power to identify particular provisions which will be enforceable. So ASIC guidence previously didn’t really have the force of law, but now they’re saying that particular provision which are identified within the guide will be enforced by ASIC if there is non compliance. And that’s tied together with an expanded definition of what constitutes a complaint. So now there’s a broader universe of what can be captured and subject to this new regime. So now any expression of dissatisfaction which is made to or about an organization which is related to its products, services, staff, or the handling of a complaint, where a response or resolution is explicitly or implicitly expected or legally required will be considered a complaint and should be captured.

Yvonne Lam: So Tetiana do you think that the implementation of new systems for these updated complaints handling requirements across the industry have gone smoothly?

Tetiana George: So I think short answer is no and there the long answer is that it has many layers of what happened. So effectively, I think everybody went through the formal almost a box ticking exercise to comply and reposted the guides and the procedures on websites and public resources. What I think has not happened in reality is the actual kind of “so what?” and for each organization, it will mean something completely different and then coming back again to this complex licensee regime. right? Not everybody is a license holder. However, one complaint can involve multiple stakeholders and even if a complaint is made, let’s say to a TPA again, or against an underwriting agency, it has to go to the right person and I don’t think people actually worked out practically those mechanisms. So a lot of these complaints kind of get stuck in different places. And since the regulation only gives you thirty days to figure it out, no matter who the party is you say it can be made to or about a party, it’s really, really critical to get it to the right person and the right organization that’s supposed to solve it pretty quickly. So I think this process is extremely complicated and again, technologically companies are not fit to do this. Sending emails back and forth, giving all the concepts and all the backgrounds and sending documents – it’s a nightmare to enforce. This is one thing, and that leads again inherently to…Because it’s such a hard process, different companies went differently about it. Some of them said, okay, let us be pragmatic. let’s look at what ASIC actually requires because there’s a new data dictionary that’s been introduced, not enforced, but introduced. And they said, let’s just do what ASIC wants and then see how we implement that. There’s some other companies who went about it and kind of over engineered added instead of seventeen fields like some fifty fields. Added departments, moved her responsibilities and made everything a lot more complex than probably it should be. And as a result of all of that, there’s one big tendency that I’m seeing emerging because kind of in my company I can see lots of complaints happening, people are under reporting what essentially the definition of the complaint is not enforced, right? So I think this is like one of the major blind spots and problems and just to give a practical example: If you just go, let’s say and check your written communication for the word “frustrated” or anything indicating dissatisfaction about anything, I would say that frequency for every a hundred claims, it should not be less than ten where people actually express some kind of dissatisfaction. Now a good practice in ASIC’s eyes would be recorded and try to resolve it, even if it’s a nice call, an apology for something, right, a delay or something like that, that would be a good practice. But because of all this horrendous, complicated practical process, I can see why a lot of front line staff is probably hesitant to do that or not even trying to do that. They have to do with so many other things.

Yvonne Lam: Yes, that is an issue and I suppose the quality of the data that’s being recorded also informs parts of what the new enforcement provisions in the ASIC guide which require boards to be regularly analyzing complaint data sets to identify if there are any systemic issues. So if they’re not being recorded at the front line, then…

Yvonne Lam: If you record one, how do you identify a systemic issue, right?

Tetiana George: Yeah, so I mean that is, you know, a potentially problematic area for organizations. So it is worthwhile doing a bit of a health check to see whether complaints volumes have gone up since the definition change occurred last year in October 2021 and whether there is a bit of a trend towards an increase which is not surprising given the expanded definition, but also to see what that has flowed through the rest of organization, escalated appropriately as required under the new enforceable provisions in the ASIC Guide and that good news and bad news is being shared and moved to the right parts of the business for further action where necessary.

Tetiana George: Just to give you a quick, pragmatic example in this one. It’s very good to treat a complaint as a voice of the customer because customers actually never tell you what they really think until they’re you know, disappointed and frustrated. And the best thing that an insurer or anyone handling a claim could do is listen, record, and then analyze in real time. You don’t even need to wait until it goes to the board or somewhere higher if let’s say throughout the day you receive 10 complaints saying I’ve been waiting for too long on the phone. Maybe the technical problem you can resolve pretty quickly and you don’t need to escalate it. It happened to me many times in real life. In my previous life and that’s a very good and healthy discipline around. Record everything, analyze in real time, and solve it. This is the holy grail of this.

