The Solvency II Law contains a number of provisions on the management structure and management bodies that an insurance company should have.

[1]    Point 1 of this Communication, entitled “Derogation from the composition of an audit committee” has become redundant given that the Solvency II Law determines that the audit committee, the risk committee and the remuneration committee may only be composed of non-executive directors.

1.2.1. Composition

a) Majority of non-executive directors

The board of directors shall be composed of non-executive directors and executive directors. For the exercise of supervisory and control tasks, the non-executive members of the board of directors, i.e. the ones that do not form part of the management committee, shall form the majority in the board of directors, and the chairs of the board of directors and management committee shall be two different people. In accordance with the Solvency II Law the (executive or non-executive) members of the board of directors must be natural persons (a legal person is prohibited from being appointed as director).

In terms of social status[1], a position of director of an insurance company cannot be exercised under an employment contract (obliged self-employed status) and a combination of two statuses (self-employed and employee) within the same company is not reconcilable with the principles of sound governance applicable to insurance companies[2].

For listed insurance companies or insurance companies of which the debt securities or subscription rights (warrants) are tradable on regulated markets, it is reminded that according to common law at least a third of the members of the board of directors are of a different sex from the other members (cf. Article 7:86 of the CAC).

[1] By identity of reasons, the same rules apply whether the business enterprise is in the form of a company or of a mutual insurance association.

[2] A link of subordination - supposing it to be proven - would jeopardize the effectiveness of the supervision of the Board of directors on the management of the company.

b) Independent directors within the meaning of the Solvency II Law

The role of independent directors is to ensure that all stakeholders of the company are adequately represented and, where appropriate, to reinforce technical expertise, particularly with regard to risk management.

Before the entry into force of the CAC, the Solvency II Law stipulated that insurance companies required to establish an audit committee, risk committee and remuneration committee[3] should have at least two directors meeting the independence criteria set out in Article 526ter of the former Companies Code, in particular to enable the company to comply with the obligation to have a majority of independent directors in the audit committee.

The CAC limits itself to stating the general principle that a director is considered independent if he does not have a relationship with the company or with one of its major shareholders that could jeopardise his independence. For the definition of the independence criteria, the CAC refers to provision 3.5 of the Belgian Code on Corporate Governance, which is not in itself a regulatory act but a recommendation for sound practices, even if its content is incorporated in the legal order by Royal Decree.

Pending a clarification of the legislation on this aspect, the Bank considers that the old criteria set out in the aforementioned Article 526ter shall continue to apply unchanged to insurance companies even if they do not formally appear in the CAC. The intention is to confirm this approach through an amendment to the Solvency II Law reintegrating the old criteria of Article 526ter but providing for a so-called “comply or explain” system (consequently, independent directors will hereinafter be referred to as “independent directors within the meaning of the Solvency II Law”).

The Bank expects that all aforementioned independence criteria are met and, if not, that the insurance company explains to it why it did not meet one or more of the independence criteria set out in the Belgian Code on Corporate Governance (comply or explain). Specifically, this explanation should be in the form of a formal statement of the board of directors or, where appropriate, the nomination committee, explaining why one or more of the criteria are not met. This statement should be sent with the Fit & Proper file of the director concerned.

The recommended number of independent directors shall depend on the nature, scale and complexity of the risks inherent to the company’s business model and activity. Based on this risk profile, on the structure of the group to which the company belongs and on the other aforementioned factors, it could be considered adequate to have more than two independent directors within the meaning of the Solvency II Law.

In insurance companies that are not obliged to have an independent director within the meaning of the Solvency II Law, it is nevertheless advisable to appoint an independent director meeting the criteria that are set out in provision 3.5 of the Belgian Code on Corporate Governance and that will be included in the Solvency II Law.

[3] Setting up an audit committee, a risk committee and a remuneration committee is not compulsory for insurance companies that fulfil, on a consolidated basis, at least two of the following three criteria: average number of employees during the financial year in question of less than 250, a balance sheet total equal to or less than € 43 million and an annual net turnover (premiums earned less reinsurance) equal to or less than € 50 million.

c) Selection of directors

Apart from a policy on expertise and fitness and propriety (cf. Chapter 2 below), the company shall establish a policy for the composition of its management bodies (board of directors and management committee) and for the selection of the directors and members of the management committee, not only taking into account the Fit & Proper aspects but also, for example, the number of directors, their age, their gender, accumulation of mandates, length and rotation of mandates, rules on conflicts of interest, etc. 

