Independent control functions (Risk management, Compliance, Actuarial function and Internal Audit)

Regulatory framework

  1. Solvency II Law: Article 42, § 1, 4°, Articles 54 to 59 (organisation of control functions), Article 82 (Fit & Proper)
  2. Delegated Regulation 2015/35: Articles 268 (general provisions), 269 (risk management), 270 (compliance), 271 (internal audit) and 272 (actuarial function)
  3. Underlying thematic NBB Circulars:
    • Circular NBB_2012_14 on the compliance function as supplemented and amended by this chapter;
    • Regulation of 19 May 2015 and Circular NBB_2015_21 on the internal audit function as supplemented and amended by this chapter;
    • Communication NBB_2018_05 on the report of the statutory governing body with regard to the assessment of the compliance function;
    • Communication NBB_2019_15 on the expectations regarding the content of the statutory governing body’s report on the assessment of the compliance function.

  4. EIOPA Guidelines: Guidelines 40 to 51

The Solvency II Law stipulates that the insurance companies must set up four efficient and permanent independent control functions, given that these functions are instruments necessary for optimally fulfilling the tasks allocated to their management bodies: 

  • the risk management function,
  • the actuarial function,
  • the compliance function, and
  • the internal audit function.

These four independent control functions are needed to enable the board of directors to perform its supervision of the management committee.

5.1. General aspects

5.1.1. Three lines of defence

The relationship between the business units and the independent control functions is sometimes described as the insurance company’s ‘three lines of defence’ model:

  • the business units (including the front office) form the company’s first line of defence and are responsible for identifying the risks associated with each transaction and must comply with the established procedures and limits;
  • the second line of defence encompasses the control functions, i.e. the risk management function, the actuarial function, and the compliance function, which must ensure that the risks are identified in accordance with the established rules and procedures and managed by the business units;
  • the third line of defence is formed by the internal audit, which assesses compliance with the procedures by the first and second lines of defence and, more generally, the effectiveness of the internal control system.

The risk management function, actuarial function, compliance function and internal audit function together form a coherent whole of transversal control functions between which coordination is required. Given that these control functions are connected, they shall harmonise their activity and ensure sufficient sharing of relevant information. 

The findings and recommendations of these independent control functions shall be translated by the management committee into measures to reinforce the management structure, organisation or internal control.  There are no areas of activity of the insurance company which may be diverted as a whole from the oversight of the control functions for commercial or financial reasons.

5.1.2. Status, resources and independence

The four control functions shall have a charter/policy which, as a minimum, states their status (place in the organisation chart), their independence (see below), their tasks, their rights and prerogatives, their reporting obligations and their resources. Without prejudice to the specific characteristics of the position of the Chief Risk Officer, the persons responsible for the control functions are in principle at “N-1” level in the organisation chart and report hierarchically to a member of the management committee[1].

They shall have sufficient resources (personnel and IT) to be able to fulfil their tasks in an appropriate and independent manner. The persons responsible for independent control functions shall ensure that their staff possess the necessary qualifications and skills to deliver efficient work, and that they act with integrity, in particular by avoiding conflicts of interest.

The method and procedures used by these four control functions shall be commensurate with the nature, scale and complexity of the risks inherent to the company’s business model and work, and they shall be clearly explained in writing.  

The four control functions shall be independent, which must at least be reflected in the status of the function concerned in the insurance company (organisational segregation of the functions that could give rise to risks[2]), the prerogatives of this function (resources and access within the company), and the rules for the remuneration of the persons responsible for these functions and of the staff allocated to the performance thereof (for which objectives other than commercial objectives shall be taken into account and that must be separate from the results of the work supervised). 

To guarantee this independence, the persons responsible for independent control functions shall have access to the board of directors, where applicable via the audit committee and/or the risk committee.  This direct access — which therefore entails that they do not first have to go through the management committee (or where applicable the senior management) — is necessary to enable the board of directors to more strictly exercise its supervisory function as regards the execution of the strategy mapped out and the company’s operation.  

In accordance with the Solvency II Law (Article 82), the persons responsible for independent control functions may only be removed from their function by the board of directors.  It is after all necessary that the board of directors be the only body with the power to remove such managers from their functions, given that these functions entail supervision of the way in which the management committee performs its tasks. If someone responsible for an independent control function is considered for removal from their function, the company shall inform the Bank thereof in advance, so that it may determine whether the reasons for the dismissal are founded and where applicable, so that it may investigate whether any special measures must be taken relating to the corporate governance of the company.

As part of its supervisory role, the board of directors shall determine periodically and at least once a year whether the independent control functions work properly.  For this purpose, the board shall receive a report from the management committee at least once a year on the effectiveness of the governance system, without prejudice to the directly relevant information provided by the functions in question.

5.1.3. Fit & Proper checks of persons responsible for independent control functions

The control functions shall be headed up by managers who have acquired specific expertise in the area of the tasks for which the control function concerned is responsible and who meet the Bank’s Fit & Proper requirements.

