Topic Governance Circular 02/2017 (VA) - Minimum Requirements under Supervisory Law on the System of Governance of Insurance Undertakings
Aufsichtsrechtliche Mindestanforderungen an die Geschäftsorganisation von Versicherungsunternehmen – MaGo
On this page:
- 1 Objectives of the circular
- 2 Scope and definitions
- 3 Relationship of the circular to the EIOPA guidelines and other Federal Financial Supervisory Authority publications/entry into force
- 4 Principle of proportionality
- 5 Material risks
- 6 Overall responsibility of the management board
- 7 Governance requirements at group level
- 8 General governance requirements
- 9 Key functions
- 10 Risk management system
- 11 System of governance requirements in relation to own funds
- 12 Internal control system
- 13 Outsourcing
- 14 Business continuity management
1 Objectives of the circular
1 This circular provides guidelines on interpreting the provisions concerning the system of governance in the German Insurance Supervision Act (Versicherungsaufsichtsgesetz - VAG) and in the Delegated Regulation (EU) 2015/35 (DR). It explains these provisions bindingly for the Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht - BaFin) and thereby guarantees consistent application in relation to all undertakings and groups.
2 The circular takes the basic approach that the management board members of an undertaking bear collective responsibility for the undertaking's proper and effective system of governance.
2 Scope and definitions
3 The circular is concerned with the Solvency II supervisory regime. It applies to all primary insurers and reinsurers with a registered office in Germany or in a third country in accordance with section 1 (1) no. 1 in conjunction with section 7 no. 33 or section 7 no. 34 and 6 of the VAG (referred to hereafter as "undertakings"), unless they are death benefit funds in accordance with section 218 (1) of the VAG, Pensionskassen in accordance with section 232 (1) of the VAG or small insurance undertakings in accordance with section 211 of the VAG. The circular does not apply to reinsurance undertakings that meet the prerequisites stated in section 165 (1) of the VAG, or to primary insurers and reinsurers that meet the prerequisites stated in section 343 of the VAG.
4 The circular applies to groups if all primary insurers and reinsurers belonging to the group have their registered office in Germany. It also affects groups with primary insurers or reinsurers in other member or signatory states in accordance with section 7 no. 22 of the VAG, for which BaFin is the group supervisor in accordance with the criteria stated in section 279 (2) of the VAG.
5 This margin number is superfluous in the translation and has therefore been omitted.
6 The term management board refers to the boards of undertakings. To the extent that undertakings under public law or undertakings in the legal form of the European Company (SE) that fall within the scope of this circular do not have a governing body with this title, then the corresponding management body shall take the place of the management board. The corresponding supervisory body shall take the place of the supervisory board under the same conditions.
3 Relationship of the circular to the EIOPA guidelines and other Federal Financial Supervisory Authority publications/entry into force
7 BaFin uses the EIOPA Guidelines on the System of Governance (EIOPA-BoS-14/253 DE) for the purposes of interpreting the applicable provisions of the VAG and the DR, unless it has stated that it does not apply individual guidelines in full.
8 As regards the requirements related to the professional qualification and propriety of individuals who effectively run the undertaking or have other key functions, and the notification requirements for persons responsible for key functions, reference is made to the Guidance Notice on the fitness and propriety of members of management boards pursuant to the VAG, the Guidance Notice on the fitness and propriety of members of supervisory boards pursuant to the VAG, and the Guidance Notice on the fitness and propriety of persons responsible for key functions or persons who work for a key function pursuant to the VAG.
9 Reference is made to the latest applicable versions of the corresponding interpretative decisions in relation to the requirements regarding the prudent person principle (PPP), as well as the requirements regarding the own risk and solvency assessment (ORSA).
10 Any special requirements imposed by BaFin on risk management (as part of the system of governance) in undertakings within the scope of its publications remain unaffected by the requirements set out in this circular.
This applies in particular to the requirements relating to risk management in accordance with
- Circular 3/2016 (VA) – Trustees for monitoring of the guarantee assets (Sicherungsvermögen),
- Circular 10/2014 (VA) – Cooperation with Insurance Intermediaries, Risk Management in Distribution – together with collective administrative act, dated 10 December 2015,
- Circular 3/2013 (VA) – Minimum requirement for complaints handling by insurance undertakings – together with collective administrative act, dated 20 September 2013,
- Interpretative decision dated 20 December 2016 - Aspects of remuneration (Article 275 of the DR),
- Interpretative decision dated 30 August 2016 – Operation of reinsurance business in Germany by insurers with their registered office in a third country, as well as
- Interpretative decision dated 31 October 2013 - Guidelines on the use of external ratings and on carrying out internal credit risk assessments.
11 This circular comes into force on 1 February 2017. The following interpretative decisions are repealed at the same time:
- general governance requirements for insurance undertakings dated 1 January 2016;
- risk management in insurance undertakings dated 1 January 2016;
- outsourcing by insurance undertakings dated 21 December 2015;
- actuarial function in insurance undertakings dated 21 December 2015;
- internal control mechanisms and the internal audit in insurance undertakings dated 21 December 2015, as well as
- requirements on own funds and the system of governance dated 21 December 2015.
4 Principle of proportionality
12 The principle of proportionality plays a major role in implementation of the system of governance requirements. The requirements are to be fulfilled in a manner which is proportionate to the nature, scale and complexity of the risks inherent in an undertaking’s business activities (section 296 (1) of the VAG). The principle of proportionality is thus based on the individual risk profile of each undertaking. A smaller undertaking may indicate a lower risk profile, while the converse is also true. To the extent that the number of staff can play a role in determining the relevant size, it is not the number of existing staff that is crucial, but the actual requirement for staff. This primarily means that staff capacities which the undertaking benefits from via outsourcing must also be included in the evaluation.
13 Proportionality affects how the requirements can be met. For instance, simpler structures and processes may be adequate in undertakings with a lower risk profile. Conversely, the principle of proportionality may require more sophisticated structures and processes in undertakings with a more pronounced risk profile.
14 The assessment of which form may be regarded as proportionate is not static with regard to the individual undertaking, but adjusts to the changing situation over time. In this respect, both undertakings and insurance groups have to examine whether and how the available structures and processes can, or indeed must, be further developed.
15 The question of which actual structures and processes are appropriate to a particular risk profile, and whether (and if so, which) accompanying measures are required, can only be answered in the relevant context.
16 The individual risk profile determined by the undertaking continues to apply provided no changes have been made to it.
5 Material risks
17 There are individual requirements that only relate to material risks and not to all risks; the term material risks is also used in European legal texts. To be able to identify all material risks using appropriate and comprehensible criteria, the full management board determines individual materiality thresholds appropriate to the undertaking’s risk profile (hereafter referred to as: materiality thresholds). The appropriateness of the materiality thresholds must be ensured on a continuous basis. To this end, the full management board gains an overview of all risks to which the undertaking is actually or may potentially be exposed, both on a regular as well as on an event-driven basis.
18 Separate materiality thresholds are required for the following risk categories at a minimum: underwriting risk, market risk, credit risk, liquidity risk and operational risk.
19 The materiality thresholds may not be based solely on the effects within the scope of accounting or the effects of infringements.
20 The full management board must ensure that the materiality thresholds are applied uniformly. This responsibility can be delegated to one or more of the management board members.
6 Overall responsibility of the management board
21 All members of the management board are responsible for the proper and effective system of governance of the undertaking (see below under 8.2 regarding the regular evaluation of the system of governance by the full management board). The full management board is therefore also responsible to ensure that the undertaking has an appropriate and effective risk management and internal control system. In order to meet their overall responsibility, the management board members must also develop a risk culture appropriate for the undertaking that is actively supported and developed on a continuous basis. Where the requirements of this circular expressly relate to the full management board, the board cannot delegate its responsibility, not even to one or more of its members, unless otherwise stipulated.
7 Governance requirements at group level
22 The requirements on the system of governance for undertakings apply correspondingly at group level. In addition, there are group-specific requirements, for instance with regard to consistent implementation of risk management systems, internal control systems and reporting within the group.
23 To the extent that fulfilment of the governance requirements at group level conflicts with the possibilities available under company and capital market law, the undertaking responsible for fulfilling these requirements and the undertakings belonging to the group must be aware of this, and must take reasonable measures to ensure that the requirements are met. To this end, the undertaking responsible for meeting the requirements at group level must make reasonable use of the existing options for exerting influence. All of the undertakings subject to group supervision must cooperate in fulfilling the governance requirements at group level (section 246 (3) of the VAG).
24 How the undertakings meet the requirements on the system of governance at group level must be reviewed and decided in the first instance by these undertakings themselves. For example, they could consider regular reciprocal exchange of information as well as the establishment of a group committee with specialist panels as necessary. In the event that the smaller entities in a group are not represented, then these must be notified via other methods of the measures that are significant for them, and must provide their consent separately if applicable.
25 Further non-exhaustive details on the governance requirements at group level are provided below, for instance with regard to general governance requirements (8.1.7, 8.3.1. and 8.4.1), the requirements for the system of governance in relation to own funds (11.7) and requirements on outsourcing (13.6).
8 General governance requirements
8.1 Organisational and operational structure
26 The undertakings must decide in an appropriate manner and with due consideration for their risk profile and the scope of the requirements to be met which specific organisational structure is suitable for them.
8.1.2 Determining tasks, responsibilities and reporting lines
27 A transparent organisational structure appropriate to the undertaking's risk profile requires a clear definition and segregation of tasks and responsibilities. There must be clear rules in place regarding who is responsible for tasks in the undertaking and who is accountable for decisions.
28 Rules on representation and reporting lines must also be clearly defined in addition to the tasks and accountabilities. It must be ensured that all individuals in the undertaking receive the information affecting them without delay and are able to recognise its significance, and that exercising the relevant task or responsibility is guaranteed at all times.
8.1.3 Appropriate segregation of responsibilities
29 An appropriate segregation of responsibilities (section 23 (1) sentence 3 of the VAG) up to and including the management board level forms part of an organisational structure that is appropriate to the undertaking's risk profile.
