The story of a player nobody knows, who is nonetheless moving billions, and why your Governance, Risk and Compliance (GRC) department should take an interest.
Imagine this: You buy an expensive e-bike. Or book the summer vacation you’ve been looking forward to for months. Just before the final click, a small window appears.
“Would you like to insure this directly? Only CHF 4.90 per month.”
You click. Green checkmark. Continue.
The whole thing takes maybe three seconds. It feels like pressing a light switch: banal, reflex-like, without consequences. You think to yourself: “Some big insurance company in the background will be fine.”
Well. That’s the first surprise of the day.
What you have just “completed” in three seconds was not processed by an old, venerable insurance company with a marble facade and mountains of files, but perhaps by an agile, highly specialized tech company that holds no risk capital of its own on its balance sheet.
One that works with other people’s money. One that settles claims, underwrites policies and calculates premiums, autonomously and in milliseconds, on behalf of someone you have probably never heard of.
Welcome to the world of Managing General Agents. In short: MGAs.
And welcome to the question that many C-level decision-makers in the Swiss financial services world and fintech companies have not even asked yet: What does this actually mean for our governance?
The oil tanker and the speedboat
Let me draw you a picture.
Imagine a classic Swiss insurer. Solid as a safe. As steeped in tradition as a Swiss watch. Strongly capitalized, regulated, reliable and, in terms of agility, about as nimble as a fully loaded oil tanker on Lake Zurich.
Now comes the speedboat.
An MGA does not need a marble façade. No hundred years of company history. No capital base of its own. It needs three things: Technology, specialization and a delegated authority agreement (DAA) from the oil tanker.
The MGA can then sail, maneuver and act in the name of the oil tanker. Fast. Precisely. Invisible to the end customer.
The result: the market is growing like there’s no tomorrow. In the USA, over 114 billion dollars in premium volume was transacted via MGAs in 2024, representing 16% annual growth. In Europe, the volume is expected to reach 50 billion dollars by 2028. In Switzerland, we are facing the same leap in maturity.
Sounds like an elegant division of labor, doesn’t it? The speedboat provides agility. The oil tanker provides capital and license. Everyone is happy.
If it weren’t for a few small details.
The oil tanker, i.e. the insurance carrier, is liable for everything the speedboat does. Every policy. Every claims payment. Every wrong decision. In full. Even if it didn’t know that the speedboat had just run onto a sandbank.
This is not a hypothetical scenario. This is the wording of FINMA Circular 2018/3 on outsourcing: You can delegate operational responsibility. The legal responsibility remains with you. Always.
Swiss law: Very precise, but unfortunately on the wrong topic
The revised Insurance Supervision Act (ISA), in force since January 1, 2024, is sharp and precise in many areas. It recognizes tied agents. It recognizes untied intermediaries. It recognizes VAG Article 44, which prescribes clear type constraints: Either you are on the side of the customer or on the side of the carrier. There is no such thing as a bit of both.
What the VAG does not know, however, is the term “MGA” or what it stands for.
That would be like the legislator issuing precise regulations for horse-drawn carriages and then inventing the automobile.
Swiss law is currently watching the speedboat as it maneuvers in the harbor and calls out to the oil tanker: “You are responsible. Good luck.”
An MGA with signing authority is effectively a tied agent with a fiduciary duty to the carrier. At the same time, it typically works for four, five, six or seven different carriers in parallel.
Carriers who have not contractually anchored clear audit rights and governance structures here are operating in a gray area and, under ISA Articles 86 and 87, expose the responsible executives to personal liability: for violations under Art. 86 ISA, a fine of up to CHF 500,000 for intentional conduct (up to CHF 150,000 in the case of negligence); for misdemeanors under Art. 87 ISA, a prison sentence of up to 3 years, or a fine of up to CHF 250,000 in the case of negligence.
How the money flows and why this is a problem
A brief excursion into the economics of the model, as it explains the core governance risk very well.
An MGA earns in three ways: Firstly, the basic commission, i.e. 12 to 15 percent of the gross premium, paid immediately, regardless of what happens to the risk later. Secondly, a profit share if the combined ratio remains low. Thirdly, service fees for additional services such as claims management.
The model is capital-light, but extremely profitable. No wonder private equity money flows into the sector like meltwater in spring.
The built-in tension: The basic commission flows immediately. The loss comes later. An MGA that optimizes for volume rather than quality – in other words, one that prefers to write many policies rather than select them carefully – can present brilliant figures in the short term, while an avalanche of claims quietly builds up at the carrier.
This is the classic principal-agent problem. And it is not theoretical. It happens wherever there is a lack of control instruments.
Reality: The sentence that hurts
A Delegated Authority Agreement (DAA) is not a governance instrument. It is a power of attorney. And a power of attorney without control is an invitation to all parties involved to make the wrong decisions.
Is keeping the speedboat on a leash a solution?