In this policy, the company shall establish the principles it will follow for the nomination for appointment, renewal, termination and removal of the directors.

1.2.2. Tasks

The board of directors has the final responsibility for the insurance company. More particularly, this concerns the following two functions.

a) Determining the general company strategy, risk policy and integrity policy

In accordance with Article 44 of the Solvency II Law, the board of directors shall determine “the company’s strategy and objectives and; the risk policy, including the overall risk tolerance; the integrity policy […]”.

Firstly, as regards the company’s strategy and objectives, the Bank expects the board of directors at least to determine and validate:

1. the company’s objectives (especially as regards the sales policy),
2. the main lines of its organisational structure and its internal control structure (which must be in proportion to the intended objectives),
3. the company’s policies on governance sensu stricto, i.e. the Fit & Proper policy, the remuneration policy, the outsourcing policy, the internal rules on external functions, the IT security and continuity policy and the charters of the independent control functions,
4. the reportings intended for the public (particularly the Solvency and Financial Condition Report or SFCR).

Secondly, as regards the risk policy, the board of directors must specifically:

1. determine the company’s risk appetite and general risk tolerance limits for all of its activities (risk appetite policy);
2. approve the company’s general risk management policy (see below for the content of that policy), the specific risk management policies (i.e. the following relevant policies: a) the policy relating to the management of underwriting and reserve risk, b) the asset-liability management policy, c) the investment risk management policy, d) the liquidity risk management policy, e) the concentration risk management policy, f) the operational risk management policy, g) the reinsurance policy, h) where appropriate, the mortgage lending policy, i) the asset and liability valuation policy, j) the profit-sharing policy, k) the ORSA policy, and l) the capital management policy) and the policy guaranteeing that the information submitted to the Bank is always adequate (Article 77, § 7 of the Solvency II Law);
3. be the first line as regards risk-based strategic decisions and be closely involved in the ongoing supervision of the development of the company risk profile (this requires the board of directors, or where applicable the audit committee and the risk committee, to always be in possession of relevant and comprehensive information on the risks the company faces);
4. approve the Regular Supervisory Report (RSR) and the Own Risk and Solvency Assessment (ORSA). In this regard, the Bank highlights the fact that the annual and quarterly Quantitative Reporting Templates (QRTs) should not be approved by the board of directors as Articles 80, § 5, and 202 of the Solvency II Law explicitly state that this task falls to the management committee (except for the QRTs annexed to the SFCR).

Thirdly, the board of directors should also approve the integrity policy, which establishes the company’s fundamental ethical principles and includes at least the following: rules on conflicts of interest, rules on whistleblowing, rules on the prevention of money laundering and terrorist financing, codes of conduct, etc.

b) Supervision of activities

Supervising activities and regularly assessing the effectiveness of the insurance company’s governance system form another important pillar of the responsibilities of the board of directors. The supervision must relate to all of the insurance company’s areas of activity and in particular cover the management committee (supervision of the management committee’s decisions) and compliance with the risk policy.

This supervision on the operation of the company may be exercised through (i) reporting by the independent control functions, (ii) effective use of the investigative powers of the board of directors, (iii) reporting by the management committee on the development of the company’s activity and (iv) access to the minutes of the management committee. 

The Solvency II Law (Article 77) moreover determines that the board of directors as a minimum:

1. must assess the effectiveness of the company’s governance system at least once a year and ensure that the management committee take the necessary measures to tackle any non-conformity;
2. must regularly and at least once a year assess the proper functioning of the four independent control functions. Apart from the assessment it may make by virtue of its regular contacts and the information provided to it by these four functions, the board of directors shall base its assessments on the management committee’s periodic report which includes, in particular, the measures needed to remedy any non-conformity. It should also be noted that, from 2018 onwards and pursuant to the Law of 5 December 2017 modifying the Solvency II Law, the board of directors is required to annually submit a report on the assessment of the proper functioning of the compliance function to the Bank;
3. must determine which measures must be taken as a result of the findings and recommendations in the internal audit and must ensure that these measures are taken;
4. must regularly and at least once a year assess the general principles of the remuneration policy and is responsible for the supervision of the implementation thereof;
5. must assess whether the policy for reporting to the Bank approved by the board of directors on the basis of Article 77, § 7 of the Solvency II Law is complied with; and
6. must bear the responsibility for the integrity of the accounting and financial reporting systems, including the rules for operational and financial control, and ensure that these systems offer a reasonable degree of certainty as to the reliability of the financial reporting process.

