2007-07-02

Guidance Paper No. 6 on Preventing, Detecting and Remedying Fraud in Insurance

The National Bank of Serbia issued this guidance to require insurers, brokers, and agents to implement robust internal control systems for preventing, detecting, and remediating insurance fraud. The document mandates that management integrate fraud risk management into core business strategies and establish specific protocols for addressing internal, policyholder, and intermediary fraud. It further requires organizations to maintain incident databases, conduct staff training, and facilitate information exchange to enhance sector-wide security and public confidence.


Serbia

National Bank of Serbia


In order to foster better understanding and more efficient implementation of point 14, paragraph 1, indent 5) of the Decision on Internal Control and Risk Management Systems in the Operations of Insurers (Official Gazette of the Republic of Serbia No. 12/07), in line with the core principles of insurance supervision promoted by the International Association of Insurance Supervisors (IAIS), the National Bank of Serbia has adopted this

GUIDANCE PAPER No. 6 ON PREVENTING, DETECTING AND REMEDYING FRAUD IN INSURANCE

I. GENERAL PROVISIONS

Fraud in insurance is deemed to be an act or omission intended to gain dishonest or unlawful advantage for a party committing the fraud or for other parties.

Addressees

This Guidance Paper shall apply to insurance companies, insurance brokers and/or agents, natural persons – entrepreneurs (insurance agents), agencies rendering other insurance services and other companies and other legal entities with a separate organizational unit in charge of other insurance services (hereinafter referred to as insurers).

Reasons for adoption of the Guidance Paper

Fraud adversely affects the financial result and stability of insurance companies. To compensate, insurers raise premiums and this results in higher costs for policyholders. Fraud may also reduce consumer and shareholder confidence and can affect the reputation of individual insurers. It is therefore vital for insurers to understand frauds and to take steps to reduce their vulnerability to this risk.

Objectives of the Guidance Paper

This Guidance Paper is adopted to protect the interests of policyholders and beneficiaries and to reinforce public confidence in the insurance system and sector, with a view to creating the conditions necessary for an efficient, fair, safe and stable insurance market and for proper functioning of market discipline. Furthermore, this Guidance Paper purports to suggest ways in which potential fraud risks can be identified and prevented.

For this objective to be attained, insurers are expected to observe the rules on preventing, detecting and remedying fraud in insurance, in line with good business practice. The supervisory bodies of insurers are expected, inter alia, to supervise on an ongoing basis the company’s compliance with the AML/CFT requirements, primarily from the aspect of applying adequate and effective policies, procedures and control to prevent, detect and remedy the causes of fraud.

General guidelines

An insurer’s management and administration should be responsible for fraud risk management and this process must be an integral part of the insurer’s mission, strategy and business objectives. Fraud risk management should be integrated with relevant operating policies and procedures (e.g. product development, customer acceptance, employment and dismissal, outsourcing, claims handling etc.).

Internal control aimed at fraud risk management should take into account the dynamic nature of frauds and should strive to improve on an ongoing basis so as to at least minimize the risk of repeating the already identified types of fraud.

Fraud can be committed in a virtually unlimited number of ways and it usually involves, without limitation, various misappropriations of assets, deliberate misrepresenting, concealing, suppressing or not disclosing one or more material facts relevant to a financial decision (in connection with a transaction or with the perception of the insurer’s status), abuse of responsibility or a position of trust etc.

Insurers should estimate their vulnerability to fraud risk and organize, implement and develop an efficient and effective internal control system. When organizing, implementing and developing an internal control system, it is necessary to take into account the motives of fraudsters (e.g. financial difficulties, a desire to meet unrealistic business objectives etc.), the existence of opportunity (e.g. where the likelihood of detection is small) and rationalization of fraud (e.g. an employee might justify fraud by his/her dissatisfaction with the insurer as the employer or a client might perceive an entitlement to compensation because of premiums paid etc.). Furthermore, the internal control system should also be focused on raising public awareness of the fact that insurance fraud is an indirect fraud against other policyholders.

The internal control system should be sensitive to different profiles of fraudsters, including, as a minimum, two groups: “opportunity” fraudsters (persons who see an opportunity to commit fraud) and professional fraudsters.

The internal control system should tackle on an equal basis at least the three basic types of fraud: 1) internal fraud, 2) policyholder fraud and claims fraud and 3) intermediary fraud.

II. INTERNAL FRAUD

Internal fraud is deemed to be fraud involving an employee of the insurer concerned.