In accordance with the Solvency II Law (Article 81), insurance companies shall inform the Bank of any proposal to appoint someone responsible for an independent control function, so that the Bank may analyse the Fit & Proper nature of that person and make a decision. 

The outsourcing of a control function (both within and outside the group) must be regulated in accordance with the outsourcing rules; however, the company is not thereby exempted from the obligation to appoint someone responsible for the outsourced control function. This person, who is called the ‘contact person responsible’, must be appointed internally and possess the requisite professional integrity and appropriate expertise, and therefore sufficient knowledge of and experience with the outsourced function to put the performance and results of the service provider to the test (cf. section 7.4. below).

5.1.4. Outsourcing of independent control functions

Outsourcing independent control functions may not lessen the responsibility of the insurance company to have an adequate and effective organisation. As a result, the responsibility for these control functions may not be outsourced.

However, for reasons of efficiency, it is acceptable to outsource the implementation tasks falling under the responsibility of the independent control functions in full or in part to a third party or to another entity belonging to the same group. Outsourcing may in particular be justified, for less significant insurance companies, by the application of the principle of proportionality (cf. Introduction). Outsourcing may also be justified, for significant companies belonging to a group, by the need to optimise the management of the resources needed to perform this function in the various entities of the group.

When outsourcing all or part of the tasks of an independent control function, specific conditions must be met. Please refer to Chapter 7 below for a detailed overview of these conditions. Three elements are of particular importance in this respect: (i) the appointment of a contact person responsible for monitoring the outsourcing, (ii) the direct reporting of the service provider to the company’s management bodies and (iii) the transmission of a detailed case file to the Bank (in particular as regards the service provider).

5.1.5. Combination of functions by the persons responsible for the independent control functions

With regard to the combination of functions by the person responsible for an independent control function, the following legal rules should be complied with:

  • Article 54 of the Solvency II Law, which stipulates that “the persons performing the [control] functions […] shall be independent from the company’s business units and operational functions (…).”
  • Article 56, § 3, second paragraph, 2° of the Solvency II Law, which stipulates that the second-line control functions (the compliance and actuarial functions) for which a CRO who is a member of the management committee is responsible, should be “exercised separately from each other” and cannot give rise to conflicts of interest; and
  • Article 271 of Delegated Regulation 2015/35, which provides for specific rules for the combination of functions by the person responsible for the internal audit function.

In practice, the Bank expects insurance companies to comply with the following guiding principles:

  • the persons responsible for the compliance, actuarial and internal audit functions (referred to as ‘N1’ in the organisation chart) each only perform their own control function without simultaneously performing another control function, and especially not a business unit or operational function; and
  • the person responsible for the risk management function (CRO), who, pursuant to Article 56 of the Solvency II Law, is in principle a member of the management committee (level ‘N’), can only combine this function, under certain conditions, with hierarchical responsibility for the compliance function and the actuarial function.

However, in accordance with recital 32 of the Solvency II Directive, which stipulates that “in smaller and less complex undertakings it should be possible for more than one function to be carried out by a single person or organisational unit”, this reference situation can be derogated from in less significant companies on the basis of the principle of proportionality. For instance, in less significant insurance companies, the Bank accepts, if certain conditions are met:

  • that a single person simultaneously performs several second-line control functions[3]; and
  • that a single person simultaneously performs an independent control function and serves as member of the management committee.

a) Combination of multiple second-line control functions

A single person may perform two or three second-line independent control functions (the risk management, compliance[4] and/or actuarial function) simultaneously, provided that:

  1. there are no conflicts of interest from a functional point of view between the second-line functions performed simultaneously, which implies that the company should avoid having the person who is developing a service assess the adequacy of the said service (maker/checker principle). An example would be the task to design and develop an internal model, on the one hand, and the task to assess and validate its adequacy, on the other;
  2. the person responsible combining the operational responsibility for multiple second-line control functions possesses the knowledge and expertise needed for the different areas concerned. This is particularly relevant for functions requiring very different basic skills (quantitative risk measurement on the one hand, analysis of the risk of non-compliance with the legal rules on the other);
  3. the person responsible combining the operational responsibility for multiple second-line control functions has the time needed to perform these different control functions correctly.

b) Combination of an independent control function with management committee membership

In cases where it is duly justified by the principle of proportionality in less significant companies and barring the specific case referred to in Article 56 of the Solvency II Law whereby the CRO is a member of the management committee, the operational responsibility for a control function may be combined with membership of the management committee, provided that:

  1. Article 54 of the Solvency II Law is complied with, so that the member of the management committee concerned does not combine an independent control function and a risk-generating operational function. In this respect, the (i) legal, (ii) HR and even (iii) IT tasks could be considered to generate less risk;
  2. such a combination is accompanied by specific regulations to avoid conflicts of interest (providing in particular for escalation to the board of directors); and that
  3. the member of the management committee concerned has the time necessary to correctly perform the tasks conferred upon him as person responsible for the operations of a control function.

