This regulation was previously published in the State Register on January 22, 2014 as a proposed regulation.

For the reasons stated above, emergency action is necessary for the general welfare.

Section 82.2 provides that, pursuant to Insurance Law §§ 1503(b), 1604(b), and 1717(b), an entity (meaning an ultimate holding company that directly or indirectly controls an insurer or a domestic insurer registered or required to register under Insurance Law Article 16 or 17) must adopt a formal enterprise risk management (“ERM”) function. An entity must file annually with the Superintendent of Financial Services (“Superintendent”) an electronic copy of the enterprise risk report and also must file one hard copy of the report due in 2014. A domestic insurer that is not a member of an Article 15, 16, or 17 system must adopt an ERM function and file an annual enterprise risk report if its premiums are equal to or greater than a certain amount. Section 82.2 also sets forth the minimum requirements for an ERM function and specifies the items that must be included in an enterprise risk report.

Section 82.3 requires a domestic insurer to conduct an own risk and solvency assessment (“ORSA”), and permits a domestic insurer to satisfy this requirement if the holding company system, Article 16 system, or Article 17 system of which the domestic insurer is a member conducts an ORSA. Section 82.3 also requires such a domestic insurer to submit to the Superintendent, starting in 2015, an electronic copy of an ORSA summary report and one hard copy of the report due in 2015. Section 82.3 also describes which domestic insurers are exempt from the requirements of this section.

Section 82.4 states that an entity or a domestic insurer submitting an enterprise risk report or ORSA summary report may request trade secret protection under the Public Officers Law.

Section 82.5 permits an entity or a domestic insurer to apply to the Superintendent for an exemption from the electronic filing requirement by submitting a written request to the Superintendent at least 30 days before the due date of the particular filing or submission that is the subject of the request.

1. Statutory authority: Financial Services Law §§ 202 and 302 and Insurance Law §§ 110, 301, 309, 316, 1115, 1501, 1503, 1504(c), 1604, 1702, 1717 and Articles 15, 16, and 17.

Financial Services Law § 202 establishes the office of the Superintendent of Financial Services (“Superintendent”). Financial Services Law § 302 and Insurance Law § 301, in material part, authorize the Superintendent to effectuate any power accorded to the Superintendent by the Financial Services Law, Insurance Law, or any other law, and to prescribe regulations interpreting the Insurance Law.

Insurance Law § 110 permits the Superintendent to share with and receive documents from the National Association of Insurance Commissioners (“NAIC”) and state, federal, and international regulatory and law enforcement authorities.

Insurance Law § 309 authorizes the Superintendent to examine the affairs of any insurer doing an insurance business in New York State.

Insurance Law § 316 permits the Superintendent to promulgate regulations to require an insurer or other person or entity to submit a filing or submission electronically.

Insurance Law § 1115 limits the amount of loss on any one risk to which an insurer may expose itself.

Insurance Law § 1501 sets forth definitions relating to holding companies, including the definition of “enterprise risk,” while Insurance Law § 1503 requires a holding company that directly or indirectly controls an insurer to adopt a formal enterprise risk management (“ERM”) function and to file an enterprise risk report with the Superintendent annually. Insurance Law § 1504(c) requires the Superintendent to keep confidential the contents of each report made pursuant to Insurance Law Article 15 and any information obtained in connection therewith.

Insurance Law §§ 1604 and 1702 define “enterprise risk.” Insurance Law §§ 1604 and 1717 require an authorized domestic insurer or a parent corporation to register with the Superintendent, adopt a formal ERM function, and file an enterprise risk report with the Superintendent annually.

2. Legislative objectives: Insurance Law Article 15 sets forth standards for the regulation of holding company systems, while Insurance Law Articles 16 and 17 set forth standards for the regulation of domestic insurers that have subsidiaries. The Legislature enacted the three articles in 1969 as the result of an extensive study conducted by the Superintendent of Insurance. The study found that “[w]hen a non-insurance holding company system includes an insurance company within it, its potential for specific harm becomes greater since tempting reservoirs of liquid assets become accessible to persons without any appreciation of the security needs of the insurance enterprise, and the interests of the policyholders thus become vulnerable.”

On July 31, 2013, Governor Andrew M. Cuomo signed into law Chapter 238 of the Laws of 2013, which amended Insurance Law Articles 15, 16, and 17 to require an Article 15 ultimate holding company, authorized domestic insurer subject to Insurance Law Article 16, and a parent corporation subject to Insurance Law Article 17, to adopt a formal ERM function and file an enterprise risk report with the Superintendent annually.