30 Among other factors the build-up of risks must be separated from their monitoring and control in a manner appropriate to the risk profile. In the event of a more pronounced risk profile, a strict separation may be required at least between the build-up of material risks and their monitoring and control, while a strict separation may be waived under some circumstances with lower risk profiles. - Example: in the event of a lower risk profile, a management board member may under certain circumstances be responsible both for investment and risk management, together with the other board members (so-called “full management board solution” for risk management).
8.1.4 Determining regulations on the operational structure
31 The operational structure must ensure that processes that involve risks and their interfaces are appropriately managed and monitored. This requires, first of all, that all processes be assessed from a risk aspect.
32 Processes involving risks include, at a minimum, underwriting activities, reserving (both in accordance with Solvency II and with the German Commercial Code (Handelsgesetzbuch - HGB)), capital investment management including asset liability management, ceded reinsurance management and sales. Ensuring appropriate management and monitoring of the risk-bearing processes identified requires clear definition of the individual process steps, including the necessary control activities as defined by the internal control system (see 12) and, if necessary, escalation steps, as well as of the process-specific competences and responsibilities and the information flows.
33 Control activities generally do not imply the implementation of comprehensive controls following each individual process step. However, particularly risk-bearing process steps must always be identified and checked on a regular basis.
34 As part of a sound and prudent management, risk management and internal control practices must be implemented appropriately and consistently throughout the undertaking.
35 If the undertaking has established written policies, the relevant basic rules on the operational structure must be set out in the associated policy (see 8.3). Conversely, the individual undertaking-specific requirements set out in the written policy must be taken into account when specifying individual (sub-)processes.
8.1.5 Implementing regulations on the operational structure
36 To ensure the proper performance of their tasks, it is important that all relevant staff know the work procedures relevant to them, meaning that they must be informed in this regard and be familiar with the relevant content.
37 The management board and the senior management, including the persons responsible for key tasks, must bear in mind that their conduct has a high impact on the careful and conscientious execution of tasks within the undertaking.
8.1.6 Documenting the organisational and operational structure
38 Documentation on the organisational and operational structure must be maintained and kept up-to-date at all times. Previous versions must be archived for a minimum of six years.
8.1.7 Special aspects relating to groups
39 The management board of the undertaking responsible for meeting the governance requirements at group level must have appropriate knowledge of the group's internal organisation, the business models of the different undertakings, the connections and relationships between them and the risks resulting from the group structure.
40 Changes to the organisational and operational structure may be required both at group level and at the level of the individual undertakings in the event of any change to the group structure. It may be necessary, for instance, to determine new competences and reporting lines.
41 Responsibility for changes to the organisational and operational structure at group level lies with the management board of the undertaking responsible for meeting the requirements at group level.
42 Responsibility for changes to the organisational and operational structure at the level of an individual undertaking lies with the management board of the relevant undertaking. Requirements of the undertaking responsible for the group may need to be observed and implemented in an individual undertaking as necessary.
8.2 Internal review of the governance system
43 The full management board assesses the governance system of the undertaking on a regular basis (section 23 (2) of the VAG) with the frequency of assessments to be laid down in accordance with the risk profile, and ensures that any required changes are implemented promptly. Assessments of individual units of the governance system can be made by the management board member responsible for this unit. The full management board must, however, be informed of the outcome of this assessment and manage the resulting implementations. Regular assessment of the overall system of governance is to be set out in an audit plan or similar instrument. The outcome of the assessment along with the implementation of the changes required are to be documented.
44 To be able to carry out their assessment, each management board member must at least understand the material risks to which the undertaking is exposed.
45 For the purposes of the assessment, the management board considers the findings that the internal audit function has obtained during its review of the system of governance, along with the findings that the other key functions have obtained in carrying out their tasks. If necessary, the management board uses additional internal information and findings from other business units. The management board will assess in particular whether the risk strategy and the management of the undertaking are coordinated with each other and are consistent with the business strategy, and whether the system of governance supports the objectives under the business and risk strategies.
46 The management board determines the grounds for extraordinary assessments of the system of governance.
8.3 Written policy
8.3.1 Determining responsibilities
47 In order to support the business and risk strategies to be determined by the board, the full management board must agree on the written policy upon initial adoption at least, as well as in the event of significant amendments. If minor amendments are excluded from the need for agreement, the undertaking must determine beforehand which amendments in the written policy shall be assessed as minor.
48 The written policy agreed at group level does not automatically apply to the legally independent individual undertakings. This also applies if control agreements are in place. Written policies must thereby be issued separately for the legally independent individual undertakings.
49 The written policy is implemented in practice through appropriate work procedures. The level at which the responsibility for these work procedures lies must be determined.
8.3.2 Content of the written policy
50 Aside from guidelines for required actions, the written policy can also include work procedures for all relevant staff. If the written policy does not include any work procedures, it forms the basis for those implementing the policy.
51 The following minimum requirements (up to and including 8.3.4) apply to the written policy on the system of governance within the meaning of section 23 (3) of the VAG. The minimum requirements do not apply directly to the work procedures implementing the policy.
52 The written policy must also clearly present the objectives it pursues, along with the competences and reporting processes for the business units.
53 Corresponding interfaces and segregation must be stated in the relevant written policy in order to avoid duplication of tasks between business units.
54 The written policy to be produced for the key functions (see 9) must outline, inter alia, the powers of the key functions.
55 The written policy of the relevant organisational units must set out which information is relevant for the key functions and state that any such information must be conveyed to the key functions.
56 At a minimum, all written policies belonging to the system of governance must be coordinated with each other and with the business and risk strategies.
8.3.3 Review of the written policy
57 The written policy must be reviewed at least once annually using the methods appropriate to the risk profile. The full management board determines the grounds for ad-hoc reviews of the individual policy. This responsibility can be delegated to one or more of the members of the management board.
58 The review of the written policy requires that the tasks to be executed and the competent persons and responsible organisation units be specified. It must be taken into account that changes to a written policy or to the business strategy can have an impact on the other written policies.
59 The reviews of the written policy must be documented. The findings and recommendations resulting from them are reported to the management board.
60 The decisions taken by the management board as a result of the review of the written policy must be comprehensibly justified and documented together with the justification.
8.3.4 Knowledge of and compliance with the written policy
61 The management board must ensure that the business units operate in line with their responsibilities and duties. Among other items, a written policy is prepared for this purpose with specifications of work procedures.
62 The relevant staff must be notified of the business processes for which there are written policies in place and which duties and responsibilities are established as a result of this. Changes to the written policy must be communicated to the persons concerned without delay.
63 The undertakings must implement internal controls to ensure that all conduct is in accordance with the written policy and that this is not infringed or that any infringements are identified promptly.
8.4 Role of the management board and supervisory board
64 The governance system of an undertaking includes processes for regular and ad-hoc transmission of information and reports from the business units and functions to the management board. On this basis, and based on corresponding advice, the management board carries out its executive responsibilities and takes its decisions. The processes that ensure that the relevant staff members are notified of the decisions made in such a way that these can be implemented in full are equally important as the processes for transmitting information and reports to the management board.
65 The supervisory board appoints the management board members, decides on their remuneration and supervises their activities. Certain types of transactions may only be carried out with the consent of the supervisory board. It is granted rights of information, inspection and review by statute for the purposes of fulfilling its duties. The supervisory board actively exercises these rights and advises the management board on strategic and other issues.
66 The management board and supervisory board are responsible for deciding whether a committee structure is appropriate for the undertaking, and if so which one this should be.
8.4.1 Group level
67 The management board of the undertaking that is responsible for fulfilling the governance requirements at group level will interact as appropriate with the management boards at the other undertakings within the group.
8.4.2 Dual control principle
68 The undertaking must ensure it is effectively run by at least two individuals. This implies that a minimum of two persons who effectively run the undertaking are involved in any of the undertaking's material decisions before the relevant decision is implemented.
69 The undertaking is responsible for the initial assessment as to whether there are any other individuals in the undertaking aside from the members of the management board who also belong to those individuals effectively running the undertaking based on their decision-making powers. This is relevant for instance at the second management level.
70 The undertaking is responsible for determining which decisions need to be categorised as material with respect to the business model and to the individual risk profile. Material decisions are those that will or could have a significant impact on the undertaking or that are unusual given regular business operations.
71 The management board must document its decisions and the manner in which it takes into account the information obtained from risk management (see 10.1).
72 No minimum level of structure can be specified for the documentation as a blanket concept. The scope and level of detail of the documentation for decisions taken by the management board depend on the purpose for the documentation and the risks associated with the relevant decision. The structure of the documentation must be determined, therefore, in the individual case based on a holistic view with due regard to the built-in checks and benefits involved. However, a complete waiver of the documentation cannot be considered.
73 The documentation is adequate provided that it is complete and precise and includes all of the material background information (e.g. formulas, parameters, decisions, crucial justifications for these) to enable a competent person to understand the content of the decision and review this.
74 Preparing a complete set of new documentation is not necessarily required. References to existing documentation with the documentation also appended may suffice, provided that this can be scrutinised and understood
9 Key functions
9.1 General requirements and position in the undertaking
75 The concept of the "key function" comprises the following four functions: the internal audit function, compliance function, independent risk management function and actuarial function. A distinction must be made between this and the additional concept of a "key task"; in addition to the key functions, undertakings can also determine additional key tasks (see Guidance Notice on the fitness and propriety of persons responsible for key functions or persons who work for a key function pursuant to the German Insurance Supervision Act (Versicherungsaufsichtsgesetz – VAG)
76 The key functions have an equal ranking. Persons internally responsible for a key function (see 9.1.1) who are not members of the management board are only subject to instructions from the management board in terms of exercising the key function. This also applies if the key function is not directly subordinate to the management board level from an organisational point of view. The full management board represents the escalation level in the event of disputes between key functions that cannot be solved between the relevant management board members answerable.
