1 Introduction

The systematic increase of legal and supervisory requirements imposed on financial institutions, including insurance undertakings, results in a proportionate increase in their exposure to the risk of financial and non-financial losses due to expectations of supervisory bodies and violations of certain legal obligations. The risk of non-compliance in financial institutions should be defined as the risk of failure to comply with applicable law, internal regulations and accepted standards of conduct.Footnote 1 The above definition was adopted by the Polish Financial Supervision Authority (KNF) in Resolution No. 258/2011 of 4 October 2011 with regard to the banking sector.Footnote 2 However, it seems to have a universal character, applicable also to other financial institutions. In the case of non-compliance, the infringer incurs financial sanctions and can lose its reputation and credibility.

Conducting business activity in accordance with applicable laws, internal regulations and supervisory expectations is undoubtedly part of what makes up safe, stable and prudent governance of an insurance undertaking. The legislators qualify the compliance function in the insurance undertaking as a key function which is a part of the insurance undertaking’s governance system. There is no doubt that, with an increasing number of regulations, the role and significance of the compliance function in the insurance market will systematically become more prominent, as was the case with more developed areas of the financial market.

The aim of this chapter is to attempt to determine the importance of the compliance function in the process of managing the risk of non-compliance in an insurance undertaking through its functioning and organisation within the structures of insurance undertakings. The chapter was drawn up based on the literature discussing this subject matter and in the light of national and European regulations relating to the compliance function in an insurance undertaking. The chapter also considers the Polish supervisory expectations addressed to financial institutions, especially to insurance undertakings, in this respect. Considerations devoted to the risk management process are also presented, taking into account solutions applicable in banks.Footnote 3

2 The Compliance Function in an Insurance Undertaking in the Light of Polish and European Insurance Law and Polish Supervisory Practice

2.1 European Insurance Law

The compliance function in insurance undertakings was separated and shaped because of the entry into force of the Directive of 25 November 2009 on the taking-up and pursuit of the business of Insurance and Reinsurance (Solvency II) (OJ EU L of 17 December 2009).Footnote 4 In the Recitals (No. 30) of Solvency II, the European legislator has clearly indicated that an insurance undertaking’s governance system includes the risk-management function, the internal audit function, the actuarial function and the compliance function. An effective system of governance is essential for proper management of insurance undertakings.Footnote 5 It is worth noting that ineffective internal control systems, of which compliance is an element, were significant fraud factors in banks.Footnote 6 In this context, it is worth pointing out that according to the de Larosière High Level Group report on the future of financial supervision in the EU, corporate governance was among the most important elements underlying the financial crisis.Footnote 7 The management system of the insurance undertaking has been identified as crucial in the light of Solvency II, which states that ‘Some risks may only be properly addressed through governance requirements rather than through the quantitative requirements… An effective system of governance is therefore essential for the adequate management of the insurance undertaking and for the regulatory system.’Footnote 8 The report by Sharma et al. (2002) identified a causal relationship between undertakings that fail and those that are inherently vulnerable due to ‘underlying management weaknesses or operational weaknesses’. Good governance practices and strong risk management are therefore essential aspects of a prudential regulatory framework.Footnote 9

The compliance function in the light of Solvency II is an element of the internal control system, which also includes administrative and accounting procedures, the organisation of internal control and appropriate reporting arrangements at all levels of the insurance undertaking. The compliance function itself, in accordance with Article 46(2) of Solvency II, includes advising the administrative, management or supervisory body on compliance with the laws, regulations and administrative provisions. It also allows for an assessment of the possible impact of any changes in the legal environment on the operations of the undertaking in question, as well as the identification and assessment of compliance risk.

The legal provisions and supervisory expectations impacting the shape of the compliance function in insurance undertakings include, most notably:

  • Commission Delegated Regulation (EU) 2015/35 of 10 October 2014 supplementing Solvency II

  • European Insurance and Occupational Pensions Authority (EIOPA) guidelines on the governance of insurance undertakings

  • International standards for the conduct of insurance business activity and principles of insurance supervision, issued by the International Association of Insurance Supervisors (IAIS)

  • ISO 19600:2014

The international standards for the conduct of insurance business activity and principles of insurance supervision, issued by the International Association of Insurance Supervisors (IAIS), are among the noteworthy regulations impacting the shape of the compliance function in an insurance undertaking. In Guideline 8.4, the IAIS recommends that insurance undertakings should have an effective compliance system in place which is to support the insurer in meeting its legal and regulatory obligations and promote a culture of compliance. To fulfil the above-mentioned task, the management board should adopt a code of good practice which will serve as a reference point for its activities, which are to comply with generally applicable law and accepted ethical standards. The guidelines also refer to the organisation of the compliance function within the structures of the insurance undertaking and the person in charge of that unit (the ‘Chief Compliance Officer’). The person appointed to supervise the compliance function should have direct access to the management board in order to keep it informed about:

