Risk in Context

Policyholders First: How Banks Must Use Insurance to Cover Risks

Posted by Sanjay Kedia 14 March 2018

The Indian banking sector has been attracting a lot of public attention of late, be it the recent fraud reported at a major public sector bank, NPA resolution, the need for recapitalisation and the impact on fiscal deficit, or rising cyber-crime. But before we look into various risk issues, let me make a provocative statement on the state of the Indian banking industry and the use of insurance as an effective risk transfer solution: The banking sector in India is largely not buying insurance covers for the risks which it needs to transfer; rather, it is buying insurance for the risks it doesn’t need to transfer. This may sound disturbing for any stakeholder of the bank, and I will attempt to explain this below, given my experience of over 15 years as a risk and insurance adviser.

We all know that the real value of insurance is to transfer low-frequency and high-severity risks, that is, big risks which could impact the net profit or balance sheet of an organisation. Typically, big risks for banks and financial institutions can be categorised as credit risk, market risk and operational risk. Operational risk is the most suited to transfer through insurance. Fraud/crime accounts for almost 85 per cent to 90 per cent of the big losses in operational risk for the Indian banking sector, and globally too it remains the biggest threat. Professional indemnity and management liability rank as another major risk for banks globally. Cyber risk is the biggest emerging risk for the sector. Most banks in India either do not have any coverage for the top three operational risks stated above or, even if they have some restrictive cover, the limits purchased are abysmally low, ranging from around INR 20-50 million and in some cases going up to INR 250 million.

Globally, for similar-sized banks, it is common to see crime insurance cover with limits of $100 million to $500 million and more. Interestingly, the deductible in such a global insurance programme is around INR 50 million, which is the size of insurance purchased here locally in most cases. Crime/fraud insurance with proper limits remains the biggest risk exposure not covered adequately by Indian banks. There is an inherent legacy when it comes to insuring crime.

Generally, most banks are uncomfortable sharing data about employee frauds. Besides, a delay in getting a final police report on the fraud acts as an impediment to processing claims. Given the severity of this risk, banks need to become comfortable in opening up with the insurers so that they can provide a meaningful solution to this risk. Cyber security is the biggest emerging risk and not many banks to date have a robust cyber insurance programme. Only four private sector banks and two public sector lenders have cyber risk insurance programmes, but the limits in most of them are on the lower side compared to the potential risk exposure. The professional indemnity risk and management liability, which can potentially cause major losses, are not addressed by most banks’ insurance programmes. Private sector banks with foreign listings have reasonably good protection with directors and officers (D&O) liability insurance.

The new Companies Act in India also empowers class actions. Any major impact on the share price of a bank due to alleged negligence by the management can also trigger class action suits and claims by investors. So the absence of a proper D&O policy in most banks is a cause for concern. The question to ask is, if a major operational risk loss were to happen in India, will the insurance policy protect the investors and other stakeholders? With the current coverage and limits, the answer is clearly “no”. Most banks are buying insurance, with very small limits, for small operational risks like theft, burglary, laptops, glass plates etc., which they need not buy. Banks, by their nature, are in the business of providing capital and taking risks. Using insurance for such low-value risk items is a bad financial decision and a waste of time and administrative costs. It is simply trading rupees between banks and the insurance company without any real risk transfer. Banks should self-insure such risks. It is interesting that the Reserve Bank of India (RBI) proactively came up with risk mitigation guidelines in 2014 under the Basel-II framework.

It allowed capital relief of up to 20 per cent of the total operational risk capital of a bank, provided the bank carries out a true assessment of its entire operational risk (advance management approach) and buys a prescribed quality insurance programme. The banking sector can have a lower capital requirement of several thousand crore with capital relief under these guidelines. Given the challenge on fiscal deficit and the need for recapitalisation after the NPA restructuring under the bankruptcy code, buying adequate insurance cover can considerably reduce the operational risk exposure and help in capital preservation for banks. The recent fraud at a major public sector bank could be a wake-up call for the entire banking sector in India. It is about time for the regulators to revisit banks’ strategies on the operational risk management framework and the use of insurance market capital, with a minimum level of insurance coverage and limits commensurate with risk exposure. This can be advised by RBI proactively to de-risk the banking system before we are faced with a crisis.

Source: Business Standard
The article was first published in the February 20, 2018 edition of Business Standard.