If a less significant insurance company wishes to be granted one of the two aforementioned derogations, it should contact the Bank to verify which conditions must be met and provide the Bank with a file containing the information requested.

5.1.6. Reporting by the independent control functions

The Solvency II Law lays down the following with respect to reporting to the board of directors and management committee by the independent control functions:

  • The persons responsible for the risk management function, the actuarial function, the compliance function and the internal audit function shall report at least once a year directly to the board of directors on the performance of their task, and shall inform the management committee. This activity report addressed to the board of directors can, where applicable, occur through a sub-committee: for the internal audit function through the audit committee (Article 54, § 1, third paragraph), for the risk management function and the actuarial function through the risk committee, for the compliance function through the audit committee and/or the risk committee. Without prejudice to the provisions under 5.3.3. regarding the activity report of the actuarial function, the (at least) annual activity report of the independent control functions should (i) document all tasks performed by the independent control function during the preceding period, (ii) clearly indicate all shortcomings identified and (iii) provide recommendations to remedy these shortcomings;
  • The person responsible for the compliance function shall regularly inform the board of directors and management committee on compliance with the legal and regulatory provisions governing the insurance or reinsurance activity, especially the rules pertaining to integrity and conduct that apply to that activity, and address recommendations on this subject to these bodies (Article 55, § 2);
  • When justified by specific circumstances, the persons responsible for the risk management function and the compliance function[5] may, of their own accord and without needing to refer the matter to the management committee, inform the board of directors of their concerns, and where applicable alert it, where specific developments related to risk have or could have a negative influence on the company, or in particular could be damaging to its reputation (Article 57, first paragraph);
  • Without prejudice to the annual activity report referred to in Article 54, § 1, third paragraph of the Solvency II Law, the person responsible for the internal audit function shall share his/her findings and recommendations as regards the quality of the internal control with the board of directors and the management committee (Article 58, § 2). In accordance with Article 77, § 9 of the Solvency II Law, however, it is the board of directors that decides which measures must be taken as a result of the findings and recommendations of the internal audit and ensures that these measures are taken. The board of directors and/or the audit committee approve the audit plan and the recommendations made in the context of the audits performed and monitor the implementation of these recommendations. The role of the management committee with regard to the internal audit function is limited to, on the one hand, defining the human and IT resources that are needed for the function to be able to perform its tasks correctly, in consultation with the board of directors and/or the audit committee and, on the other hand, implementing the recommendations made by the internal audit function that are relevant to the management committee, in accordance with the decisions made by the board of directors and/or the audit committee.

[1]  The reporting to the management committee of the person responsible for the internal audit is limited to the aspects specified in point 5.1.6. of this Circular.

[2] Article 54 of the Solvency II Law more specifically lays down the following: “The persons performing the [control] functions shall be independent from the company’s business units and operational functions”.  In significant insurance companies, the Bank expects these persons to be both operationally and hierarchically independent. This implies that the persons responsible for the control functions should not only be fully independent from the business units and operational functions, but should also report to a member of the management committee who is not subject to conflicts of interest due to simultaneously performing multiple tasks, including risk-generating tasks of units or functions. In less significant companies, the persons responsible for the control functions are only required to be operationally independent, which means that they cannot perform any other operational functions within the company. In application of the proportionality principle, the solution that consists of those responsible for the actuarial function and the compliance function reporting to the Chief Risk Officer contributes to guaranteeing an appropriate hierarchical separation, insofar as the conditions of Article 56 of the Solvency II Law are met.  Given that Article 77 of the Solvency II Law determines that the board of directors decides which measures must be taken as a result of the findings and recommendations of the internal audit, hierarchical reporting by the person responsible for internal audit to the Chair of the management committee could ensure that the necessary checks & balances are carried out, insofar as this person does not have any commercial responsibilities. The reporting in question largely relates to the organizational circumstances (sufficiency of the staffing and IT resources allocated to the internal audit function).

[3] The Bank considers that a risk of conflicts of interest arises by definition between the exercise of second-line control functions and the third-line internal audit control function. Operational responsibility for second-line control functions may never be combined with responsibility for the internal audit function.

[4] With regard to the compliance function, it should be noted that point 3.4.4. of Circular NBB_2012_14 recommends not having employees of the risk management function perform tasks falling under the compliance function. If the company nevertheless wishes to combine these tasks, it should specifically demonstrate that it will take alternative measures to avoid neglecting the compliance aspects compared to the other risks managed by the risk management function.

[5] While the actuarial function is not explicitly mentioned in Article 57 of the Solvency II Law, the final paragraph of section 5.3.3. below stipulates that the actuarial function should inform the company’s board of directors and management committee of the risks that have or could have a negative influence on the company, which also implies that it has a certain alert function for the performance of its tasks.

5.2. Risk management function

5.2.1. Tasks

The risk management function shall ensure that all of the company’s significant risks are detected, measured, managed and duly reported. It shall be actively involved in mapping out the insurance company’s risk strategy as well as in all management decisions that have a significant influence on the risks, and shall be able to provide a full picture of the whole range of risks run by the institution.

