United States General Accounting Office GAO Report to the Ranking Minority Member, Committee on Commerce, House of Representatives April 1999 YEAR 2000 State Insurance Regulators Face Challenges in Determining Industry Readiness GAO/GGD-99-87 GAO United States General Accounting Office Washington, D.C. 20548 General Government Division B-281368 April 30, 1999 The Honorable John D. Dingell Ranking Minority Member Committee on Commerce House of Representatives Dear Mr. Dingell: This report responds to your request that we study the readiness of the insurance industry to meet the Year 2000 date change. Our objectives were to determine (1) what state regulators were doing to oversee the Year 2000 readiness of the insurance industry, (2) how the regulatory oversight of the insurance industry’s Year 2000 readiness compared with the oversight of 1 the banking and securities industries, (3) the current status of the insurance industry’s Year 2000 readiness, and (4) the nature and extent of Year 2000 liability exposures that insurers face and the mitigation efforts taken to address such exposures. The 17 state insurance regulators we visited differed in their approach and Results in Brief level of oversight activity directed to the insurance industry’s Year 2000 readiness. These state regulators also differed in how they assessed and ranked insurance companies in terms of Year 2000 readiness. Such variations raise a question about the extent to which states can rely on one another’s judgments regarding the preparedness of nondomiciled 2 insurance companies doing business in their states. This question is especially applicable to those states where the level of Year 2000 oversight is relatively limited or the criteria for assessing readiness may be considered lax. Variations in oversight approaches among state regulators also made it difficult to ascertain the overall status of the insurance industry’s Year 2000 readiness. Regulatory oversight of the insurance industry’s Year 2000 readiness began later than the oversight of the banking and securities industries. In general, the state insurance regulators we visited were less active in their efforts to 1 Preliminary observations comparing the Year 2000 oversight of the banking, securities, and insurance industries were first reported in a statement for the record, Insurance Industry: Regulators Are Less Active in Encouraging and Validating Year 2000 Preparedness (GAO/T-GGD-99-56, Mar. 11, 1999). 2 Although an insurer can be licensed and conduct business in multiple states, the regulator in the state where the insurer is chartered is its primary regulator. The chartering state is referred to as the state of domicile. Other states where insurers are licensed (but not chartered) generally rely on the supervisory oversight of the company’s primary regulator. Page 1 GAO/GGD-99-87 State Insurance Regulators Face Challenges B-281368 promote Year 2000 readiness and efforts to validate information on the status of companies’ readiness. They were also less active in planning for and pursuing formal enforcement actions against companies identified as inadequately preparing for 2000 and at a high risk of not being ready for the millenium change. In addition, the National Association of Insurance Commissioners (NAIC), which is a key facilitator of states’ oversight efforts, was generally late in providing information and guidance to state regulators about the appropriate Year 2000 regulatory activities to undertake. Regulatory information on the Year 2000 readiness of the nation’s insurance industry, consisting primarily of self-reported information obtained through surveys, does not provide the necessary information to judge whether the industry will be ready for 2000. Nonetheless, insurance regulators and also other observers we contacted generally have a favorable view of the industry’s Year 2000 readiness. These regulators and industry observers expressed confidence that companies were actively preparing for the Year 2000 date change because of competitive pressures and the business need to process date-sensitive information before 2000 (e.g., calculating annuity payments extending beyond 2000). The magnitude of insurers’ Year 2000-related liability exposures cannot be estimated at this time, and the effectiveness of efforts to mitigate these exposures remains uncertain. While not yet estimable, costs associated with Year 2000-related exposures could be substantial for some property- casualty insurers, particularly those concentrated in commercial market sectors, due to potential claims and legal defense costs. Despite efforts to mitigate potential exposures, the Year 2000-related costs that may be incurred by insurers will remain uncertain until key legal issues and actions on pending legislative initiatives are resolved. The insurance industry, with policy reserves of approximately $2.5 trillion, Background is an important component of the financial system. These reserves are held in trust for policyholders, much like bank deposits are held for depositors. While there are important similarities between insurance companies and other financial intermediaries, there are important differences as well. One difference is that policy reserves are paid out when policyholders experience an insured loss. Thus, policyholders may get back more or less than they paid the insurance company. This is unlike a bank deposit, where bank depositors can expect to get their deposits, plus interest. A similarity between insurance companies and banks is that both use the money they receive to purchase income-earning assets until the money is needed. Furthermore, like banks and securities dealers, insurance Page 2 GAO/GGD-99-87 State Insurance Regulators Face Challenges B-281368 companies are regulated to ensure that the money they collect now will be available to meet later obligations. To a large extent, it is the delayed delivery of the contracted product that makes the importance of addressing Year 2000 issues particularly acute in the financial services industry in general and in the insurance industry in particular. The Year 2000 problem exists because the data that computers store and process often use only the last two digits to designate the year. On January 1, 2000, such systems may mistake data referring to 2000 as meaning 1900, possibly leading to numerous errors and disruptions in processing. Financial services institutions are especially dependent upon the accurate transmission of electronic information; thus, the systems they use must be readied to correctly process 2000 dates. To provide a standard gauge for assessing the progress of federal agencies in becoming prepared for the Year 2000 date change, we issued guidance in 3 1997. While this Assessment Guide is directed specifically at federal agencies, the stages of Year 2000 preparation and corresponding milestones can generally be applied to all institutions, including private companies. The Assessment Guide discusses issues that are common to nearly all companies, as well as to the federal agencies, and can be used as a general measure of whether a company is on track to being prepared for the Year 2000 date change. Thus, a regulator of financial institutions could use this, or other similar guidance, as general criteria for assessing the state of preparedness of its regulated institutions. The Assessment Guide divides the process by which an institution could become Year 2000 compliant into five phases—awareness, assessment, renovation, validation, and implementation. Each of these phases is described in appendix I. The final deadline for becoming ready for 2000 is immovable. Furthermore, since the phases of preparation are sequential, it is important to establish intermediate milestones to help ensure that a company will be able to complete all Year 2000 preparations in time. A schedule for measuring progress toward Year 2000 readiness could allow regulators a degree of comfort concerning the status of their regulated companies. As shown in table 1, the Assessment Guide provides a schedule of suggested completion dates for each of the key phases of Year 2000 conversion. 3 Year 2000 Computing Crisis: An Assessment Guide (GAO/AIMD-10.1.14, Sept. 1997). Page 3 GAO/GGD-99-87 State Insurance Regulators Face Challenges B-281368 Table 1: Year 2000 Conversion Phases and Suggested Completion Dates Year 2000 conversion phase Suggested completion date Awareness December 1996 Assessment August 1997 Renovation August 1998 Testing and implementation December 1999 Source: GAO/AIMD-10.1.14. Other parties have developed alternative sets of phases and milestones. Subsequent to the issuance of our Assessment Guide, the Office of Management and Budget (OMB) provided standards that federal agencies are expected to follow. OMB’s milestones begin with the assessment phase, which was to be completed by June 30, 1997, followed by renovation, validation (internal testing), and implementation. All entities are to have completed the implementation phase by March 31, 1999. After that date, entities are to be engaged in testing of business processes and planning for contingencies. Throughout the remainder of this report, actions by insurance regulators are compared to the guidance found in our Assessment Guide. Year 2000-related system malfunctions in an insurance company can have serious business interruptions and even solvency implications. Specifically, Year 2000 problems could result in disruptions to processing policyholder payments and investments, insurance claims and payments, annuity payments, and data queries to verify insurance coverage. This means that some policyholders may be unable to obtain policy service, or worse, may be unable to collect on their policies at a time of need. It is also possible that the delivery of health care services could be affected if health insurers cannot readily process claims information. 