Yvonne Lam: And I think what I’m hearing is that companies that do invest the time in that data collection exercise, the recording, documenting, analyzing the data are going to be more easily able to demonstrate that they are complying with this new enforceable provision. If anything does arise in the future, and ASIC does look into it because it’s going to happen more effectively and efficiently as a matter of your business, rather than something that you try to reverse engineer down the track if there is an issue.

Tetiana George: Yeah, and the secret is, make it easy right? Make it super easy and do not punish your front line staff. If they raise many complaints, it doesn’t mean they’re bad operators, it means they’re just honest in recording what’s going on.

Yvonne Lam: That’s right.

Yvonne Lam: From one October 2021, a new enhanced Breach reporting regime for Australian Financial Services Licensees, under a new Section 912d of the Corporations Act started to apply and this section sets out requirements for reportable situations about core obligations which are linked to significance tests. In additional reportable situations, where conduct involving gross negligence or serious fraud are also to be reported to ASIC. Now, one of the more practical changes under this enhanced breach reporting regime is where an investigation by a licensee into whether there is a core reportable situation and that investigation runs for more than thirty calendar days, the license is still required to lodge a report to ASIC even if the investigation discloses that there is no such reportable situation. One of the more practical changes under this Enhanced breach reporting regime is where an investigation by a licensee into whether there is a core reportable situation and the investigation runs for more than thirty calendar days, the licensee will be required to lodge a report to ASIC even if the investigation discloses that there is no such reportable situation.

Yvonne Lam: So the point of this reform was to remedy any inconsistent, inadequate, delayed reporting by licensees to ASIC because ASIC had found that on our rituals taking one hundred and fifty days from the start of an investigation through to the lodgement of a breach report and actually some licensees were taking over four years to actually identify that some incidents were significant breaches and therefore reportable under the old regime. So you can see that ASIC is really trying to encourage a much more proactive and streamlined approach to the reporting of breaches and even investigations into potential breaches so that they can reach an outcome and get that report into the regulator to consider even if it is a “no problems here” kind of report. If it goes on over the thirty calendar day investigation time frame, ASIC still wants to know about it, and that has meant for a lot of our clients that they’ve had to review their existing breach reporting frameworks to try and streamline stakeholders who are involved in the escalation processes because the previous regime might not be efficient enough to meet this thirty day time frame for the investigation because the time starts ticking as soon as you start investigating now. And while things like breach registers are not expressly required by ASIC to be maintained by the licensees, i think with the changes to the enhanced breach reporting regime, a tool like that is going to become a lot more important to document when a breach is potentially identified and then when the investigation starts because that’s when you can more easily calculate that thirty calendar day time frame and when you actually due to report to ASIC more clearly.

Yvonne Lam: So Tetiana, are there any areas that you think that operational managers should be more careful with when they’re looking into the investigations for any potential actual breaches and whether they need to actually lodge a breach report?

Tetiana George: So, I think for anyone who is a manager or even let’s say a simple employee, a word breach is scary. And ideally in a common kind of psychology, you’d want to stay clear of that word or happening as much as you can. I believe there’s a whole methodology of something like a near bridge or an incident, and then when it becomes a bridge when it’s a reportable bridge and so on. So from my experience, that’s not really clear to anyone running the business except for maybe the trained and dedicated compliance persons and explaining people what it is a great thing. The second kind of blind spot or shortcoming that I see happening quite a lot is there’s no easy way to let someone know that something’s wrong, right? So before Covid and when we were all in the offices, it might be like just an informal conversation over coffee “look, I’ve noticed…” and then so on and so forth. Right now, I think it’s a little harder. So, you probably want to introduce some tools that are even anonymous or something like that, but a very easy way for people to report if something’s wrong. And again, it’s not a voice of the customer, but it’s a voice of an employee, right? So before you know that something is really a breach and really, let’s say, a reportable breach and you need to investigate, you’d actually want to have as many things telling you that something is not going quite right and in some situations are reportable, which is a frequency of things. It’s not necessarily a one kind of gross breach, right? It can be just a frequency. Something is systemically wrong and then different people pick it up and they say okay, something’s not working. So, a lot of that is around, again, it’s a very human thing. It’s an education of people and it’s kind of training them on real life examples. What is actually a breach but also even before the breach just let us know if something’s wrong and enable a very simple way to do this and for everyone. And again, it should not be like a taboo which I believe is now. You don’t want to go and raise a red flag and something, but it should be a very easy situation. I’ve been talking to someone who work for large Insurer for 27 years in compliance and he was saying probably 95 of reportable things that they’re not going to result in any investigation or anything. But it’s good to have them and only 5% is where people, compliance people or managers or somebody will actually look into that. So it’s not that scary in the end, it’s just more you need to kind of make it demystified for people.