  • the most important compliance risks associated with the business activity of the insurer and the measures taken to combat them

  • the assessment of how the various departments and units are meeting the standards and compliance objectives

  • personal problems and conflicts of interest

  • fines and other disciplinary sanctions imposed by the competent authorities on the insurer or its employees

ISO 19600:2014 is certainly a benchmark for entrepreneurs who plan to implement the compliance function, including insurance undertakings. This standard specifies general requirements related to the development of compliance. The ISO standard is applied internationally; however, it should not be regarded as a mandatory requirement to be met by entrepreneurs. Its scope includes recommendations related to the implementation, execution and development of the compliance function. It is based on the principles of good governance, proportionality, transparency and sustainability. The standard indicates that having an effective compliance function enables an organisation to achieve its anticipated business objectives by complying with the law and accepted standards of conduct, as well as ethical standards. The primary task of an organisation in ensuring an effective compliance function is to identify all the requirements associated with its business activity. To that end, it is necessary to perform a self-assessment of the conducted business activity (nature of the activity, services or products provided).

2.2 Polish Insurance Law and Supervisory Practice

The compliance function in Polish insurance law has been clearly distinguished and developed in the structure of insurance undertakings following the European Parliament’s adoption of Directive 2009/138/EC of 25 November 2009 on the taking-up and pursuit of the business of Insurance and Reinsurance (Solvency II) (OJ EU L of 17 December 2009).Footnote 10 This period was certainly a breakthrough for the development of the compliance function in insurance undertakings. Before the adoption of Solvency II, the compliance function was not fully separated and shaped on the Polish insurance market. At that time, the tasks of the compliance function were performed by the legal unit, the risk unit or the internal audit unit.Footnote 11 This is essential for the proper governance of insurance undertakings.Footnote 12

The separation and shaping of the compliance function in the insurance undertakings took place because of the entry into force of Solvency II. Its final shape, from the perspective of insurance undertakings operating in Poland, was determined by the Act of 11 September 2015 on Insurance and Reinsurance Activity,Footnote 13 which implemented Solvency II into Polish law. The above-mentioned regulations introduced an obligation to establish the compliance function in insurance undertakings from 1 January 2016.

The role of the compliance unit is defined in Article 64(2) of the Act on Insurance and Reinsurance Activity. Pursuant to this provision, the compliance function covers:

  • advising the undertaking’s management and supervisory board on the compliance of conducting insurance or reinsurance business activity with the law

  • assessing the possible impact of any changes in the legal status on the undertaking’s operations

  • identifying and assessing the risk of non-compliance with laws, internal regulations and standards of conduct adopted by the undertaking

At the same time, the compliance function has been qualified as an element of the insurance undertaking’s management system, in addition to the risk management function, the internal audit function and the actuarial function, whose combined task is to ensure proper and prudent management of the insurance undertaking. The person supervising the compliance function has been classified as a person playing a key role within the insurance undertaking. Such a qualification determines this person’s obligation to meet certain requirements such as:

  • having full legal capacity

  • having higher education obtained in Poland or obtained in another country, which constitutes higher education within the meaning of the relevant provisions of that country

  • not being convicted of an intentional crime or an intentional fiscal offence by way of a final court judgement

  • having the professional experience necessary to supervise the key function

  • guaranteeing that tasks are performed properly

Of the above-mentioned requirements, the KNF attaches particular importance to the need for the person supervising the compliance function to have the professional experience necessary to perform this function and to guarantee due performance of tasks.Footnote 14 In the opinion of the supervisory authority, those criteria should be assessed in the light of the principle of proportionality, taking into account the scale and complexity of the activities of the insurance undertaking or the risks to which it is exposed, as well as some kind of projection of the functions of the person in question based on that person’s previous professional experience. In particular, this involves an assessment of the professional experience the person has acquired hitherto, including any irregularities found in his or her area of responsibility. The supervisor is of the opinion that ‘human actions are repetitive and, once a person has committed irregularities, the risk that they will be committed by that person in the future is significantly higher’. The question whether the candidate for the person supervising the compliance function meets the requirements is assessed not only by the statutory bodies of the insurance undertaking, i.e. the management board and the supervisory board, but also by the audit committee. In the opinion of the supervisor, these bodies should not only assess the candidate’s technical qualifications, but also determine whether the person in question has the ability to perform the compliance function independently. Each of the above-mentioned bodies of the insurance undertaking should actively assess the candidate and should not limit itself to an automatic acceptance of the candidate based on the management board’s recommendations.