4 Pursuant to the McCarran-Ferguson Act of 1945, states exercise primary regulatory jurisdiction over the insurance business. Each state has a department of insurance that, among other things, is responsible for monitoring insurance companies’ solvency. Solvency, in turn, can be affected by operational issues, such as the failure to be ready for 2000. Companies that operate and write insurance policies in multiple states comprise much of the nation’s insurance industry. Although an insurance company can conduct business in multiple states, it is incorporated, or chartered, under the laws of a single state, which is referred to as its state of domicile. The regulator in an insurer’s state of domicile represents its primary regulator and is to assume lead responsibility for oversight issues, 4 15 U.S.C. sections 1011-1015. Page 4 GAO/GGD-99-87 State Insurance Regulators Face Challenges B-281368 such as Year 2000 readiness. States where insurers are licensed to operate (but not chartered) generally rely on the companies’ primary regulator to exercise due diligence in overseeing domiciled companies and to voluntarily share information about them. Role of the National NAIC is a voluntary association of the heads of each state insurance department, the District of Columbia, and four U.S. territories. It does not Association of Insurance have any regulatory authority over the state insurance departments. NAIC Commissioners provides a national forum for resolving major insurance issues and for allowing regulators to develop consistent policy on the regulation of insurance when consistency is deemed appropriate. State insurance commissioners created NAIC, in part, to help address problems that differing state-by-state authorities, laws, and regulations can cause as state insurance regulators oversee insurers that operate in more than one state. Although it has no regulatory function, NAIC is responsible for (1) serving as a clearinghouse for exchanges of information, (2) providing a structure for interstate cooperation in examinations of multistate insurers, (3) distributing model insurance laws and regulations for consideration by state legislatures and insurance departments, and (4) reviewing state insurance departments’ regulatory activities as part of a national accreditation program. Regarding Year 2000 issues, NAIC has assumed a key role as facilitator of states’ efforts to oversee the industry’s readiness. This role includes acting as a coordinator of information pertaining to state oversight efforts, the status of the industry’s readiness, and state regulators’ actions to become internally prepared for 2000. To determine what regulators were doing to oversee the Year 2000 Scope and readiness of the insurance industry, we interviewed officials of NAIC and Methodology reviewed available information on the organization’s efforts to facilitate states’ Year 2000 activities and summarize information in the area. We also visited 17 state insurance departments whose domiciliary companies 5 collectively accounted for 75 percent of insurance sold nationally. In late January 1999, we surveyed these 17 state regulators to obtain an update on their Year 2000 oversight activities, including their efforts to set priorities for reviewing domiciled insurers. Unless otherwise indicated, observations throughout this report regarding state efforts and activities pertain specifically to the 17 states included in our review. See appendix II for a 5 Market share information represents a percentage of total net written premium (over $664 billion nationally) for all types of insurance. It represents the percentage of nationwide sales accounted for by all companies domiciled in a state. This information, based on 1997 financial data, was provided by NAIC. Page 5 GAO/GGD-99-87 State Insurance Regulators Face Challenges B-281368 list of the states we visited and their respective domiciled insurers’ market shares. To compare Year 2000 oversight of the insurance, banking, and securities industries, we reviewed relevant documentation from their respective financial regulators, including industry guidance on Year 2000 readiness, related correspondence directed to financial institutions, audit programs for conducting Year 2000 examinations, and proposed rules covering Year 2000 issues. We also used information gathered and knowledge developed by our other teams that had conducted reviews of the Year 2000 preparedness of the banking and securities industries. Finally, we obtained updates on the status of various Year 2000 oversight activities, including conducting examinations that focus specifically on Year 2000 issues (referred to as Year 2000 targeted examinations) and monitoring companies’ actions to test their systems’ readiness. To determine the status of the insurance industry’s Year 2000 readiness, we interviewed regulatory officials who were responsible for Year 2000 oversight in the 17 states and reviewed available documentation on the readiness of the industry. To obtain additional insights regarding the readiness of the insurance industry, we interviewed representatives of key rating companies, including A.M. Best Company, Conning and Company, Standard and Poor’s, and Weiss Ratings, Inc., and reviewed their pertinent studies and reports issued in the area. We also spoke with representatives of and reviewed Year 2000-related documents from a few consulting and research firms, including the Gartner Group, which is a business and technology advisory company that conducts research on the global state of Year 2000 readiness, and Electronic Data Systems (EDS), which is a professional services firm that, among other things, assists financial services companies with becoming ready for 2000. To obtain industry perspectives regarding Year 2000 issues, particularly those involving potential liability exposures, we spoke with several of the largest property-casualty insurers and trade associations, including the Alliance of American Insurers, American Insurance Association, National Association of Independent Insurers, and National Association of Mutual Insurance Companies. Among other things, we inquired about these entities’ efforts to determine the nature and scope of potential liability exposures related to 2000. Finally, we reviewed available literature on various aspects of the Year 2000 liability exposure issue, reviewed relevant federal legislative proposals, and obtained related opinions from officials of the American Bar Association’s Tort and Insurance Practice Section. Page 6 GAO/GGD-99-87 State Insurance Regulators Face Challenges B-281368 We did our work in accordance with generally accepted government auditing standards between September 1998 and April 1999. We requested comments on a draft of this report from the President and other officials of NAIC. NAIC’s written comments are included in appendix III and discussed near the end of this letter. We also discussed the contents of a draft of this report with officials from the Office of the Comptroller of the Currency (OCC) and the Securities and Exchange Commission (SEC). They provided technical comments that we have incorporated as appropriate in the report. Regulatory approaches and the level of oversight activity directed to the Regulatory insurance industry’s Year 2000 readiness varied widely in the states we Approaches Varied visited. The 17 states also differed in how they assessed and prioritized Widely by State, companies for regulatory attention in terms of Year 2000 readiness. Such variations raise a question about the extent to which states can rely on one Creating Year 2000 another’s judgments regarding the preparedness of nondomiciled Oversight Challenges companies doing business in their states. This would be especially problematic when relying on states where the level of Year 2000 oversight activity is relatively limited or the criteria for assessing readiness may be considered too lax. Variations in oversight approaches among state regulators also make it difficult to ascertain the status of the Year 2000 readiness of the insurance industry on a national level. Year 2000 Oversight Varied State regulatory oversight of the insurance industry’s Year 2000 readiness included several types of activities, such as surveying companies, Widely by State reviewing submitted company plans, requiring progress reports, covering Year 2000 readiness during regular financial examinations, and conducting examinations that focused specifically on Year 2000 issues. Which of these activities each state insurance regulator engaged in, and to what extent, varied. The variation ranged from a few states that had actively promoted insurers’ Year 2000 readiness since mid-1997 to a few states that did little in the area until the latter part of 1998 when they conducted their first surveys. A company identified as being behind at this late date could have more difficulty completing all of the necessary phases of its Year 2000 preparations in time. Although they did not initiate Year 2000 oversight actions until 1997, after the time frame suggested in the Assessment Guide for conducting 6 awareness efforts, 2 of the 17 states we visited were comparatively more active than the other 15 in their efforts to ensure that insurance companies become Year 2000 ready. One state regulator stated that it monitored the 6 According to the Assessment Guide, Year 2000 awareness should have been completed during 1996. Page 7 GAO/GGD-99-87 State Insurance Regulators Face Challenges B-281368 Year 2000 progress of companies it supervises primarily through quarterly Year 2000 reports that were required since the beginning of 1998 and through targeted Year 2000 examinations that have been conducted since mid-1998. According to state officials, these efforts were conducted by state examiners who had drawn heavily from the expertise, guidance, and training of federal banking regulators. Another state regulator also more actively monitored insurers’ Year 2000 readiness, but used a different approach. In 1997, it hired a contractor to assist with developing, administering, and analyzing a comprehensive, technical survey of about 2,000 insurers (both domiciled and nondomiciled) regarding their Year 2000 preparations. State officials explained that companies were assigned risk scores that were based on an analysis of their survey responses along with various financial and operational factors. This state’s regulatory staff, subsequently supplemented by an available pool of about 20 consultants, has been reviewing hundreds of remediation plans for companies identified as having problems with their Year 2000 efforts, working with these companies to develop or refine their plans, and conducting Year 2000 targeted examinations. These consultants were also to be used to assist company management in correcting system problems. Other state regulators indicated that they focused primarily on occasional surveys or more limited coverage of Year 2000 plans during regular financial examinations, which are to be conducted every 3 to 5 years. One state regulator said it attempted to consistently inquire about Year 2000 issues during informal conferences with company management. Another state regulator indicated that it was focusing its Year 2000 oversight efforts almost exclusively on conducting surveys of its regulated companies. At the time of our review, this state had administered two Year 2000 surveys that requested companies to generally address a few broad areas, such as the estimated impact of the potential Year 2000 problem on their operations, their conversion plans, and their current status of readiness. After experiencing some difficulty administering a survey in 1997, another state regulator said it decided, in early 1998, to conduct targeted Year 2000 examinations in lieu of administering additional surveys or covering the area during regular financial examinations. This state, however, was unable to start its targeted examinations until September 1998. Five of the 17 states we visited did not attempt to develop baseline information on the readiness of their insurance companies until the latter part of 1998, when they conducted their first Year 2000 surveys. Page 8 GAO/GGD-99-87 State Insurance Regulators Face Challenges B-281368 Because of the fast-approaching Year 2000 deadline and in an attempt to make up for lost time, some state insurance regulators were beginning to intensify their oversight efforts while there was still a possibility of mitigating possible disruptions. In addition to those state regulators that had recently conducted surveys at the time of our review, several state regulators had just contracted or were in the process of contracting for consultant services to assist with Year 2000 targeted examinations. How States Assessed and The state insurance regulators we visited attempted to prioritize companies in terms of their Year 2000 readiness and the extent of related Prioritized Companies for supervisory attention that they may need. This prioritization was generally Year 2000 Oversight done to determine how best to allocate limited resources to the area. Purposes Varied Responses to our survey indicated that state regulators varied in how they assessed and