The Australian Prudential Regulation Authority (APRA) has mandated Auto & General Insurance Company Limited (Auto & General) to undertake a risk remediation program and has increased its capital requirements in response to concerns about its risk governance.
APRA’s decision follows a prudential review that identified significant weaknesses in Auto & General’s risk governance, risk management and compliance practices. These included capability and capacity weaknesses in the risk function, ineffectiveness of the “three lines of defence”1 model, and weak risk reporting. The review also revealed unclear accountabilities and responsibilities across the business, and overall, an immature risk culture.
In addressing APRA’s concerns, Auto & General is required to undertake a root cause analysis to identify the drivers that have contributed to the weaknesses, and to develop and implement an APRA-approved risk remediation program. Execution of the program is to be subject to assurance by an independent third party.
Given the heightened prudential risk arising from the identified weaknesses, APRA has also imposed an additional $50 million capital requirement in the form of an operational risk charge. The capital requirement will take effect from 1 February 2024 and will remain in place until APRA is satisfied the concerns have been remediated.
APRA acknowledges that Auto & General has accepted the findings from the review and is committed to the risk remediation program.
In announcing the action, APRA Member Suzanne Smith said: “Insurance plays a critical role in the lives of Australians to minimise risks and provide financial stability. Last financial year, APRA-regulated general insurers paid almost $40 billion in claims to their policyholders so it is essential that consumers can have confidence that insurers are meeting their regulatory obligations, and in their ability to honour their commitments. APRA continues to engage with the industry on appropriate risk governance and will take suitable action if companies do not meet these expectations.”
Three lines of defence: The first line of defence comprises the business management who have ownership of risks. The second line are the specialist risk management function(s) that are functionally independent of the first line. The third line is responsible for providing independent assurance to the board on the effectiveness of the first and second lines; this includes internal and external audits.