77 The key functions must be set up in an appropriate manner with due regard to their relevant purpose and the principle of proportionality. Apart from centralised or specialist team structures, decentralised or integrated structures also come into consideration (see 13.4 and 13.5 on outsourcing)
78 Conflicts of interest are to be avoided. The key functions must at all times be free from influences that may compromise the function's ability to undertake its duties in an objective, fair and independent manner. It is crucial for duties to be defined and allocated in a clear and transparent manner, in particular with integrated approaches to the organisation of a key function. This must be laid down in a written policy.
79 Apart from having appropriate resources and powers, the key functions need to have a high status within the undertaking. This must be enshrined in the written policy. A corresponding corporate culture is also required, and the tone at the top is extremely significant here.
80 Undertakings that are part of groups must establish all key functions at the individual level. The undertaking responsible for fulfilling the governance requirements at group level must ensure that the key functions are also established at group level.
9.1.1 Persons responsible for key functions
81 For all forms, including decentralised ones, there must be a natural person who bears responsibility for the relevant key function being fulfilled properly. This is notwithstanding the ultimate responsibility of the full management board. There is an "internally responsible person" for any key function set up internally within the undertaking (see 13.4 and 13.5 on outsourcing). This responsibility may not be allocated wholly or partially to several natural persons. However, there can be many people who work for a key function, i.e. contribute to the key function’s work.
82 A member of the management board can at the same time be the person internally responsible for a key function only on a case-by-case basis (see 13.4 and 13.5 on outsourcing), i.e. in particular if this structure is appropriate to the undertaking's risk profile. Section 23 (1) sentence 3 of the VAG is applicable, which means that there must be a separation of the responsibilities appropriate to the undertaking's risk profile, including in relation to the responsibilities as an internally responsible person and as a member of the management board. Article 258(1)(g) of the DR is also applicable, which means that undertakings must ensure that the assignment of the additional tasks as an internally responsible person does not or is not likely to prevent the relevant management board member from carrying out all of their responsibilities in a sound, honest and objective manner, including responsibilities at other undertakings if applicable. This requires, among other things, sufficient time for the relevant additional task. In all other respects, reference is made to the Guidance Notice on the fitness and propriety of persons responsible for key functions or persons who work for a key function pursuant to the German Insurance Supervision Act (Versicherungsaufsichtsgesetz – VAG).
83 The principle of proportionality must be observed if a person, whether a member of the management board or a person working below the management board level, is simultaneously internally responsible for multiple key functions. The greater the number of different key functions that are affected the more precise undertakings must be in showing that this structure is appropriate to their relevant risk profile. A further limit to the assignment of multiple tasks to the same person is provided in Article 258(1)(g) of the DR (see margin no. 82). Special conditions apply in relation to the internal audit function (see 9.4).
9.1.2 Information flow
84 The relevant person internally responsible for a key function (see 9.1.1) must report directly to the management board. This also applies if the key function is not directly subordinate to the management board level from an organisational point of view. In accordance with Article 268(3) DR, the relevant internally responsible person also reports ad-hoc to the management board.
85 Conversely, the management board must notify the person internally responsible for the relevant key function reasonably, at its own initiative and in good time of all facts that may be required for them to fulfil their responsibilities. This duty to notify the internally responsible person applies accordingly to other business units.
9.2 Compliance function
86 The compliance function monitors compliance with the laws and regulations, regulatory requirements and other external specifications and standards (hereafter referred to as: external requirements) to be observed in accordance with the following sections.
87 The compliance function monitors in particular whether compliance with the external requirements is ensured based on appropriate and effective internal procedures. This does not necessarily mean that the compliance function implements these procedures itself. Rather, the compliance function is required to monitor whether the relevant units have established appropriate and effective procedures under their own responsibility. The compliance function must be aware of the internal regulations aimed at ensuring compliance with the external requirements so that it can monitor these. To the extent that other teams review whether these internal regulations are being complied with, the compliance function must be aware at a minimum of the type, scope and results of this review and assess these in relation to the compliance aspects.
88 The monitoring includes the areas of law associated with material risks at a minimum. This involves at least the statutes, regulations and regulatory requirements applicable to operating an insurance business.
89 This does not affect the responsibilities and schedule of tasks of any company officer prescribed by statute. Company officers prescribed by statute do not, however, lead to the relevant areas of law being excluded completely from the responsibility of the compliance function. The compliance function must at least monitor whether the company officers are exercising their responsibilities prescribed by statute in relation to areas of law associated with material risks.
90 The compliance function advises the management board in relation to compliance with the statutes, regulations and regulatory requirements applicable to operating an insurance business. It may also support the management board on, inter alia, making the staff aware of compliance issues and work towards ensuring that attention is paid to these in daily work activities.
91 The compliance function evaluates any potential impact of changes to the legal environment. It must observe and analyse developments in the legal environment at an early stage for this purpose. The full management board must be informed of the consequences of any material changes to the legal environment in sufficient time to allow it to implement corresponding precautions and actions.
92 The compliance function identifies and evaluates the compliance risks. The compliance risks include all risks resulting from a failure to comply with the external requirements.
93 The compliance function identifies and evaluates the compliance risks from a risk point of view at regular intervals.
94 The compliance function carries out its activities based on a compliance plan. The compliance plan takes into account all relevant business units. Activities are selected based on a risk-oriented approach. The compliance plan must be reviewed and updated on a regular basis.
95 The compliance function regularly reports to the full management board on current compliance issues. It prepares a report for this purpose at appropriate intervals, and at least annually. See 9.1.2 on ad-hoc reporting requirements for the compliance function in accordance with Article 268(3) DR.
96 The report must explain at a minimum the material compliance risks and the measures mitigating these risks and provide the management board with an overview of the adequacy and effectiveness of the procedures implemented to comply with the external requirements.
9.3 Actuarial function
9.3.1 General requirements for the actuarial function
97 The undertakings must establish an actuarial function as a key function. Aside from the actuarial function, the Insurance Supervision Act continues to stipulate that a responsible actuary be appointed in the case of life insurance, substitutive health insurance, accident insurance with premium refund and third-party liability and accident annuities (see 9.3.7).
9.3.2 Responsibilities of the actuarial function
98 The schedule of the actuarial function's responsibilities is defined in section 31 (1) of the VAG in conjunction with Article 272 DR. The transitional provisions in section 351 and section 352 of the VAG must also be taken into account if these are applicable to the relevant undertaking.
99 It is also generally possible to assign responsibilities to the actuarial function that go beyond the specified schedule of responsibilities if conflicts of interest are analysed and appropriate measures are implemented to handle these.
9.3.3 Coordination of the calculation of technical provisions
100 The decision regarding who carries out the calculation of the technical provisions pursuant to section 75 et seq. of the VAG is left to the undertaking.
101 The decision regarding who carries out the validation pursuant to Article 264 of the DR is also left to the undertaking. This does not affect the actuarial function's responsibilities pursuant to section 31 (1) of the VAG in conjunction with Article 272 of the DR.
102 The calculation of the technical provisions and validation pursuant to Article 264 of the DR are separated appropriately in such a way that avoids conflicts of interest and in particular does not unreasonably impair the independence of the validation. In line with the principle of proportionality, this requirement can be considered fulfilled for undertakings with a lower risk profile if the processes for the validation and calculation are separate. However, the staff carrying out the validation and calculation may need to be separate individuals in accordance with the principle of proportionality.
103 The validation within the meaning of Article 264 of the DR includes the calculation methods and data used, the assumptions made, as well as the complete record of the obligations to be evaluated. The impact must be determined of changes to methods, assumptions and the bases for data from one reporting date to the next.
104 Within the scope of its competence, the actuarial function is responsible for ensuring that an appropriate validation is carried out in accordance with Article 264 of the DR. In this context, the actuarial function fulfils the following responsibilities.
105 The actuarial function evaluates whether the correlations between the method selection, the assumptions and the data quality and availability are observed. The source and intended use of the data are considered for this purpose.
106 The actuarial function takes into account the characteristics of the insurance obligations in its review of which validation process is the most appropriate one.
107 The actuarial function regularly reviews the validation process and ensures that this is refined as necessary. For this purpose, it incorporates the empirical values acquired from previous validations and the changes to market conditions as applicable.
108 The actuarial function ensures that both quantitative as well as qualitative aspects are taken into account in the validation.
9.3.4 Responsibilities in relation to future profit participation
109 The actuarial function ensures that the future profit participation is adequately taken into account in the technical provisions as defined under Solvency II. The actuarial function must consult the actuary responsible in lines of business to see whether the future management rules required for this purpose have been modelled realistically. No additional validation is required in this respect by the actuary responsible.
110 In its opinion on the future profit participation, the actuarial function established at group level must observe the relevant national statutory requirements. For this purpose, it must consult with the local actuarial functions as well as the actuary or appropriate individuals responsible where provided.
9.3.5 Assessment of data quality
111 The statements made in the following margin numbers relate to the data used for the evaluation of technical provisions.
112 For the assessment of the data quality, the actuarial function includes the results of those analyses that were carried out as part of external or internal reviews of the data quality.
113 In assessing the completeness of the data, the actuarial function reviews whether the number of observations and the level of detail of the available data suffice for application of the calculation methods used and segmentation of the insurance obligations.
114 The actuarial function determines material shortcomings in the data as well as the causes for these. For this, it also reviews internal processes and consults with the staff responsible as required. It puts forward solutions for rectifying the shortcomings to the management board.
115 The actuarial function documents the material shortcomings and causes for these. It also outlines the potential material effects of these shortcomings on the calculation.
116 The actuarial function formulates recommendations as necessary for improving internal procedures as part of data management in order to ensure that the undertaking is capable of meeting the relevant requirements under Solvency II.
117 It reviews in which circumstances external and/or market data is additionally required. It also evaluates the quality of this data.
118 The actuarial function assesses whether the reliability of the estimates can be improved by amending the available data.