prioritized companies for Year 2000 purposes—that is, they used different sources of information, review criteria, and regulatory actions to handle identified high-priority insurers. The information that state insurance regulators obtained from their diverse oversight activities can be characterized by varying degrees of credibility. For example, information obtained from an on-site targeted examination conducted by information specialists would be more credible than information obtained from unverified, self-reported insurer responses to a Year 2000 survey. At the time of our review, the state regulators said they used the following sources of information to prioritize companies in terms of their Year 2000 readiness: survey responses; Year 2000 plans; Year 2000 quarterly reports; regular financial examinations with some questions directed to Year 2000 issues; and, in one case, Year 2000 targeted examinations. Eight of the 17 states we visited (representing 24.5 percent of the total market share) indicated that they used survey responses as their primary means for prioritizing companies. Two state regulators said that they had not yet prioritized their companies for Year 2000 oversight purposes when we conducted our survey in late January 1999, but that they were waiting for additional Year 2000 information from their contractors. State regulators also used different criteria to assess and prioritize companies for Year 2000 oversight purposes. The most stringent criteria 7 used by the regulators we visited to identify “priority 1” companies included those companies not expected to be compliant by January 1999. The least stringent criteria used to identify priority 1 companies included 7 The term “priority 1” refers to companies whose Year 2000 efforts were determined by the state regulators to need a high degree of regulatory attention. Page 9 GAO/GGD-99-87 State Insurance Regulators Face Challenges B-281368 only those companies that were not expected to be Year 2000 compliant by December 1999 and that had not developed a contingency plan. Other criteria were broad and vague, such as criteria that simply described priority 1 companies as those that did not adequately address or allocate resources to Year 2000 preparations. Over half of the states surveyed indicated that priority 1 companies were those that would become compliant after June 1999 or that were still in remediation (i.e., in the process of making system changes to become Year 2000 ready) after December 1998. Some states said they identified as priority 1 companies insurers that did not respond to Year 2000 surveys or that did not have formal Year 2000 plans. A few state regulators noted that they also considered the companies’ market share and overall financial condition when they prioritized companies for Year 2000 oversight purposes. As shown in figure 1, 11 percent of the insurance companies domiciled in the states that we surveyed were identified as priority 1 companies for Year 2000 oversight purposes. Appendix IV provides a breakdown, by type, of priority 1 companies relative to total insurance companies. Appendix V provides a breakdown, by size, of priority 1 companies relative to industrywide data. Figure 1: States’ Prioritization of Companies for Year 2000 Oversight Purposes Page 10 GAO/GGD-99-87 State Insurance Regulators Face Challenges B-281368 Note 1: The number of insurance companies represented is 3,565. Note 2: Priority 1 refers to companies whose Year 2000 efforts were determined to need a high degree of regulatory attention; priority 2 refers to companies determined to need a moderate amount of regulatory attention; and priority 3 refers to companies determined to need little or no regulatory attention. Source: Summary of state insurance regulators’ responses to GAO survey. Most of the state regulators indicated that they were in the process of conducting targeted Year 2000 examinations for all insurers identified as priority 1 companies. Others indicated that they would require priority 1 companies to submit Year 2000 progress reports, would reassess these companies on the basis of more current information before deciding to conduct any on-site visits, or would confer with company management. Variations Among States Variations in the Year 2000 oversight activities of state insurance regulators raise a question about the reliability of regulatory information Create Year 2000 Oversight on the Year 2000 readiness of insurers and the validity of related Challenges assessments. For example, information obtained through on-site examinations is generally more reliable than survey information. This question of information reliability can pose a challenge for state regulators that depend on one another for supervisory information on the Year 2000 status of their nondomiciled companies. Another related challenge to state regulators involves industry concerns regarding the confidentiality of information on insurers’ Year 2000 readiness. Finally, the regulators, and ultimately the public, lack a comprehensive framework for fully assessing the status of the insurance industry’s Year 2000 readiness due, in part, to different oversight approaches at the state level. Most state regulators we surveyed indicated that they were concerned about the Year 2000 readiness of nondomiciled insurance companies, especially those that do a significant amount of business in their states. The two more active states previously noted said that they were attempting to oversee their nondomiciled insurers in a manner similar to their domiciled insurers. A third state, according to an official, was asking its nondomiciled insurers to confirm whether their projected Year 2000 compliance dates were being met. Most of the remaining states we surveyed said they were relying on the oversight and due diligence of the states of domicile to ensure that their regulated insurers would be Year 2000 ready. For example, a few state regulators said they sent letters to selected state regulators to inquire about the readiness of specific insurers in which they were interested. Other regulators noted that they would depend on informal contacts with the other states, information sharing through NAIC, or the initiative of the states of domicile to alert them about Page 11 GAO/GGD-99-87 State Insurance Regulators Face Challenges B-281368 any potential Year 2000 problems involving insurers that do business in their states. Industry concerns regarding confidentiality posed a challenge to state regulators that are dependent upon one another for supervisory information on Year 2000 readiness. During the past several months, NAIC, state regulators, and the industry have grappled with how to adequately safeguard potentially proprietary information while facilitating information sharing among regulators, which is critical to overseeing the readiness for the Year 2000 date change within the industry. In February 1999, NAIC finalized a standard form, to be used at the states’ discretion, to facilitate information sharing and protect confidentiality. Although, according to NAIC, 39 states have adopted the agreement to date, it is too soon to tell how widely used and effective this form will be in promoting information sharing among the state regulators. Insurance, banking, and securities are different industries with different State Insurance regulatory structures. It may not always be appropriate to make direct Regulators Started comparisons between either the industries or their regulation. However, Their Year 2000 preparing for the Year 2000 date change is a problem that is common to all three industries. Similarly, the solutions to this problem—both from a Oversight Efforts Later business and a regulatory perspective—are also common across all three Than the Banking and industries. Securities Regulators Banking, securities, and insurance regulators have all taken steps to oversee the Year 2000 preparedness of their respective regulated entities. However, state insurance regulators were less active than the other financial regulators in promoting readiness and validating information on companies’ status of compliance and adequacy of efforts to achieve Year 2000 readiness. In general, insurance regulators also were less active in planning for and pursuing formal enforcement actions against companies identified as remiss in their Year 2000 efforts or in danger of not being ready for the date change. Page 12 GAO/GGD-99-87 State Insurance Regulators Face Challenges B-281368 Regulatory Approaches to For the institutions that they regulate, banking and securities regulators have provided guidance and direction regarding Year 2000 problems, while Facilitate Financial state insurance regulators we contacted indicated they have provided little Institutions’ Efforts to guidance. Within the banking industry, the Federal Financial Institutions Become Year 2000 Ready 8 Examination Council (FFIEC), through its member agencies, has taken actions to raise the banking industry’s awareness of the Year 2000 problem and provide depository institutions with Year 2000 guidance, including expectations regarding when certain phases of their conversion should be completed. Within the securities industry, SEC regulates broker-dealers, investment advisors, investment companies, transfer agents, and other securities firms. SEC has engaged in similar efforts to promote Year 2000 readiness, both through its own efforts and through the securities 9 industry’s self-regulatory organizations. But, for the most part, state insurance regulators we contacted and NAIC were not as active in this area. 10 Raising Industry Awareness In our Assessment Guide, we stated that Year 2000 awareness efforts should have been completed during 1996. In June 1996, FFIEC began to raise industry awareness by disseminating letters to all federally supervised banking institutions on topics associated with Year 2000 readiness. Also starting in June 1996, SEC sent letters to industry trade associations, and subsequently to firms, informing them of the threat posed by Year 2000 problems and urging them to address these problems. In contrast, individual state regulatory efforts to raise insurers’ Year 2000 awareness generally did not begin in the states we visited until 1997 or, for some of the states, until late 1998. These efforts typically took the form of questionnaires to insurers inquiring about their state of preparedness. NAIC began discussing Year 2000 issues in its quarterly national meetings in early 1997. Since that time NAIC indicated that it has used its quarterly meetings as a forum for raising regulator and industry awareness and for 8 FFIEC was established in 1979 as a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions, and to make recommendations to promote uniformity in the supervision of these institutions. The council’s membership is made up of the federal bank regulators—the Federal Deposit Insurance Corporation, the Federal Reserve System, and the Comptroller of the Currency—and the regulators for credit unions and thrift institutions—the National Credit Union Administration and the Office of Thrift Supervision, respectively. 9 In addition to SEC oversight, broker-dealers in the United States are subject to regulation by the various exchanges and the National Association of Securities Dealers, which act as self-regulatory organizations over their securities firm members. These organizations adopt rules and conduct examinations to ensure that these rules, as well as those of SEC and the securities laws in general, are complied with by their members. 