Insurers should take into account the factors influencing their vulnerability to internal fraud. For example, internal fraud is more likely to occur in insurers with a complex organizational structure, with higher speed of development, in insurers where an employee’s pay and status depend on meeting certain targets, where status changes are underway (change of ownership or management) etc.

Employees pilfering cash or insurer’s resources represent the most commonly encountered fraudulent behavior. Frauds based on more costly schemes usually include bribery and kickbacks.

Insurers should identify and develop warning signals. Typical warning signals include: members of staff working late, who are reluctant to take vacations or who seem to be under permanent stress; senior management resigning unexpectedly; living beyond apparent means by members of staff; sudden change of lifestyle of directors of the board, managers or members of staff; members of staff having too much control and autonomy or resisting or objecting to independent review of their performance; conflicts of interest; customer complaints; missing documents; unrecognized transactions; rising costs with no explanation etc.

Preventive measures are essential for controlling the risk of internal fraud. They include: creating an organizational culture and values system which place value on the integrity of staff, which foster their identification with the insurer and which put value on staff that call colleagues to account about matters of misconduct; issuing an office manual and internal guidelines on ethical behavior for staff; maintaining adequate supervision of staff; performing pre-employment and in-employment screening of staff; establishing clear responsibilities in documented job descriptions or role statements; requiring periodical job rotation and mandatory vacations for management and staff in fraud sensitive positions; eliminating potential conflicts of interest; checks by a second person; observing the four eyes principle; establishing efficient physical and procedural safeguards over the handling and availability of particularly sensitive assets (cash, information systems etc.); establishing a transparent and consistent policy in dealing with internal fraud by staff, including policy on notification to the relevant law enforcement agency and dismissal.

Internal fraud detection supplements internal fraud prevention measures and demonstrates their effectiveness. Regular risk-based internal audits are a successful tool for detecting internal fraud. Other efficient methods of fraud risk management include the establishment of mechanisms for whistle blowing and disclosure of information on potential frauds.

II. POLICYHOLDER FRAUD AND CLAIMS FRAUD

Policyholder fraud and claims fraud is deemed to be fraud against the insurer in the purchase and/or execution of an insurance product by one person or people in collusion by obtaining wrongful coverage or payment.

This type of fraud can be committed by policyholders at inception of the insurance contract, during the insurance contract or when claiming payment or compensation. Claims fraud can also be committed by third parties involved in the settlement of a claim.

Frauds of this type usually involve reporting and claiming of fictitious damage or loss, exaggerating damages or loss covered by the insurance, misrepresenting a fact to create the appearance of an incident being covered by the policy, staging the occurrence of incidents causing damage or loss covered under the policy etc.

Insurers should assess the inherent fraud risk of their existing insurance products.

Policyholder fraud and claims fraud prevention starts with adequate product development by insurers and continues through the establishment (and periodic review) of an adequate client acceptance policy (including the categorization of expected product-client combinations, with clear indications for each combination whether and under which conditions a client can be accepted and which measures insurers should take to prevent or detect). Furthermore, client acceptance should be based on professional judgment, experience, checks against red flag lists, conduct of peer reviews, checks in internal and external databases etc.

If the client acceptance process is delegated to an insurance agent or broker, the insurer nevertheless retains the ultimate responsibility. As a result, insurers should establish and implement a policy on client identification and verification and risk assessment by intermediaries, and the terms of business with intermediaries should be consistent with this policy. Furthermore, insurers should monitor compliance by the intermediaries with these terms of business and should have access to the identification and verification information concerning the risk assessment of clients.

Insurers should draw the attention of their clients to their duties that help prevent fraud, including: damage prevention and minimizing losses, reporting claims in a timely manner, cooperation in the investigation following a claim, authorizing the insurers to assess the extent of the damage prior to any repairs or replacement etc.

Insurers should inform both potential clients and existing clients about their policies on preventing, detecting and remedying fraud in insurance. They should consider including in insurance contracts and in other relevant documents provisions which make the policyholder, claimant and beneficiary aware of the consequences of insurance fraud.

Insurers should consider the quality and reputation of third parties (such as medical practitioners, service engineers etc.) used for damage appraisal.

Insurers should establish and maintain their own incident database. The database would contain, as a minimum, the names of policyholders, claimants, beneficiaries or third parties participating in the processing of a claim.

Insurers should organize the internal control system so that the damage appraisal process involves professional judgment based on experience, checks against red flag lists, conduct of peer reviews, checks in internal and external databases, use of modern IT tools, interviews with claimants and, where necessary, special investigations.