9.3.6 Opinion on the underwriting policy and reinsurance
119 The actuarial function supports the management board by analysing the interdependencies between the underwriting and assumption policy, the price calculation, the reinsurance policy and the technical provisions. It must assess the compatibility of the underwriting and reinsurance policy with the undertaking's risk profile.
120 The analysis of the underwriting and assumption policy and price calculation required for this does not generally take place at the individual product level, but rather at an appropriate abstraction level.
121 The analysis of the reinsurance policy required for this includes the effectiveness of the reinsurance agreements under stress conditions.
122 The analyses are also regularly carried out on a quantitative basis.
9.3.7 Relationship between the person responsible for the actuarial function and the responsible actuary
123 Responsible actuaries exercise a protective function for customers. They ensure equal treatment and that surpluses are used appropriately. The responsible actuary also reviews whether the undertaking is in a position to fulfil its obligations under the insurance contracts at all times. If the responsible actuary is at the same time the responsible person for the actuarial function, the undertakings review whether this combination could lead to conflicts of interests.
124 The tasks of the responsible actuary with respect to compliance with the statutory regulations for provisions under the commercial law and the appropriate premium calculation usually do not impair the role of the actuarial function so severely that an organisational separation would be considered necessary.
125 Conflicts of interest between the responsible actuary and the actuarial function are possible in the case of life insurance contracts with profit participation. While the discretionary bonuses are determined by the management board, the latter cannot completely ignore the proposal put forward by the responsible actuary in accordance with section 141 of the VAG (5) no. 4 and (6) no. 2 and no. 3. A profit participation that appears to be reasonable to the responsible actuary can harbour risks that are too high as far as the actuarial function is concerned, while a profit participation that appears appropriate to the undertaking's risk profile from the point of view of the actuarial function may be unreasonable to customers as far as the responsible actuary is concerned. If there is the possibility of conflicts of interest in individual cases, the person responsible for the actuarial function can only be the responsible actuary at the same time if the undertaking implements appropriate and effective measures to ensure that the relevant individual exercises each of the two responsibilities fully and independently.
126 The statements on life insurance under margin no. 125 apply mutatis mutandis to accident insurance with premium refund. The scope of the measures required depends, however, on the quota share of such contracts as a proportion of the entire business volumes and the associated risks.
127 If there is the possibility of conflicts of interest in substitutive health insurance in cases where the person responsible for the actuarial function is at the same time the responsible actuary, involvement of the independent trustee based on his or her statutory responsibilities in SLT health insurance can generally be considered an adequate accompanying measure, provided that the actuarial function is not assigned any tasks that go beyond the specified schedule of responsibilities. The principles stated in the last sentence of margin no. 125 and in margin no. 102 apply if further responsibilities are assigned to the actuarial function.
128 There is generally no conflict of interests if the responsible actuary is at the same time the responsible person for the actuarial function, but is responsible exclusively for the formation of provisions for property/casualty annuities.
9.3.8 The actuarial function’s duties to inform
129 In accordance with Article 272(8) of the DR, the actuarial function submits a written report to the management board at least once a year which contains all of the results achieved (Actuarial Function Report). See 9.1.2 on the actuarial function's ad-hoc reporting obligations in accordance with Article 268(3) of the DR.
130 The Actuarial Function Report will clearly highlight any deficiencies as well as recommendations on rectifying these deficiencies. It will also include details on changes to the underlying assumptions and methods used at a minimum. A simple note to the effect that the situation has not changed compared with the previous year is not sufficient.
131 The Actuarial Function Report cannot be replaced by individual sub-reports. It must be inherently comprehensible for the management board.
132 The actuarial function is free to report separately on individual topics in addition to the Actuarial Function Report. Material aspects from these reports must be incorporated into the next Actuarial Function Report.
133 A separate report is compiled in each case by the responsible actuary and the actuarial function to the extent that a report is envisaged. This also applies if the responsible actuary is at the same time the person responsible for the actuarial function. In the event of overlaps, e.g. in relation to an analysis of data quality, the Actuarial Function Report can also address the findings from the report submitted by the responsible actuary. The actuarial function will ensure that these findings are transferrable to the Solvency II perspective.
9.4 Internal audit function
134 All undertakings must establish an internal audit function. Exceptions to this rule are not permitted.
135 The audit assignment for internal audit relates to the entire governance system of an undertaking, including outsourced units and processes.
136 Compliance with the audit plan, i.e. fulfilling the audit function, takes priority over the consultancy function. The internal audit, therefore, may potentially restrict consultancy activities as applicable.
137 The internal audit in not subject to any influences (controls, constraints or other influences) that could impair its independence and impartiality in completing its tasks (= unreasonable influences).
138 The internal audit must be independent of all business units in the undertaking. This applies to the person responsible for the internal audit function as well as to all individuals who work for the internal audit.
139 In particular, the internal audit must not be impaired, even indirectly, in carrying out the audit, evaluating the audit results or reporting on these results. The internal audit must be able to communicate its results, findings, concerns, recommendations for improvement, etc. directly to the full management board, without any prior alterations through exertion of influence.
140 The management board's right to issue instructions in relation to the internal audit's inspection schedule is not inconsistent with the internal audit's independence. Article 271(3) sentence 2 of the DR remains unaffected.
141 The internal audit is not permitted to carry out any operational functions or activities (section 30 (2) sentence 1 of the VAG). This applies equally to all undertakings; proportionality aspects are irrelevant to this extent.
142 The other key functions are permitted to cooperate with the internal audit. Inappropriate influence exerted by the other key functions must be ruled out by setting out clear remits, among other factors.
143 The person internally responsible for the internal audit function can be at the same time the person internally responsible for other key functions, provided that the conditions stated in Article 271(2) of the DR are cumulatively fulfilled. The more key functions that are affected, the more precise undertakings must be in showing that this structure is appropriate to their relevant risk profile, and that the independence of the internal audit cannot be impaired. Article 258(1)(g) of the DR is also applicable (see 91.1).
9.5 Independent risk management function
144 The independent risk management function (IRMF) is also designated as the "risk management function" in national and European legal texts. Both terms are synonymous.
145 The schedule of the IRMF's responsibilities is defined in section 26 (8) of the VAG in conjunction with Article 269 of the DR. The IRMF significally promotes inter alia implementation of the risk management system. In this context, the IRMF is responsible for implementing risk management operationally.
146 The IRMF assists the full management board and if necessary the responsible management board members as well as other functions in effectively operating the risk management system. In this respect, the IRMF must in particular
a) regularly assess whether the risk strategy is consistent with the corporate strategy;
b) regularly assess whether the written policy is appropriate to the risk management system;
c) promote risk awareness among the staff affected by the risk management system;
d) regularly assess the methods and processes for risk assessment and monitoring and develop these further where appropriate;
e) propose limits and
f) evaluate planned strategies based on the risk aspects.
147 The IRMF monitors the risk management system. In this respect, the IRMF must in particular:
a) develop processes and procedures for monitoring the risk management system; and
b) monitor the adequacy of the risk management system on a continuous basis.
148 The IRMF monitors the undertaking's overall risk profile. In this respect, the IRMF must in particular:
a) identify, assess and analyse the risks at an aggregate level at least;
b) monitor the measures aimed at limiting risk;
c) monitor the limits and the risk at an aggregate level and
d) coordinate implementation and documentation of the company's own risk and solvency assessment (ORSA).
149 The IRMF reports to the full management board at a minimum on material risk exposures, the overall risk profile as well as the adequacy of the risk management system, and advises the management board on risk management issues.
150 The IRMF proactively advises the management board at a minimum of any material deficiencies or potentials for improvement in relation to the risk management system. It assists the full management board in rectifying any deficiencies and in developing the risk management system on a continuous basis.
10 Risk management system
10.1 The role of the management board in the risk management system
151 The full management board is responsible to ensure that the structure and design of the risk management system are appropriate and effective.
152 The responsibility of the full management board does not release the supervisory board from its duty to check whether the entire management board has established an appropriate and effective risk management system.
153 Irrespective of the full management board's collective responsibility, the undertaking's risk profile may require a certain member of the management board to be assigned specifically to risk management.
154 The full management board's collective responsibility for the risk management system, which cannot be delegated to one or more members of the management boards, relates to the managerial functions. These functions include, inter alia, the strategic decisions and determinations for the organisational framework for risk management, and therefore specifically also assuming and managing material risks.
155 The managerial functions also include the development of a common risk culture ("common risk language") which ensures consistent and effective risk management in all business units. This also requires developing a risk strategy, which is to be reviewed at least once a year and adapted as necessary. The risk strategy, review and any amendments must be documented. The risk strategy reflects the risks arising from the business strategy. It must be structured in such a way that operational management of the risks can be linked to it.
156 The full management board or the responsible management board member must consider the information from the risk management system appropriately in their own decisions. This also requires appropriate inclusion of the IRMF as the central unit for risk management. Inclusion of the IRMF does not release the entire management board or the responsible management board member from responsibility for their own decisions.
10.2 Risk management policy
157 The undertaking is free to summarise the written policy for risk management in one document.
158 At a minimum, the written policy on risk management must cover the business processes involving material risks.
159 Aside from defining the responsibilities as well as the status and powers of the IRMF, the written risk management policy must also state the status and powers of the other key functions, provided that these exercise responsibilities within the risk management system. The written risk management policy may refer to any of these responsibilities and powers of the other key functions that are stated in other written policies.
160 The written risk management policy will include specifications on the undertaking's individual stress tests. In this context, the undertakings will state the business units to be included, the reference dates and/or triggers, the processes, assumptions and possible methods. The process for handling any exceeding of the limit determined must also be set out.
10.2.1 Risk management policy for operational risk
161 Operational risks within the scope of risk management include, inter alia, IT risks, irrespective of whether these result from the IT organisational structure, the IT systems or the IT processes.