Less significant companies are free to comply with the standard schemes. However, the Bank accepts that the (N-1) persons responsible for the control functions report to a member of the management committee who also performs operational tasks. As indicated above, the following limits should be complied with: (i) there is a strict separation between Risk Management and Investment as well as between Risk Management and Commercial (Underwriting) and (ii) internal audit is assigned to a member of the management committee who is not also responsible for Commercial (Underwriting) but combines this function with operational functions that generate less risk.

Furthermore, the Bank shall be notified of the distribution of tasks between the members of the management committee and any change thereto. As regards the suitability test of the members of the management committee, the Bank may, in the event of an incident, take account of the personal shortcomings of the managers in its individual assessment.

1.3.3. Availability of the Chief Risk Officer in the management committee

The Solvency II Law stipulates that the head of the risk management function shall be a member of the management committee, the risk management function being the only function for which he/she is individually responsible.

Although as a principle, the risk management function is the only function for which the Chief Risk Officer — who is a member of the management committee — is responsible, the Solvency II Law allows the risk management function, the actuarial function and the compliance function, which form the second line of defence of the insurance company, to come under the responsibility of the Chief Risk Officer — who is a member of the insurance company’s management committee—insofar as these three functions (i) are exercised separately from each other[7] and (ii) this does not give rise to any conflicts of interest[8]. For insurance companies with a balance sheet total of less than € 3 billion, the aforementioned accumulation of functions is permitted ex officio. Companies with a balance sheet total of more than € 3 billion must submit a formal written request for such authorisation explaining the reasons for this request and provide evidence that this accumulation does not give rise to issues of conflicts of interest and availability.

By virtue of the nature, scale and complexity of the risks inherent to the company’s business model and activity, and taking into account the appropriate organisation of the function at the level of the group concerned, the Bank may allow the risk management function to be fulfilled by a member of the senior staff (‘N1’), as long as the exercise of this independent control function does not give rise to conflicts of interest vis-à-vis this person, in view of the other functions that he/she would otherwise exercise. In order to be granted such an exception, the insurance company must submit a formal written request to the Bank, explaining in detail why it wishes to be granted such an exception and in what way the aforementioned criteria are complied with.

Where the Chief Risk Officer is a member of the management committee, the company must ensure that this does not compromise the independence of the risk management function. For instance, if the CRO finds himself in a situation where he must choose between “his loyalty to the non-executive directors as independent control function” and “his loyalty as member of the management committee as a collegial body”, the CRO should prioritise his loyalty to the non-executive directors. Furthermore, for the sake of good order, the Bank stresses that the presence of the CRO in the management committee should not lessen the collective expertise regarding risk management expected of the non-executive directors. In this respect, the Bank notes that Article 51 of the Solvency II Law stipulates that non-executive directors who are members of the risk committee should “individually possess the necessary knowledge, expertise, experience and proficiency to understand and comprehend the insurance or reinsurance company’s strategy and risk tolerance”.

1.3.4. Tasks of the management committee

The following tasks come under the responsibility of the management committee (non-exhaustive list):

1. Implementing the strategy laid down by the board of directors and management of the business:

• implementing the strategy developed and approved by the board of directors,
• undertaking the management of the company in accordance with the strategic goals established and with due regard to the risk tolerance limits laid down by the board of directors;
• supervising line management (‘CD1’), and compliance with the allocated competences and responsibilities;
• making proposals and giving advice to the board of directors for determining the general policy and strategy of the company;

1. Implementing the risk management system:

• translating the risk appetite framework, the general risk management policy and the specific risk management policies established by the board of directors into procedures and processes;
• implementing the necessary measures to control risks;
• making sure, based on the reports of the independent control functions, that all relevant risks to which the company is exposed (financial risks, insurance risks, operational and other risks) are appropriately identified, measured, management, controlled and reported;
• supervising the development of the company’s risk profile and overseeing the risk management system;

