Non-Solvency II Firms – Governance

1.1

Unless otherwise stated, this Part applies to:

1. (1) a non-directive insurer; and
2. (2) subject to 1.2, a Swiss general insurer.

1.2

Only Chapters 3 and 5 to 10 apply to a Swiss general insurer and only in respect of the activities of the firm carried on from a branch in the UK.

1.3

In this Part, the following definition shall apply:

registered branch

means a branch of a registered friendly society which is separately registered within the meaning of the Friendly Societies Act 1974.

2.1

This Chapter only applies to a small non-directive insurer.

2.2

A firm must take reasonable care to establish and maintain such systems and controls as are appropriate to its business.

2.3

A firm must take reasonable steps to establish and maintain adequate internal controls.

2.4

A firm must have in place an effective risk-management system.

2.5

A firm’s risk-management system must ensure that the firm’s governing body is furnished with the information it needs to contribute to identifying, measuring, managing and controlling risks which relate to the safety and soundness of firms.

2.6

A firm must establish and maintain appropriate systems and controls for managing operational risk that can arise from inadequacies or failures in its processes and systems (and, as appropriate, the systems and processes of third party suppliers, agents and others).

2.7

A firm must establish and maintain appropriate systems and controls for the management of its IT system risks.

2.8

A firm must establish and maintain appropriate systems and controls for the management of the risks involved in expected changes.

2.9

A firm must provide for an effective internal audit function.

2.10

The internal audit function must monitor the appropriateness and effectiveness of the firm’s systems and controls.

2.11

The internal audit function must provide independent assurance to the firm’s governing body, audit committee or an appropriate senior manager of the integrity and effectiveness of the firm’s systems and controls.

3.1

This Chapter only applies to a large non-directive insurer and a Swiss general insurer.

3.2

(1) A firm must have in place an effective system of governance which provides for sound and prudent management of its business.

(2) The system of governance must include at least:

(a) an adequate transparent organisational structure with a clear allocation and appropriate segregation of responsibilities; and

(b) an effective system for ensuring the transmission of information.

(3) The system of governance must include compliance with the requirements laid down in:

(a) 3.5

(b) 4 to 10 (as applicable);

(c) Large Non-Solvency II Firms – Fitness and Propriety 2.1 to 2.3, 4.1, 4.3 and 4.4; and

(d) Large Non-Solvency II Firms – Allocation of Responsibilities 4.

(4) The system of governance must be subject to regular internal review.

3.3

A firm’s system of governance must be proportionate to the nature, scale and complexity of its operations.

3.4

A firm must:

(1) have written policies in relation to at least risk management, internal control, internal audit and, where relevant, outsourcing;

(2) make those policies subject to prior approval of its governing body;

(3) ensure those policies are implemented;

(4) review those policies at least annually; and

(5) adapt those policies in view of any significant change in the system or area concerned.

3.5

The written policy on risk management referred to in 3.4(1) must comprise at least the specific policies required by 7.2.

3.6

A firm must take reasonable steps to ensure continuity and regularity in the performance of its activities, including the development of contingency plans, to which end, the firm must employ appropriate and proportionate systems, resources and procedures.

3.7

A firm (other than a Swiss general insurer) must engage a broad set of qualities and competences when recruiting members to the governing body.

3.8

A firm must put in place a policy promoting diversity on the governing body.

3.9

A firm that maintains a website must explain on the website how it complies with the requirements of 3.7 and 3.8.

4.1

This Chapter only applies to a non-directive insurer that is also a non-directive friendly society.

4.2

A firm must take reasonable steps to ensure that it does not carry on activities beyond its powers.

4.3

A firm must take reasonable steps to ensure that it and its registered branches comply with:

(1) any requirements of or under the Friendly Societies Act 1992 or FSMA which relate to the conduct of its insurance business; and

(2) any requirement which is otherwise applicable to its insurance activities.

4.4

A firm must supervise the activities of any:

(1) subsidiary;

(2) jointly controlled body; and

(3) registered branch of the firm;

with due care and diligence, having due regard to the interests of its policyholders and without detriment to the conduct of the firm’s activities.

4.5

A firm must ensure that every jointly controlled body and registered branch complies with:

(1) 2.2 or 3.2, whichever is applicable; and

(2) any applicable requirements of FSMA and the Friendly Societies Act 1992.

4.6

A firm must and must procure that each registered branch:

(1) keeps adequate accounting records; and

(2) establishes and maintains adequate systems of control of its business and records and of inspection and reporting.

4.7

A firm must ensure that the systems of control and of inspection and reporting are adequate to enable the governing body to properly discharge:

(1) the duties imposed on it by or under FSMA, the Friendly Societies Act 1992 or the Friendly Societies Act 1974; and

(2) the functions of direction of the affairs of the friendly society or registered branch.

No such system of control will be treated as adequate unless there is kept available to the governing body a detailed statement in writing of the system as in operation for the time being.

4.8

A firm must ensure that the systems of control and of inspection and reporting ensure that its:

1. (1) activities are conducted; and
2. (2) records that are kept are:
1. (a) sufficiently accurate; and
2. (b) available when required,

to enable the governing body to discharge its duties and functions.

4.9

A firm must within the period of 6 months beginning with the end of each financial year make and send to the PRA a statement of their opinion whether the requirements of 4.6 to 4.8 have been complied with in respect of that year by the firm and the statement must be signed by the chair on behalf of the governing body and by the chief executive.

5.1

A firm must take reasonable care to supervise the discharge of outsourced functions by an outsourced provider.

5.2

A firm must take steps to obtain sufficient information from its outsourced provider to enable it to assess the impact of outsourcing on its systems and controls.