162 Operational risks within the scope of risk management also include legal risks.
163 Risks of legal changes, at least those linked to transactions concluded in the past, must be appropriately considered based on risk aspects. Risks of legal changes involve risks that arise based on a change to the legal environment, including to the regulatory requirements.
164 An analysis of the operational risks must also be carried out before products, processes and systems are implemented or are subject to a significant change. The results of this analysis must be included in the decision-making process.
165 Undertakings must implement a suitable process in order to identify and monitor potential operational risks that at a minimum records and evaluates the internal loss events. Appropriate thresholds must be determined for this purpose. The process steps required must be documented appropriately.
166 Undertakings must also take into account known external loss events when identifying potential operational risks.
167 The undertakings will review whether to introduce key risk indicators or key performance indicators as part of an early warning system.
168 Material loss events resulting from operational risks must be reported both to the management board and the IRMF without delay and analysed in relation to their causes. The loss events that are covered by this shall be determined individually for each undertaking. The full management board will decide whether additional measures need to be implemented in the event of material loss events and which measures these are. Implementation of the measures must be monitored.
10.2.2 Asset-liability management policy
169 The risk management system comprises an effective asset-liability management (ALM) that analogously is defined as the coordinated management of the risk from variations of the economic value of assets and liabilities. In addition to this economic perspective, undertakings also take into account the balance sheet perspective on book values in accordance with the individual undertaking's ALM objectives.
170 The coordinated management stated above does not necessarily mean that assets and liabilities need to be matched with respect to the risk factors examined. On the contrary, an undertaking can deliberately permit mismatches that are in line with its risk strategy and the related limits.
171 An effective ALM process must be established as part of ALM. The ALM process must be clearly regulated and must be appropriate for the purposes of monitoring and managing the undertaking's asset and liability positions in order to ensure that the assets are appropriate in terms of the undertaking’s liabilities and risk profile.
172 The following must generally be taken into account with regard to the ALM process.
a) The objectives of the ALM must be consistently derived from the specifications of the risk strategy. The objectives of the ALM must be clearly defined. Different importance can be attached to the ALM depending on the line of business operated due to the different insurance obligations. Undertaking-specific target and control parameters must be determined in order to operationalise the objectives of ALM.
b) All material risks that may arise from an undertaking's assets and liabilities must be identified and recorded as part of the ALM along with the causes and interdependencies for these. Risks arising from embedded options or guarantees must also be considered.
c) It is not sufficient for the risks merely to be estimated based on past data or experience. Rather, a forward-looking analysis must be performed, which includes assumptions on the development of the environment and the undertaking. A suitable observation period must be selected for this. Both short and longer-term considerations are generally required. Longer-term projections are necessary in order to reflect the effects of creeping developments.
d) The risk analysis must quantify the degree of risk exposure using appropriate ALM methods. In this context, the effects of alternative investment portfolios as well as risk-policy instruments on the target parameters must also be examined. The objectives set for the ALM must be reflected in the methods employed.
e) The risk analysis must include, inter alia, sensitivity analyses of the investment portfolio in relation to a series of capital market scenarios and investment conditions (in particular changes in interest rates, stock and real estate markets and currencies in relation to various time horizons) as well as the impact on coverage of the technical provisions.
f) The assumptions made within the scope of ALM must be based on a plausible selection. These assumptions, as well as the methodology, must be reviewed on a regular basis and adjusted as necessary.
g) The results of the ALM analysis must set out concrete alternatives for action and include corresponding recommendations to the responsible management board members. There are different options for risk management with this, e.g. hedging of the risks identified, asset reallocation and the determination of internal limits or the use of derivatives, along with adjustments to the profit participation or products.
h) The decision on the measures to be applied lies with the responsible members of the management board. Decisions that deviate from the results of the analysis must be justified and verifiably documented. The management rules implemented in the model must be checked and adapted as necessary.
i) At a minimum, target/actual analyses must be carried out between the target specifications and the results actually achieved in order to check and verify the implementation of the measures. This includes analysing the reasons for any variances. The effect of the risk-policy measures must also be reviewed. The measures taken must be corrected as necessary. The findings from these checks must be incorporated into the subsequent planning phase.
j) The handling of the ALM process, the setting of objectives, the assumptions made as part of the analysis, the methods and management rules applied and the results and measures decided must be verifiably documented.
k) Undertakings must perform the ALM process and carry out an ALM analysis at regular intervals (generally once a year) so that the strategic investment policy can be verified and the impact of any changes to the framework conditions or strategic decisions can be appropriately evaluated and analysed.
l) The information and findings generated through the ALM must be forwarded through appropriate reporting to those business units that are involved in the individual process steps (including the IRMF).
m) The ALM process must be embedded within the organisation. This includes linkage points with the business units that are responsible for the insurance obligations, as well as the units charged with investments and other units involved in ALM as applicable. The competences and functions within the ALM process must be clearly defined and regulated, as well as communicated within the undertaking and verifiably documented.
173 ALM may be outsourced to third parties. The general requirements in accordance with Chapter 13 apply in this regard.
10.2.3 Investment risk management policy
174 The investment risk management policy must include the information required for handling the operational side of investments.
175 The investment risk management policy must include both the guarantee assets (Sicherungsvermögen) and the entire assets, and must at a minimum set out the points listed in guideline 25 of the EIOPA Guidelines on the System of Governance. References may be made to special documentation.
176 The information on the level of security, quality, liquidity, profitability and availability in relation to the entire asset portfolio requires a description of the individual undertaking's grading system. This must also cover the interdependencies of the individual characteristics stated in this margin number and aggregation of the portfolio.
177 Internal quantitative limits must be set for each type of investment and exposures in which the undertaking has invested or intends to invest, and compliance with these must ensure the level of security, quality, liquidity, profitability and availability sought. The definition and, if necessary, any aggregation of a type of investment must be individual to the relevant undertaking. The risk management will evaluate whether the quantitative limits are appropriate with respect to the obligations. Stress tests must be carried out regularly for this purpose. The procedure to be followed in the event that one or more limits are violated must be outlined in the investment risk management policy.
178 The investment risk management policy must include an appropriate escalation process which stipulates, inter alia, that violations of limits must be documented promptly along with details of the measures implemented, with the effectiveness of the measures also being evaluated. The process must also include details on the procedure for a repeat violation of the limits.
179 There must also be a stipulation that the risk management system monitors compliance with the internal quantitative limits. These limits must also be set out for items not on the balance sheet and focus on a number of different factors (e.g. counterparty, geographical region, industry, etc.).
180 The process for identifying, assessing, monitoring and controlling investment risks must be based on the risk profile using appropriate and recognised methods. With due regard to the freedom to select the methods, evidence must be provided upon request of an understanding of the methods applied on the part of the responsible member of the management board through to the responsible management levels below the management board and staff members at the operational level. Only a very general understanding of the essential methods is required on the part of the management board to enable it to reactappropriately to the results, while the relevant individuals at the operational level must be proficient in all of the methods used.
181 The review processes required for the investment risk and documentation of these must be set out in the investment risk management policy. A description is required here of how it is ensured that investment decisions are in all cases taken with due regard to the investment principles and procedures approved by the management board. In addition, a description is required of how it is ensured that the review is appropriate to the risk profile. This should include, inter alia, risks from the following areas:
- coordination between the front and back office;
- compliance with (trading) limits and certificates of authorisation;
- agreements with transaction partners;
- prompt documentation of transactions and
- reviews of rates and prices (review of consistency with market conditions).
182 The investment risk management policy must also take into account the financial market environment. The financial market environment includes all relevant factors outside the control of the undertaking that have an impact on the value, return and security of investments which the undertaking holds or intends to acquire.
183 The undertaking shall also describe the conditions in the investment risk management policy under which assets are provided or may be accepted as collateral. This must take into account the extent to which securities tendered meet the requirements of the internal investment schedule. This affects repo transactions, securities lending, collateral transactions and other hedging transactions. The extent to which the business practices described comply with section 15 of the VAG must also be documented.
184 The description of the correlation between the market risk and other risks (including the credit risks, concentration risks, liquidity risks, operational risks and underwriting risks) as part of a stress test requires the definition of the material scenarios considered adverse by the undertaking.
185 Together with the description of the procedure for the appropriate assessment and review of investments, specification is required of the frequency of the review of the adequacy of the insurance portfolio and of the criteria on which the appropriateness test is carried out.
186 The risk management policy must include a description of the procedures for monitoring the performance of investments and the revision of the policy. For the purposes of the investment, it must also include a description of what is understood as being in the best interest of the policyholders and beneficiaries. This applies in particular to unit-linked insurance business.
187 The existing investment policy can be merged into the new policy.
10.2.4 Liquidity risk management policy
188 The special requirements for liquidity risk management with capital redemption operations must be observed for the purposes of managing the liquidity risk (see section 7 no. 19 of the VAG).
189 The expected payments received and made by the relevant reference dates are one of the factors that must be ascertained within the scope of liquidity risk management. These cash flows result in particular from investment activities, the direct insurance business and the ceded and assumed reinsurance business. The cash flows must generally be recorded before offsetting (gross statement) so that the sources of the relevant payments can be identified. The expected payments received and made must be compared with each other (analysis of potential liquidity gaps). Any imbalance between cash in- and out-flows is the difference between the expected payments received and made as at the relevant reference dates (liquidity surplus or liquidity deficit). The ratio of the payments received expected by the relevant reference dates including the realisable liquid assets (liquidity sources) to the payments made expected in this period (liquidity needs) is the relevant liquidity coverage ratio. Both the liquidity surplus or deficit and the liquidity coverage ratio must be ascertained.
190 The liquidity risk management must also include unit-linked insurance.
191 Liquidity stress tests must also be performed in order to be able to determine an appropriate liquidity buffer. These must take into account adverse events related to both the assets and the liabilities.
192 The liquidity risk management must also take into account the liquidity level. The liquidity level states the quota share of liquid assets available within a certain period (maturity band) as a share of the overall investments. In this context, it is useful to provide corresponding liquidity indicators for all assets (as a classification characteristic) in accordance with their level of convertibility into cash.