More particularly, the risk management function shall take on at least the following tasks:

§1. Tasks referred to in Article 269 of Delegated Regulation 2015/35

  1. assist the board of directors, the management committee and the other functions in the effective operation of the risk management system; 
  2. monitor the risk management system; 
  3. monitor the general risk profile of the company as a whole;
  4. report in detail on risk exposures and advise the board of directors and the management committee on risk management matters, including in relation to strategic affairs such as corporate strategy, mergers and acquisitions, and major projects and investments. In this respect, the risk management function informs the board of directors and the management committee of risks identified as potentially material and acquires information on other specific risk areas, at its own initiative or at the request of the board of directors and the management committee; and 
  5. identify and assess emerging risks.

The Bank also recommends identifying and assessing sustainability risks[1].

§2. Extra tasks when using an internal model

For insurance companies that make use of an internal model or partial internal model approved in accordance with Articles 167 and 168 of the Solvency II Law, the risk management function shall also fulfil the following extra tasks:

  1. designing and applying the internal model;
  2. testing and validating the internal model;
  3. keeping information on the internal model and any changes made thereto;
  4. analysing the operation of the internal model and drawing up summary reports thereon; and
  5. providing information to the board of directors and the management committee on the operation of the internal model and stating where improvements need to be made, as well as keeping these bodies informed of the progress made with remedying the weaknesses previously established.

In this context, the risk management function must maintain close contact with the users of the outputs of the internal model.

§3. Extra task relating to the coordination and coherence of the RSR

If the company decides to refer to internal documents in the chapter on “Governance system” of the RSR (cf. Chapter 15 of this Circular), the risk management function should, without prejudice to the task of the compliance function to coordinate the RSR in accordance with point 5.4. below, coordinate and ensure the coherence of the aspects of the RSR other than governance in the strictest sense which are referred to in this Circular, such as financial management, continuity and IT infrastructure.

This coordination task consists of ensuring (i) that the RSR remains comprehensible and coherent, (ii) that the references made actually correspond to detailed information, and (iii) that these references are made to existing documents that are sufficiently detailed/accurate so the underlying information can be retrieved quickly.

If the company has decided to apply the rules for referring to internal documents set out in Chapter 15 of this Circular to chapters of the RSR besides the chapter on the governance system, the risk management function should also carry out the coordination task described above.

5.2.2. Management of the risk management function

In principle, the Solvency II Law requires the head of the risk management function to be a member of the management committee with no functions other than this responsibility. For further details on this matter, please consult point 1.3.3. above. 

[1] For a definition of the concept of “sustainability risks”, please refer to paragraph 24 of the “Technical Advice on the integration of sustainability risks and factors in the delegated acts under Solvency II and IDD” published by EIOPA on 30 April 2019, which defines sustainability risks as follows: “sustainability risks should be understood as risks that could affect the insurance and reinsurance undertakings’ risk profile, on the investments and liabilities side, due to ESG factors, i.e. (i) Environmental (E) issues relate to the quality and functioning of the natural environment and natural systems; (ii) Social (S) issues relate to the rights, well-being and interests of people and communities; and (iii) Governance (G) issues relate to the governance of companies and other investee entities”.

5.3. Actuarial function

The Solvency II Law determines that the insurance companies must continuously have an appropriate actuarial function.  As an independent control function, the objective of the actuarial function is to offer the management committee and the board of directors a certain degree of quality assurance in a number of areas described below for the actuarial calculations and underlying assumptions.

5.3.1. Tasks of the actuarial function

5.3.1.1. Tasks relating to the technical provisions

§1. Tasks included in the Solvency II Law

The Solvency II Law leaves it to the insurance company to assign the person or department responsible for calculating the technical provisions.  This Law also requires the actuarial function to provide for the coordination and the supervision of this calculation.

Article 59 of the Solvency II Law requires the actuarial function to:

  1. coordinate the calculation of technical provisions;
  2. ensure that the methodologies, underlying models and assumptions used for the calculation of the technical provisions are suitable;
  3. assess the sufficiency and quality of the data used in the calculation of technical provisions;
  4. compare best estimates against experience;
  5. inform the board of directors and the management committee of the reliability and adequacy of the calculation of technical provisions;
  6. oversee the calculation of technical provisions in the cases set out in the Solvency II Law.

As specified in Article 126, § 1 of the Solvency II Law, the value of the technical provisions is equal to the sum of the best estimate and the risk margin. The risk margin (Article 127, § 2 of the Solvency II Law) is calculated on the basis of the solvency capital requirement needed to settle the insurance and reinsurance obligations over the lifetime thereof (SCR of the reference company as described in Article 38 of Delegated Regulation 2015/35). The actuarial function’s task to coordinate and monitor the calculation of the technical provisions pertains to all elements of the technical provisions [4].