The good news first: the speedboat is an excellent tool. Fast, specialized, efficient. Cyber risks, parametric covers, niche products for SMEs: MGAs make things possible for which a classic carrier would simply be too slow.
However, a tool without operating instructions is a danger. And here lies the real mission of governance: not to ban the speedboat, but to ensure that you always know where it is, what it is doing and that you can stop it if in doubt.
Five measures that make the difference:
Firstly, underwriting parameters should be contractually fixed and precise. Not “the MGA underwrites within the framework of usual market standards”. Rather: maximum sums insured, permitted risk classes, geographical limits. Risks beyond these parameters require your approval.
Secondly, introduce sliding-scale commissions as a management tool. Link the remuneration directly to the combined ratio. If the speedboat sails cleanly with good risks and a low loss ratio, the commission increases. If it leaves a mess behind, it goes down. This creates an alignment of interests without daily micro-management. No desk audit. No mistrust. Just a simple, fair incentive system.
Thirdly, monthly reporting is mandatory. Premiums, claims, reserves on your desk every month. Not quarterly. Carriers that rely on quarterly reports notice imbalances nine months too late at the earliest. In a cyber portfolio, this means: too late.
Fourth: Explicitly enshrine audit and instruction rights. FINMA Circular 2018/3 leaves no choice: the carrier must have the right to inspect the MGA at any time. Anyone who does not set out this right in black and white in the DAA will not have it in the event of a dispute. It is that simple, and that important.
Fifth: Know and control the speedboat’s service supply chain. This is the blind spot that most overlook. An MGA rarely works alone: third-party underwriting platforms, external claims management systems, integrated data feeds from scoring partners and more. Increasingly, the MGA even has its AI models run by a SaaS provider you have never heard of. Each of these players is a sub-outsourcing partner with a direct impact on your regulatory responsibility. In practice, this means: keep a third-party register.
AI, DORA and the next chapter
One last picture before we come to the end.
AI systems have already reduced the underwriting time for complex risks from three days to three minutes. Not a typo: three days to three minutes. In the cyber sector: minus 65 percent review time thanks to AI assistants.
That sounds impressive. And it is. But it is also the moment when the speedboat is fitted with a rocket engine while the port authority is still discussing the speed limit.
The EU AI Act classifies AI in underwriting as a high-risk application. DORA, the Digital Operational Resilience Act, has also applied to insurance companies and their third-party IT providers since January 2025. An MGA that uses AI for underwriting is a third-party IT provider within the meaning of DORA.
Do you have this MGA in your DORA register? Have you recorded its algorithms in your risk assessment?
If not: you are still liable. The speedboat is moving; you are at the wheel of the oil tanker and don’t know it.
From the field: When the speedboat hit the sandbank
One carrier I accompanied had chosen its speedboat well. Agile MGA, strong niche product, impressive growth figures. The DAA was signed. The premiums were flowing.
What did not exist: a single contractually anchored inspection right.
No audit of the MGA. No insight into its operational substructure. No register of third-party providers on which the speedboat was quietly dependent. It always went well.
Until it stopped working.
A critical system supplier of the MGA, i.e. the external underwriting platform of an InsurTech, failed. Without warning. Without a transition period. The speedboat suddenly stood still, in the middle of the fairway. Policies could not be issued. Claims could not be settled. Customers demanded what they were contractually entitled to: immediately.
The carrier? Had no alternative. Never needed one.
What followed was manageable, but expensive: reputational damage with key customers, costly damage limitation, legal review of possible breaches of contract. And the sobering part: with an annual audit, the problem would have become apparent nine months earlier. With sufficient room for maneuver to take countermeasures.
The speedboat wasn’t bad. It was just that no one had checked the nautical chart.
The question on your desk
Do you know today which inspection rights your company has actually contractually agreed with its MGA partner, or are you relying on the DAA from the previous year?
If you have to think for three seconds, that’s not a knowledge gap. It’s a governance gap. And governance gaps, unlike e-bikes, don’t have theft insurance.
Do you want to turn compliance from a cost driver into a competitive advantage?
Then: TURN REGULATION INTO VALUE!
Thomas Schubert, solexa.ch
Mr. #DeedsCountMore
Thomas Schubert: Mr. #DeedsCountMore. Senior GRC & Transformation Leader with over 20 years of practical experience at the interface between business and specialist departments and IT in banks, insurance companies and SMEs. National and international: CH, D, GB, Italy, Spain, India. What he does differently: He translates regulation and compliance issues into decision-making power. His work leads to measurable results: cost savings through optimized governance processes, risk reduction through operational, pragmatic compliance structures, a stronger negotiating position through regulatory clarity, and successful change not on paper but in the organization.
Schubert is not a GRC alarmist. He is a sparring partner for all those who see regulation for what it is: the strongest strategic lever that you are not yet using. As an ISO standards auditor for QMS 9001, ISMS 27001 and CMS 37301, he is also familiar with the audit side and knows what is important.