The new Form F requirement for insurers

As part of the National Association of Insurance Commissioners (NAIC) Solvency Modernization Initiative, which continues to move toward convergence with International Insurance Supervision principles, three major themes have emerged: implementing an Own Risk Self-Assessment (ORSA), stress testing capital adequacy models, and emphasizing corporate governance. The newest revision to the Insurance Holding Company System Model Regulation (the Act) has added the annual filing requirement of Form F - Enterprise Risk Reporting. Form F focuses on risk created by non-regulated entities, while ORSA primarily focuses on regulated entity risk.

Form F filing requirement

The new Form F requirement has insurers trying to determine what needs to be disclosed in the filing and how regulators plan to use the information. The Act already included annual filing of Form B - Annual Registration Statement. This form requires notification of transactions that materially impact the company, such as mergers and acquisitions, reinsurance, dividends, and litigation. Under the proposed revision, Form F requires only information regarding the risks associated with those transactions; to the extent they would materially change the overall risk profile of the insurer.

There is an overlap between Enterprise Risk Reporting and ORSA. One component of the ORSA self-assessment is an evaluation of capital adequacy and solvency risk from a group perspective, including an evaluation of the risk that transactions within the insurance group pose for the insurer’s ability to carry out its business objectives.

There is no minimum size exception for Enterprise Risk Reporting in the NAIC model law. Therefore, even a small insurer with a single subsidiary will need to make an annual Form F filing.

The updated Form F requirements also mandate that each insurer’s annual registration include a statement that "the insurer’s board of directors is responsible for overseeing corporate governance and internal controls and that the insurer’s officers or senior management have approved, implemented, and continue to maintain and monitor corporate governance and internal control procedures."

This requirement will have an impact on ORSA reporting, as it specifically emphasizes addressing risks generated within a given regulated entity. However, the statement of officer and director responsibility is also relevant to the aspects of the Enterprise Risk Reporting related to corporate governance and internal controls.

Information held in confidence

Revisions to the Act significantly strengthen the requirement that regulators hold information provided under the Act, including Form F filings, in confidence (Section 8 of the Act).

Form F filings are not subject to disclosure under state freedom of information laws, or open record laws, and may not be obtained pursuant to subpoena. The filing also is not discoverable or admissible in a private civil action. Disclosure of privileged or confidential material to the regulator pursuant to the Act is not a waiver of any applicable privilege or confidential status.

The regulator may share confidential information with the NAIC, other state regulators, and supervisory colleges, provided that the recipient agrees in writing to maintain the confidentiality of the information and verifies in writing that it has the authority to maintain the required degree of confidentiality. The revisions also prohibit a regulator from sharing confidential information and privileged documents with the insurance commissioner of a state that has not adopted the revisions to the Act, even where the commissioner has agreed in writing to hold the information in confidence.

Effective date

The effective date of the Enterprise Risk Reporting requirements of the Act was July 1, 2013. Because Form F will be filed with the annual Form B registration statement, the first Form F is due April 30, 2014, for most insurer groups.

Preparing to implement the new Form F requirement is an opportunity for insurance companies to review their existing risk management policies and procedures. Fortunately, many companies will find that most of the information needed to fulfill Form F and ORSA requirements will already be in place.