At this point it should be noted that the KNF’s recommendations do not constitute generally applicable law but are an expression of supervisory expectations directed at insurance or reinsurance undertakings with regard to their activities. Supervisory expectations are also expressed in the form of positions or communications addressed to a specific group of recipients. A supervisory recommendation itself constitutes an indication of what conduct of the insurance or reinsurance undertaking is approved by the supervisory authorities and hence will not be challenged by the KNF.Footnote 15 As a consequence, recommendations constitute an expression of the KNF’s perception of certain areas of an insurance undertaking’s business activity, and actions of the supervised entity to the contrary may, in situations specified in legal regulations, result in the initiation of supervisory activities.Footnote 16 However, it should be emphasised that mere non-compliance of an insurance undertaking with a recommendation cannot constitute the basis for imposing supervisory sanctions by the KNF. A circumstance which constitutes grounds for the application of supervisory instruments by the KNF is violation of applicable provisions of law. However, it is possible that a specific recommendation adopts the content of a legal standard.Footnote 17 The Corporate Governance Principles for supervised institutions issued by the Polish Financial Supervision Authority should also be mentioned among the most notable provisions of law and supervisory expectations affecting the development of the compliance function in insurance undertakings.

3 Organisation and Tasks of the Compliance Function in the Insurance Undertaking

3.1 Tasks and Structure

The provisions of law do not interfere in a detailed manner in how the compliance function is developed and operated in the organisational structure of the insurance undertaking.Footnote 18 The existing legal requirements concerning the compliance function in insurance undertakings concentrate on essential aspects related to the exercise of that function, such as the obligation to establish compliance, a description of the role and tasks of that function and the criteria to be fulfilled by the person who is to supervise the exercising of that function.Footnote 19 However, in accordance with EIOPA’s guidelines on the governance of the insurance undertaking, the obligation to establish a compliance function does not entail the separation of that function from other key functions within the organisational structure of the insurance undertaking.Footnote 20 Nevertheless, considering the tasks and essence of the individual key functions, it does not seem that combining these functions within one organisational structure could contribute to their greater effectiveness. Additionally, in the light of the three lines of defence concept, it is even impossible to combine some key functions of an insurance company, as is the case with the internal audit function.Footnote 21

The detailed tasks for the compliance function in an insurance undertaking and the manner of their performance are specified in Article 270 of Commission Delegated Regulation (EU) No. 2015/35. In the light of this provision, the compliance function in the insurance undertaking:

  • establishes rules and a plan to ensure compliance with provisions of law:

    a) The principles on ensuring compliance specify the tasks, competences and reporting obligations assigned to the compliance function.

    b) The compliance plan describes the planned activities of the compliance function, which cover all relevant areas of insurance and reinsurance undertakings’ business activity and their exposure to non-compliance risk.

  • assesses the adequacy of measures adopted by the insurance or reinsurance undertaking to prevent non-compliance with provisions of law

An insurance undertaking’s failure to establish the compliance function may be sanctioned by the Polish Financial Supervision Authority through supervisory measures specified in the Act on Insurance and Reinsurance Activity. The compliance structure of the insurance undertaking itself should be based on an appropriate and clear division of tasks which ensures an effective decision-making process, prevents conflicts of interest and provides an effective information system.Footnote 22 At the same time, in line with the principle of proportionality, the compliance system should be adequate to the nature, scale and complexity of the business activity of the insurance undertaking in question. A proportional compliance system should ensure its effective implementation.Footnote 23

When developing the compliance function in an insurance undertaking, it is also worth considering the KNF’s position of 20 August 2018 on the role and importance of the implementation of the compliance function by insurance and reinsurance undertakings.Footnote 24 In the vision of the compliance function presented by the supervisor, the KNF draws attention to the fact that the core of this function consists in ensuring compliance with the broadly understood legal regulations, including regulations on the prevention of money laundering, personal data protection, as well as ensuring compliance with supervisory recommendations. Implementation of the statutory task of the compliance function, i.e. ensuring compliance with the law, should not interfere with any additional tasks carried out by that function, such as those related to the implementation and application of internal regulations which are in force in the capital group to which the insurance undertaking belongs. In the opinion of the supervisor, establishing a compliance unit in which tasks other than ensuring legal compliance are prioritised is unacceptable. Such prioritisation of tasks by a shareholder may be deemed as an unauthorised influence on the compliance function’s autonomy.

