The National Association of Insurance Commissioners (NAIC) is moving toward incorporating certain provisions of the federal Sarbanes-Oxley Act of 2002 (SOX) into its Model Regulation Requiring Annual Audited Financial Reports (Model Audit Rule) that is applicable to all insurers, many of which are not currently subject to SOX.
Congress enacted SOX in response to corporate fraud and accounting scandals among publicly traded companies seeking to restore investor confidence and raise baseline standards for corporate accountability. It applies for the most part only to SEC-regulated companies. All insurance companies, including those not regulated by the SEC, will be subject to key provisions, however, if a joint Working Group of the NAIC and the American Institute of Certified Public Accountants has its way.
The Working Group proposes to incorporate several substantive requirements of SOX into the Model Audit Rule. While insurers have voiced opposition to provisions addressing auditor independence and the responsibilities of a board's audit committee, the greatest controversy centers on SOX Section 404, which requires a company's highest management to certify that its internal controls are adequate, and the company's auditors to attest that management's assessment is adequate.
Even though a Working Group subgroup only recently began considering Section 404 specifically, Working Group members clearly aim to incorporate the substance of Section 404 into the Model Audit Rule. "It isn't a question of if we'll do this, it is a question of when," says Working Group member Mike Motil of Ohio.
Pros And Cons
Insurers' strongest objections are to the proposal's cost, its redundant regulation and the legality of the process.
Cost: The enormous cost of Section 404 compliance alarms insurers. A 2004 survey of 224 companies by Financial Executives International found that companies were spending 50 percent more than expected on SOX compliance, averaging $3.14 million each. More recently, that organization reported that the average is now $4.4 million, with large companies paying much more. As to insurers, at a July 2004 Working Group meeting, three large publicly traded insurers described their staggering burden in complying with SOX. The Hartford Financial Services Group reported that while similarly sized, non-insurer public companies averaged 12,000 internal staff hours spent on SOX compliance, its staff had already spent over 100,000 hours and was not finished.
Doug Stolte of Virginia, who heads the Working Group, discounts the insurers' estimates and predicts that in the long run, adopting Section 404 will lower insurers' costs. He anticipates Section 404's certification requirements will permit the NAIC to move to risk-based financial soundness assessments, providing regulators earlier access to indications of financial troubles at individual insurers. This information will allow regulators to intervene earlier and avoid receiverships, lowering state guaranty fund assessments on insurers.
In reality, neither insurers nor the Working Group can predict accurately the ultimate costs, or benefits, of Section 404 compliance. It is clear, however, that management certifications would facilitate regulators' desired move to a risk-based financial assessment structure. Instead of the current periodic, painstaking financial audits of insurers, regulators would prefer to investigate or audit insurers only when risk factors are identified. Requiring management certifications of internal controls would effectively shift to each insurer responsibility for determining the adequacy of those controls and eventually minimize regular financial exams of insurers. Working Group member Jim Armstrong of Iowa stated: "I do believe there is a strong nexus between the Sarbanes-Oxley and the risk assessment. A management attestation to the internal controls is very necessary . . . . We need to have reliance on the internal controls." And in the end, this need alone may be driving the Working Group.
Need: Insurers also question the need for additional regulation. The corporate scandals that lead to the enactment of SOX did not involve insurers, they say, and no one until recently has pointed to any deficiency in current regulation of insurers' finances. (As Mr. Stolte has noted, however, recent developments regarding finite risk reinsurance and other arrangements may weaken this contention.) Unlike most industries, insurers are already extensively regulated for financial solvency. According to William Boyd of the National Association of Mutual Insurance Companies, "[R]egulation of insurance is already stronger than that applied to public companies and [ ] regulators need to justify, via specific cases and cost benefit, what they propose to do." Current requirements include:
Moreover, industry representatives contend insurer failures typically occur because of reserve inadequacies, due to either insufficient reserving or catastrophic claims, rather than because of substandard disclosures. According to Boyd, the insurers' largest liability is reserves, and actuaries already attest to their adequacy. Further, the unique statutory accounting required of insurers is more conservative than generally accepted accounting principles.
Publicly held insurers specifically object to the possibility of being subjected to two similar, but potentially varying, requirements. Phillip Carson of the American Insurance Association has stated, "If the NAIC pursues the current proposal, AIA has stated that it must provide a total carve-out for public companies because they are already subject to the federal Sarbanes-Oxley law."