10 GAO/AIMD-10.1.14. Page 13 GAO/GGD-99-87 State Insurance Regulators Face Challenges B-281368 sharing information on Year 2000 efforts. In August 1997, NAIC coordinated a national survey of insurers to prompt them, among other things, to take appropriate action to prepare for 2000. NAIC summarized 11 the survey results in a December 1997 report. For some of the state regulators we visited, the NAIC survey was their first regulatory communication with companies about Year 2000 issues. For unspecified reasons, 11 of the 50 states requested that NAIC not send a survey to their domestic insurers. NAIC’s summary report speculated that these states might have been conducting their own survey. Because of state insurance regulators’ late start, less time was available to assess fully insurers’ Year 2000 preparedness and to ensure the public that insurers will continue to operate with minimal disruption into the new millenium. Providing Guidance and Since 1996, FFIEC has issued interagency guidance to federally regulated Milestones depository institutions on Year 2000 topics, such as testing, contingency planning, and business risk. It has also set milestones and formally notified the banking industry of dates when companies were expected to have completed critical phases of Year 2000 conversion (e.g., renovation and validation). Both guidance and milestones were provided to banking institutions as the criteria that would subsequently be used by examiners looking at year 2000 compliance. SEC told us that it has provided some general guidance on Year 2000 problems, and that it has worked with the Securities Industry Association and some of the self-regulatory organizations to develop and issue explicit guidance to their members. In particular, the National Association of Securities Dealers issued guidance on topics such as investor concerns and testing requirements, and the association conducted workshops around the country to raise awareness and provide assistance regarding the Year 2000 problem. Moreover, similar to the banking regulators, the self-regulatory organizations established milestone dates for their respective member organizations. In contrast, state insurance regulators we contacted, with a few exceptions, said that they had not provided insurance companies with formal guidance or regulatory expectations regarding Year 2000 readiness. Some state officials believed that their regulatory role precluded more active efforts in establishing what companies should do to prepare for Year 2000. These officials said that their role was to monitor Year 2000 progress, rather than to be directive with companies regarding Year 2000 solutions. 11 Year 2000 Insurance Industry Awareness, NAIC, December 8, 1997. Page 14 GAO/GGD-99-87 State Insurance Regulators Face Challenges B-281368 A few other officials noted that they lacked the expertise or resources to provide specific guidance on preparing for 2000. In September 1998, NAIC issued guidance on insurance regulatory 12 expectations, regarding due diligence in preparing for 2000, for use by the industry as well as by state insurance regulators. Dissemination of this information to insurance companies was left to the discretion of individual states. Regulators in a few states we visited in late 1998 were still unaware that NAIC had issued the regulatory guidance. Regulatory Verification of Financial regulators have generally focused their verification efforts on the Year 2000 readiness of their regulated institutions by (1) conducting on- Institutions’ Year 2000 site examinations and (2) requiring broadscale testing. Special on-site Readiness (targeted) examinations are to focus primarily on the actions that institutions are taking to prepare for 2000, in other words, on the process up to and including a review of test results and contingency planning. Broadscale tests are to demonstrate whether, after all of the preparations, an entire integrated segment of a financial sector could continue to operate and interact together. Broadscale testing, however, does not cover the potential impact of third-party systems (e.g., those of vendors or infrastructure industries, such as power and communications) that are in some way linked to the institutions nor does it provide information about contingency planning. The structure of the securities industry and, to a lesser extent, of the banking industry lends itself to broadscale testing because there is a significant amount of interconnectedness among industry participants (i.e., industry interdependence that is based on extensive transactions and system links between and among companies in a particular industry). This interconnectedness is limited in the insurance industry. As a result, examinations represent the primary means for insurance regulators to verify the Year 2000 readiness of their companies. To validate the progress and status of their regulated institutions, banking regulators rely primarily on examinations targeted directly at issues related to Year 2000 problems. The first round of such examinations began in May 1997. As of April 1999, regulators had completed their second round of targeted examinations. Bank regulators told us that every institution has now been examined twice for Year 2000 progress. This effort has provided regulators with not only snapshots of the current status of institutions but 12 Insurance Regulatory Statement Regarding Industry Year 2000 Compliance and Remediation, approved by NAIC’s Year 2000 Working Group on September 8, 1998. Page 15 GAO/GGD-99-87 State Insurance Regulators Face Challenges B-281368 also with an indication of their progress over time. Furthermore, regulators plan to return to or contact institutions where questions on the adequacy of their progress remain. Indeed, OCC plans to complete, by July 1999, a third round of on-site examinations of all institutions for which it has supervisory responsibility. The federal banking regulators have also encouraged depository institutions to participate in broadscale testing efforts. The Federal Reserve, for example, has encouraged banks to participate in tests demonstrating their ability to successfully interface with Federal Reserve supplied services (e.g., check clearing). Also, according to an agency official, OCC has worked closely with two bank trade associations in their efforts to coordinate Year 2000 testing among participating banks. Such tests are intended to provide further assurances of the banking industry’s readiness to meet Year 2000 challenges. The interconnectedness of the securities industry lends itself to broadscale testing. With SEC’s support, over 400 institutions were participating in “streetwide” testing at the time of our review. A preliminary test was conducted in July 1998, and a second round of tests began in March 1999 and was scheduled to continue through April 1999. According to an agency official, SEC has an active examination program. For example, during 1998, SEC conducted more than 4,400 on-site reviews of fund and investment advisers, approximately 60 percent of the registered adviser community. The reviews focused on the firms’ timetables for completing and testing their Year 2000 corrections. Similar reviews were conducted for selected transfer agents and broker-dealers. Firms whose timetable lagged significantly behind SEC’s guidance (e.g., that all corrections be completed by December 31, 1998, reserving 1999 for testing) were given a deficiency letter regarding their delay. In addition to SEC examinations, the self-regulatory organizations have conducted ongoing monitoring of their members through telephone contacts. However, unlike banking regulators who said they had conducted examinations of every institution, SEC and the self-regulatory organizations have not examined and do not plan to examine every regulated entity. They are relying on the disclosures mandated by SEC and broadscale tests, as well as targeted examinations, to provide assurances of the readiness of other institutions. State regulators’ efforts to validate the Year 2000 readiness of insurance companies began later than those of the banking and securities regulators. Page 16 GAO/GGD-99-87 State Insurance Regulators Face Challenges B-281368 In most states, such efforts have also lacked the vigor demonstrated by banking and securities regulators. In December 1997, NAIC approved the addition of nine questions on Year 2000 preparations to the Financial Examiners Handbook, which is the required audit guide used by insurance examiners in all states. Most states we contacted said they began coverage of their regulated insurance companies during regularly scheduled financial examinations starting in early 1998. However, state insurance regulators require routine financial examinations once every 3 to 5 years. By the beginning of 2000, many companies’ last regular examination would not have included questions on Year 2000 preparedness. Recognizing this Year 2000 oversight limitation, some state regulators said they have begun or are considering incorporating targeted Year 2000 examinations into their validation programs. One state said it began conducting such examinations in mid-1998. Several more state regulators said they began targeted examinations late in 1998, and others indicated they had either just begun or plan to begin targeted examinations during 1999. Three other states we visited were uncertain as to whether targeted examinations were needed. Representatives of 4 of the 17 state insurance departments we visited told us that they did not plan to conduct targeted examinations. Eight states that were conducting or planning to conduct targeted examinations had no plans to examine all domiciled institutions. Instead, they said their goal was to examine only companies believed to pose the greatest risk. In general, limiting on-site regulatory examination efforts pertaining to Year 2000 readiness would provide correspondingly limited assurances that survey information self-reported by insurers was reliable, especially when these efforts were not supplemented by any other type of validation. Regulatory Enforcement of State insurance regulators have generally been less active than the other financial regulators in planning for (e.g., establishing clear expectations Year 2000 Readiness that insurers can be held accountable for meeting) and pursuing formal enforcement actions against companies that are not responsive to regulatory requirements regarding the Year 2000 date change. Two circumstances, in particular, that may warrant enforcement attention involve insurers’ (1) lack of responsiveness to requests for Year 2000- related information and (2) insufficient actions to prepare for 2000. Most of the state regulators we visited had addressed identified problems related to obtaining Year 2000 information from insurers. However, without having established clear regulatory expectations for their companies, insurance regulators were less prepared than the banking and securities regulators to deal with potential readiness issues. Page 17 GAO/GGD-99-87 State Insurance Regulators Face Challenges B-281368 While the banking regulators used on-site examinations as a primary means of obtaining and reviewing Year 2000-related information, most of the insurance regulators we visited used surveys, which were usually administered under their examination or regulatory access authority, as a 13 key source of insurer information. State officials explained that administering surveys under their examination authority provided them with a greater assurance