RIMS - Magazines
Vol. 54 - Issue: July 01, 2007

Regulation: It's the Principle of the Thing

by Peter Teuten

Regulators worldwide have enforced rules-based compliance for years. But as the United Kingdom has set forth, and the United States is learning, sometimes rules are meant to be broken.

The global financial industry’s regulatory framework has changed in recent years, moving from rules-based to principles-based compliance regulation. Is a similar change in the U.S. market far behind?

In the United States, companies have relied for years on guidelines and rulebooks from the Securities and Exchange Commission (SEC) in order to ensure they are meeting their compliance obligations. Six years ago, the United Kingdom also had rules-based regulation—until the Financial Services Authority (FSA), the U.K.’s equivalent regulatory watchdog to the SEC, began to overhaul its regulatory processes.

The United Kingdom began shifting to a more principles-based paradigm, ultimately instituting its risk-based compliance framework, ARROW (Advanced Risk Reporting Operational FrameWork). As one of the world’s most influential financial regulatory bodies, the FSA’s impact will not likely be confined to the United Kingdom. The SEC is watching its transatlantic counterpart closely and is taking cues to reduce rules-based regulation and adopt principles-based regulation, as well.  

But while the benefits might be evident in the long term, the makeover will not be easy. U.S. companies are far from prepared to handle a regulatory overhaul, and it is proving to be a great struggle to gear up to what is already in place.

However, there are ways companies can adjust for the principles-based shift, embrace a risk-based approach (and thus best practices) to business, and meet compliance obligations—all while sustaining profitability during and after the transition.

By the Book
The rules-based model is a prescriptive approach. Regulators lay out a list of rules that all companies, no matter the size, must “check off” and be able to substantiate. For example, companies must manage insurance policy issuance according to defined and inflexible rules, and issue delegated underwriting authority within a set of generic parameters.

In each case, the variables might be so diverse that a unified set of rules is largely inapplicable. What is more, once the checkboxes are filled in, there is little qualitative or contextual data within a checkbox, leaving much open to interpretation.  

The SEC has always operated under a strict and highly enforced rules-based system. When Sarbanes-Oxley came to the table in 2002, it further intensified the issues caused by regulations that often do not address the problems.

For example, some rules are not applicable to all companies, but most companies will just try to get through the checklist without seriously considering the best practice or how to manage the associated risks. Other rules fall short of addressing serious risk situations, so the risks go unacknowledged, unmanaged and financially unsupported.

At the end of the day, companies can pass the SEC’s tests, yet corporate malfeasance persists, rendering rules-based compliance an ineffective means for managing risk. The stories of Tyco, MCI Worldcom, and many others are testimony to this.  

Matters of Principle
The FSA has become a principles-based regulator. It provides a list of high-level obligations, or principles, that firms must fulfill in order to stay compliant. In order to achieve the defined principles, businesses must adopt best practices. They thereby become effective risk managers.

In acknowledging this approach, the FSA’s ARROW II (the latest iteration of the framework, implemented in August 2006) uses risk as its key tenet. The objective is to focus on the desired outcomes (the principles), and evaluate how well a company manages the risks associated with those principles. Individual companies decide how to meet these principles, and avoid or mitigate risks that will negatively impact them.  So the focus shifts from the means, to the end.

The FSA instituted its 11 Principles of Business in 2001. They state core business precepts, such as:

• A firm must conduct its business with integrity.
• A firm must maintain adequate financial resources.
• A firm must pay due regard to the interests of its customers and treat them fairly.

The list does not give specific instructions for how to comply with each principle, but these are objectives all businesses must meet. Although the FSA has about 8,500 pages of other rules that embellish the Principles, companies must devise their own ways to follow them.

The flexibility to decide how to fulfill the Principles allows management to implement a solution in the most cost-effective manner, aligned to the way the business is run. However, this model increases the burden of measuring, managing and monitoring risk and compliance, placing it on the shoulders of the senior management of individual companies. The ultimate goal is to embed best risk management and compliance practices into the day-to-day operation of the business in order to uphold the Principles.

Going a step further, the FSA also enacted new Individual Capital Adequacy Standards (ICAS) in 2003. (Note that this requirement fits neatly with the Principle, “A firm must maintain adequate financial resources.”) ICAS requires firms to define business risks and how they allocate capital to support them. Regulators want to determine if companies are sufficiently solvent to continue to trade and accept the risks that are inherent in their business.

For example, an insurer faces the risk of the CEO leaving. Let us say it will take the insurer six months to find a replacement, and the company earns $1 million of revenue in six months. If the CEO leaves, the risk the company might have against its capital (assuming the CEO is the company’s major breadwinner) is probably six months’ worth of revenue, or $1 million.

The insurer can then take action to mitigate this risk, such as buying life insurance for the CEO, or locking him or her into a 10-year contract. The FSA must then approve of the risk assessment and mitigation techniques. The capital calculation is a factor of the probability of the event (CEO leaving), the residual state of the risk mitigation steps (such as the long-term employment contract), and the likely impacts resulting from the event. In most circumstances, a company can reasonably estimate this number.  