Steve Broadie of the Property Casualty Insurers Association of America identifies two fundamental questions the NAIC Working Group still has not answered: "Whether there is a problem with insurer financial reporting that needs to be addressed and, if so, what are the potential solutions and their costs and benefits." Former NAIC President Ernie Csiszar, who resigned from that post last year to head the Property Casualty Insurers Association of America, objected to the proposal while NAIC President, and continues to object in his current position. He recently wrote each insurance commissioner, "Because the NAIC continues to refuse to assess either the need or the cost, PCI is urging you and other commissioners to become more involved in the process now underway. We ask that you raise these issues with the regulators and staff working on this project before new, unnecessary and potentially very costly requirements are added to an already heavy regulatory burden."
Regulators do not controvert these arguments, although Mr. Stolte characterizes insurer insolvencies as resulting from deficient financial disclosures, rather than reserve inadequacies. NAIC President Diane Koken of Pennsylvania asserts a general need to improve the quality of insurer accounting practices so that regulators can better assess solvency, contending that management certifications will add another weapon to regulators' regulatory arsenal. Again, the NAIC's real agenda may be wanting the buck to stop with the insurers rather than regulators. If so, insurers would ask is there a less burdensome means than Section 404?
Legal Process: In reality, the crucial question may be whether the NAIC has the legal authority to apply Section 404 requirements to insurers by amending the Model Audit Rule. The NAIC, as a non-governmental association, cannot require any state legislature to enact any model statute or any state commissioner to adopt any model rule. Each state will proceed independently and, potentially, differently. However, most commissioners, under their rulemaking authority to implement state insurance laws, have adopted the Model Audit Rule in furtherance of their statutory responsibility to monitor insurers' financial condition. Because the proposed amendments change a rule rather than a statute, they could be adopted by each commissioner. Most dramatically, were the amendments made, as has been considered, to the instructions for filing annual statements with the NAIC, arguably not even the consent of individual commissioners would be needed.
Even putting aside the drastic approach of altering only the annual statement instructions, some contend insurance commissioners' rulemaking authority is insufficiently broad to allow imposing substantive fiduciary obligations on insurance companies by amending the Model Audit Rule, which addresses the specifics of insurer financial reporting. The National Conference of Insurance Legislators (NCOIL) opposes the amendment on just these grounds. NCOIL President Rep. Craig Eiland of Texas wrote to NAIC President Koken: "NCOIL believes that the creation of new corporate structures and audits certifying adequate internal controls represent non-delegable, substantive public policy judgments. The process proposed by NAIC improperly infringes on the rights of state legislatures to establish public policy in each jurisdiction." This stance has significant legal support. As one court has noted,
An administrative body may not use the device of promulgating [or amending] rules to change or add to the law; [rules] are not to be taken as law in themselves, but must be reasonable and used for the purpose of carrying out the legislative enactments.
Holland v. State of Iowa Ins. Depar't, 115 N.W.2d 161, 163-164 (Iowa 1962).
Mr. Stolte, however, has recently denied that the Working Group might adopt Section 404 by incorporation into the NAIC's annual statement instructions. He also reassured NCOIL that "the working group is in no way trying to impinge on any state's legislative process by making substantive policy judgments." Some industry groups remain skeptical, however.
Mr. Stolte says that the Working Group hopes to have final recommendations on Section 404 by the end of this year, but assures that the industry will have plenty of time to come in to compliance, probably between 18 and 24 months after finalization. The provisions based on SOX Titles II and III are more likely to be finalized this year, if considered separately from Section 404.
In the meantime, the Working Group plans in May 2005 to review Section 404 reports filed by public companies, consider SEC's April 13, 2005 Roundtable on Implementation of Internal Control Reporting Provisions, review NAIC staff research concerning the banking industry's management attestation requirements and consider comments from the public.
Industry groups, and some individual insurers, submitted comments to the Working Group when the idea of incorporating portions of SOX into the Model Audit Rule was first raised. The Working Group made some modifications in response to those comments, but the core proposal of management attestation requirements remains pending, and the NAIC authority to impose them through amendments to the Model Audit Rule remains unresolved. Insurers with opinions about these issues should consider commenting further in their own names. The alternative may be to begin gearing up for compliance.
Cynthia T. Andreason, a Partner in WRF's Insurance, Privacy and Litigation Groups, has more than 20 years of experience representing insurers in complex litigation in federal and state courts throughout the country and in administrative and regulatory proceedings before numerous state insurance commissions. She also counsels insurers on compliance and litigation avoidance in connection with various federal privacy, security and credit laws, and on the federal agencies responsible for implementing and enforcing those laws. She can be reached at 202.719.7364. A version of this article appeared in the inaugural issue of the WRF publication "Washington Perspective: The Changing Climate of Insurance Regulation."