(i) Coordination of technical provisions

Delegated Regulation 2015/35 (Article 272) sets out that in coordinating the calculation of the technical provisions, the actuarial function includes all of the following tasks:

  1. applying methodologies and procedures to assess the sufficiency of the technical provisions and to ensure that their calculation is consistent with the requirements set out in Articles 123 to 139 of the Solvency II Law;
  2. assessing the uncertainty associated with the estimates made in the calculation of technical provisions;
  3. ensuring that any limitations of data used to calculate technical provisions are properly dealt with;
  4. ensuring that the most appropriate approximations for the purposes of calculating the best estimate are used in cases referred to in Article 137 of the Solvency II Law;
  5. ensuring that homogenous risk groups of insurance and reinsurance obligations are identified for an appropriate assessment of the underlying risks;
  6. considering the relevant information provided by financial markets and generally available data on underwriting risks and ensuring that it is integrated into the assessment of technical provisions;
  7. comparing and justifying any material differences in the calculation of technical provisions from year to year;
  8. ensuring that an appropriate assessment is provided of the options and guarantees included in insurance and reinsurance contracts.

(ii) Control of methodologies used

Delegated Regulation 2015/35 sets out that the actuarial function assesses whether the methodologies and assumptions used in the calculation of the technical provisions are appropriate for the company’s specific lines of business and for the way the business is managed, having regard to the available data. 

The actuarial function shall identify any inconsistencies with the requirements of the Solvency II Law as regards the calculation of the technical provisions and, where necessary, propose corrective measures. It shall justify and, where applicable, clarify any potential material effect of changes in data, methodologies or assumptions between valuation dates on the amount of technical provisions.

(iii) Data quality control

Delegated Regulation 2015/35 sets out that the actuarial function assesses whether the IT systems used in the calculation of technical provisions sufficiently support the actuarial and statistical procedures.

The actuarial function shall review the quality of the internal and external data used in the calculation of the technical provisions against the standards in the Solvency II Law. Where applicable, the actuarial function shall issue recommendations on internal procedures to improve data quality, to ensure that the company is able to comply with the requirement from the Solvency II Law that applies in this context.

(iv) Comparing best estimates against experience

Delegated Regulation 2015/35 sets out that the actuarial function, when comparing best estimates against experience, reviews the quality of past best estimates and uses the insights gained from this assessment to improve the quality of current calculations.  Comparing best estimates against experience includes comparisons between observed values and the estimates underlying the calculation of the best estimate, in order to draw conclusions on the appropriateness, accuracy and completeness of the data and assumptions used as well as on the methodologies applied in their calculation.

The actuarial function shall report to the board of directors on potential material deviations between experience and best estimates. In this report, the causes of the deviations shall be explained and, where applicable, proposals shall be made for the adjustment of the assumptions and changes in the valuation model to improve the calculation of best estimates.

(v) Informing the board of directors and the management committee of the reliability and adequacy of the calculation of technical provisions

Delegated Regulation 2015/35 sets out that the information submitted to the board of directors and the management committee on the calculation of the technical provisions includes at least a reasoned analysis of the reliability and adequacy of their calculation, and on the sources and degree of uncertainty of the estimate of the technical provisions. That reasoned analysis is supported by a sensitivity analysis that includes an investigation of the sensitivity of the technical provisions to each of the major risks underlying the obligations covered by the technical provisions.  The actuarial function shall clearly state and explain any concerns it may have regarding the adequacy of technical provisions.

§2. Tasks associated with the calculation of technical provisions based on the annual accounts (Belgian standards)

Apart from the tasks associated with the calculation of technical provisions on the basis of the Solvency II regulation, the actuarial function has two additional tasks relating to the annual accounts:

  1. ascertaining whether the calculation of the level of technical provisions as included in the annual accounts complies with the rules of Royal Decree of 17 November 1994 on annual accounts of insurance and reinsurance companies (‘accounting decree’);
  2. verifying the calculation of the ‘flashing-light provision’, if the company must form such a provision.

As regards this latter point, the task of the actuarial function consists in verifying that the flashing-light provision is calculated in accordance with the Royal Decree of 17 November 1994.

5.3.1.2. Tasks relating to the underwriting and pricing policy

The Solvency II Law (Article 59) requires the actuarial function to express an opinion on the insurance company’s general underwriting policy.

Regarding the underwriting policy, Delegated Regulation 2015/35 stipulates that this opinion must at least include conclusions regarding the following considerations:

  1. the sufficiency of the premiums to be earned to cover future claims and expenses, notably taking into consideration the underlying risks (including underwriting risks), and the impact of options and guarantees included in insurance and reinsurance contracts on the sufficiency of premiums;
  2. the effect of inflation, legal risk[2], change in the composition of the company’s portfolio, and of systems which adjust the premiums paid by policy-holders upwards or downwards depending on their claims history (bonus-malus systems) or similar systems, implemented in homogenous risk groups; 
  3. the progressive tendency of a portfolio of insurance contracts to attract or retain insured persons with a higher risk profile (anti-selection).