that they would receive high response rates and with additional leverage to take action if an insurer did not provide requested Year 2000 information. In addition to conducting examinations, SEC required the entities it oversees to provide reports on their Year 2000 efforts and progress. Because SEC issued specific reporting requirements and related guidance, it has been able to take action against companies that failed to comply. For example, at the time of our review SEC had undertaken formal proceedings, involving fines of up to $25,000, against 46 companies for failure to file these required Year 2000 reports in a timely manner. Regarding Year 2000 readiness issues, the banking regulators have taken measures to ensure that they are prepared to pursue enforcement actions against companies identified as not adequately preparing to become Year 2000 compliant. As previously mentioned, banking regulators have set milestones and formally notified banking institutions about when they were expected to have completed certain phases of Year 2000 conversion. Banking regulators have also developed a uniform examination rating system for Year 2000 readiness that they used to help identify when regulatory intervention was warranted. In addition, the banking regulators have included enforcement actions in their Year 2000 supervision program to prompt remedial action by financial institutions that are not making adequate progress. Using these mechanisms, the banking regulators were able to initiate formal actions against some institutions, as early as November 1997, for failing to make adequate progress toward becoming Year 2000 ready. SEC recently proposed actions that may be taken if securities market participants are not deemed to be ready for 2000. In March 1999, SEC released for comment a proposed rule that would require broker-dealers and transfer agents to complete certain actions (e.g., verify remediation efforts through internal testing) to become Year 2000 ready by no later 13 According to state officials, a regulatory survey administered under examination authority places the surveyed companies under the same legal obligation to provide true and complete information as they would be under if examiners were physically present in the company. Page 18 GAO/GGD-99-87 State Insurance Regulators Face Challenges B-281368 than August 1999. According to the proposal, if a broker-dealer cannot ready its systems by October 15, 1999, it would be required to cease conducting securities activities with customers and to transfer its existing customer accounts to another firm. The state insurance regulators tended to be less prepared than the other regulators to institute enforcement actions against companies that were identified to be at a high risk of not being Year 2000 ready. With a few exceptions, the states we visited had not provided insurance companies with specific regulatory expectations (e.g., deadlines for selected phases of Year 2000 readiness) that could be used as a basis for determining when regulatory actions should be taken. According to an NAIC survey of all 14 states, two states had a formal plan that included specific triggers for determining when a regulatory action should be taken against a company, and a few additional states were in the process of developing such a mechanism. The majority of state regulators indicated that some form of intervention could occur if a company’s activities posed a threat to its continued operations or financial solvency. However, some state regulators held divergent views on the fundamental question of whether they had the statutory authority to take action against a company, prior to 2000, for not being prepared for the date change. At the time of our review, 1 of 17 state insurance regulators informed us about a Year 2000-related regulatory intervention involving a company that did not have a remediation plan. Regulatory information on the Year 2000 readiness of the nation’s Information on the insurance industry does not provide the necessary information to judge Year 2000 Readiness of whether the industry will be ready for 2000. Although the state insurance the Insurance Industry regulators we visited have relied primarily on unverified company responses to Year 2000 surveys, the regulators are generally confident Has Limitations, but about the ability of the industry to become Year 2000 ready. They said that the Industry Is Viewed most insurers, particularly the larger ones that are strongly influenced by as Generally on Track competitive market forces, are well under way in their efforts to become Year 2000 ready. Other nonregulatory sources are similarly optimistic about the insurance industry’s Year 2000 readiness relative to the readiness of other U.S. industries. These other sources include rating companies that have reported that the insurance industry appears to be generally on track to Year 2000 readiness. These views should be viewed with some caution, however, because many of these observations are 14 Survey results are summarized in Year 2000 Industry Compliance Status; NAIC; Year 2000 Working Group; Report to Commissioners; December 6, 1998. Page 19 GAO/GGD-99-87 State Insurance Regulators Face Challenges B-281368 based primarily on information that has been self-reported by the insurance companies and that, for the most part, has not been validated. Regulatory Information on Quarterly Year 2000 industry compliance status reports, which NAIC prepares for the state insurance commissioners, represent the only Industrywide Year 2000 industrywide regulatory information in the area. To date, NAIC has issued Readiness Is Limited two such reports. These reports, intended to convey information on insurance company readiness as reported by the state regulators, provide insights on regulatory efforts and industry readiness at the state level. They do not, however, provide an effective gauge for the status of the industry as a whole. Information in these reports comes from different sources and represents different points of time, making it methodologically inappropriate to link the information together as a basis for determining the overall industry’s Year 2000 readiness. The latest industry status report, for example, attempts to provide Year 2000 readiness information for insurance companies in each state. The report presents information from 30 states on the basis of surveys conducted at various periods between July 1997 and December 1998. Compliance information for the remaining 20 states was taken from an outdated industrywide survey that NAIC conducted between August and October, 1997. In both cases, information on Year 2000 compliance represented company responses to surveys that, with a few exceptions, had not been verified. State Regulatory Officials State regulatory officials we interviewed did not identify any major concerns related to the Year 2000 readiness of the insurance industry in Are Generally Confident in their respective states. In general, they were confident that the industry the Insurance Industry’s has been actively preparing for 2000 and would, for the most part, be ready Ability to Be Year 2000 for the date change. Officials explained that the insurance industry is a Ready transaction-driven business that is highly dependent on date-sensitive information and processing. Thus, the Year 2000 issue is not a new one for insurers, especially for the larger, more sophisticated companies that recognize the potential impact it may have on their business continuity and financial stability. Officials believed that, assuming they have obtained the requisite commitment from senior management, most large insurers have allocated sizable resources to and are well under way in their conversion efforts. State officials stated that, in general, the small and medium-sized insurers do not have the same level of appreciation or understanding of the Year 2000 problem as the larger companies. They indicated, however, that they were not significantly concerned. NAIC’s December 1997 report suggests Page 20 GAO/GGD-99-87 State Insurance Regulators Face Challenges B-281368 this “lesser understanding” of the issue could stem from the fact that many of the smaller insurers do not have complicated, internally developed computer systems. To the extent that smaller insurers use vendor software, and to the extent that software is compliant, these insurers will generally have an easier time with their conversion efforts. Some state officials also added that, for smaller insurers, a reasonable and relatively easy way to implement a contingency plan would be to revert to a manual system on a temporary basis. State officials noted that they were generally unconcerned that Year 2000- related problems involving individual insurers would result in systemic disruptions to the industry as a whole. A few officials explained that unaffiliated insurance companies generally maintained stand-alone systems, and that the failure of an individual insurer would have limited effects on other insurers outside of those with which it may be jointly owned. Some officials expressed greater concerns regarding, for example, specific segments of the health insurance industry that may be linked to systems associated with government programs, such as Medicare. Regulatory responses to our inquiry regarding the number of individual insurers that may not be Year 2000 ready were generally consistent with states’ expressed optimism regarding the industry. In our January survey of 17 state regulators, we asked the following question: “Based on your knowledge to date, how many domiciled insurance companies does your state consider to be at a high risk of not being Year 2000 ready?” Five states were confident that none of their domiciled insurers were at a high risk of not being Year 2000 ready. These five states, however, used the less stringent criteria for assessing readiness (e.g., companies not expected to be compliant by December 1999 and without a contingency plan) or relied almost exclusively on survey information as the basis of their assessments. Seven states attempted to estimate the number of insurers thought to be at a high risk of not being ready. The proportion of high-risk companies to the overall number of companies ranged from 4 to 25 percent, with the average being 10 percent. Over 80 percent of these companies perceived to be high risk were categorized as small companies that write policies representing less than $100 million in net premiums. The remaining five states did not respond to the question; a few states noted that additional information was needed. Page 21 GAO/GGD-99-87 State Insurance Regulators Face Challenges B-281368 Other Sources Are Similarly Independent sources, such as consulting firms and rating companies, have not identified any major or systemic problems relative to the Year 2000 Confident and Have Not readiness of the insurance industry. Although their observations are based Identified Any Major or almost exclusively on information self-reported by insurers, these sources, Systemic Problems Related like the state regulators, are generally confident in the ability of the to the Insurance Industry’s insurance industry to be Year 2000 ready. Year 2000 Readiness The Gartner Group, for example, has stated that the financial services industries, including the insurance industry, lead all other industries in 15 efforts to become Year 2000 ready. It explained that the insurance industry began having data failures over 10 years ago when, for example, it was required to calculate future payments