The European Insurance and Occupational Pensions Authority (EIOPA) recently published a framework to help EU national supervisors (also known as National Competent Authorities – NCAs) assess conduct risks throughout the lifecycle of insurance products. The framework is designed to foster supervisory convergence amongst EU supervisors, and to “provide input to the types of risks EIOPA and NCAs should focus on.”

Importantly, EIOPA has highlighted conduct themes that have been of growing importance and visibility across EU markets. These include the need for supervisors to assess firms’ culture; the importance of value for money as one of the key outcomes firms must deliver to consumers; and the need to protect more vulnerable groups of customers. Some of these conduct themes are already being pursued, to varying degrees, across the EU. However, EIOPA’s framework shows that they are also gathering momentum at a pan-European level, and that EIOPA will, as part of its convergence remit, increasingly push for these issues to be scrutinised by supervisors across the EU.

EIOPA’s approach to conduct risk

EIOPA’s starting point is essentially an outcomes-based one, in which dealing with conduct risk extends well beyond the point of sale interaction that consumers have with firms. It highlights that conduct risks can emerge before any sale takes place (for example, in the product design process), or after a sale has happened (for example, when a consumer makes a claim on a policy). Consequently, it is necessary for supervisors to assess potential conduct risks throughout the product lifecycle.

EIOPA highlights that conduct risk can also be identified through business model or value chain analysis, and that these can add value to and complement a product lifecycle approach.

EIOPA breaks down product lifecycle conduct risks into four constituent groups, illustrated in the diagram below. Of these, “business model and management” forms an overarching category of risks that can affect customers across the product lifecycle, and in this sense is distinct from the other three risk categories.


Source: Framework for Assessing Conduct Risk Through the Product Lifecycle, EIOPA, 2019

EIOPA goes on to identify a number of key areas or drivers of risk for each of these categories. These are summarised in the blog’s Annex.

The framework identifies one such driver as firms’ culture, which EIOPA observes “is often singled out as a key driver of consumer detriment”, and that “having the right culture requires more than simply complying with existing regulation.” In the context of value for money, to which it devotes a separate section, the framework notes that “an excessive focus on profitability may fail to consider the product’s value for the customer and to integrate the customer perspectives when manufacturing products.” There are numerous references throughout to the need to safeguard vulnerable customers and to those in vulnerable target groups for products.

EIOPA also notes that it expects the framework to contribute to the implementation of its conduct supervision strategy, and that it expects to carry out further work to link the identified conduct risks with supervisory tools. EIOPA expects this work to evolve in the future into more systematic ongoing conduct risk monitoring, including through “the development of periodic conduct risk dashboards.”

Implications for supervisors and firms

Many of the risks identified by EIOPA’s framework will not be new to firms, with issues such as product bundling, conflicts of interest and product reviews already covered by rules under the Insurance Distribution Directive (IDD). However, the framework provides important signposts for firms wanting to understand where the conduct supervisory priorities of EU supervisors may lie.

EIOPA’s coverage of the product lifecycle will also be familiar to most European conduct regulators. However, its focus on culture, value for money and vulnerable customers reflects recent shifts in perspectives and practical approaches to conduct regulation that have featured more overtly in some EU jurisdictions than others. Consequently, whilst these guidelines will reinforce much of the existing approach to insurance regulation in some jurisdictions, in others they are likely to lead to progressive yet ultimately substantial changes in conduct supervisory priorities, as part of EIOPA’s convergence process.

Annex: Summary of key areas and drivers of conduct risks identified by EIOPA

Business model and management risks – risks arising from how firms structure, drive and manage their business and from their relationships with other firms in the value chain.

EIOPA identifies a number of business model features which may be more likely to pose conduct risks. These include:

• Firms involved in complex value chains, either between different firms which operate as part of the same group or between a firm and a third party. These relationships may generate conflicts of interest which lead to consumer detriment.

• Innovation and use of new technologies may raise a range of consumer protection issues (although EIOPA recognises there will also be benefits for consumers), including through the use of big data.

• Use of third parties or outsourcing for certain activities may pose potential conduct risks, which can be mitigated by appropriate governance arrangements and controls.

EIOPA also identifies three key areas of risk relating to firms’ business management:

• Culture, by which is meant the firm’s set of values and behaviours, which in turn drives how its employees act and behave.

• Governance and internal structures, including recruitment, induction and on-going training programmes, performance evaluation, remuneration and disciplinary processes. EIOPA highlights firms’ incentive and remuneration schemes as having particular importance, as they can incentivise or deter certain behaviours which drive conduct risk.