The Bank also recommends including sustainability risks in this opinion.

In other words, the actuarial function includes the following tasks:

  1. at the time of launch of new products or changes in existing products that could influence the company’s returns, giving an opinion on the pricing, formation of reserves and reinsurance;
  2. analysing the annual profitability of the different products in a context of a consistent market and as part of the annual accounts;
  3. analysing the existing underwriting limits;
  4. making recommendations and providing advice on risk acceptance.

As part of this task, the actuarial function is especially responsible for the following: (i) the coherence between the underwriting policy and the risk profile and risk appetite of the company; (ii) the appropriate nature of the product pricing; (iii) evaluating the assumptions used to calculate the future returns from the products to which the underwriting policy relates and (iv) the main risk factors that determine the profitability of the activity.

5.3.1.3. Tasks relating to reinsurance

The Solvency II Law (Article 59) requires the actuarial function to express an opinion on the adequacy of reinsurance arrangements. 

Delegated Regulation 2015/35 sets out that this opinion must include an analysis of the adequacy of:

  1. the company’s risk profile and underwriting policy;
  2. reinsurers, taking into account their credit rating;
  3. the expected cover under stress scenarios in relation to the underwriting policy;
  4. the calculation of the best estimate of the amounts recoverable from reinsurance contracts and special purpose vehicles.

In other words, the actuarial function must issue a technical opinion on the appropriate nature of the company’s reinsurance agreements, taking into account the risk profile of the company, the reinsurance policy and the connections between these agreements and the technical provisions. 

If the company forms part of a group, the actuarial function moreover shall take into account any reinsurance within the group. If it is a group governed by Belgian law under the supervision of the Bank, the actuarial function allocated to the group at the level of the entity responsible for the group shall also issue an opinion on that group’s reinsurance policy and reinsurance programme (reinsurance assigned within the group or to a company not belonging to the group’s consolidation perimeter).

5.3.1.4. Tasks relating to the implementation of the risk management system

The Solvency II Law (Article 59) sets out that the actuarial function must contribute to the effective implementation of the risk management system, especially with respect to the risk modelling underlying the calculation of the capital requirements, and as regards the ORSA.  This is without prejudice to the fact that the risk management function and the actuarial function are two separate control functions, which along with the compliance function must form a coherent and coordinated whole of second-line control functions (with no gap or overlap). 

The contribution of the actuarial function to the risk management system is limited to two specific domains: risk modelling and the ORSA.

For companies that develop an internal model, the use of which must be submitted for the Bank’s approval, the actuarial function shall help determine which of the risks that fall under its area of expertise are part of the internal model.  It shall also contribute to the way in which the mutual dependencies of these risks and other risks are derived.  This contribution is based on a technical analysis and reflects the experience and expertise of the actuarial function.

As regards the assessments conducted as part of the ORSA process, the actuarial function has the following tasks:

  1. acquiring input on the question of whether the company permanently complies with the requirements for the calculation of the technical provisions;
  2. establishing the potential risks arising from uncertainties relating to this calculation.

5.3.1.5. Tasks relating to the profit-sharing and rebate policy

The Solvency II Law (Article 59) determines that the actuarial function must issue an opinion on the profit-sharing and rebate policy as well as on compliance with the legislation and regulations on the matter.

The Royal Decree also sets out, as regards the distribution of profit-sharing and the granting of rebates for insurance transactions, that the actuarial function must at least explain the following:

  • that the amount of the profit-sharing is in line with the policy drawn up in writing and approved by the statutory governing body;
  • that correct account was taken of this written policy in the calculation of the best estimate;
  • the amount of variation of the inactive zillmerisation value, given that this data is not included in the detailed life profit and loss account.

5.3.1.6. Tasks relating to the transitional measures referred to in Articles 668 and 669 of the Solvency II Law

§1. Transitional measure relating to the risk-free interest rates

As regards the transitional measures relating to the risk-free interest rates referred to in Article 668 of the Solvency II Law, it should be noted that the transitional matching adjustment must be recalculated on a quarterly basis.  The best estimate of the admissible portfolio must be recalculated with the new interest rate term structure. Where applicable, the assumptions relating to the conduct of the policy-holders must be adjusted to this new interest rate term structure to leave the relevance of these assumptions unchanged.

On a monthly basis, EIOPA shall issue the post-shock risk-free interest rate term structure that must be used for the calculation of the SCR interest rate risk submodules. If a transitional interest rate term structure is used for the calculation of the best estimate of the admissible portfolio, a post-shock interest rate term structure must be used for the calculation of those submodules. The company must release these new post-shock transitional interest rate term structures itself. It must also calculate the impact of the transitional matching adjustment on the best estimate, own funds and SCR.

Given the frequency, scale and complexity of the additional calculations relating to this transitional measure, companies that wish to make use of this are expected to document in detail the calculation of the transitional matching adjustment and the impact thereof on the various balance-sheet items and the SCR.

This documentation must be validated by the actuarial function and must be included in the application file. 