on 10- or 15-year annuities. Because of such time-driven products and because of the critical impact that information technology systems have on insurers’ business operations, a Gartner Group official indicated that insurers began their compliance efforts early and have since been able to make great strides in the area. The Gartner Group’s research regarding Year 2000 information was largely gathered from interviews and client inquiry meetings covering 27 industries and an estimated 15,000 companies in 87 countries. Key rating companies have not identified any major or systemic problems pertaining to the Year 2000 readiness efforts of the insurance industry, and these companies have, in fact, provided positive critiques of industry efforts in the area. A.M. Best Company, in a February 1999 report, concluded that although most insurers were still in the remediation and testing phases of addressing their Year 2000 readiness efforts, all but a few 16 insurers will be fully operational in January 2000. The company based this conclusion on a Year 2000 survey of 1,709 insurance entities that was conducted in November 1998. According to the report, although only 45 percent of the companies responded to the survey, these companies represented nearly three-quarters of the industry volume. Weiss Ratings, Inc., also addressed the insurance industry’s preparedness 17 in a September 1998 report. On the basis of a survey of 5,096 insurers that resulted in a 22-percent response rate, Weiss Ratings, Inc., reported that 93 percent of the survey respondents indicated they have progressed 15 Year 2000 Global State of Readiness and Risks to the General Business Community and Year 2000 International State of Readiness, Gartner Group testimony before the U.S. Senate Special Committee on the Year 2000 Technology Problem, October 7, 1998, and March 5, 1999, respectively. 16 Seeking Y2K Compliance: A.M. Best’s Insurer Readiness Report, A.M. Best Company, Inc., February 1999. 17 The Weiss Y2K Ratings of Insurance Companies, Weiss Ratings, Inc., Fall 1998. Page 22 GAO/GGD-99-87 State Insurance Regulators Face Challenges B-281368 adequately in their efforts to become Year 2000 ready. Conning and Company also observed that the insurance industry is making good progress in its internal systems efforts for Year 2000 compliance. Standard and Poor’s noted that Year 2000 system issues for most insurers are approaching a resolution and that, as of March 1999, no insurance company rating was downgraded because of Year 2000 problems. Although independent sources have reported that insurers were generally doing well with their internal efforts to become Year 2000 ready, some have also suggested that insurers may face substantial threats from other related sources. Such sources include the Year 2000 compliance problems of external parties with which they do business (e.g., suppliers and government entities) or potential liability exposures arising from Year 2000 problems. Within the insurance industry, major concerns and preparations related to Some Insurers Face the Year 2000 date change are not limited to readiness issues, but also Potentially Large Year include liability exposure issues. Currently, the magnitude of insurers’ 2000 Liability Costs; liability exposures cannot be estimated primarily because a claims history for the event does not exist and answers to key legal issues related to 2000 Effects of Related are unresolved. While not estimable, Year 2000-related liability exposures Mitigation Efforts Are could be significant for some insurers, particularly those insurers Uncertain concentrated in commercial property-casualty market sectors. Insurers’ efforts to reduce these potential exposures include writing exclusionary clauses in insurance policies, performing more stringent underwriting, and educating policyholders to properly prepare their systems and operations for 2000. The effectiveness of these efforts, however, remains uncertain because insurers face various potential marketplace and legal challenges. Uncertainties also remain over the outcomes of several state and federal legislative initiatives that were recently undertaken to address Year 2000 liability exposure issues. Year 2000-Related Liability Industry professionals and observers acknowledge that the magnitude of Year 2000-related exposures cannot be estimated at this time. They also Exposures and Legal Costs indicated that property-casualty insurers, particularly those that write a Are Not Yet Estimable but significant amount of commercial insurance (e.g., policies for directors May Be Significant for Some and officers, errors and omissions, commercial general liability, and Insurers business interruptions), are more vulnerable to Year 2000-related liability exposures than are other types of insurers. Moreover, lawyers and industry professionals have said that insurers may face significant legal costs to resolve Year 2000-related claims and lawsuits. Page 23 GAO/GGD-99-87 State Insurance Regulators Face Challenges B-281368 Because of the uniqueness of the Year 2000 event, the potential magnitude and scope of impacts caused by related computer malfunctions are largely unknown. Insurers have little to rely upon in estimating their potential exposures since there is no claims history for such an event and many key legal issues related to coverage and the interpretation of various types of insurance policies are unresolved. Among the many coverage-related issues that may be raised by insurers to limit coverage are those involving “fortuity” and “triggers.” Insurance coverage generally applies to losses caused by “fortuitous events,” that is, events that are unexpected, unusual, and unforeseen. Insurers have generally asserted that because the Year 2000 problem is widely known and timely remedial measures in many cases have been available, Year 2000-related losses sustained by computer users are not fortuitous and therefore would not be covered by some types of policies (e.g., business interruption insurance). Conversely, those seeking coverage for losses are expected to argue that specific Year 2000-related mishaps and their associated losses were unforeseen despite reasonable efforts to prepare for the event, or their losses were so unusual that they were not to be expected. Insurance coverage also depends on what event “triggers” coverage. Under some types of policies, coverage would depend on the point in time that the covered event occurred. For instance, in disputes concerning computer users, sellers, servicers, and manufacturers, there may be questions as to whether the event causing Year 2000-related damages occurred when a system was manufactured or distributed, a system was installed, a Year 2000-related problem was noticed, or damages were incurred. If disputes over insurance coverage are based on trigger issues, the courts may have to decide when coverage was activated for a particular policy. Until these and other questions are addressed in the context of the Year 2000 event, insurers will continue to have difficulties estimating related liabilities. Estimating the magnitude of insurers’ exposures due to the Year 2000 event is also difficult because of the variety of issues and litigants that could be involved in potential lawsuits. As Year 2000 disputes emerge, insurance coverage issues will surface as plantiffs and defendants alike try to recoup alleged losses from insurers. Insurance industry observers frequently categorize anticipated Year 2000-related lawsuits into three “waves” of litigation over: (1) costs to become Year 2000 compliant, (2) losses resulting from Year 2000 problems, and (3) coverage for Year 2000- related losses. Many lawsuits involving disputes over the responsibility for costs to upgrade systems for 2000 have already been filed (e.g., disputes Page 24 GAO/GGD-99-87 State Insurance Regulators Face Challenges B-281368 between vendors and users to remediate software in noncompliant systems). Several legal experts predict another wave of lawsuits associated with actual losses caused by Year 2000 mishaps, such as those seeking compensation for losses arising from the alleged failure of a firm and/or its officers to adequately prepare for and disclose Year 2000 problems. Insurers may be responsible for paying claims on damages incurred by policyholders if coverage is established. In addition, industry representatives and legal experts agree that lawsuits between insurers and policyholders could result from insurers denying coverage. Further complicating the ability of insurers to estimate their exposures for the Year 2000 event are the potential legal costs, including those arising in connection with insurers’ general duty to defend policyholders against liability suits. Insurers expect to incur significant legal costs to defend their general liability policyholders against third-party lawsuits, even when coverage may be questionable. Many industry representatives and observers have indicated that legal costs could exceed claims costs associated with Year 2000 problems. Since insurers are unable to estimate their potential Year 2000-related liabilities, they are also unable to reflect appropriately all of their potential liabilities by modifying their reserve posture. Generally speaking, reserves cannot be reasonably established until the liabilities are both probable and reasonably estimable. Year 2000-related liabilities continue to be inestimable in the insurance industry. Insurer Efforts to Mitigate In light of the uncertain but potentially significant Year 2000-related liability exposures, many insurers have taken steps to limit or reduce their Potential Year 2000 Liability exposures. These measures include the insertion of exclusions into certain Exposures Face Challenges types of policies, more stringent underwriting practices, and educational programs to encourage policyholders to properly prepare themselves for 2000. The effectiveness of insurers’ efforts to mitigate their exposures remains unclear as some mitigation measures face legal and marketplace challenges. Many insurers, particularly those writing commercial general liability policies, are attempting to limit their exposures by incorporating exclusions into their policies. The state insurance regulators have generally approved of some form of Year 2000-related exclusions developed by the Insurance Services Office for commercial lines of Page 25 GAO/GGD-99-87 State Insurance Regulators Face Challenges B-281368 18 insurance. However, although exclusions are intended to limit coverage for Year 2000-related mishaps, uncertainties remain as to the effectiveness of such practices. According to legal experts, the courts may be asked to decide whether Year 2000 coverage exclusions are legitimate. Some experts have expressed uncertainty over whether courts will uphold the Year 2000 exclusions due to public policy concerns. Moreover, where such exclusions are upheld, specific coverage questions could remain as courts typically interpret exclusions narrowly. Some insurance and legal professionals also have said that the use of an exclusion could be viewed as evidence that a standard policy without the exclusion was intended to cover losses from a Year 2000 failure. To avoid this risk, some insurers have opted not to use exclusions, emphasizing that their policies have never covered direct Year 2000 losses. Nevertheless, insurance professionals explained that standard policies may cover losses arising in connection with a Year 2000-related mishap that causes an insured event resulting in a loss, such as a