The concept of function under Solvency II should be understood as an opportunity to undertake practical tasks.Footnote 25 In view of the above, the primary role of the compliance unit is to coordinate non-compliance risk management in a manner ensuring a level of risk acceptable from the perspective of the security of the insurance undertaking. As part of developing the compliance system in an insurance undertaking, consideration should also be given to its model, i.e. whether compliance should be part of the internal control system, as set out in Article 64(1) of the Act on Insurance and Reinsurance Activity, or whether compliance should be understood more broadly as part of the risk management system. In the Act on Insurance and Reinsurance Activity, the Polish legislator adopted the rule of separating the compliance function from the risk management function. However, the compliance function is classified differently by the Polish Financial Supervision Authority, which, in its Corporate Governance Principles for supervised institutions, does not determine whether this function is only an element of the internal control system or whether it also includes a risk management system.Footnote 26 Thus, it seems that this way it leaves some freedom to financial institutions, including insurance undertakings, in how they choose to organise the compliance function within their internal structures. The above-mentioned concept of understanding the compliance system by financial supervision was also expressed in Resolution No. 258/2011 of the KNF addressed to the banking sector.Footnote 27

On the compliance unit’s place in an insurance undertaking’s organisational structure, certain supervisory expectations expressed both in the framework of the Corporate Governance Principles for supervised institutions and the positions of the KNF of 16 February 2016 on requirements for the governance system of an insurance/reinsurance undertaking and of 2 August 2018 on the role and importance of the compliance function of insurance and reinsurance undertakings should be mentioned.Footnote 28 Pursuant to Article 47 of the Corporate Governance Principles, ‘1. The supervised institution should develop and implement an effective, efficient and independent function for ensuring the supervised institution’s compliance with laws and internal regulations and should take into account supervisory recommendations. 2. The compliance function should be organised in a manner guaranteeing the independent performance of tasks in this respect’. In view of the above, the Polish Financial Supervision Authority expects that financial institutions, including insurance undertakings, will develop the compliance function within their structures in a way ensuring its independence and effectiveness.

The compliance function, as part of an insurance undertaking’s governance system, is also subject to a supervisory review by the BION. As part of the assessment of this field, the KNF verifies whether the compliance function implemented by the insurer is adequate to the nature, scale and complexity of the undertaking’s business activity and whether the insurer has ensured its integration into the undertaking’s organisational structure and decision-making processes. Furthermore, the KNF assesses whether the insurance undertaking carries out mitigation activities in the field of the compliance function, as declared.Footnote 29

It is also worth mentioning that under the Corporate Governance Principles, the status of the head of the compliance unit equals that of the head of the internal audit unit. At the same time, the aforementioned persons should be able to communicate with the management board, supervisory board and the audit committee directly. Consequently, they should be able to report directly to these bodies. In the light of the Corporate Governance Principles, the KNF expects the head of the compliance unit as well as the head of the internal audit unit to participate in the meetings of the management and supervisory board or audit committee whenever issues related to the internal control system, internal audit function or compliance function are discussed. It should also be emphasised that under the Corporate Governance Principles, the appointment or dismissal of the head of the compliance unit takes place with the approval of the supervisory board or audit committee. In addition, it is worth mentioning that the insurance undertaking is obliged to inform the supervisory authority about changes in the position of the person supervising the compliance function within seven (7) days from the date of such a change. The KNF may also, by way of a decision, prohibit a person from supervising the compliance function if it has been determined that the person in question does not meet the requirements set out in the Act on Insurance and Reinsurance Activity.

The KNF also expects that members of the management board will not combine their functions with supervision of other key functions, i.e. the compliance function, the risk management function, the internal audit function and the actuarial function.Footnote 30 The KNF underlines the different nature of the duties imposed on the management board and the duties of the persons supervising other key functions in the insurance undertaking. In the opinion of the supervisory authority, the role of persons supervising other key functions, including the compliance function, is to provide advice and expertise to members of the management board. Similarly, EIOPA sees the role of the persons supervising the other key functions in line with its guidelines for an insurance company’s governance system, which indicate that the AMSB (administrative, management or supervisory body) interacts with the senior management and key function holders—including the audit, compliance, actuarial and risk management—‘proactively requesting relevant information from them and challenging that information when necessary’.Footnote 31

3.2 Responsibility for Irregularities of the Compliance Function

In the light of the KNF’s position, irregularities of the compliance function give rise to liability on the part of both the persons supervising the performance of the key function and the president of the management board and other members of the management board. Possible sources of irregularities in the functioning of the compliance function include an inadequate organisational structure, an inefficiently organised management system, an incorrect organisational and risk management culture, flawed attitudes of the managers in the insurance undertaking or, finally, a lack of independence and objectivity in the functioning of the compliance function.