1. Introducing, monitoring and assessing the organisational and operational structure:

• Implementing the governance policies sensu stricto established by the board of directors (Fit & Proper policy, remuneration policy, outsourcing policy, internal rules on external functions, security and continuity policy, integrity policy) by translating them into concrete procedures and processes;
• setting up an organisational and operational structure to support the strategic goals and ensuring uniformity with the framework established by the board of directors for risk appetite, especially by determining the powers and responsibilities of each section of the company and specifying the reporting policies and procedures;
• setting up appropriate internal control mechanisms at every level of the company and assessing the appropriateness of those mechanisms,
• implementing the necessary framework for the organisation and the proper functioning of the independent control functions, and assessing — based on the work of those control functions — the effectiveness and efficiency of the policies on risk management, internal control and governance established by the company;
• supervising the correct implementation of the remuneration policy;
• setting up an internal reporting system that gives a reasonable degree of certainty as to the integrity of the financial information and prudential reporting;

1. Implementing the integrity policy established by the board of directors (covering in particular conflicts of interest, whistleblowing, rules on the prevention of money laundering and terrorist financing) by translating them into concrete procedures and processes;
2. Reporting to the board of directors and the Bank

• communicating the relevant information and data to the board of directors and/or where applicable to one of its sub-committees, to allow them to monitor the company’s activity;
• implementing the policy established by the board of directors for reporting to the Bank (Article 77, § 7 of the Solvency II Law) and, in this context, submitting the expected prudential information to the Bank. In this respect, the Bank highlights the fact that it is the task of the management committee to approve and provide the Bank with the reporting on the annual and quarterly Quantitative Reporting Templates (QRTs) in accordance with Articles 80, § 5, and 202 of the Solvency II Law. Moreover, the management committee should formally declare annually and half-yearly that the information provided to it in accordance with Articles 312 to 316 of the Solvency II Law (i) is complete, (ii) accurately reflects the situation of the company, taking into account its risk profile, and (iii) is established in accordance with the legal rules and the instructions of the Bank; and
• providing a report at least once a year to the board of directors, the accredited statutory auditor and the Bank on the effectiveness of the governance system (cf. Chapter 14 of this Circular). 

1.3.5. Exemption from the obligation to set up a management committee/senior management

The Bank may grant less significant companies an exemption from the obligation to set up a management committee by virtue of their size and risk profile or of the group to which they belong. Insurance companies that request such an exemption must submit a request, including the reasons, and providing evidence that a ‘senior management’ model is appropriate in view of the nature, scale and complexity of the risks inherent to their business model and their activity.

The company’s management model must in any case pass the test of the following general quality requirements regarding sound governance:

• there is an appropriate segregation between the functions that manage the company’s business and those that supervise it;
• the function of management is entrusted to at least two persons who, without prejudice to an adequate distribution of tasks, operate on a collegial basis[9];
• the specific delegation of competences related to senior management is clearly regulated (for example in the articles of association);
• there is a structured dialogue between the functions that determine the general policy, those that manage the company’s business, and those that supervise it.

[7] The requirement to have the functions exercised separately from each other must be applied proportionally. For significant insurance companies, this means that the three independent control functions should be separated from an organisational perspective (no single person holding multiple control functions simultaneously) and that Chief Risk Officers who are members of the management committee should only be responsible for the compliance function and the actuarial function in a hierarchical sense. For less significant companies, this means that the functions must be separate but that they can be held simultaneously by a single person who is thus appointed as person responsible for multiple control functions, provided that (i) there are no conflicts of interest between these control functions (e.g. avoid having a single person be both ‘maker’ and ‘checker’, and (ii) that this person meets the fitness requirements.

[8]    In the event of accumulation, except in the case of outsourcing, the person responsible for the compliance function (‘N1’) as the person with the most senior operational responsibility for the compliance function, the person responsible for the actuarial function (‘N1’) as the person with the most senior operational responsibility for the actuarial function, and, for the function of risk management, the Chief Risk Officer member of the MC (‘N’) shall be subjected to the Bank’s Fit & Proper screening.

[9] The concept of “senior management” means persons who participate at the highest level in the management of the company, i.e. the executive directors as well as persons who, without having the as directors, are considered by the company to be effective managers because of the direct and decisive influence they can exercise on the management of all or part of the activities of the insurance company. In terms of their social status, senior managers who have the status of director are subject to the same rules as those set out in point 1.2.1. above. The other senior managers will necessarily have employee status, except in the capacity of ‘delegate for daily management’ (for corporate forms where it exists or may exist) and that their quality of senior manager derives exclusively from this quality of ‘delegate to the daily management’.