5.3

Before entering into, or significantly changing, an outsourcing arrangement, a firm must:

1. (1) analyse how the arrangement will fit with its organisation and reporting structure, business strategy, overall risk profile and ability to meet its regulatory obligations;
2. (2) consider whether the agreements establishing the arrangement will allow it to monitor and control its operational risk exposure relating to the outsourcing;
3. (3) conduct appropriate due diligence of the service provider's financial stability and expertise; and
4. (4) consider how it will ensure a smooth transition of its operations from its current arrangements to a new or changed outsourcing arrangement, including what will happen on the termination of the contract or following a significant loss of services from the service provider.

6.1

A firm must take reasonable care to make and retain adequate records of matters and dealings (including accounting records) which are the subject of requirements and standards under the regulatory system.

6.2

The records required by 6.1 must be capable of being reproduced on paper and:

1. (1) in English; or
2. (2) if a firm’s records relate to business carried on from an establishment in a country or territory outside the UK, the official language of that country or territory.

6.3

A firm must make and regularly update accounting and other records that are sufficient to enable the firm to demonstrate to the PRA:

(1) that the firm is financially sound and has appropriate systems and controls;

(2) the firm’s financial position and exposure to risk (to a reasonable degree of accuracy); and

(3) the firm’s compliance with applicable rules.

6.4

A firm must retain the records in 6.1 and 6.3 for the longer of either:

(1) three years; or

(2) for as long as they are relevant for the purposes for which they were made.

6.5

A firm must be able to make available the records in 6.1 and 6.3 within a reasonable timeframe when requested to do so by the PRA.

6.6

A firm must keep the records required in 6.1 and 6.3 in the UK, except where:

(1) they relate to business carried on from an establishment in a country or territory that is outside the UK; and

(2) they are kept in that country or territory.

6.7

When a firm keeps the records required in 6.1 and 6.3 outside the UK, it must periodically send an adequate summary of those records to the UK.

7.1

A firm must take reasonable steps to ensure the establishment and maintenance of:

(1) a business plan; and

(2) appropriate systems for the management of prudential risk.

7.2

A firm’s business planning must involve the creation and maintenance of specific risk policies that outline a firm’s strategy and objectives for the identification and management of at least its market, credit, liquidity, reinsurance, operational, insurance and group risks and the processes that it intends to adopt to achieve these objectives.

7.3

When establishing and maintaining its business plan and prudential risk management systems, a firm must document:

1. (1) an explanation of its overall business strategy, including its business objectives;
2. (2) a description of, as applicable, its policies towards market, credit (including provisioning), liquidity, operational, insurance and group risks (that is, its risk policies), including its appetite or tolerance for these risks and how it identifies, measures or assesses, monitors and controls these risks;
3. (3) the systems and controls that it intends to use in order to ensure that its business plan and risk policies are implemented correctly;
4. (4) a description of how the firm accounts for assets and liabilities, including the circumstances under which items are netted, included or excluded from the firm’s balance sheet and the methods and assumptions for valuation;
5. (5) appropriate financial projections and the results of its stress testing and scenario analysis;
6. (6) details of, and the justification for, the methods and assumptions used in financial projections and stress testing and scenario analysis; and
7. (7) its procedures to allow managers to monitor the application and effect of its reinsurance programme.

7.4

A firm’s business plan and risk management systems must be effectively communicated so that all employees understand and adhere to the procedures related to their own responsibilities.

8.1

This Chapter only applies to a large non-directive insurer and a Swiss general insurer.

8.2

1. (1) A firm must have in place an effective internal control system.
2. (2) That system must include administrative and accounting procedures, an internal control framework, appropriate reporting arrangements at all levels of the firm and a compliance function.

8.3

The compliance function referred to in 8.2(2) must include:

1. (1) advising the governing body on compliance with applicable rules; and
2. (2) an assessment of the possible impact of any changes in the legal environment on the operations of the firm concerned and the identification and assessment of compliance risk.

8.4

A firm must have internal processes and procedures in place to ensure the appropriateness, completeness and accuracy of the data used in the calculation of its technical provisions.

9.1

This Chapter only applies to a large non-directive insurer and a Swiss general insurer.

9.2

(1) A firm must provide for an effective internal audit function.

(2) The internal audit function must:

(a) include an evaluation of the adequacy and effectiveness of the internal control system and other elements of the system of governance; and

(b) be objective and independent from the operational functions.

(3) A firm must ensure that any findings and recommendations of the internal audit function are reported to the firm’s governing body which must:

(a) determine what actions are to be taken with respect to each of the internal audit findings and recommendations; and

(b) ensure that those actions are carried out.

10.1

This Chapter only applies to a large non-directive insurer and a Swiss general insurer.

10.2

A firm must provide for an effective actuarial function to:

1. (1) coordinate the calculation of technical provisions;
2. (2) ensure the appropriateness of the methodologies and underlying models used, as well as the assumptions made in the calculation of technical provisions;
3. (3) assess the sufficiency and quality of the data used in the calculation of technical provisions;
4. (4) inform the governing body of the reliability and adequacy of the calculation of technical provisions;
5. (5) express an opinion on the overall underwriting policy;
6. (6) express an opinion on the adequacy of reinsurance arrangements; and
7. (7) contribute to the effective implementation of the risk management system referred to in 7.1.

10.3

The actuarial function must be carried out by persons who have knowledge of actuarial and financial mathematics, commensurate with the nature, scale and complexity of the risks inherent in the firm’s business, and who are able to demonstrate their relevant experience with applicable professional and other standards.