There should be no doubt that the liability of the person supervising the compliance function, as well as that of the members of the management board of the insurance undertaking in connection with irregularities in the operation of that function is of an administrative and legal nature, which may be based on a breach of certain provisions of the Act on Insurance and Reinsurance Activity. Violation of provisions of law itself is one of the prerequisites for the KNF to apply the supervisory measures referred to in Article 362(1) of the Act on Insurance and Reinsurance Activity in connection with Article 362(2) (1) of the Act on Insurance and Reinsurance Activity. In the light of these provisions, one of the supervisory measures that the KNF is entitled to is the possibility to impose a financial penalty on a member of the management board if an insurance undertaking conducts business in violation of the law.

3.3 Role of the Compliance Function

When creating the compliance unit of an insurance undertaking, the following models can be adopted as a reference (analogous to those existing in banksFootnote 32):

  • A central model where responsibility for the entire compliance risk management process lies with the compliance unit, which cooperates with the other units of the insurance undertaking, including in particular business and operational units. It is directly subordinated to the management board of the insurance undertaking.

  • A hybrid model in which all units of the insurance undertaking are involved in the process of managing the risk of non-compliance. The compliance unit is in this case responsible for the comprehensive assurance of compliance and the comprehensive process of managing the risk of non-compliance. In particular, it is reflected in the monitoring and verification of business units within the scope of their activities and reporting to the management board and supervisory board.

  • A distributed model in which the compliance function is performed by all units of the insurance undertaking. In this model, the compliance unit is only an intermediary in the transmission of information to the management board or even becomes redundant.

The choice of the compliance function model is at the discretion of the insurance undertaking. At the moment, there is no legal requirement for an insurance undertaking to adopt a specific compliance function model. However, when choosing a compliance function model, the insurance undertaking should apply the principle of proportionality. In line with that principle, the choice of the model should be appropriate to the nature, scale and complexity of the business activity of the insurance undertaking in question.

Some guidelines on the model of the compliance function that should be in place in an insurance undertaking have been indicated by the KNF in the Corporate Governance Principles. In the light of Article 47(2) and Article 49 of those Principles, the compliance unit should participate in the process of managing the risk of non-compliance. This role should focus more on coordinating the process itself, reporting to the supervisory board and the management board and providing expertise to these bodies.Footnote 33 In this context, it seems that a hybrid model is the supervisor’s preferred compliance function model. The above-mentioned position seems to be in line with the so-called three lines of defence model adopted in Solvency II, in line with which the compliance unit is the process owner for managing the risk of non-compliance, while business and operational units are the owners of the risk itself. In keeping with the three lines of defence model, the compliance function plays an advisory and coordinating role in the process of managing the risk of non-compliance through its monitoring and management. The role of the compliance function itself should not consist in accepting an identified non-compliance risk or in accepting it on behalf of the decision-making processes of business units or the Management Board.Footnote 34 In this context, the exertion of pressure on the compliance function through existing formal or informal mechanisms for this purpose should be criticised particularly strongly.Footnote 35 A key element in guaranteeing the independence of the compliance function is ensuring it is organised in a manner that prevents its employees from being influenced by the possibility of a detrimental effect on their employment situation.Footnote 36

The literature on the subject matter underlines that the compliance function should clearly indicate the boundary conditions which should not be exceeded by business and operational units.Footnote 37 At the same time, it should be stipulated that when an insurance undertaking creates the compliance function, the relevant legal requirements and supervisory expectations with respect to that function should be considered. At this point it should be pointed out that while in the case of legal requirements, the insurance undertaking is obliged to comply or otherwise face potential sanctions, in view of the supervisory expectations expressed in the form of positions or recommendations, the undertaking has a certain degree of discretion in their implementation based on the ‘comply or explain’ principle. Consequently, when establishing the compliance function, an insurance undertaking may, based on the principle of proportionality, decide to organise that function differently than recommended by the supervisory authority, provided that it is justified by the nature, scale and business activity of the undertaking.

In relation to the characteristics of the compliance function, it should be stated that, in the light of Article 64(2) of the Act on Insurance and Reinsurance Activity, all legal regulations, including internal regulations, which affect or may affect the activity of an insurance undertaking should be of interest to that entity. In the context of the scope of the regulations that apply to the business activity of an insurance undertaking, it should be stated that the so-called hybrid model is the optimal model for the implementation of the compliance function.Footnote 38 As indicated above, in this model, the compliance function is performed by all units of the insurance undertaking, and the compliance unit coordinates the compliance process and the process of managing the risk of non-compliance on the systemic level across the insurance undertaking. There is no doubt that the particular focus of an undertaking’s compliance unit should lie primarily on the legal provisions strictly governing insurance activity and on the regulations whose breach generates the greatest risk. In the activity of insurance undertakings, these include the following areas:Footnote 39

