Answer ... When the Solvency II Directive was transposed, common governance rules were adopted for the three insurance families.
Thus, a person may not manage an insurance undertaking, be a member of a collegiate supervisory body, have the power to sign on behalf of an insurance undertaking or body or be responsible for a key function if he or she has been convicted within the previous 10 years of certain offences, such as money laundering, tax fraud, personal bankruptcy or bankruptcy, including by a foreign court (Article L322-2 of the Insurance Code; Article L114-21 of the Mutual Insurance Code; Article L931-9 of the Social Security Code).
Operational managers and heads of key functions are subject to competence requirements: they must be of good repute, competent and experienced in their functions. Similarly, the members of the board of directors or the supervisory board must be of good repute, competent and experienced. The ACPR assesses their competence by taking into account their training and experience in a manner commensurate with their duties, as well as the competence, experience and duties of the other members of the body to which they belong (Article L322-2 of the Insurance Code).
The ACPR ensures that such persons collectively have the necessary knowledge and experience of:
- the insurance and financial markets;
- the company’s:
  - strategy and business model;
  - system of governance; and
  - financial and actuarial analysis; and
- the legislative and regulatory requirements applicable to the insurance undertaking, appropriate to the exercise of the responsibilities assigned to the board of directors or the supervisory board (Article R322-11-6 of the Insurance Code; Article R114-9 of the Mutual Insurance Code; Article R931-3-10-1 of the Social Security Code).
This competence requirement is also assessed in accordance with Article 258 of Commission Delegated Regulation (EU) 2015/35 of 10 October 2014, as amended by Delegated Regulation (EU) 2019/981 of 8 March 2019 (Article R322-167 of the Insurance Code).
Managers of Solvency II companies are subject to enhanced requirements. According to the ‘four eyes’ principle, their effective management must be ensured by at least two persons. The heads of key functions report to the managing director or the executive board, and may inform them directly and on their own initiative of any event that occurs. The managing director or the executive board must interview them whenever this is considered necessary, and at least annually. The appointment and renewal of these persons are notified to the ACPR (Article L322-3-2 of the Insurance Code; Article L211-13 of the Mutual Insurance Code; Article L931-7-1 of the Social Security Code).
Rules applicable to companies concerned by Solvency II:
The governance system to be put in place should ensure sound and prudent management of the business and be subject to regular internal review. It should be based on a clear separation of responsibilities and include an effective reporting system. It should be proportionate to the nature, scale and complexity of the undertaking’s operations.
Companies should develop and implement written policies on:
- risk management;
- internal control;
- internal audit; and
- where appropriate, outsourcing.
To ensure the continuity and regularity of their activities, they should:
- draw up contingency plans; and
- implement appropriate and proportionate systems, resources and procedures (Article L354-1 of the Insurance Code).
The undertaking must specify whether these written policies are the responsibility of the board of directors or the managing director or, where applicable, the supervisory board or the executive board. These policies should be reviewed at least once a year and adapted to take account of any significant changes. They are subject to the prior approval of the board of directors or the supervisory board, as the case may be (Article R354-1 of the Insurance Code).
The governance system includes the following key functions:
- the risk management function;
- the compliance function;
- the internal audit function; and
- the actuarial function (Article L354-1 of the Insurance Code).
The company’s internal control system includes at least:
- administrative and accounting procedures;
- an internal control framework;
- appropriate reporting arrangements at all levels of the company; and
- a compliance function (Article R354-4 of the Insurance Code).
The purpose of the compliance function is to advise the managing director or the executive board, as well as the board of directors or the supervisory board, on all matters relating to compliance with the laws, regulations and administrative provisions governing access to and the conduct of insurance and reinsurance activities. It assesses the possible impact of any change in the legal environment on the company's operations and identifies and assesses compliance risk (Article R354-4-1 of the Insurance Code).
The internal audit function, exercised objectively and independently of the operational functions, assesses the adequacy and effectiveness of the internal control system and other elements of the governance system. Its findings, recommendations and proposals are communicated to the board of directors or the supervisory board by the managing director or the executive board. The latter ensures that these actions are carried out and reports to the board of directors or the supervisory board (Article R354-5 of the Insurance Code).
The purposes of the actuarial function are as follows:
- to coordinate the calculation of prudential technical provisions;
- to ensure the appropriateness of the methodologies, underlying models and assumptions used to calculate prudential technical provisions;
- to assess the adequacy and quality of the data used in the calculation of these provisions;
- to supervise this calculation; and
- to compare the best estimates with empirical observations (Article R354-6 of the Insurance Code).
The risk management function facilitates the implementation of the risk management system (Article R354-2-3 of the Insurance Code). Undertakings must set up a risk management system based on an internal assessment of risks and solvency (Article L354-2 of the Insurance Code). This assessment is an integral part of the company’s business strategy. It is carried out once a year and in the event of significant changes to its risk profile. The conclusions of these assessments are communicated to the ACPR (Article R354-3-4 of the Insurance Code).
The risk management system includes the strategies, processes and information procedures necessary to identify, measure, monitor, manage and report, on an ongoing basis, on:
- the risks – at both the individual and aggregate levels – to which undertakings are or could be exposed; and
- the interdependencies between these risks.
It is integrated into the organisational structure and decision-making procedures and is carried out by the persons who effectively direct the undertaking or who are responsible for its key functions (Article R354-2 of the Insurance Code).
When outsourcing functions or activities, companies retain full responsibility for meeting their obligations. Such outsourcing must not:
- involve important or critical activities or functions;
- seriously compromise the quality of their governance system;
- unduly increase operational risk;
- compromise the ACPR’s ability to verify compliance with their obligations; or
- adversely affect the quality of the services due to policyholders.
Companies must inform the ACPR of their intention to outsource significant or critical activities or functions, as well as of any subsequent significant developments. They must ensure that:
- they cooperate with the ACPR; and
- the persons responsible for auditing the accounts and the ACPR have access to the data relating to outsourced functions or activities (Article L354-3 of the Insurance Code).
Important or critical operational activities or functions are considered to be:
- key functions; and
- those functions whose interruption is likely:
  - to have a significant impact on the business of the undertaking or on its ability to manage risks effectively; and
  - to call into question the conditions of its authorisation.
This impact is assessed in light of the following factors:
- the costs of the outsourced activity;
- the financial, operational and reputational impact on the company of the provider’s inability to provide the service within the required timeframe;
- the difficulty of finding another provider or taking over the activity directly;
- the company’s ability to meet regulatory requirements in the event of problems with the provider; and
- the potential losses to policyholders, subscribers or beneficiaries of contracts in the event of the provider’s failure.
In a report dated 15 July 2020, the ACPR recalls that reporting insurance undertakings must inform it of:
- their intention to outsource ‘important’ or ‘critical’ activities or functions; and
- any subsequent significant change in these functions or activities.
This is done by means of a notification form submitted no later than six weeks before the outsourcing takes effect (ACPR report, Implementation of the new governance rules in the insurance sector: assessment and prospects, 15 July 2020).