Yvonne Lam: Yeah, that is good discipline and practice to put into organizations with this new surveillance from ASIC on this front. So while it’s clear that a lot of hard work has already been put in by the insurance industry over the last year to update their compliance processes in time for the wave of regulatory reform last year, a lot of the work is only the start of a new era. Now, the challenge is to continually monitor these new processes and frameworks to make sure that they do stay compliant with these new regulatory requirements and that you don’t fall foul of the enhanced breach reporting regime that ASIC is now enforcing, and I think Tetiana, from what we’ve discussed today, it’s quite clear that compliance is not just as simple as documents that set out policies and processes, and organizational discussions about things like that. It’s actually about the human behaviour and that does require the human touch to make sure that the people within your organization who are responsible for different aspects of complaints handling, claims handling, breach reporting, and all of that are actually up to date with their training. and they actually know what to do when something crops up. Any alerts or red flags pop up in the system and that things are getting escalated and moving forward within the organization in the appropriate places.

Yvonne Lam: As a result of the Financial Services Royal Commission, ASIC’s new breach reporting regime is now much more focused on the reporting of breaches, which a link to misconduct on a human level such as gross negligence or serious fraud. So, companies which invest upfront in understanding what this means in practice for their businesses can get ahead of the regulatory curve if a potential or actual breach of this nature occurs and needs to be reported to ASIC.

Tetiana George: Yeah, look, I fully agree. In the end, compliance is a bad behaviour, but also let’s be very honest, ASIC has not made it easy by introducing hard deadlines and it’s a little hard to navigate in an operational way, so I would usually take a double approach to compliance. I would say there are hard facts, right, operational especially deadlines and then there are soft facts. And the soft facts are all related to human behaviour so you know that to actually be successful with it as a company you might want to separate the two. And unfortunately, today because a lot of the processes are complex and so on, both of these loads are a kind of put on people and essentially those are not the best paid people in the company. And those are the people with the highest workload and fresh at it, to comply at all times and be empathetic and be the everything on time and notice and flag and so on. So, what I’m typically advocating and what I’ve noticed while I was running, I was the responsible manager myself, right? You could easily spend 70% of your time writing reports and forget about the humans. So, what would really have helped me back then is to have some really, really great tech that takes care of my hard part of the compliance right? That just helps me surface any kind of systemic issues and complaints. Any breaches in terms of the number of days something took that would be really helpful because then any manager or a front-line person can actually focus on that soft part, right? The behaviour, the enforcing the correct behaviour monitoring and educating yourself and others how to find the situation, what’s okay, what’s not okay? What’s vulnerable customer? What’s not. Where do I need to dig deeper? Or where do I just kind of cash settle and move on.

Yvonne Lam: Yeah, so technology is not the solution to everything. It has to go hand in hand with your experienced personnel who do have that judgment to make and also to decide how best to upskill the workforce that is going to be actually at the front line of all these changes and actually doing things in practice.

Tetiana George: Yes, technology is just an enabler. It’s not going to solve your entire problem, but it will allow you the time to think and solve it because it should take care of all the manual mechanical things that that you might not even be able to control. Like how many days have passed since you sent the last email to the customer?

Yvonne Lam: Absolutely well. Thank you very much Tetiana for joining us here today and for your insightful comments and observations on the industry. So, until next time.

Tetiana George: Thanks Yvonne, Thank you.

Yvonne Lam: Thank you.