fire or an auto accident, irrespective of whether the incident was caused by a Year 2000 glitch. For instance, a standard automobile policy may not cover expenses to fix a car that failed because of a Year 2000 problem, but the policy could cover damages for an accident caused by a Year 2000-related vehicle malfunction. Some insurers are also attempting to mitigate their liability exposures through more stringent underwriting practices and educational programs that encourage policyholders to prepare their operations and contingency plans for the Year 2000 event. Assessing their policyholders’ Year 2000 preparation efforts, writing policies that reflect each policyholder’s Year 2000-related risks, and sending policyholders guidance materials to emphasize the importance of Year 2000 preparation efforts are other techniques used by some insurers to mitigate their potential liabilities. Such loss control efforts are aimed at reducing the insurers’ potential exposures due to Year 2000-related coverage claims and lawsuits. The extent to which mitigation measures can be effectively employed also depends on the competitive marketplace and the individual business relationship insurers have with their policyholders. Industry professionals 18 The Insurance Services Office is an organization that assists property-casualty insurers by collecting and generating data on the loss experience of the industry as a whole. This organization also prepares generalized policy forms to be used by insurers at their discretion. For example, one Year 2000 exclusion form developed for liability policies excludes liability damages associated with computer system-related failures “due to the inability to correctly recognize, process, distinguish, interpret, or accept the year 2000 and beyond.” Page 26 GAO/GGD-99-87 State Insurance Regulators Face Challenges B-281368 and observers indicated that some policies covering Year 2000-related damages may still be available and acknowledged that the use of exclusions was not always practical in the marketplace. For instance, one commercial property-casualty insurer indicated the company had lost accounts to another insurer that was willing to offer insurance without a Year 2000 exclusion. Effects of Regulatory and We observed in the states we visited that state regulatory efforts to help companies address and mitigate their potential liability exposures have Legislative Efforts Are generally focused on the consideration and approval of exclusionary forms Uncertain that some companies want to place on their policies. These states have generally approved the standard exclusionary endorsements proposed by the Insurance Services Office, or similarly worded forms, that identify coverage exclusions for Year 2000-related losses. A spokesperson for the Insurance Services Office indicated that all of the states had approved of certain exclusions for commercial lines of insurance. Beyond these exclusionary approvals, we found that the regulatory efforts of the states we visited to address companies’ potential liability exposure problems have generally been limited. Some state regulators included questions related to Year 2000 liability exposures in the surveys that they sent companies to help raise awareness about the issue. Most of the regulators we visited did not indicate any specific efforts to identify potential liability exposure issues among their regulated companies. Other uncertainties remain over how several state and federal legislative initiatives will affect insurers’ potential Year 2000-related liability exposures. Legislative actions to address the resolution of Year 2000- related disputes, thus far, have consisted primarily of sovereign immunity laws passed by several states to protect themselves from Year 2000-related lawsuits. Many other state and federal legislative initiatives are currently being considered, some of which propose alternative dispute resolution methods to help resolve disputes involving Year 2000-related mishaps. A number of pending legislative initiatives also seek to limit Year 2000- related liabilities in a variety of ways. Among other things, proposed measures include special rules for liability standards and class action lawsuits, liability caps, prohibitions on punitive damage awards, and waiting periods to give potential defendants an opportunity to remedy noncompliant systems before lawsuits can be filed. Uncertainties continue as numerous legislative initiatives addressing resolution methods and damage awards for Year 2000-related disputes are still being debated. Page 27 GAO/GGD-99-87 State Insurance Regulators Face Challenges B-281368 Generally, state insurance regulators’ responses to the Year 2000 challenge Conclusions started late and, with a few exceptions, were limited in scope. Also, the level of regulatory activity to promote and assess insurance companies’ Year 2000 readiness and to validate self-reported information on readiness varied widely by state. As a result, it is sometimes difficult, both for other regulators and for the public, to know how much confidence they can have that specific insurers or the overall insurance industry will be able to continue operations with minimal disruptions into the new millenium. Generally, insurance regulators have not been as active in encouraging, validating, and enforcing Year 2000 preparation efforts as the banking and securities regulators. NAIC, which assumed the role of facilitator of state regulators’ Year 2000 oversight efforts, has also been late in many of its actions. Among those actions were NAIC’s August 1997 survey, which was its first attempt to formally notify insurance companies about the Year 2000 problem and to encourage state regulators to take action. Similar actions were taken by banking and securities regulators beginning in 1996. Furthermore, NAIC did not incorporate Year 2000 questions into the Financial Examiners Handbook until prior to examinations done in 1998, despite a normal examination cycle in the states of 3 to 5 years for insurance companies. NAIC also did not issue Year 2000 guidance, including recommended regulatory and industry expectations, until September 1998. At that time, the guidance was disseminated to the state regulators but not necessarily to all insurance companies. Finally, state insurance regulators were generally less prepared than the other financial regulators to pursue formal enforcement actions against identified problem companies due, in part, to the lack of clearly established and well- communicated expectations (e.g., milestone dates for specific phases of the Year 2000 conversion) for insurers. State regulators and industry observers report that the insurance industry is in reasonably good condition with respect to Year 2000 readiness. However, this assertion is based primarily on self-reported information that has not yet been verified. Furthermore, the state regulatory data available through NAIC do not provide an effective gauge to assess the status of the industry as a whole because of large differences in the dates that information was collected by the states. Moreover, these data on industry compliance were based almost exclusively on survey responses. At present, the magnitude of costs associated with claims and legal defenses for Year 2000-related mishaps is not yet estimable but has the potential to be substantial for some property-casualty insurers. Although many insurers have taken actions to reduce their potential liability Page 28 GAO/GGD-99-87 State Insurance Regulators Face Challenges B-281368 exposures, the effectiveness of these mitigation efforts remains uncertain. Ultimately, insurers’ Year 2000-related liability exposures will depend on decisions made to resolve key legal questions and numerous pending legislative initiatives. Until then, insurers will continue to face challenges in estimating their Year 2000-related liabilities and modifying their reserve posture, as warranted. NAIC provided written comments on a draft of this report. A reprint of NAIC Comments and NAIC’s letter can be found in appendix III. Our Evaluation NAIC stated that its members have been proactively addressing Year 2000 issues since 1997, and it provided a Year 2000 chronology of NAIC activities. However, based on the suggested milestones in our Assessment Guide, as well as our comparison of insurance regulators to other financial regulators, we continue to believe that regulatory efforts to oversee the insurance industry’s Year 2000 readiness began late and have generally been limited. Specifically, the state insurance regulators we visited were less active in their efforts to promote Year 2000 readiness and efforts to validate information on the status of companies’ readiness. They were also less active in planning for and pursuing formal enforcement actions against companies identified as inadequately preparing for Year 2000 and at a high risk of not being ready for the millenium change. In addition, NAIC was generally late in providing information and guidance to state regulators about the appropriate Year 2000 regulatory activities to undertake. Our concern is that, given the time-consuming process of becoming Year 2000 ready, any company identified by regulators at this late date as being behind could have difficulty completing all of the necessary phases of its Year 2000 preparations in time. NAIC also stated that much of the data used to develop the draft report was out of date, citing, for example, NAIC’s recent initiative to coordinate a focused review of nationally significant companies. As discussed in the scope and methodology of this report, our noted observations are based on actions taken by state insurance regulators through January 1999. As the Year 2000 deadline approaches, NAIC’s most recent initiatives, such as the focused review of nationally significant companies, may offer a practical approach to ensuring the readiness of the nation’s largest insurance companies. NAIC projected that the first phase of this initiative will be completed by mid-May, with preliminary results to follow. We plan to address the results of this initiative as well as other NAIC and state regulatory actions when we provide you with updated information on the insurance industry’s Year 2000 readiness as requested in your March 11, 1999, letter. Page 29 GAO/GGD-99-87 State Insurance Regulators Face Challenges B-281368 In addition, NAIC noted that our draft report reflected dates when policies were adopted by NAIC, but did not recognize the many meetings and discussions among regulators, industry, and trade associations that led to the adoption of a policy. In this report, we acknowledged that preliminary meetings to discuss and develop policies provided a mechanism among regulators and the companies involved for raising awareness and promoting a dialogue about important issues, such as preparing for 2000. However, we focused on the date that a policy was formally adopted by NAIC, rather than on the beginning of discussion. Formal adoption of a policy is a more relevant date because it signifies when agreement is reached and actions are expected to commence. Finally, NAIC acknowledged that the state insurance regulators have developed different approaches to addressing Year 2000 problems, but NAIC viewed these oversight variations to be a significant advantage for state regulators. In our view, variation in the regulatory oversight of Year 2000 preparations across states is a concern because of the high degree of interdependency required by the state-by-state regulatory system. We found