193 The requirement under guideline 26 (d) of the EIOPA Guidelines on the System of Governance to identify alternative financial tools and their costs (in accordance at least with their type, e.g. overdraft interest, brokerage, costs of the issue, costs of legal advice) in the risk management policy applies without exception, i.e. not just when a liquidity stress has occurred.
194 The prohibition against borrowing funds in accordance with section 15 (1) of the VAG must be observed when determining alternative financial tools.
195 If liquidity surpluses are supposed to be transferred, either in current or in stressed situations between undertakings belonging to the same group whether horizontally or vertically, the groups must ascertain and account for the legal and economic restrictions in this regard beforehand as part of their liquidity analysis.
10.3 Undertaking-specific stress tests
196 Undertaking-specific stress tests are an integral part of an appropriate early warning system in the risk management system. They examine the undertaking's resilience in the face of adverse events or scenarios. Undertaking-specific stress tests may involve sensitivity analyses, scenario analyses and reserve stress testing.
197 The undertakings must carry out undertaking-specific stress tests as part of the ORSA in accordance with section 27 (3) sentence 2 of the VAG. Such stress tests must also be performed in other risk management areas in accordance with Article 259(3) of the DR if appropriate. The guidance notes on undertaking-specific stress tests within the scope of ALM as well as in relation to the investment and liquidity risks (see 10.2.2, 10.2.3 and 10.2.4) remain unaffected by this. The type, scope and frequency of the undertaking-specific stress tests must be appropriate to the risk profile. They must cover at a minimum the essential drivers for the material risks. Standardised stress tests specified externally, e.g. EIOPA stress tests, are not generally suitable as undertaking-specific stress tests.
198 The undertaking-specific stress tests must take into account the essential risk concentrations and diversification effects between the risks.
199 The undertaking-specific stress tests reflect events or scenarios with different degrees of severity. Appropriate historical and hypothetical events or scenarios form the basis for these stress tests. The undertakings also assume in particular extraordinary yet plausible events or scenarios that could endanger the undertaking's risk-bearing capacity.
200 The adequacy of the undertaking-specific stress tests including the underlying assumptions must be reviewed regularly.
201 Implementation of each stress test application must be documented appropriately. The assumptions, evaluations of the results and measures implemented must be stated at a minimum.
202 The management board must take appropriate account of the results of the undertaking-specific stress tests in its decisions.
11 System of governance requirements in relation to own funds
203 Undertakings must ensure that they have at all times sufficient eligible own funds to cover at least the solvency capital requirement (SCR) and minimum capital requirement (MCR). Continuous monitoring of the coverage and monitoring of the movements in the SCR/MCR along with proactive management of the own funds are required in order to ensure this. The extent to which monitoring of the changes to the regulatory capital requirements needs to take place in order to be appropriate and the extent to which proactive measures are required in order to ensure that sufficient amounts of eligible own funds are available at all times depend on the undertaking's own specific circumstances, such as fluctuations in the levels of the SCR and MCR and the own funds situation.
204 Given the fluctuations in the regulatory capital requirements in a system for economic valuation of assets and liabilities, ensuring continuous compliance with the regulatory capital requirements is only possible if undertakings have sufficient own funds that enable them to avoid short-term shortfalls, including in the event of sudden changes to the assets or liabilities. The extent to which undertakings require additional own funds to be able to absorb potential fluctuations at any time, taking into account their current SCR, depends on their risk profile and must therefore be determined by the undertakings individually.
205 Undertakings must develop procedures, establish processes and prepare plans aimed at managing their own funds situation and at ensuring that they have eligible own funds to the required extent and of the required quality at all times. The competences, procedures and intentions related to handling own funds must be set out in writing.
206 In addition, the calculation of the own funds, including their classification, the result of the application of the eligibility limits and the treatment of holdings must also be documented with justifications provided in each case.
11.2 Classification of own funds
207 The undertakings must ensure that all own-fund items comply with the requirements of the tier into which they are to be classified. This applies to both the time of the issue/entry or initial classification as own funds and any subsequent period. Undertakings must therefore ensure that the own-fund items are structured appropriately in line with the requirements and refrain from any actions that could prevent the desired classification. "Encumbrances" within the meaning of section 91 (4) no. 3 of the VAG that conflict with the ability of the items to count as own funds and that, therefore, must be subject to careful consideration could arise, for instance, from other agreements or transactions or as a result of (changes to) the group structure.
208 The procedures used to ensure and monitor that own-fund items meet the requirements for the desired/needed classification at all times must be outlined in the capital management policy.
11.3 Eligibility limits
209 In order to ensure that the applicable eligibility limits do not result in insufficient coverage, undertakings must not only be aware of and document the current reduction in available own funds with regard to eligible own funds, but also include the impact of any potential losses on account of the eligibility limits on the eligible own funds into their capital management considerations. The amount of eligible own funds may be reduced by an amount that is higher than the amount of the loss that has been incurred. Even if an undertaking has a certain amount of available own funds that are not eligible own funds, the medium-term capital management plan must therefore include, where applicable, information on how the eligible own funds of the required tier are to be regenerated.
11.4 Capital management policy
210 Undertakings must have a capital management policy for the purposes of actively managing their own funds. A capital management policy is a written policy within the meaning of section 23 (3) of the VAG, and as such is subject to all of the requirements imposed on written policies. It is used to regulate procedures and set out the associated competences in order to ensure that the undertaking's own-fund items meet the requirements for their classification at all times and that new own-fund items of the required tier are procured in good time as necessary. The minimum content of the capital management policy arises from guideline 36 of the EIOPA Guidelines on the System of Governance.
211 The level of detail in the capital management policy, as well as the methods and resources used for its implementation and observance, must be appropriate with respect to the nature, scale and complexity of the undertaking's risks. The capital management policy may have a less comprehensive structure in line with a less complex own funds situation.
212 The capital management policy must be enacted by the management board and reviewed at least once a year. The policy must be adjusted as required following approval from the full management board.
213 To the extent that guideline 36 (g) of the EIOPA Guidelines on the System of Governance concerns contractual terms and conditions, these primarily relate to the contractual regulations for hybrid capital. However, rules in the articles of association on the share capital or initial capital may also come under the scope of this policy. The procedure aimed at ensuring that these terms and conditions are clear and unambiguous in relation to the criteria for the applicable capital regulations must provide at a minimum that the contractual terms and conditions are subject to legal review with regard to their compliance with the applicable own funds criteria and that it is checked whether they have been formulated in a comprehensible and clear manner. This is aimed at meeting the regulatory requirements and also at regulating the individual items of the contract so clearly that future legal disputes between the parties to the contract can be avoided. This review may in particular be completed by the undertaking's own legal department or the compliance function.
214 In relation to guideline 36 (j) of the EIOPA Guidelines on the System of Governance, undertakings must deal with the fact that a distribution of dividends or interest payments have to be deferred or suspended if the capital requirements are not covered, so that the instruments can also actually be qualified as own funds. This non-payment of dividends or interest can in some cases aggravate the own funds situation. Undertakings must consider, therefore, the scenarios that could lead to further aggravation in the own funds situations due to a deferral or suspension. To the extent that undertakings take into account management rules, i.e. actions to be taken beforehand, in calculating the own funds, these must also be set out in the capital management policy together with the associated justification.
215 In terms of the own funds treatment of holdings, the capital management policy must state the process for dealing with financial and credit institutions within the meaning of Article 92 of Directive 2009/138/EC when calculating the basic own funds and how deductions should be made. The process for determining strategic holdings must also be set out.
11.5 Medium-term capital management plan
216 The capital management plan must state which own-fund items are available to the undertaking in which time frame in the various tiers, how the capital requirements are developing and what measures are planned at what time to ensure compliance with the regulatory requirements at all times. The medium-term capital management plan must be updated on a regular basis and adapted to changes in circumstances if necessary.
217 Undertakings that raise capital eligible for inclusion as own funds must prepare a medium-term capital management plan, which must be monitored by the undertaking's full management board. The medium-term capital management plan is used to ensure that the capital requirements are covered at all times. There should never be a coverage gap under any circumstances through repayments of subordinated loans. Undertakings that are exposed to future repayment obligations must therefore deal thoroughly with the issue of whether additional own funds should be raised after repayments and how any corresponding emissions can be implemented.
218 In the event of repayment obligations of hybrid capital that is eligible on account of the transitional provision in accordance with section 345 of the VAG, any reduced eligibility incurred in accordance with section 53c (3) (b) sentence 1 no. 4 of the VAG (old version) must also be respected since it is not eliminated through Solvency II and the intervention of the transitional provision. This reduced applicability applies in the event of rights of cancellation if there are no regulations in the contractual terms and conditions to the effect that cancellation is only possible with the prior consent of the supervisory authority or following replacement of the capital.
219 The aspects that must be considered at least in the medium-term capital management plan are given in guideline 32 of the Guidelines on the System of Governance.
220 The scope of the medium-term capital management plan and the methods and resources used to implement and fulfil the capital management plan must be appropriate with respect to the nature, scale and complexity of the risks to which the undertaking is exposed. The medium-term capital management plan may have a less comprehensive structure in line with a less complex own funds situation. For example, if the undertaking has not issued any hybrid capital, it is not required to make any statements on potential capital outflows. However, it must consider in all cases whether raising additional own funds on the capital market may be required within the planning horizon. This forward-looking planning, which needs to cover even potential emissions that may be required, must be taken into account by the undertaking when preparing the capital management plan.
221 "Medium-term" corresponds with the undertaking's relevant corporate planning period. Determination of the period here is also dependent on the ongoing contracts for capital instruments and corresponding cancellation options.
222 To the extent that undertakings are able to apply contractual rights of cancellation with regard to issued capital, the medium-term capital management plan must outline whether and to what extent cancellation rights ought to be applied. Various scenarios that could arise must be considered here, and the issue of whether, on the whole, a capital replacement through new issues is more beneficial and economically better for the undertaking must also be covered.