1.5.1. Tasks

The audit committee has an essential role to play as regards the supervisory function carried out by the board of directors. In accordance with the Solvency II Law (Article 49), which was amended by the Law of 7 December 2016 on the organisation of the profession and the public supervision of auditors, the audit committee is at least responsible for the tasks listed in Article 7:99, § 4 of the CAC, namely:

1° notifying the board of directors of the results of the statutory audit of the annual accounts and, where appropriate, of the consolidated annual accounts as well as clarifying the manner in which the statutory audit of the annual accounts and, where appropriate, of the consolidated annual accounts contributed to the integrity of the financial reporting, and specifying the role of the audit committee in this process;

2° monitoring the financial reporting process and formulating recommendations or proposals to guarantee its integrity;

3° monitoring the effectiveness of the company’s internal control and risk management systems[10] and monitoring the internal audit and its efficiency if there is any;

4° monitoring the statutory audit of the annual accounts and the consolidated annual accounts, which includes following up on the questions and recommendations formulated by the statutory auditor and, where appropriate, by the external auditor responsible for the audit of the consolidated annual accounts;

5° assessing and monitoring the independence of the statutory auditor and, where appropriate, of the external auditor responsible for the audit of the consolidated annual accounts, particularly regarding the merit of providing additional services to the company. The audit committee, together with the statutory auditor, specifically analyses risks to its independence and the safeguards applied to mitigate these risks when the total fees received from a public-interest entity as referred to in Article 1:12 of the CAC exceed the criteria laid down in Article 4(3) of Regulation (EU) No. 537/2014;

6° making recommendations to the company’s board of directors with regard to the appointment of the statutory auditor and, where appropriate, of the external auditor responsible for the audit of the consolidated annual accounts, in accordance with Article 16(2) of Regulation (EU) No. 537/2014.

Additionally, Article 7:99, § 5 of the CAC specifies that the audit committee should report regularly to the board of directors on the performance of its tasks, in any case when the board of directors establishes annual accounts, consolidated annual accounts and, where appropriate, summarised financial statements for publication purposes.

1.5.2. Specific skills profile

In addition to the aforementioned general rules, Articles 48 and 49 of the Solvency II Law stipulate that:

(i) the majority of the members of the audit committee should be independent within the meaning of the Solvency II Law;

(ii) the members of the committee must have collective expertise in the field of the company’s activity as well as in the area of audit and accounting; and

(iii) at least one member of the audit committee must be an expert in the field of audit and/or accounting.

[10]    As regards the relationship between the task of the audit committee to assess the effectiveness of the risk management system and the tasks of the risk committee, it should be noted that these two committees work from a different perspective and base their assessments on different reports: (i) the audit committee assesses the suitability of the internal control processes and procedures, especially on the basis of the reports of the internal audit function and in this respect ensures that the internal control measures contribute to an effective risk management, while (ii) the risk committee is responsible for the assessment of the risk strategy used by the company, the appropriateness of the process for monitoring the risks, the quality of the reports provided by the risk management function (etc.). The tasks of the audit committee and the risk committee that relate to the assessment of the risk management system thereby complement each other: the risk committee assesses the company’s risk strategy and the proper functioning of the risk management function, whilst the audit committee assesses the effectiveness of the internal control system (assessment of the appropriateness of the existing arrangements), as part of the notion of “risk management system”.

1.7.1. Tasks

The remuneration committee shall provide advice to the board of directors so that the incentives created by the remuneration policy are not of a nature so as to induce excessive risks being taken within the company, or behaviour that pursues interests other than the interest of the company and its stakeholders. In accordance with the Solvency II Law, the remuneration committee has the following tasks:

1. giving advice on the company’s remuneration policy;
2. preparing decisions on remuneration, in particular decisions that have consequences for the risks and risk management of the company and on which the board of directors must decide; and
3. exercising direct supervision of the remuneration of those responsible for the independent control functions.

1.7.2. Specific skills profile

In addition to the aforementioned rules, the Solvency II Law stipulates that the remuneration committee must be composed in such a way so as to be able to form a competent and independent opinion on the remuneration policy and supervision thereof. If no remuneration committee has been set up (because the company is not obliged to do so or because it is eligible for an exemption), the board of directors takes on the tasks that would otherwise have been allocated to the remuneration committee, and prevents conflicts of interest arising.