  • compliance of the undertaking’s business activity with the provisions of the Polish and EU law and recommendations of supervisory institutions and other entities which have impact on practices in force on financial markets

  • prevention of money laundering, terrorist financing, corruption and other abuses on the part of customers, employees and contractors, safeguarding of legally protected secrets

  • protection of confidential information and personal data, supervision of the confidential information flow

  • management of conflicts of interest

  • assurance that the company’s employees will follow the ethical code and relevant market practices

  • establishment of principles of ethical conduct when conducting an insurance activity

  • advertisement of insurance products

  • receipt of reports, investigation procedures, development of standards to protect employees who report irregularities (including whistle-blowers)

  • management of operational risk in the compliance area

  • contacts with supervisory authorities, including the distribution of the correspondence sent by that authority and replying to its enquiries

  • issues related to insurance outsourcing

  • participation in the development of new business models or the creation of new products, taking into account the applicable regulations and appropriate communication

  • supervision of the policy on the receipt and distribution of gifts by employees and on the organisation of events in which customers participate

  • training and information campaigns for employees in the field of compliance culture

3.4 Selected Models of Compliance Functions in European Insurance Undertakings

3.4.1 PZU Group

According to the SFCR report for 2018 published by PZU SA,Footnote 40 the Compliance Department is responsible for shaping the PZU Group’s compliance system while ensuring its consistency across all levels within the PZU Group. PZU’s Compliance Department reports to the Company’s Management Board and Supervisory Board on all events occurring at the level of both PZU and the subsidiaries with which agreements on cooperation and exchange of information have been entered into. Recommendations issued by the Compliance Department at PZU as part of its activities and compliance analyses are subject to a monitoring process. In each PZU Group company, the compliance function is arranged based on uniform and consistent standards developed at the PZU level in consideration of the ‘proportionality principle’, that is, taking into account the scale and specific nature of the pertinent PZU Group company. The internal regulations in place delineate the extent and nature of the activities of the compliance function, including regular reporting by the subsidiaries’ compliance units to PZU’s Compliance Department, and then by PZU’s Compliance Department to the PZU Management Board and Supervisory Board. This notwithstanding, the subsidiaries’ compliance units also report to their own management boards or supervisory boards. The compliance function in PZU Group companies is objective and independent. The most significant powers of PZU’s Compliance Department in the area of compliance risk in the PZU Group are as follows:

  • analysing and participating in the process of deploying systemic solutions in all functional areas of PZU Group companies and ongoing business processes in terms of compliance risk

  • initiating and recommending changes in systemic solutions and analysed processes in place at PZU Group companies ensuing from compliance analyses

  • ensuring coordination and uniform solutions in deploying the compliance function and managing compliance risk in the PZU Group

  • consulting and cooperating with subsidiaries to ensure uniform solutions in deploying the compliance function in the PZU Group, fulfilling reporting obligations arising from the Supplementary Oversight Act and adopting a consistent approach of the PZU Group’s regulated subsidiaries to the preparation of responses to inquiries sent by the Polish Financial Supervision Authority systemically to regulated entities

  • consulting and exchanging information with subsidiaries to ensure consistency in the process of compliance risk identification and assessment

  • conducting systemic compliance analyses in PZU Group companies based on internal regulations, cooperation agreements and policies

  • system-level reporting on compliance risk in the PZU Group

  • monitoring observance of the standards of conduct, including ethical standards, in consideration of the best practices adopted in PZU Group companies

As part of the exchange of information and cooperation with subsidiaries in the compliance function, PZU’s Compliance Department participates in the deployment, in these companies, of uniform standards and key methodological solutions. The formal basis for cooperation in the compliance function is provided by agreements on cooperation and exchange of information and by the provisions of the PZU Group’s Compliance Policy, which define in detail the rules, extent and nature of such cooperation between PZU and its subsidiaries.

3.4.2 Generali Group

According to the SFCR report for 2018 published by Assicurazioni Generali S.p.A.,Footnote 41 the compliance function has the responsibility to advise the Administrative, Management or Supervisory Body on compliance with laws, regulations and administrative provisions, including those adopted pursuant to the Solvency II Directive for insurance and reinsurance Group companies. The compliance function also advises on other laws, regulations and administrative provisions, including the Group Code of Conduct and Group policies. Moreover, the compliance function has the responsibility to assess the possible impact of any changes in the legal environment on the operations of the relevant Group company and to identify and assess compliance risk, including the adequacy of the measures adopted to prevent non-compliance.

Assicurazioni Generali S.p.A., in its capacity as parent company of the Generali Group, has adopted the ‘Group Compliance Management System Policy’, which sets out the fundamental rules on how compliance must be embedded in daily operations and how the compliance function must be implemented. In this respect, the above-mentioned policy defines the operating model of the global compliance function across the Group.