III. INTERMEDIARY FRAUD

Intermediary fraud is deemed to be fraud by legal entities and natural persons engaged in insurance intermediation, damage and risk adjustment and assessment, intermediation in sale and sale of insured damaged property and other intellectual and technical services in connection with insurance, where fraud is committed against the insurer or policyholders.

Insurance intermediaries are important for distribution, underwriting and claims settlement and are therefore crucial in insurers’ fraud risk management. The most frequent forms of fraud are withholding of premiums collected from policyholders and backdating of policies.

Typical warning signs for intermediary fraud include: the policyholder lives outside the region where the intermediary operates; an intermediary has a small portfolio, but high insured amounts; premiums received and commissions paid are above the industry norm for the type of policy; the policyholder is asked to make payments via the intermediary; the policyholder and the intermediary are represented by the same person; there is a personal or other close relationship between the client and the intermediary; there are unexpected developments or results (e.g. a high claim ratio, an increase in production, a significant number of policy substitutions, a high level of early cancellations or surrenders, a high number of unsettled claims); a high share of policies particularly vulnerable to fraud (e.g. the commission is higher than the first premium, there is an arrear on premium payments, a payment is made shortly after inception, a high amount of claims fraud has been identified, there is a disproportionate number of high risk insured persons etc.); the intermediary often changes address; there are frequent changes in control or ownership of the intermediary; there are a number of complaints; the intermediary insists on using certain loss adjusters and/or contractors for repairs; the intermediary is in financial distress; there is a conflict of interest; the intermediary is involved in other illegal activities etc.

Insurers should take all reasonable steps to confirm that the intermediaries they use meet fit and proper standards and have adequate safeguards for the sound conduct of business. In order to achieve this effectively, insurers should only grant terms of business to regulated intermediaries and should consider: having in place a documented policy and procedure for the appointment of new intermediaries; having an application form and terms of business agreement that have to be completed and signed by the intermediaries and ensuring the application form requires applicants to disclose facts about themselves relevant for fraud risk management and effective measures in case access to these facts is denied; checking the financial soundness of the applicant and checking references etc.

IV. OTHER ACTIVITIES

Other activities carried out in support of insurance fraud prevention and detection include in particular: staff training, reporting suspicions of fraud and information exchange between insurers.

a) Staff training

Insurers should organize training on fraud matters for their staff. As a minimum, training should be provided to those who deal with: management; new business and acceptance of new policyholders, collection of premiums and settlement and payment of claims; business with intermediaries; product development; recruitment of staff; legal affairs; internal auditing; fraud risk management and fraud investigations. Furthermore, all employees should, as a minimum, receive a general explanation of the insurer’s policies, procedures and controls aimed at preventing, detecting and remedying fraud in insurance.

b) Procedures for reporting suspicions of fraud

Insurers should have internal procedures requiring members of staff to report suspicions of fraud to a designated person. Depending on the type of fraud, the designated person may be a member of senior management, a person responsible for fraud risk management or a compliance officer.

Employees should have adequate legal protection from responsibility for violating any confidentiality requirements under a contract or under any law, regulation or administrative provision if they report their suspicions in good faith, even if they were not aware of the actual type of fraud and regardless of whether there was any (attempted) fraud.

Insurers should have a policy on keeping records of suspicions of fraud and fraud cases. This policy should provide for the criteria for the cases for which records should be kept, the type of the information that should be recorded, the period for which information should be kept, access to the information and safeguards for retaining the information securely.

c) Information exchange

Fraudsters may target different insurers simultaneously or consecutively. Therefore, insurers should establish a joint database containing information on fraudsters. Furthermore, insurers are recommended to share experiences with fraud in insurance. Exchange of information should not be limited only to insurance; instead, it is advisable to view the financial sector as a whole.


Responsible, transparent and market-oriented insurers of good business repute which operate in a competitive and modern market are the aim pursued by the National Bank of Serbia in the field of insurance supervision. Such insurers and market will give our citizens access to higher-quality insurance services in connection with various risks, while at the same time enabling them to lucratively invest their free assets with absolute certainty that their interests will be safeguarded. The National Bank of Serbia, as a supervisory body, will not enforce this Guideline in insurers, but the implementation and proper understanding of the Guideline will, however, result in improvements in other fields under direct and indirect supervision and prevent situations in which insurers might be subjected to specific supervision measures.