Implementation of Solvency II rules at the level of the administrative body and the compliance function: the last act

In the process of implementing the rules of Solvency II, EIOPA on 31 October 2013 published guidelines relating to the following areas: the system of governance; prospective assessment of risks (based on ORSA principles); the transmission of information to the competent national supervisory authorities (reporting); the preliminary procedure for internal models (pre-application) to enable each company to calculate the solvency capital requirement.

These guidelines have been issued under art. 16 of EU Regulation no. 1094/2010 (the “EIOPA Regulation”) and are addressed to the supervisory authorities of the various countries. They anticipate parts of the future Solvency II prudential supervisory regime.

These guidelines are aimed (inter alia) at:

  1. ensuring that insurance and reinsurance undertakings that will be subject to the Solvency II regime prepare in good time for their initial application (envisaged for 1 January 2016) and
  2. ensuring that the approach to the new Solvency II regime is harmonized in the various Member States.

The guidelines take into account the principle of proportionality referred to in the Solvency II Directive (2009/138/EU) and require account to be taken, when applying them, of the nature, scale and complexity of the risks related to the company/group activity.

Based on the aforementioned guidelines, by way of its bill (the “Provvedimento”) no. 17 of 15 April 2014, IVASS (“Italian Insurance Supervisory Authority”) approved (a) amendments and integrations to ISVAP Regulation no. 20/2008 (relating to internal controls, risk management, compliance and outsourcing of the activities of insurance undertakings), and (b) amendments and integrations to ISVAP Regulation no. 36/2011.

While some provisions were immediately effective and the large majority of the remaining ones entered into force on 30 June 2014, the last three articles of the Provvedimento will become effective by the end of this year.

Art. 4, art. 16, and art. 24 supplement art. 5, art. 19-bis, par. 5, and art. 27, par. 5, of Regulation no. 20 of 26 March 2008.

The amendment of article 5 of Regulation no. 20 (Administrative Body) is particularly significant.

The new provision is designed to ensure growing awareness and participation by the administrative body in the decision-making process and to strengthen the risk management system on a forward-looking basis, guaranteeing the protection of assets even in a medium and long-term perspective.

More specifically, in preparation for the deadline of 31 December 2014, the Board of Directors shall, inter alia:

  1. review the undertaking’s organizational set-up, including the assignment of tasks and responsibilities to its operational units;
  2. revise the directives relating to the system of internal controls to include also the policy on the risk management, compliance and internal audit functions, verifying that the system of internal controls is consistent with the established strategic policy and risk appetite, and that it is able to capture the evolution of corporate risks and the interaction between them;
  3. approve the policy for the current and forward-looking assessment of risks, establish the undertaking’s risk appetite and approve the risk management policy and strategies;
  4. approve, on account of the strategic objectives and consistently with the risk management policy, the policies on underwriting, reserving, reinsurance and other risk mitigation techniques, as well as on operational risk management;
  5. approve the corporate policy on the assessment of requirements of suitability for office, in terms of professional integrity and professionalism not only for the members of corporate bodies but also for those in charge of the internal audit, risk management and compliance departments, or for those who hold “key positions” in the management of the company;
  6. approve the reporting policy for IVASS.

In summary, the Board of Directors shall therefore be asked to approve further management policies in addition to those already envisaged in relation to outsourcing and investment.

Also, in order to ensure the transparency of the undertaking’s management and a clear definition of roles and responsibilities within the undertaking, provision was made for the approval and dissemination to all interested parties of a document in which the administrative body describes the duties and responsibilities of the corporate bodies, the board committees and the risk management, compliance and internal audit departments, as well as the information flows between the aforementioned bodies.

The Head of the compliance function is also affected by the changes to Regulation no. 20.

By the year end, the new regulatory framework will burden the Head of compliance with the duty to submit to the administrative body, at least yearly, a scheme of operations illustrating the actions he/she intends to take in relation to the risk of non-compliance with regulations. The scheme of actions shall also take account of any deficiencies found during the previous assessments and of any new risks.

Also, in the new regime he/she shall draft a report, at least once a year, for the administrative body on the adequacy and effectiveness of the safeguards adopted by the undertaking for the protection against the risk of non-compliance with regulations, on the activity performed, the assessments made, the results and the critical situations found, and illustrating the status of implementation of the relevant improvement actions, if taken.