This rule accords with the public policy objectives that the Legislature sought to advance in Insurance Law Articles 15, 16, and 17 by setting forth specific requirements for an ERM function and enterprise risk report, and requiring certain domestic insurers to conduct an own risk and solvency assessment (“ORSA”), to minimize the potential for specific harm to an insurer and its policyholders.

3. Needs and benefits: By enacting Insurance Law Articles 15, 16, and 17, New York has recognized the need for group supervision in order to protect insurers and their policyholders. During the 2008 financial crisis, group supervision was tested when a holding company system that included insurers and financial service entities nearly collapsed because of risky investments made by one of its financial service entities. This experience has caused state regulators and the NAIC to reevaluate the current group supervision framework. In 2010, the NAIC amended its model Insurance Holding Company System Regulatory Act (“model Holding Company Act”) and Insurance Holding Company System Model Regulation to require the ultimate controlling person to adopt a formal ERM function and file an enterprise risk report. The NAIC also adopted a new Risk Management & Own Risk and Solvency Assessment Model Act (“ORSA Model Act”) and an accompanying ORSA guidance manual, which requires a domestic insurer (or its holding company system) to complete a self-assessment of its risk management, stress tests, and capital adequacy annually. Chapter 238 of the Laws of 2013 incorporated the model Holding Company Act’s requirement that an ultimate holding company or a domestic insurer with subsidiaries adopt a formal ERM function and file an enterprise risk report. It also is important that large domestic insurers that are not part of an Article, 15, 16, or 17 system (“stand-alone insurers”) adopt a formal ERM function in order to manage their material risks and file an enterprise risk report so that the Department is aware of and can monitor these risks.

This rule sets forth specific requirements for an ERM function and enterprise risk report for holding companies, domestic insurers with subsidiaries, and certain stand-alone insurers. The rule also requires certain domestic insurers to conduct an ORSA and file an ORSA summary report to minimize the potential for specific harm to the insurer and its policyholders.

4. Costs: This rule imposes compliance costs on certain stand-alone insurers that this rule requires to adopt a formal ERM function and to file an annual enterprise risk report. The costs are difficult to estimate and will vary from insurer to insurer because of several factors, such as an insurer’s organizational structure, its size, and whether it already has an ERM function in place.

In addition, Chapter 238 amended the Insurance Law to require an Article 15 ultimate holding company or a domestic insurer that has subsidiaries, to adopt a formal ERM function and file an enterprise risk report annually. With respect to such companies, this rule merely implements Chapter 238 by setting forth the minimum requirements for an ERM function and specifying the information that must be included in the enterprise risk report. Therefore, the rule itself should not impose compliance costs on these holding companies and domestic insurers.

Also, because this rule requires most domestic insurers to conduct an ORSA and file an ORSA summary report with the Superintendent annually, compliance costs may increase. Those costs are difficult to estimate and will vary depending upon numerous factors, such as the complexity of a domestic insurer’s organizational structure.

The Department may incur costs for the implementation and continuation of this rule, because Department staff will need to review the enterprise risk reports and ORSA summary reports that insurers and holding companies will be submitting to the Superintendent annually. However, the Department anticipates that each ultimate holding company will file the report on behalf of the insurers in its holding company system, which should reduce the total number of reports filed with the Superintendent. Therefore, any additional costs incurred should be minimal and the Department should be able to absorb such costs in its ordinary budget.

This rule does not impose compliance costs on other state or local governments.

5. Local government mandates: This rule does not impose any program, service, duty, or responsibility upon a county, city, town, village, school district, fire district, or other special district.

6. Paperwork: This rule requires most domestic insurers or ultimate holding companies to file enterprise risk reports and ORSA summary reports with the Superintendent annually.

7. Duplication: This rule does not duplicate, overlap, or conflict with any existing state or federal rules or other legal requirements.

8. Alternatives: The Department considered requiring every stand-alone authorized insurer to have an ERM function and file an annual enterprise risk report with the Superintendent. However, after considering comments received from industry, the Department amended the rule so that the ERM function and enterprise risk reporting requirements apply only to larger stand-alone domestic insurers that have premiums that are equal to or greater than a certain amount. Requiring only larger stand-alone domestic insurers that have premiums that are equal to or greater than a certain amount to have an ERM function and file an enterprise risk report should minimize any adverse impact that the rule may have on smaller insurers that may be small businesses and will limit the impact of the rule to those insurers, namely domestic rather than foreign insurers, whose solvency the Department is primarily responsible for ensuring. In addition, the Superintendent always could request an enterprise risk report from an insurer, if necessary.