223 In the event that an application is made for ancillary own-fund items in accordance with Article 4 paragraph 2(i) of Commission Implementing Regulation 2015/499, a copy of the medium-term capital management plan must also be submitted to the supervisory authority. Statements are also required on how the requested ancillary own-fund item will contribute to the undertaking's existing capital structure and how it may enable the undertaking to cover its existing or future capital requirements. The capital management plan must take into account the additional own-fund item as well as its classification and outline why the ancillary own fund item should be raised.
11.6 Ancillary own funds
224 Undertakings that have applied for approval from the supervisory authority to include ancillary own-fund items must put a process in place which enables them to determine future changes to the total loss-absorbing capacity of the relevant own-fund items (see Article 62(1)(d) of the DR and Article 4 paragraph 8 of Commission Implementing Regulation (EU) 2015/499). This process must also include the internal escalation via the management board until the supervisory authority is notified of the changes identified and state when and how the escalation is triggered. The process must be described in the capital management policy.
225 The process for monitoring the loss-absorbing capacity must be appropriate for the purposes of identifying any changes that may affect the recoverability of the ancillary own-fund items and have an impact on the status of the relevant counterparties, i.e. the default or increased risk of a default of a counterparty. Changes to the structure of the ancillary own-fund items or their contractual terms and conditions must also be considered. If ancillary own-fund items are cancelled, expire or are partly or fully used or called up, then this must be recorded as part of the monitoring and the information must be forwarded as required.
226 Undertakings are under an obligation to implement validation processes to the extent that they have applied for approval for a method to determine the amount of an ancillary own-fund item (see Article 3 paragraph 3(d) of Implementing Regulation (EU) 2015/499). These processes must ensure that the method used continues to reflect the loss-absorbing capacity of the ancillary own-fund item in an appropriate manner. Any validations carried out must be documented.
11.7 Group aspects
227 Undertakings belonging to a group must also prepare a capital management policy at solo level and, if necessary, a medium-term capital plan. If there are capital flows between the companies belonging to the group, the ultimate parent undertaking in the group must compile such policies and prepare a medium-term capital management plan for the whole group with due consideration of the situations at solo entity level. The undertakings' capital management policies and capital management plans must be fully consistent with the group's corresponding policy and the group capital management plan and remain within the framework for these.
228 A review is required at group level regarding the extent to which eligible own funds of related undertakings are available to cover the SCR at group level. The capital management policy at group level must therefore state the process for reviewing this availability and in particular cover:
- the lack of legal and regulatory restrictions;
- the transferability and
- the fungibility of the eligible own funds of related undertakings, as well as
- the deduction of diversification benefits (with application of method 1 to calculate the group solvency);
- the classification of the own funds into the various tiers (with application of method 2 to calculate the group solvency) and
- the prohibition on reciprocal financing.
229 In accordance with Article 330(3) paragraph 2 of the DR, certain own-fund items of related undertakings, which are not considered to be effectively available, may be included in the own funds available to cover the SCR at group level if the undertaking can demonstrate to the satisfaction of the supervisory authority that this is appropriate as an exception in the specific circumstances of the group. In such cases the supervisory authority must have accepted the participating undertaking's argument before the inclusion of the own-fund items of the related undertakings into the group SCR is permissible. If the participating undertaking generally intends to include such own funds items, it must therefore provide a procedure in the capital management policy for obtaining prior recognition by the supervisory authority of the own-fund items not considered prima facie to be effectively available.
12 Internal control system
230 Undertakings must structure their internal control system in accordance with their risk profile. The internal control system must be incorporated appropriately into the organisational and operational structures and processes so that it fulfils its purpose.
231 The internal control system must also take into account any outsourced units and processes.
12.2 Internal control framework and reporting arrangements
232 Undertakings must set out the principles, procedures and measures related to the internal controls in the internal control framework. The internal control framework must be appropriate to the risk profile.
233 The nature, frequency and scope of the internal controls in particular must be based on the risks of the relevant units and processes.
234 The individuals appointed to implement the internal controls must have all of the necessary information available. Corresponding information and communication systems must be established for this.
235 The adequacy and effectiveness of the internal controls must be monitored on an ongoing basis using appropriate procedures.
236 The results of the monitoring must be reported to the full management board on a regular basis, and at least once a year. Ad-hoc reports are also required in specific situations, particularly in the event of significant deficiencies in the internal controls. The management board must ensure that the required adjustments are implemented in good time.
237 This circular uses the term outsourcing when services are outsourced to a service provider. When services are passed from one service provider to another service provider this is referred to as sub-delegation. In accordance with section 7 no. 2 of the VAG, one defining feature of outsourcing is that the outsourced process, service or activity would otherwise be provided by the undertaking itself.
238 All typical insurance functions or activities outsourced by an undertaking are subject to the specific outsourcing controls exercised by the supervisory authority. The supervisory authority's supervision of impropriety also covers all further circumstances that could be a risk to policyholders' interests. This also includes service relationships that are not typical to insurance and are therefore not subject to the outsourcing requirements. - For example: canteen operations by an external service provider are not subject to the outsourcing concept because they are not a typical insurance activity and are therefore not subject to the specific outsourcing controls exercised by the supervisory authority either. However, if there are repeated staff absences as a result of hygiene issues that thereby result in a risk to proper business operations, then this could represent an irregularity which entitles the supervisory authority to take action.
239 The criteria for the segregation of outsourcing and other service relations include the content of the relevant activity, and especially the scope and duration of this along with the frequency with which the service provider is used. The terms cannot be generally quantified and instead depend on how substantial the activity is for the relevant undertaking.
240 The more substantial or frequent a third party service or consultation is from a third party, then the more likely it is that this involves outsourcing. The thresholds applied for assuming durability or frequency must be lower the more substantial the relevant area is for the undertaking. Operational or consultative use of a service provider on a merely occasional basis is not generally considered to be outsourcing. However, repeated appointment of the same service provider or frequent use of the same service provider for the same type of activity with a framework agreement in place could be an indication of outsourcing. Conversely, sets of circumstances are also conceivable, although rare, whereby typical insurance activities are outsourced and the duration and frequency criteria for use of a service provider are also met, but the unit outsourced is of minor significance to the undertaking. Circumstances such as these could provide grounds for the assessment that no outsourcing has taken place.
241 The agreement required between the outsourcing undertaking and a service provider does not need to have a specific format, be a certain type of contract or have a particular contract name in order to qualify as an outsourcing agreement.
13.2 Permissible scope
242 Outsourcing of all key functions and functions defined as key tasks by the undertaking is possible in principle for any undertaking, with due regard to the provisions in this section.
243 The management board bears ultimate responsibility in all cases in the event of outsourcing, including cases of intra-group outsourcing and sub-delegation. Primary managerial functions including responsibility for establishing and developing the risk management system and internal control system may not be outsourced. Service providers can only provide support and advice in these areas. This also applies to intra-group outsourcing where there is a control agreement in place.
244 Outsourcing certain sub-areas of the risk management system or internal control system is conceivable following careful consideration of the risks. The duty of the management board to set out the strategic framework conditions and the organisational and operational structures for the key functions and the functions defined as key tasks by the undertaking, in turn, remains unaffected by this.
245 The responsibility of the full management board to comply with the governance regulations also requires an appropriate segregation of functions in the event of outsourcing. For the service provider and the undertaking, this also applies in relation to the organisational location of the outsourcing manager.
246 The undertaking must pay special attention to the control framework in particular if the service provider is located outside of the EEA. The undertaking must also be able to effectively control such service providers so that it can react swiftly to any breach of the provisions in the outsourcing agreement. The undertaking must ensure that the service provider's local supervisory authority or the national regulations do not, in particular, restrict access to information on the functions and insurance activities outsourced or to the service provider's business premises.
13.3 Risk analysis in the context of outsourcing
247 The risks associated with outsourcing must be identified, analysed, evaluated and managed appropriately both before and after the outsourcing. A distinction must be made between this and the risk analysis that is required before any outsourcing takes place.
248 Undertakings must first determine in an independent and risk oriented manner whether transferring an activity is covered by the definition of “outsourcing”. The additional assessment as to whether it is an important function or insurance activity that is to be outsourced is also a sub-area of the risk analysis that must take place before any outsourcing.
249 Along with the strategic reasons, economic and operational factors and quantitative and qualitative aspects, the risk aspects must also play an appropriate role in any fundamental decision in favour of or against outsourcing. The relevant risk categories are normally the strategic, operational and reputational risks. Particular attention must be paid to concentration risks if multi-client service providers are used.
250 The relevant organisational units must be involved in the preparation of the risk analysis. The level of intensity required for the risk analysis and involvement of the relevant organisational units must be decided based on proportionality aspects.
251 The results of the risk analysis must be documented. A new risk analysis is required in the event of essential changes to the risk profile due to outsourcing circumstances with a decision to be made on continuing or ending the outsourcing.
13.4 Outsourcing of important functions and insurance activities
252 A distinction must be made in the typical insurance functions or activities between important and other activities. To the extent that European legal texts refer to "critical" functions or activities in connection with outsourcing, the requirements for "important" functions or insurance activities also apply a fortiori to "critical" activities.
253 In the event that important functions or activities are partially outsourced, then the crucial issue is whether the sub-area scheduled to be outsourced is considered important in its own right.
254 The full management board must approve all outsourcing of important functions or insurance activities beforehand.
255 To the extent that requirements for outsourcing important functions or insurance activities in accordance with Article 274(2) to (5) of the DR are universal in nature, they are also transferrable and must be applied to the outsourcing of other functions and insurance activities. Examples include the requirement for the outsourcing agreement to be in written format, the incorporation of the outsourcing into risk management and the internal control system and the guarantee that no statutory regulations will be breached through the outsourcing. These standards are aimed at ensuring that proper business management is not impaired during the outsourcing.
256 Key functions and functions defined as key tasks by the undertaking are always considered to be important activities.
