Organisational structure and internal control system

Regulatory framework

Solvency II Law: Article 42, § 1, 2° (administrative and accounting procedures and internal control) and 10° (reporting system), Article 61 (central administration), Article 76 (record-keeping) and Article 199 (periodic provision of information and accounting rules)
Delegated Regulation 2015/35: Article 258(1)(b) (organisational structure), (k) (reporting lines), (f) (procedures) and (g) (assignment of tasks)
Underlying thematic NBB Circulars: the ‘internal control’ section of Regulation of 19 May 2015 and Circular NBB_2015_21 on the internal audit function
EIOPA Guidelines: Guidelines 2, 5, 38 and 39

The requirement for insurance companies to have sound and appropriate structures for the organisation of the business to ensure effective and prudent management is further explained in the various provisions of the Solvency II Law and Delegated Regulation 2015/35. Insurance companies are also expected to comply with the following aspects specific to the insurance sector.

4.1. Organisational and operational structure

The insurance company shall have an organisational and operational structure focused on supporting its strategic goals and activity. Whenever there are any changes to the company’s strategic goals or activity or in the business climate relevant to the company, such structures may be adjusted to these changes within a reasonable period of time.

4.1.1. Allocation and segregation of tasks and responsibilities

The insurance company shall ensure that the tasks and responsibilities are allocated, segregated and coordinated based on its policy, and that these are reflected in the descriptions of tasks and responsibilities. The company shall ensure that all important tasks are covered, that unnecessary overlaps are avoided and that the reporting lines are clearly defined (in particular in an organisation chart). Effective cooperation between staff is promoted.

4.1.2. Administrative and accounting procedures and financial reporting

The insurance company shall have appropriate administrative and accounting procedures and internal control, especially including a control system that provides a reasonable level of assurance of the reliability of the financial reporting process. Under the supervision of the board of directors, the management committee shall take the necessary measures to provide the company with reliable financial and prudential reporting. This financial reporting system should enable the company to meet the requests for information made by the Bank, pursuant to Articles 201 and 312 of the Solvency II Law in particular.

4.1.3. Policies, procedures and implementation processes

The insurance company should establish a series of policies, procedures and implementation processes that are efficient and proportionate to the risk.

The policies shall include the fundamental principles to be adhered to in the context of the insurance company’s activities. These principles shall then be translated in detail into procedures and implementation processes (such as IT tools).

The company shall align all of the policies required under the governance system[1] with each other and with the company strategy. Each policy shall clearly specify at least:

the objectives sought;
the tasks that must be carried out and the person or function responsible;
the reporting processes and procedures that must be applied;
the obligation of the relevant organisational units to inform the risk management function, the compliance function, the internal audit function and the actuarial function of all relevant facts necessary for the performance of their tasks.

From a prudential point of view, the Bank expects companies to establish the following policies and be able to submit them to the Bank at the first request of its services.

Policies that must be provided to the Bank at first request	Legal basis for the development of the policies
Risk management policies
Risk appetite policy	Article 259 of Delegated Regulation 2015/35
General risk management policy	Article 259 of Delegated Regulation 2015/35
Policy relating to the management of the underwriting risk and reserve risk	Article 260 of Delegated Regulation 2015/35
Asset-liability management (or ALM) policy;	Article 260 of Delegated Regulation 2015/35
Investment risk management policy	Article 260 of Delegated Regulation 2015/35
Liquidity risk management policy	Article 260 of Delegated Regulation 2015/35
Concentration risk management policy	Article 260 of Delegated Regulation 2015/35
Operational risk management policy	Article 260 of Delegated Regulation 2015/35
Reinsurance policy	Article 260 of Delegated Regulation 2015/35
Mortgage lending policy (where applicable)	Article 261 of Delegated Regulation 2015/35
Asset and liability valuation policy	Article 267(2) of Delegated Regulation 2015/35
Profit-sharing policy	Article 59, § 1, 10° of the Solvency II Law
ORSA policy	Article 91, § 2 of the Solvency II Law
Capital management policy	Article 262 of Delegated Regulation 2015/35
Policy on reporting to the NBB	Article 77, § 7 of the Solvency II Law

Policies on governance sensu stricto
Fit & Proper policy	Article 273 of Delegated Regulation 2015/35
Remuneration policy	Article 42, § 1, 6° of the Solvency II Law and Article 275 of Delegated Regulation 2015/35
Internal rules on external functions	Article 83, § 3 of the Solvency II Law
Outsourcing policy	Article 274 of Delegated Regulation 2015/35
Continuity policy	Article 258(3) of Delegated Regulation 2015/35
Integrity policy covering at least the following subjects: (i) Company goals and values, (ii) Prevention of money laundering and terrorist financing, (iii) Whistleblowing and (iv) Conflicts of interest	Articles 42, § 1, 5°, 8°, and 44 of the Solvency II Law and Article 258(5) of Delegated Regulation 2015/35