The Department also considered requiring all domestic insurers to conduct an ORSA and file an ORSA summary report with the Superintendent annually. However, the Department decided not to deviate from the ORSA Model Act in this respect. As a result, the rule exempts smaller domestic insurers from having to comply if the premium of the domestic insurer, and if the domestic insurer is a member of a holding company system, Article 16 system, or Article 17 system, the premium of its system, is no greater than a certain amount.

9. Federal standards: The rule does not exceed any minimum standards of the federal government for the same or similar subject areas.

10. Compliance schedule: A holding company and an insurer must comply with the rule upon publication in the State Register.

1. Effect of rule: Insurance Law §§ 1503(b), 1604(b), and 1717(b) require an ultimate holding company and a domestic insurer with subsidiaries to adopt a formal enterprise risk management (“ERM”) function and file an annual enterprise risk report. The rule expands upon the law by setting forth specific requirements for an ERM function and enterprise risk report. It also requires certain domestic insurers that are not part of an Insurance Law Article 15, 16, or 17 system (“stand-alone insurers”) to adopt a formal ERM function and file an enterprise risk report, and requires certain domestic insurers to conduct an own risk and solvency assessment (“ORSA”) and file an ORSA summary report. As such, it should not affect local governments.

In addition, this rule is in part directed at holding companies, which the Department does not believe fall within the definition of a “small business” as defined by State Administrative Procedure Act § 102(8), because in general they are not independently owned and do not have fewer than 100 employees.

Industry asserts that certain domestic insurers, in particular co-op insurers and mutual insurers, subject to the rule are small businesses. The Department believes that the exemptions set forth in the rule for certain stand-alone domestic insurers, with regard to ERM, and for certain domestic insurers, with regard to ORSA, will exclude any insurers that may be small businesses from being subject to those requirements. With respect to domestic insurers with subsidiaries, the requirement that they have a formal ERM function and file an annual enterprise risk report is required by law, not by the rule. The rule cannot vary a requirement imposed by law.

A domestic insurer with subsidiaries that may be a small business that is subject to the rule may incur additional costs as a result of this rule. The costs are difficult to estimate and will vary depending upon numerous factors, such as an insurer’s organizational structure, its size, and whether it already has an ERM function in place. However, the Department in promulgating this rule has sought to accommodate any such small business by providing flexibility as to its ERM function in stating that an ERM function must be appropriate for the nature, scale, and complexity of the risk and must adhere to certain objectives, as relevant.

2. Compliance requirements: A local government will not have to undertake any reporting, recordkeeping, or other affirmative acts to comply with the rule since the rule does not apply to a local government. However, a domestic insurer with subsidiaries that may be a small business will need to file an enterprise risk report with the Superintendent of Financial Services (“Superintendent”) annually pursuant to the Insurance Law.

3. Professional services: A local government will not need any professional services to comply with this rule since the rule does not apply to a local government. A domestic insurer with subsidiaries that may be a small business and must have an ERM function and file an annual enterprise risk report pursuant to the Insurance Law may need to retain legal and auditing services to comply with the rule.

4. Compliance costs: A local government will not incur any costs to comply with this rule since the rule does not apply to a local government. Any domestic insurer with subsidiaries that may be a small business and must have an ERM function and file an annual enterprise risk report pursuant to the Insurance Law may incur costs to comply with the rule. The costs are difficult to estimate and will vary depending upon an insurer’s organizational structure, its size, and whether it already has an ERM function in place.

5. Economic and technological feasibility: There should not be any issues pertaining to the economic and technological feasibility of complying with the rule with regard to a local government since the rule does not apply to a local government. The rule requires a domestic insurer with subsidiaries that may be a small business to file annual enterprise risk reports with the Superintendent electronically. However, the rule permits such a domestic insurer to request an exemption from electronic filing based upon undue hardship, impracticability, or good cause.

6. Minimizing adverse impact: There will not be an adverse impact on a local government since the rule does not apply to a local government. However, there may be an adverse impact on a domestic insurer with subsidiaries that may be a small business and must have an ERM function and file an annual enterprise risk report pursuant to the Insurance Law.

The Department considered the approaches suggested in State Administrative Procedure Act (“SAPA”) § 202-b(1) for minimizing adverse impacts. Originally, the proposed rule required all authorized stand-alone insurers to have an ERM function. However, the Department amended the rule so that only larger stand-alone domestic insurers that have premiums that are equal to or greater than a certain amount must have an ERM function. The Department also amended the rule to state that an ERM function is to be appropriate for the nature, scale, and complexity of the risk and adhere to certain objectives, as relevant, thereby providing flexibility for any domestic insurer with subsidiaries that may be a small business.