Moving in the Right Direction
The FSA did not stop there. ARROW II now integrates capital assessments into the framework, along with a number of other changes, such as an overhauled risk model and improved communication strategies. ICAS requires a company to prove they have sufficient capital allocated for all their business risks on a real-time basis. Previously, the FSA only required a filing twice a year.

The reason for the round-the-clock monitoring is that risk is constantly changing, and therefore, so are insurers’ capital allocation requirements. The aim of ARROW II is to validate that companies continuously measure, manage and monitor their risks, and adjust their capital requirements accordingly. They can then recognize problems faster and address them before they become larger problems, thus preventing financial loss.

These new approaches to regulation have had mixed reviews in the United Kingdom. While the flexibility gives companies freedom to customize and innovate approaches to comply with principles-based regulations, determining the best path is the biggest challenge. It is not a one-size-fits-all approach, and without a prescriptive plan and checkboxes, companies must build their own roadmap to adhere to the principles.

In addition, a best-practice approach means gathering and managing large amounts of data in order to properly evaluate risk, and manage and calculate capital allocation. For ICAS requirements, marrying the two processes and the data required can be quite daunting. Transparency is a key component to following the right path, and this requires steps and activities to be clearly apparent.

In order to complete the loop, insurers must then make this data intelligible—a challenge that lends itself to technology, without which a complier is often awash in disparate spreadsheets and meaningless data—or suffer the regulators’ wrath.    

Crossing the Atlantic
No other country has such an influential presence on the global insurance industry as the U.K. market. And the United States has been watching closely. Secretary of the U.S. Treasury Hank Paulson discussed a transition to a principles-based model at a conference in March with industry leaders, including Chairman of Berkshire Hathaway Warren Buffett, SEC Chairman Christopher Cox and former Fed Chairman Paul Volcker.

Paulson agreed that principles-based regulation is a more effective approach to regulation. More importantly, he indicated that the flexibility afforded by principles-based regulation would increase U.S. competitiveness in the global market.  

The SEC also recently voted to ease Sarbanes-Oxley requirements, and adopt a framework based on principles rather than rules. The Public Company Accounting Oversight Board (PCAOB) has proposed a new standard to replace Auditing Standard No. 2 that “will result in audits that are more efficient, risk-based, and scaled to the size and complexity of each company,” according to PCAOB Chairman Mark Olson.

The SEC will help drive the U.S. adoption of principles-based regulation, although it will likely be a slow process. The reason is not so much attitude. In fact, the U.S. market’s initial reaction to principles-based regulations should be even more positive than in the United Kingdom, because American companies have greatly struggled under the SEC’s current impositions. The cost of complying with Sarbanes-Oxley is expected to be $6 billion this year, and annual compliance spending in general for all North American companies is expected to reach $29.9 billion from $27.3 billion last year, according to AMR Research.

Instead, the reason for slow adoption will probably be the ill-preparedness of the United States for the new regulations. The new regulations will likely pose the same challenges as in the U.K. market, and American companies are not equipped right now to handle them. The driving force of best practices—to which businesses must aspire regardless of regulatory imposition in order to be competitive—will be the catalyst to embracing principles-based compliance. This has the opportunity to turn the unwilling into the acquiescent, and ultimately the enthusiast, which is where the United States can still excel in a highly regulated climate.

Getting Primed for Principles
It is crucial that companies prepare for the regulatory transition in order to stay competitive. Compliance will mean defining best practices and managing risk, and therefore creating and following clearly defined, repeatable and transparent processes. The complier that takes time to define those processes, the best execution plan and a method to track the results will be successful in the long term. It is a several-step initiative involving people, culture, technology and structure all working in concert to accomplish a unified goal. 

Fortunately, there are some key actions companies can take to prepare for the regulatory transition. First, learn about principles-based regulation and how it works. The more people understand the approach, the more comfortable they will be when regulators change the game.

Next, get CEO, board and senior management buy-in to enterprise-wide compliance and risk management programs and their benefits. One of the biggest hurdles is getting management to understand the rewards of implementing risk management programs, and embedding risk-based decision making throughout the business. Illustrate the cost benefits, the performance improvements and the impact on the bottom line.

Third, capital adequacy requirements rely on good risk management processes being in place. If companies do not understand their risks, how can they properly set aside the right level of capital? The ICAS model used by the FSA is a perfect way—with the right technology tools handling the data—to create a model for measurable improvement in financial terms.

There is no denying principles-based regulations and risk-based assessments are coming to the United States. While the SEC is responsible for regulating publicly traded companies and changing its focus, insurance commissioners throughout the country, in conjunction with the National Association of Insurance Commissioners (NAIC), are not standing back and letting their domiciles be dormant in the face of industrywide and national/federal regulatory changes.

Using best practices and principles-based approaches to compliance will ultimately go against the grain of no one. Beyond the United States and United Kingdom, the European Union is expecting to enact Solvency II legislation in the fall, which is a parallel regulation to ICAS. The world is a shrinking place, and it is only a matter of time until the comparative advantages of the principles-based model emerge. The early adopter is the company that is building best practices to follow the regulations, and more importantly, to be a better business.

Peter Teuten is president and chief technology officer of the business risk management solutions division for the Keane Organization. He has worked in risk management and insurance for more than 20 years both in the U.K. and U.S. markets.