• Systems and processes, which are necessary to identify and report ongoing conduct risks that may emerge.

Manufacturing risks – risks arising from how products are created and manufactured prior to being marketed to consumers, and from how products are targeted to consumers.

EIOPA identifies three key drivers of risk relating to firms’ product development and manufacture:

• Product development and design – including:

(1) The need to ensure that a product fits with the firm’s overall strategy and growth plan, and that the firm has sufficient expertise to be able to deliver the product effectively. Firms’ expansion into new geographies or market segments may pose particular risks.

(2) The need to consider consumer outcomes and undertake rigorous product testing, and the risks of products being sold to the wrong consumers. 

(3) The need to balance tailored or differentiated products, which may be more complex and consequently harder to understand, with the need to offer simpler or more standardised products, which may not meet specific consumer needs. 

(4) Ensuring that products do not exploit specific consumer biases, with this being a particular concern for investment products.

• Value for money and pricing – firms should ensure that consumers’ perspectives are incorporated into the design of their products so that they are able to deliver good value. Excessive or high profits can point to poor conduct in the product design process, but supervisors should not confuse high prices with poor value, as low prices may simply reflect that a product has fewer features and benefits for consumers.

• Market targeting – firms’ marketing and sales efforts should take into account the characteristics, risk profile and complexity of the products/services they are selling. They should have a clear target market and also take steps to ensure they identify “vulnerable market segments” which may be especially at risk of detriment in the event of poor conduct.

Delivery risks – risks arising from how products are brought to market and from the interaction with consumers at the point of sale.

EIOPA identifies three key drivers of risk relating to the delivery of firms’ products:

• Marketing – Marketing can give rise to conduct risks through both poor internal governance and poor culture. EIOPA also argues that the bundling of insurance products can lead to conduct risks, as it “affects the way people make decisions”. Typically, a consumer will focus on the primary product in the bundle and so pay less attention to other parts of the bundled product’s features and details. This can amplify traditional consumer protection issues relating to product suitability and understanding. Tying, bundling, and cross-selling can also raise competition-related concerns.

• Distribution – EIOPA stresses the importance of insurers selecting suitable distributors for their products, and of ensuring that these relationships are subject to robust governance processes. Insurers should take steps to ensure distributors understand their products’ characteristics and their target markets, while distributors should ensure they obtain all appropriate information from the insurance manufacturer and check that the products are well designed and suitable for the needs of the identified target market.

• Sales – EIOPA notes that information asymmetries, misleading product information, unfair practices and unsuitable products can all result in consumer detriment. With information asymmetries, issues can arise from insurers’ and distributors’ greater knowledge of the products they are selling, and from a better understanding of their customers’ risk profile than the customers themselves. Mis-selling can also occur if consumers do not receive adequate, timely information about a product, or if information is presented in a confusing or deliberately misleading way. Consequently, it is important for firms to disclose information in a tailored and readily understandable way, while also avoiding information overload for consumers. EIOPA also suggests that certain sales practices, such as commission-driven sales models, can be a source of conduct risk.

Product management risks – risks arising after the sale of the product, relating to how products are managed and how firms interact with and service customers.

EIOPA identifies four key areas of risk relating to the management of firms’ products:

• Product monitoring and review – EIOPA says that firms should take steps to ensure that their products continue to meet the needs of their target markets, that their distribution strategies mean their products are reaching their target market, and that their products continue to remain suitable for the end consumer, even if the consumers’ circumstances have changed.

• Ongoing product disclosure – EIOPA stresses the importance of the continual disclosure of information about a product, noting that consumers should be provided with information about a product at regular intervals, and on an ad hoc basis where events or other circumstances may affect the product in question. EIOPA notes that customers may also gain from the provision of information beyond that required to meet regulatory or contractual commitments.

• Claims handling – EIOPA says that it is important for firms to ensure that their claims handling process is not unreasonably long and burdensome, that there are not unjustifiable delays to claims, and that good reasons are provided if a claim is rejected.

• Complaints handling and redress – EIOPA notes that the handling of complaints may lead to consumer detriment beyond any detriment in the original complaint. It is therefore important for firms to ensure that there are not barriers to consumers expressing their dissatisfaction, that a firm is not culturally hostile to complaints, and that complaints are listened to, acted upon, and receive appropriate escalation so that where relevant they result in changes to product design, distribution, or sales processes.