7. Small business and local government participation. The Department complied with SAPA § 202-b(6) by publishing the proposed rule in the State Register on January 22, 2014, posting the proposed rule on the Department’s website in January 2014, and meeting on March 11, 2014 with trade organizations and attorneys that represent insurers that may be small businesses.

1. Types and estimated numbers of rural areas: Holding companies and insurers affected by this rule operate in every county in this state, including rural areas as defined by State Administrative Procedure Act § 102(10).

2. Reporting, recordkeeping and other compliance requirements; and professional services: The rule imposes additional reporting, recordkeeping, and other compliance requirements by requiring certain domestic insurers that are not part of Insurance Law Article 15, 16, or 17 systems, including domestic insurers located in rural areas, to adopt a formal enterprise risk management (“ERM”) function and file enterprise risk reports with the Superintendent of Financial Services (“Superintendent”) annually.

With respect to an Article 15 holding company or a domestic insurer that has subsidiaries, this rule merely implements Chapter 238 of the Laws of 2013, which requires an Article 15 ultimate holding company or a domestic insurer that has subsidiaries to adopt a formal ERM function and file an enterprise risk report with the Superintendent annually, by setting forth the minimum requirements for an ERM function and specifying the information that should be included in an enterprise risk report.

In addition, this rule requires most domestic insurers, including insurers located in rural areas, to conduct an own risk and solvency assessment (“ORSA”) and to file an ORSA summary report with the Superintendent annually.

An insurer or holding company in a rural area may need to retain professional services, such as lawyers or auditors, to comply with this rule.

3. Costs: The rule may result in additional costs to insurers, including insurers located in rural areas, because it requires certain domestic insurers that are not part of Article 15, 16, or 17 systems to adopt a formal ERM function and file an enterprise risk report with the Superintendent annually. This rule also requires most domestic insurers, including insurers located in rural areas, to conduct an ORSA and file an ORSA summary report with the Superintendent annually. Such costs are difficult to estimate because of several factors, such as the insurer’s organizational structure, its size, and whether the insurer already has an ERM function in place.

However, any additional costs to insurers in rural areas should be the same as for insurers in non-rural areas.

With respect to an Article 15 holding company or a domestic insurer that has subsidiaries, this rule merely implements Chapter 238 of the Laws of 2013 by setting forth the proper components of an ERM function and specifying the information that must be included in an enterprise risk report. Therefore, the rule itself should not result in additional costs to holding companies or domestic insurers.

4. Minimizing adverse impact: This rule uniformly affects holding companies and insurers that are located in both rural and non-rural areas of New York State. The rule should not have an adverse impact on rural areas.

5. Rural area participation: Regulated parties in rural areas had an opportunity to participate in the rule making process when the proposed rule was published in the State Register on January 22, 2014. The Department also posted the proposed rule on its website prior to January 22, 2014. This rule contains certain changes as a result of the public comments that were received after the proposal was published. The Department did not receive any specific comments regarding the rural area impact of the rule.

This rule should not adversely impact jobs or employment opportunities in New York State. With regard to Insurance Law Article 15 holding companies and domestic insurers that have subsidiaries, the rule merely implements Chapter 238 of the Laws of 2013 by expanding upon the statutory requirements for adopting an enterprise risk management (“ERM”) function and filing an enterprise risk report. These prudent requirements ensure the solvency and continued operation of insurers. For this reason, the rule also imposes ERM requirements on certain domestic insurers that are not part of an Article 15, 16, or 17 system and own risk and solvency assessment (“ORSA”) requirements on most domestic insurers.

The New York State Department of Financial Services (“Department”) received comments from an organization that represents life insurers, an organization that represents United States insurers, an organization that represents mutual insurers, an organization that represents property/casualty insurers in New York, an organization that represents property/casualty insurers nationally, an organization that represents New York health care plans, a national organization representing the health insurance industry, a national federation of 37 independent, community-based and locally operated health insurers, an organization that represents property/casualty reinsurers, a property/casualty insurer, an insurer that writes property/casualty and life insurance, an insurance committee at a bar association, and an attorney, in response to its publication of the proposed rule in the New York State Register.

Many of the comments were requests to exclude “small” holding companies and domestic insurers from the enterprise risk management (“ERM”) provisions of the rule. Other comments pertained to the lack of incorporation of the lead-state concept with regard to both ERM and the own risk and solvency assessment (“ORSA”), and confidentiality of enterprise risk reports and ORSA summary reports. The Department amended the rule to address some of these comments and provide greater flexibility for holding companies and domestic insurers. The Department has posted on its website a complete assessment of the public comments that the Department received regarding the proposed rule.