In particular, the core processes included under the compliance operating model are the following:

  • risk identification

  • risk evaluation

  • risk mitigation

  • risk monitoring

  • reporting and planning

The risk identification process is aimed at ensuring that the requirements arising in connection with both the internal and the external regulations are identified and allocated under the responsibility of the relevant operational functions.

The risk evaluation process is aimed at assessing, also from a forward-looking perspective, the risk to which each Group company is exposed and the adequacy of the internal control system for achieving its goals. The compliance function, together with the risk management function, performs and supports risk owners in risk assessment activities and ensures that Group methodologies are applied.

The risk mitigation process aims at ensuring the adoption of all measures necessary for the correct implementation of the requirements set out by internal and external regulations. In particular, the compliance function ensures, in cooperation with the operational functions, that appropriate training programmes for all employees are delivered on a regular basis, that internal regulations and procedures are defined and that minimum standards for controls are identified.

The risk monitoring process aims at maintaining an up-to-date picture of the ability of the Group company to manage compliance risks. This process consists of the collection and periodic analysis of specific data and indicators that ensure the effective deployment of such risk monitoring.

The reporting process aims at ensuring that appropriate information flows towards Senior Management and the Administrative, Management or Supervisory Body of each Group company are in place in such a way as to allow these parties to make decisions that consider the level of exposure of the Group company to compliance risks and to assess the adequacy and effectiveness of their internal control systems in managing such risks.

3.4.3 Allianz Group

According to the SFCR report for 2018 published by Allianz Group,Footnote 42 key tasks and activities of the compliance function include:

  • Advising the Board of Management on compliance with laws, regulations, and regulatory requirements applicable to the Allianz Group (external requirements) as well as on the potential impact of material changes in the legal environment

  • Identifying and assessing compliance risk (the risk of legal or regulatory sanctions, material financial losses and/or reputational damage that Allianz SE or the Allianz Group might sustain as a result of non-compliance with external requirements)

  • Monitoring of appropriate and effective internal procedures to ensure compliance with material external requirements applicable to the Allianz Group

  • Observing and analysing developments in the legal environment and evaluating the potential impact of material changes to the legal environment on the Allianz Group

The compliance function reports to the Board of Management on current compliance issues as and when required, but at least once a year.

The compliance function is a core component of the Allianz Group’s Internal Control System. Fulfilment of the compliance function’s duties is ensured by the compliance department of Allianz SE (Group Compliance).

4 Management of the Risk of Non-Compliance in an Insurance Undertaking on the Example of Solutions Existing in Poland

In the light of Article 50(2) of the Corporate Governance Principles issued by the Polish Financial Supervision Authority, the process of risk management in financial institutions consists of individual, interrelated activities. The process was regulated in a similar way in the Regulation of the Minister of Development and Finance of 6 March 2017 on the risk management system and internal control system, remuneration policy and detailed estimation of internal capital in banks (Journal of Laws of 2017, item 637). At the same time, attention should be paid to the supervisory expectations concerning the process of managing the risk of non-compliance in banks expressed in Recommendation H on the internal control system in banks. While these regulations and supervisory expectations are addressed to banks, they can provide a reference point for illustrating the model of the process of managing the risk of non-compliance that may be applied in insurance undertakings. In the light of Article 37(4)-(8) of the above-mentioned Regulation, the responsibilities of the compliance unit include:

  • identification of the risk of non-compliance, in particular through the analysis of legal regulations, the bank’s internal regulations, market standards and the results of internal investigation procedures conducted by the compliance unit

  • assessment of the risk of non-compliance by measuring or estimating that risk

  • development and implementation of mechanisms for controlling the risk of non-compliance based on an assessment of the risk of non-compliance

  • monitoring of the extent and profile of the risk of non-compliance following the application of mechanisms for controlling the risk of non-compliance

  • the periodic submission of reports on non-compliance risk to the management and supervisory board or audit committee, if the latter has been appointed