Independent control function charters/policies
Risk management charter/policy	Article 54, § 1, second paragraph of the Solvency II Law
Actuarial function charter/policy	Article 54, § 1, second paragraph of the Solvency II Law
Internal audit charter/policy	Article 54, § 1, second paragraph of the Solvency II Law
Compliance charter/policy	Article 54, § 1, second paragraph of the Solvency II Law

[1] ‘Policies required’ should be understood to mean all policies that must be drawn up pursuant to the Solvency II Law, irrespective of whether they relate to aspects of risk management (e.g. general risk management policy and policies regarding the management of underwriting risk and reserve risk, asset-liability management, investment risk, liquidity risk, concentration risk, operational risk, reinsurance, mortgage lending, valuation of assets and liabilities and ORSA) or to aspects of governance sensu stricto (e.g. the Fit & Proper policy, the outsourcing policy, the remuneration policy, internal rules on external functions, integrity policy, rules on whistleblowing, continuity, management of conflicts of interest).

4.2. Internal control system

4.2.1. Internal control environment

The company shall emphasise the importance of the exercise of adequate internal controls by ensuring that all staff are aware of their role within the internal control system. The control activity must be aligned with the risks that arise from the activity and processes to be controlled.

4.2.2. Monitoring and reporting

There are monitoring and reporting mechanisms incorporated within the internal control system, which provide the board of directors and management committee with all relevant information for the decision-making process.

4.2.3. Internal control mechanisms

The company shall implement an internal control system covering all its activities. This system shall be comprised of periodic and ongoing control mechanisms for all employees of the company.

4.3. Central administration in Belgium

The Solvency II Law states as a condition for authorisation that the insurance companies governed by Belgian law must have their central administration in Belgium, i.e. in the same Member State as their registered office. This legal requirement arises from Directive 95/26/EC of 29 June 1995, also referred to as the “post-BCCI Directive”.

The term ‘central administration’ must be interpreted within the meaning of Article 48 of the EC Treaty and therefore relates to the term ‘principal place of business’, or the place where the principal decisions of the company are taken and where the company’s business is actually conducted. This relates to the administrative head office and not the main headquarters. ‘Central administration’ must therefore be understood to mean the place from which the company is managed and where its management bodies meet.

It is established that the means used at present for remote decision-making render it difficult to delimit the term ‘central administration’. To be able to conclude that the “nerve centre” for conducting the business of a company with a cross-border organisation is in Belgium and that the company in question therefore complies with the legal requirement to have its central administration in Belgium, it is recommended at least that:

all persons responsible for independent control functions be included in the staff register (payroll) of the insurance company governed by Belgian law;
the majority of meetings of the board of directors and the management committee take place on Belgian territory and
the members of the management committee are sufficiently present in Belgium.

4.4. Record-keeping

The Solvency II Law (Article 76) stipulates that insurance companies should keep documents relating to their activities at their registered office. Taking into account recent technological developments and the fact that information on insurance and reinsurance activities will from now on be very regularly stored in data centres or on equivalent secure computer storage media (such as clouds), the Bank – after consultation with the FSMA – considers that such a system could be deemed equivalent to storage at the registered office if it meets the following four conditions:

the insurance companies have permanent access to the documents stored at the data centres or on the secure equivalent computer storage media;
the insurance companies are able to fulfil requests for information from the Belgian supervisory or legal authorities completely, adequately and quickly – in principle within two working days after the request is made;
the insurance companies maintain control over important decisions regarding the data centres or equivalent secure computer storage media; maintaining control over important decisions implies that the insurance companies should receive prior notification of important changes and, if they do not accept these changes, they should have the ability to terminate the contract and transfer the information to another system before those changes are implemented;
the data centres or equivalent secure computer storage media used guarantee the confidentiality, integrity and availability of the information transmitted and meet
1. the requirements of the Bank relating to the security of the IT system (cf. Circular NBB_2015_32 for systemically important institutions);
2. the requirements of the Bank relating to the continuity of the IT system (cf. Circular NBB_2015_32 for systemically important institutions);
3. where appropriate, the requirements of the Bank relating to outsourcing.

If information is stored (completely or in part) on paper, the following conditions apply:

The two parties should enter into an agreement to regulate the record-keeping and the related rights and obligations;
Documents pertaining to a single business portfolio should be kept at the same place while ensuring that all protection measures necessary have been taken (e.g. fireproof storage);
The storage space(s) should be accessible to both the FSMA and the NBB;
If not all documents are stored on computer storage media, the storage space(s) should be situated in Belgium; and
The security and continuity measures should be reviewed periodically.