that state regulators depend on each other for the regulation of nondomiciled companies. In fact, in May 1998, NAIC recommended “…that states concentrate their evaluation efforts on domestic insurance entities.” We also found that the level of Year 2000 oversight is substantially weaker in some states than in other states. In our view, this raises questions about the extent to which states can rely on other states regarding the preparedness of nondomiciled insurance companies doing business in their states. Moreover, variations in oversight approaches among state regulators also made it difficult to ascertain the overall status of the insurance industry’s Year 2000 preparedness. As agreed with your office, unless you publicly announce its contents earlier, we plan no further distribution of this report until 10 days from its issue date. At that time we will provide copies to Representative Thomas Bliley, Chairman, House Committee on Commerce, and Senator Robert Bennett, Chairman, and Senator Christopher Dodd, Vice Chairman, Senate Special Committee on the Year 2000 Technology Problem. We will also provide copies of this report to other interested parties and will make copies available to others on request. Page 30 GAO/GGD-99-87 State Insurance Regulators Face Challenges B-281368 Major contributors to this report are listed in appendix VI. Please call me on (202) 512-8678 if you or your staff have any questions. Sincerely yours, Richard J. Hillman Associate Director, Financial Institutions and Markets Issues Page 31 GAO/GGD-99-87 State Insurance Regulators Face Challenges Contents Letter 1 Appendix I 34 Phases of Year 2000 Preparation Appendix II 35 States Visited and Market Share of Their Domiciliary Insurance Companies Appendix III 36 Comments From the National Association of Insurance Commissioners Appendix IV 47 Priority 1 Companies Relative to Total Insurance Companies, by Type Appendix V 48 Priority 1 Companies Relative to Industrywide Data, by Size Page 32 GAO/GGD-99-87 State Insurance Regulators Face Challenges Contents Appendix VI 49 Major Contributors to This Report Tables Table 1: Year 2000 Conversion Phases and Suggested 4 Completion Dates Table I.1: Description of Key Phases of Year 2000 34 Preparation Table II.1: States We Visited and Market Share of Their 35 Domiciliary Insurance Companies Figures Figure 1: States’ Prioritization of Companies for Year 10 2000 Oversight Purposes Figure IV.1: Priority 1 Companies Relative to Total 47 Companies, by Type Figure V.1: Priority 1 Companies Relative to Industrywide 48 Data, by Size Abbreviations EDS Electronic Data Systems FFIEC Federal Financial Institutions Examination Council NAIC National Association of Insurance Commissioners OCC Office of the Comptroller of the Currency SEC Securities and Exchange Commission OMB Office of Management and Budget Page 33 GAO/GGD-99-87 State Insurance Regulators Face Challenges Appendix I Phases of Year 2000 Preparation Table I.1: Description of Key Phases of Year 2000 Preparation Key phases Description of activities conducted Awareness Define the Year 2000 problem and gain executive level support and sponsorship. Establish Year 2000 program team and develop an overall strategy. Ensure that everyone in the organization is fully aware of the issue. Assessment Assess the Year 2000 impact on the enterprise. Identify core business areas and processes, inventory and analyze systems supporting the core business areas, and prioritize their conversion or replacement. Develop contingency plans to handle data exchange issues, lack of data, and bad data. Identify and secure the necessary resources. Renovation Convert, replace, or eliminate selected platforms, applications, databases, and utilities. Modify interfaces. Validation Test, verify, and validate converted or replaced platforms, applications, databases, and utilities. Test the performance, functionality, and integration of converted or replaced platforms, applications, databases, utilities, and interfaces in an operational environment. Implementation Implement converted or replaced platforms, applications, databases, utilities, and interfaces. Implement data-exchange contingency plans, if necessary. Source: Year 2000 Computing Crisis: An Assessment Guide (GAO/AIMD-10.1.14, Sept. 1997). Page 34 GAO/GGD-99-87 State Insurance Regulators Face Challenges Appendix II States Visited and Market Share of Their Domiciliary Insurance Companies We conducted site visits of 17 state insurance departments whose domiciliary insurance companies collectively accounted for 75 percent of insurance sold nationally. This included the top 12 states, each having domiciled companies with a combined market share of more than 3.0 percent, plus 5 states with relatively smaller market shares ranging from 0.3 to 2.6 percent. Table II.1: States We Visited and Market Share of Their Domiciliary Insurance Percentage of Companies States total market share Illinois 14.3 New York 11.2 Connecticut 6.5 Pennsylvania 5.1 California 4.3 Wisconsin 4.3 Texas 4.2 Ohio 4.0 Massachusetts 3.9 New Jersey 3.8 Michigan 3.5 Delaware 3.4 Indiana 2.6 Iowa 2.0 Arizona 1.0 Oregon 0.9 Utah 0.3 Total market share 75.3 Note: Market share information of each state’s domiciliary insurance companies represents the percentage of net premium volume written nationwide (over $664 billion) for all types of insurance. A domiciliary insurance company is one incorporated under the laws of the state in which it is doing business. Source: Extracted from information provided by NAIC, based on its 1997 financial database. Page 35 GAO/GGD-99-87 State Insurance Regulators Face Challenges Appendix III Comments From the National Association of Insurance Commissioners Page 36 GAO/GGD-99-87 State Insurance Regulators Face Challenges Appendix III Comments From the National Association of Insurance Commissioners Page 37 GAO/GGD-99-87 State Insurance Regulators Face Challenges Appendix III Comments From the National Association of Insurance Commissioners Page 38 GAO/GGD-99-87 State Insurance Regulators Face Challenges Appendix III Comments From the National Association of Insurance Commissioners Page 39 GAO/GGD-99-87 State Insurance Regulators Face Challenges Appendix III Comments From the National Association of Insurance Commissioners Page 40 GAO/GGD-99-87 State Insurance Regulators Face Challenges Appendix III Comments From the National Association of Insurance Commissioners Page 41 GAO/GGD-99-87 State Insurance Regulators Face Challenges Appendix III Comments From the National Association of Insurance Commissioners Page 42 GAO/GGD-99-87 State Insurance Regulators Face Challenges Appendix III Comments From the National Association of Insurance Commissioners Page 43 GAO/GGD-99-87 State Insurance Regulators Face Challenges Appendix III Comments From the National Association of Insurance Commissioners Page 44 GAO/GGD-99-87 State Insurance Regulators Face Challenges Appendix III Comments From the National Association of Insurance Commissioners Page 45 GAO/GGD-99-87 State Insurance Regulators Face Challenges Appendix III Comments From the National Association of Insurance Commissioners Page 46 GAO/GGD-99-87 State Insurance Regulators Face Challenges Appendix IV Priority 1 Companies Relative to Total Insurance Companies, by Type Priority 1 companies represent those companies whose Year 2000 efforts were determined by state insurance regulators to need a high degree of regulatory attention. Thirteen of the 17 states we visited identified priority 1 companies, 2 states did not identify any priority 1 companies, and the remaining 2 had not completed their ranking process. The following figure presents a breakdown, by insurer type, of priority 1 companies, identified by the 13 states, relative to a similar breakdown of the total number of domiciled insurance companies in those states. Figure IV.1: Priority 1 Companies Relative to Total Companies, by Type Note: “Other” may include such entities as fraternals, employee welfare funds, and title companies regulated by the state insurance departments. Source: GAO summary of state survey responses. Page 47 GAO/GGD-99-87 State Insurance Regulators Face Challenges Appendix V Priority 1 Companies Relative to Industrywide Data, by Size Priority 1 companies represent those companies whose Year 2000 efforts were determined by state insurance regulators to need a high degree of regulatory attention. Thirteen of the 17 states we visited identified priority 1 companies, 2 states did not identify any priority 1 companies, and the remaining 2 had not completed their ranking process. The following figure presents a breakdown, by size, of priority 1 companies, identified by the 13 states, relative to a similar breakdown using available industrywide data. Size is based on estimated net premiums written nationwide, with large companies writing more than $1 billion, medium companies writing $100 million to $1 billion, and small companies writing less than $100 million. Figure V.1: Priority 1 Companies Relative to Industrywide Data, by Size Source: GAO summary of state survey responses. Industrywide data by size was taken from an NAIC report, Year 2000 Insurance Industry Awareness, December 8, 1997. Page 48 GAO/GGD-99-87 State Insurance Regulators Face Challenges Appendix VI Major Contributors to This Report Lawrence D. Cluff, Assistant Director, Financial Institutions and Markets General Government Issues Division, Washington, D.C. Paul G. Thompson, Senior Attorney Office of the General Counsel, Washington, D.C. Barry A. Kirby, Senior Evaluator Chicago Field Office Evelyn E. Aquino, Evaluator-in-Charge San Francisco Field Alexandra Martin-Arseneau, Senior Evaluator Office May M. Lee, Computer Specialist Page 49 GAO/GGD-99-87 State Insurance Regulators Face Challenges Page 50 GAO/GGD-99-87 State Insurance Regulators Face Challenges Page 51 GAO/GGD-99-87 State Insurance Regulators Face Challenges Page 52 GAO/GGD-99-87 State Insurance Regulators Face Challenges Ordering Information The first copy of each GAO report and testimony is free. Additional copies are $2 each. Orders should be sent to the following address, accompanied by a check or money order made out to the Superintendent of Documents, when necessary. VISA and MasterCard credit cards are accepted, also. Orders for 100 or more copies to be mailed to a single address are discounted 25 percent. Order by mail: U.S. General Accounting Office P.O. Box 37050 Washington, DC 20013 or visit: Room 1100 th th 700 4 St. NW (corner of 4 and G Sts. NW) U.S. General Accounting Office Washington, DC Orders may also be placed by calling (202) 512-6000 or by using fax number (202) 512-6061, or TDD (202) 512-2537. Each day, GAO issues a list of newly available reports and testimony. To receive facsimile copies of the daily list or any list from the past 30 days, please call (202) 512-6000 using a touch-tone phone. A recorded menu will provide information on how to obtain these lists. For information on how to access GAO reports on the INTERNET, send e-mail message with “info” in the body to: firstname.lastname@example.org or visit GAO’s World Wide Web Home Page at: http://www.gao.gov United States Bulk Rate General Accounting Office Postage & Fees Paid Washington, D.C. 20548-0001 GAO Permit No. G100 Official Business Penalty for Private Use $300 Address Correction Requested (233608)
Year 2000: State Insurance Regulators Face Challenges in Determining Industry Readiness
Published by the Government Accountability Office on 1999-04-30.
Below is a raw (and likely hideous) rendition of the original report. (PDF)