§2. Transitional measure relating to the technical provisions

As regards the transitional measure relating to the technical provisions included in Article 669 of the Solvency II Law, the Bank requires the amounts of technical provisions, where applicable including the amount of volatility adjustment, used for the calculation of the transitional deduction to be recalculated every two years. These calculations must be sufficiently documented to be able to be verified.

With each recalculation of the transitional deduction, account also needs to be taken of the development of the additional provision (flashing-light provision). This provision depends on the decisions of the Bank as regards exemption. This should be on the basis of the principle that the Bank will adjust its exemption criteria to the accounting policy criteria (see § 2 above).

In this context, the actuarial function must validate the amounts of the technical provisions, which must be recalculated every two years, and its report must be included in the file for the application for approval of the transitional measure referred to in Article 669 of the Solvency II Law.

More information can also be found in Circular NBB_2015_30 of 9 December 2015 on the requirements for submitting information to the Bank for applications for approval for the use of one or more measures as referred to in Article 308bis of Directive 2009/138/EC.

5.3.1.7. Allocation of additional tasks

If the company decides to add additional tasks or activities to the tasks and activities of the actuarial function, it shall take appropriate measures to tackle potential conflicts of interest. The company in particular shall see to it that the actuarial function does not have to express an opinion about its own work, work for which it is responsible or work that used to be performed by one of its members of staff.

5.3.2. Management of the actuarial function

The actuarial function shall be managed by a manager who does not only meet the legal requirements as regards professional integrity, but also has specific skills in the area of actuarial mathematics, commensurate with the nature, scale and complexity of the risks inherent to the appointing company’s business model and activity. 

In accordance with point 5.1.3. hereinabove, the expertise and professional integrity of the manager of the actuarial function to be appointed will be assessed by the Bank in advance. From a hierarchical point of view, the manager of the actuarial function shall report to a member of the management committee (N1). If the hierarchical responsibility for the actuarial function is combined with other responsibilities, it is ensured that this does not give rise to any conflicts of interest. It should for example be ensured that the member of the management committee to whom the actuarial function reports is not also responsible for business units that take care of calculating technical provisions.

If the manager of the actuarial function exercises other activities or functions, especially in the case of an insurance company with a not very evident risk profile, the company must in particular ensure that no conflicts of interest occur with these other activities or functions.

5.3.3. Reporting by the actuarial function to the board of directors and management committee

The Solvency II Law determines that the manager of the actuarial function, just like the manager of the other independent control functions, must report at least once a year directly to the board of directors on the performance of the tasks of the actuarial function and inform the management committee thereof.

Delegated Regulation 2015/35 (Article 272) specifies that this (annual) report must:

  1. document all tasks that have been undertaken by the actuarial function and their results,
  2. clearly identify any deficiencies, and
  3. give recommendations on how these deficiencies should be remedied.

This activity report should at least contain the following elements for the above-mentioned points:

  • the technical provisions pertaining to the past financial year (cf. point 5.3.1.1.)
  • the underwriting policy (cf. point 5.3.1.2. above)
  • the reinsurance policy (cf. point 5.3.1.3. above)
  • the profit-sharing and rebate policy (cf. point 5.3.1.5)

as well as the follow-up to the recommendations made by the actuarial function in previous reports.

It is advisable to base the structure of the activity report on the task descriptions specified in point 5.3.1.

Additionally, the activity report of the actuarial function presented to the board of directors should contain (in annex) the relevant technical documentation, including the detailed analyses and tests conducted on the basis of which it performs its tasks and formulates its opinions.

In addition to this activity report, the Bank advises the actuarial function to regularly report to the board of directors, where applicable through the risk committee.  This reporting may occur at various periods, for example:

  • at the time of launch or change of a product that has an impact on the company’s profitability (cf. point 5.3.1.2. above on the tasks relating to the underwriting policy);
  • when entering into a new reinsurance agreement (cf. point 5.3.1.3. above on the tasks relating to reinsurance);
  • when transferring portfolios of insurance or reinsurance contracts;
  • at the time of any other significant events requiring intervention or validation by the actuarial function.

The actuarial function must in any case inform the management committee and the board of directors if specific developments related to risk have or could have a negative influence on the company, or in particular could be damaging to its reputation.

 

[4] While it is the responsibility of the risk management function to calculate the different individual risk modules comprising the solvency capital requirement, the actuarial function is expected to conduct a minimum of checks relating to the models referred to in Article 38 of Delegated Regulation 2015/35 as part of its task to coordinate and monitor the calculation of the risk margin (professional scepticism).

[5] The analysis of the legal risk occurs in consultation with the Legal and Compliance departments.

5.4. Compliance function

In accordance with the Solvency II Law (Article 55), the compliance function is tasked with supervising compliance with the legal and regulatory provisions governing the insurance business, especially the rules pertaining to integrity and conduct that apply to that activity. The compliance function must prevent the insurance company from suffering the consequences — in particular a loss of reputation or credibility, that could put it at a serious financial disadvantage — of non-compliance with the legal and regulatory provisions or the ethical provisions that apply to the banking profession (compliance risk).  Article 270 of Delegated Regulation 2015/35 also sets out that the compliance function is responsible for testing the soundness of the measures the insurance company has taken to prevent non-compliance.

