The set-up of a Solvency II insurer's key functions, including allocation of the responsibilities for those key functions, at least meets the following three criteria to safeguard their operational independence:
a) Key functions are segregated from each other and from other functions.
b) Key functions are not structured hierarchically in relation to each other or in relation to other functions, except to a member of the administrative and management body (typically the management board).
c) Key functions are at all times and without intervention by others able to report to the administrative and management body and, if present, to the supervisory body (typically the supervisory board).
A Solvency II insurer's system of governance includes the following four key functions:
- the risk management function
- the compliance function
- the actuarial function
- the internal audit function
The aim of key functions is to exert countervailing power with respect to business units pursuing insurance activities, so as to ensure sound and ethical operational management. In the widely used three lines of defence model, the risk management, compliance and actuarial functions are the second line, the internal audit function is the third line, while the insurance activities take place in the first line. In such a set-up, the four key functions operate independently, both from the first line and from each other. The key functions’ operational independence does not preclude effective collaboration with other functions and key functions.
This Q&A document sets out the aspects DNB verifies in terms of the operational independence and proportional set-up of a Solvency II insurer's key functions.
Small and medium-sized insurers can deviate from criteria a) or b), or from both, if this is proportionate to the nature and complexity of their operations. The nature and complexity of their operations depend on several interconnected factors, which include:
- the type and number of different products and services provided
- whether or not primary operations are outsourced
- the legal and organisational structure
- in the case of a group:
  - the number of entities within the group and their size
  - the number of insurers within the group and their size
  - the nature of the entities and insurers within the group, i.e. whether the products and services they provide are similar or different
- the number of countries in which an insurer operates and how it does so, i.e. through branch offices, subsidiaries or cross-border service provision
- the average maturity of its liabilities
Large insurers can also deviate from criteria a) or b), or from both, but only if this is proportionate to their nature and if their operations are not very complex. DNB considers it unlikely for such deviations to be appropriate for large or complex insurers, however.
If an insurer deviates from criterion a) for reasons of proportionality, meaning it combines a key function with another function or key function, it ensures that a key function does not control or audit its own activities.
Insurers deviating from criterion a) or b), or both, safeguard that each of the key functions is free of influences that could affect its ability to perform its duties in an objective, fair and independent manner. This applies to all insurers, irrespective of the nature, scale and complexity of their operations. After all, proportionality does not exempt insurers from specific statutory requirements such as the operational independence of their key functions. Insurers cannot deviate from criterion c).
Key functions and the administrative and management body
The ultimate responsibility for an insurer's key functions rests with the administrative and management body. Nonetheless, its members can also bear direct responsibility for a key function, for example to safeguard its status and authority. This could be the case, for example, for the risk management function. If this is the case, an insurer considers how such responsibility for a key function relates to the key function's operational independence on the one hand and the collective responsibility of the administrative and management body on the other. Conversely, if no member of the administrative and management body bears direct responsibility for a key function, the insurer ensures that its key functions have the status and authority needed.
If an insurer has allocated the responsibility for a key function to a member of the administrative and management body, other key functions may still report to that member, provided that the insurer takes measures to safeguard the operational independence of those key functions.
Documentation: substantiation of set-up
Irrespective of the set-up of its key functions, an insurer demonstrates that this is adequate and documents its substantiation. The nature and extent of such substantiation is also proportionate to the nature, scale and complexity of the insurer's operations.
In its substantiation, an insurer answers at least the following questions:
- Why is any deviation from criteria a) and b) considered proportionate, given the nature, scale and complexity of the insurer's operations?
- How does the organisational structure opted for ensure that the key functions are able to perform their duties in an objective, fair and independent manner and that all persons who perform key functions are fit and proper?
- If persons who perform the internal audit function also perform other functions or key functions:
  - How does the insurer safeguard that such persons will not have any conflicts of interest?
  - What evidence shows that maintaining persons for the internal audit function who do not perform other functions or key functions would entail costs disproportionate to the insurer's total administrative expenses?
An insurer evaluates on a periodic basis whether its governance system is adequate and effective. The aspects evaluated also include the design, existence and operating effectiveness of the key functions.
An insurer evaluates at least once yearly its policies for specific elements in the governance structure, such as the risk management system, the other internal control systems (compliance and actuarial) and internal audit. This policy evaluation should provide input for the more widely-scoped evaluation of the governance system.
Lastly, the insurer’s supervisory category determines DNB’s expectations with regard to the depth and frequency of the evaluation. We expect large, complex insurers to perform more in-depth and more frequent evaluations than small and medium-sized, non-complex insurers.