257 In addition, the following units are also generally considered to be important functions or to carry out important insurance activities:
- portfolio management
- claims processing
- calculation of the technical provisions in accordance with Solvency II and the German Commercial Code
- investment products and management
- electronic data processing in relation to important typical insurance activities.
The point stated under margin no. 253 also applies to cases of partial outsourcing falling under margin no. 256 and this margin no. 257.
258 In all other respects, undertakings are responsible for determining whether the relevant function or insurance activity is important and must document this. The issue of whether a function or insurance activity is important can only be assessed on a case-by-case basis.
259 The assessment regarding whether a function or insurance activity is or is not important must be reviewed and adjusted if the underlying circumstances have changed significantly.
260 The criteria and the process for categorising a function or insurance activity as important must be set out in the written outsourcing policy and adjusted for any changes in circumstances.
261 In accordance with section 47 no. 8 of the VAG, an immediate duty of notification with submission of the draft contract applies to the intention to outsource important functions or insurance activities.
262 The notification, as well as all documentation to be appended, must generally be submitted in German. The documents can also be submitted in English following consultation with the relevant BaFin division. If necessary, BaFin may request at a later point that the undertaking provide a certified translation.
263 The draft contract must also be submitted together with the signed notification.
264 The notification must state:
- the name of the service provider;
- the address of the service provider;
- a description of the scope of the outsourcing;
- the reasons for the outsourcing;
- and in the event that a key task is being outsourced, in particular one of the four key functions stipulated by statute, the name of the competent person at the service provider side.
265 If a key task is being outsourced, no documentation (e.g. CV, certificate of good conduct) needs to be submitted in relation to the competent person at the service provider side.
13.5 Outsourcing manager
266 The role of an outsourcing manager includes/involves monitoring and assessing. Without prejudice to the ultimate responsibility of the full management board for each outsourcing arrangement, the relevant outsourcing manager is responsible for the proper implementation of the outsourced functions. The outsourcing manager is a responsible person within the meaning of section 47 no. 1 of the VAG (see the Guidance Notice on the fitness and propriety of persons responsible for key functions or persons who work for a key function pursuant to the German Insurance Supervision Act.
267 The outsourcing manager must evaluate and scrutinise the service provider's performance independently and objectively. If a key function is outsourced (see 9.1.2), the reporting process to the management board of the outsourcing undertaking is as follows. The service provider submits the reports to the outsourcing manager who can add to or comment on these as part of their monitoring role before submitting them to the management board. The management board, in turn, must appropriately notify the outsourcing manager at its own initiative and in good time of all facts that may be required for them to fulfil their responsibilities.
268 There must be an outsourcing manager in all cases where key functions and responsibilities defined by the undertaking as key tasks are outsourced. If other important functions or insurance activities are outsourced, the outsourcing undertaking must check whether it is appropriate to deploy an outsourcing manager also in these cases given the ultimate responsibility of the full management board for the function or activity outsourced.
269 Assignment of the function as outsourcing manager to a person working below the management board level at another undertaking supervised by BaFin and belonging to the same group (with the exception of the firm to which the activity is outsourced) may be permitted on an exceptional basis, if this person is subject solely to the instructions of the management board of the outsourcing undertaking as far as their tasks as outsourcing manager are concerned. Moreover, measures to avoid any conflicts of interest must be taken where needed.
270 BaFin currently believes that it is acceptable for a member of the management board of the outsourcing undertaking to act at the same time as the outsourcing manager for a key function or a function defined as key tasks by the undertaking without this structure having to be justified based on proportionality considerations. However, section 23 (1) sentence 3 of the VAG is applicable, meaning that there must be a separation of functions appropriate to the undertaking's risk profile, including in relation to the responsibilities as an outsourcing manager and as a member of the management board. Article 258(1)(g) of the DR is also applicable, meaning that undertakings must ensure that the assignment of the additional task as an outsourcing manager does not or is not likely to prevent the member of the management board from carrying out all their functions in a sound, honest and objective manner, including functions at other undertakings if applicable. This requires sufficient time capacities, among other factors. It should also be noted that a significantly greater monitoring intensity is required from the outsourcing manager than from the management board. Reference is also made to the Guidance Notice on the fitness and propriety of persons responsible for key functions or persons who work for a key function pursuant to the German Insurance Supervision Act.
271 The fact that a member of the management board of the outsourcing undertaking acts at the same time as an outsourcing manager is also relevant if this manager also works for the group undertaking to which the key function or function defined as key tasks by the undertaking has been outsourced (these cases differ from those covered in margin no. 269). However, measures to avoid any conflicts of interest must be taken where needed. The outsourcing manager cannot in any case be the same as the competent person at the service provider side.
272 Whether a member of the management board or a person working below board level can, at the same time, be the outsourcing manager for multiple key functions or functions defined as key tasks by the undertaking depends on the circumstances of the individual case. The more key functions/tasks that are affected, the more precise undertakings must be in showing that the structure selected is appropriate in the relevant case. A further limit to the assignment of multiple tasks to the same individual is provided in Article 258(1)(g) of the DR (see margin no. 270).
273 The conditions stated above also apply to the outsourcing manager for the internal audit function. Article 271 of the DR is not applicable to this extent because the outsourcing manager does not exercise the internal audit function within the meaning of this provision.
13.6 Intra-group outsourcing
274 The regulations on outsourcing also apply to intra-group outsourcing. The following requirements for intra-group outsourcing apply accordingly throughout the entire affiliated group.
275 Intra-group outsourcing may not generally involve less care or less intensive monitoring. Further, intra-group outsourcing cannot be categorised automatically as not important.
276 Nevertheless, intra-group outsourcing may justify some exemptions, the characteristics of which will be based on the relevant individual case. A few examples are provided below.
277 A written agreement which sets out the rights and obligations of both parties in relation to the outsourcing may take the form, for instance, of a service level agreement, provided its contents were not addressed in formal contract negotiations, as is normally the case before a contract is concluded with an external service provider.
278 Under certain circumstances, the review of the intra-group service provider prior to the outsourcing decision may be less detailed than the review required for a service provider from outside the group. However, it must always be checked whether a conflict of interests exists.
279 Undertakings must avoid any automatic recourse to an intra-group service provider since there is the risk also with intra-group service providers that they provide highly standardised services without taking the special features of the individual undertaking appropriately into account.
280 If functions or insurance activities are outsourced within the group, there must be precise documentation regarding which legal entity has outsourced which function or insurance activity and to which service provider.
13.7 Outsourcing to insurance intermediaries
281 Although they are normally of a permanent duration, typical intermediation activities (not involving underwriting powers or authorisations related to claims adjustments) are not subject to the outsourcing requirements.
282 The transfer of underwriting powers or authorisations related to claims adjustments to insurance intermediaries always represents outsourcing of important functions or insurance activities. To this extent, undertakings have no freedom to evaluate the situation. It should be noted that insurance brokers cannot be responsible for claims adjustments in accordance with the civil case law of the German Federal Court of Justice (Bundesgerichtshof, ruling dated 14 January 2016, I ZR 107/14).
283 The statements made under 13.4 apply to the issue of whether a partial outsourcing is a significant outsourcing. If an undertaking transfers underwriting powers or authorisations related to claims adjustments to a large number of insurance intermediaries, then an assessment of the overall situation is required.
13.8 Outsourcing policy
284 A written policy is required for the entire outsourcing area. This must cover the impact of outsourcing on business operations and the procedural and quality standards to be applied to each individual undertaking in outsourcing cases, along with the reporting and monitoring obligations to be implemented from the start to the end of the outsourcing process.
285 The written policy must be consistent with the undertaking's business strategy.
286 The written policy must include a process for reviewing the relevant service providers. The following aspects of the process must be covered at a minimum in the written policy:
- the service provider's financial performance;
- the service provider's technical abilities;
- the service provider's ability to provide the services outsourced;
- the control framework;
- any conflicts of interest.
287 Undertakings must also determine whether any further aspects within the scope of the review processes should be taken into account independently in the written policy. These aspects must be adjusted to changes to the undertaking's internal or external circumstances.
288 The outsourcing policy must show how the continuity and undiminished quality of the functions and insurance activities outsourced can also be ensured in the event that the contract with the service provider is terminated.
289 The written policy must include the duty to develop emergency plans for important functions and insurance activities outsourced that deal with the problems occurring with the service provider. The policy must also describe the process and accountabilities for creating these emergency plans. The plans must specifically account for how the important functions and insurance activities outsourced can be assigned to a different service provider in an emergency situation or how they can be reincorporated into the undertaking's business operations once again.
290 The principles stated under 8.3 apply in all other respects to the written policy on outsourcing.
291 Sub-delegation is generally permitted. The conditions for this must be outlined in the written outsourcing policy. Sub-delegation of an important function or insurance activity must be approved beforehand by the full management board or at a minimum by the management board member responsible.
292 The statements on service providers apply mutatis mutandis to sub-service providers in all other respects.
14 Business continuity management
293 The business continuity management increases the resilience of units and processes in undertakings in order to guarantee that business activities continue in potential crises based on processes defined beforehand.
294 The management board is responsible for operational business continuity management. The full management board must agree on the contingency planning.
295 Contingency plans must be created for those units and processes where an unforeseeable disturbance could represent a risk to continued business activities. The units and processes outsourced must be taken into account for business continuity management purposes. The adequacy and effectiveness of the contingency plans must be ensured on a permanent basis. Regular test runs and exercises must be carried out for this purpose in accordance with the risks of the relevant unit or process.
296 The contingency scenarios underlying the contingency plans must take adequate account of the individual risk profile.
297 Both the contingency planning and the completion of a contingency plan must be incorporated appropriately into the organisational and operational structures and processes. Tasks, accountabilities, duties to inform and escalation processes must be set out and documented clearly and comprehensibly.
298 The individuals affected must be familiar with the contingency plans. Availability of the contingency plans must also be ensured in any emergency situation.