Article 270 of Delegated Regulation 2015/35 also sets out that the compliance function draws up a compliance policy as well as a charter (cf. point 5.1.2. above), defining the planned activities of the compliance function.

Reference should also be made to Circular NBB_2012_14.

As regards the specific tasks expected from the compliance function relating to the Solvency II Law, without prejudice to the tasks of the compliance function included in Circular NBB_2012_14, the Bank expects the compliance function at least to: 

  1. make a list of all the policies required by the Solvency II Law and ensure that the structure of these policies complies with the requirements under point 4.4. of this Circular; and
  2. if the company decides to refer to internal documents in the chapter on “Governance system” of the RSR (cf. Chapter 15 of this Circular), and without prejudice to the task of the risk management function in accordance with point 5.2.1. above, oversee the coordination and coherence of the subjects pertaining to governance in the strictest sense included in the RSR, i.e. the following subjects: shareholdership, management structure, Fit & Proper, incompatibility of mandates, loans, credits and insurance for managers, independent control functions, remuneration, conflicts of interest and outsourcing. More specifically, this coordination task consists of ensuring, as regards the aspects of governance sensu stricto, (i) that the RSR remains comprehensible and coherent, (ii) that the references made actually correspond to detailed information, and (iii) that these references are made to existing documents that are sufficiently detailed/accurate so the underlying information can be retrieved quickly.

5.5. Internal audit function

In accordance with the Solvency II Law (Article 58), the internal audit function shall provide the board of directors and the management committee with an independent assessment of the quality and the effectiveness of the company’s internal control, risk management and governance system.  Article 271 of Delegated Regulation 2015/35 sets out that the internal audit function fulfils all of the following tasks: (a) establishing, implementing, and maintaining an audit plan setting out the audit work to be undertaken in the upcoming years, taking into account all activities and the complete system of governance of the insurance or reinsurance company; (b) taking a risk-based approach to set priorities; (c) reporting the audit plan to the management or supervisory body; (d) issuing recommendations based on the result of work carried out in accordance with point (a) and submitting a written report on its findings and recommendations to the management or supervisory body on at least an annual basis; (e) verifying compliance with the decisions made by the management or supervisory body on the basis of those recommendations referred to in point (d).  If necessary, the internal audit function may conduct audits not included in its audit plan.

Article 271 of Delegated Regulation 2015/35 also sets out the following:

  1. The persons carrying out the internal audit function do not assume any responsibility for another function.
  2. Notwithstanding this, and in particular with due regard to the principle of proportionality, the persons carrying out the internal audit function may also carry out other key functions, where all of the following conditions are met: (a) this is commensurate with the nature, scale and complexity of the risks associated with the company’s activity; (b) no conflict of interest arises for the persons carrying out the internal audit function; (c) the costs of maintaining persons for the internal audit function that do not carry out other key functions would impose costs on the company that would be disproportionate with respect to the total administrative expenses.

Reference is also made to Regulation of 19 May 2015 and to Circular NBB_2015_21 on the internal audit function, which is supplemented by the following documents:

5.5.1. Independence of the internal audit function

The company shall ensure that the internal audit function does not carry out any operational functions and is free from inappropriate influence by any other function, including the independent control functions. The company shall ensure that the internal audit function is not influenced by the management committee when carrying out an audit and when evaluating and reporting audit results to such an extent that this could limit the independence and impartiality of that internal audit function.

5.5.2. Conflicts of interest within the internal audit function

The company shall take appropriate measures to limit the risk of conflicts of interest. 

It shall ensure that the auditors taken on internally do not audit any activity or functions that they have previously carried out within the time frame encompassed by the audit.

5.5.3. Internal audit policy

The company shall have an internal audit policy that covers at least the following areas:

  1. the conditions under which the internal audit function can be asked for advice or support or asked to conduct other special tasks;
  2. where applicable, the internal regulation describing the procedures that must be followed by the manager of the internal audit function before providing information to the Bank;
  3. if applicable, the criteria for rotation of tasks.

5.5.4. Internal audit plan

The company shall ensure that the internal audit plan is based on a methodical risk analysis, taking into account all activity and the entire governance system as well as expected developments in the activity and innovations, including all major activities that must be audited within a reasonable period of time.

5.5.5. Internal audit documentation

The company shall keep data on the work of the internal audit to be able to assess the effectiveness of its work, and document the audits well enough to be able to trace the audits conducted and the conclusions therefrom.

5.5.6. Tasks of the internal audit function 

The company shall ensure that the internal audit function states in its report to the board of directors, about which the management committee is informed, the period of time that is expected to be needed to remedy the deficiencies identified and provides information on the completion of earlier audit recommendations.