4.1 Identification of the Risk of Non-Compliance

The first component of the process of managing the risk of non-compliance is its identification. The purpose of this activity is to identify the areas where the risk of non-compliance may occur. For this purpose, the compliance unit should have guaranteed access to the relevant sources of information on the business and operational activities of the insurance undertaking. Only in this way will the compliance function be able to perform its tasks independently and objectively.Footnote 43 This may be achieved, for example, through the participation of the compliance unit in the work on the implementation or modification of the products offered by the insurance undertaking. Moreover, the participation of the compliance unit in this process is required by the Polish Financial Supervision Authority in the light of its recommendations on the product management system. In line with Recommendation 11, ‘the Undertaking should carry out detailed analyses of products before they are placed on the market and each time when there are changes in the target customer group or significant changes in products’. As part of product analyses, the insurance undertaking should carry out a qualitative analysis consisting of an assessment of compliance with the applicable laws, the guidelines and recommendations of the supervisory authority and the internal regulations adopted by the Undertaking, an analysis of whether clauses that have been deemed prohibited contractual clauses, or analogous clauses, are present in the products, and an analysis of the potential risks associated with the product, including those relating to the inadequacy of the premium offered by the undertaking. However, the process of changing or implementing the products offered by the undertaking should not be the only source of information on potential risks of non-compliance.
In its Recommendation H on the internal control system in banks, the Polish Financial Supervision Authority also distinguishes the following basic sources of information which should be used in the identification of risk of non-compliance (in line with Recommendation 15.2):

  • changes in provisions of law, internal regulations and market standards

  • registers and documentation maintained by the bank (e.g. register of operational risk losses)

  • information obtained from other organisational units as part of the performance of their duties, including in particular as part of their independent monitoring process

  • findings of the compliance unit made in connection with the ongoing verification and testing carried out by that unit

  • results of internal investigation procedures conducted by the compliance unit or other organisational units of the bank

  • irregularities identified by the bank in all three lines of defence

  • information from an anonymous infringement notification channel

  • findings resulting from supervisory activities performed by authorised institutions (e.g. the KNF) and from activities performed by other authorised institutions (e.g. the Consumer Protection and Competition Office, the Financial Ombudsman)

4.2 Assessment of the Risk of Non-Compliance

The second component of the process of managing the risk of non-compliance is risk assessment, also called risk analysis, measurement or estimation. Risk assessment is performed once a risk has been identified and consists in estimating that risk.Footnote 44 Nevertheless, the risk of non-compliance is a risk that is difficult to measure. Qualitative methods, consisting of expert risk measurement carried out by compliance officers, are therefore crucial in its assessment. This assessment results in the determination of the level of the identified risk (e.g. high, medium or low) based on an established procedure or methodology. In this sense, the assessment of the risk of non-compliance may consist in an estimation of the amount of financial and non-financial losses that an insurance undertaking may incur if those risks materialise. These losses may result from fines imposed by regulators such as the Consumer Protection and Competition Office or the Polish Financial Supervision Authority. For example, in the case of an identified risk of non-compliance consisting in a potential breach of the collective interests of consumers, the penalty that the President of the Consumer Protection and Competition Office may impose if that risk materialises amounts to up to 10% of the turnover achieved in the financial year preceding the year in which the penalty is imposed. This does not include the losses that may arise from litigation with particular clients, or the losses resulting from a loss of credibility among clients. The following methods should be distinguished as part of the assessment of the risk of non-compliance (in line with the KNF’s Recommendation 16.2 on the internal control system in banks):

  • self-assessment of risk

  • scenario analyses

  • analyses of regulatory gaps

  • indicators of the risk of non-compliance

4.3 Control of the Risk of Non-Compliance

The use of risk mitigation mechanisms is the next step in the process of managing the risk of non-compliance. These mechanisms have a preventive function: the purpose of the control mechanisms is to minimise the risk of non-compliance.Footnote 45 In the light of Article 36(1) of the Regulation of the Minister of Development and Finance of 6 March 2017 on the risk management system and internal control system, remuneration policy and detailed estimation of internal capital in banks, the following types of control mechanisms should be distinguished:

  • procedures

  • division of responsibilities

  • authorisation, in particular the authorisation of financial and economic operations

  • access control

  • physical inspection

  • process of recording financial and economic operations in accounting, reporting and operational systems

  • stocktaking

  • documentation of derogations

  • performance indicators

  • training

The risk control mechanisms defined by the KNF in Recommendation H on the internal control system (Recommendation 7.2) are also noteworthy:

  • analysis of new products and services introduced to the bank’s offer

  • analysis of modifications to these products and services and analysis of the sales processes of these products and services, in terms of compliance with provisions of law, internal regulations and market standards

  • issuance of detailed guidelines by the compliance unit

  • coordination of the process of informing about changes in laws, internal regulations and market standards

  • participation in key implementation projects, in the context of ensuring compliance with the provisions of law, internal regulations and market standards (provided that the independence of the compliance unit in the testing process is not affected)

  • performance or commissioning of training to the extent indicated by the compliance unit

  • determination of non-compliance risk indicators

4.4 Risk Monitoring

Monitoring of the identified and assessed risk of non-compliance aims to determine whether the applied risk mitigation mechanisms have reduced the likelihood of the risk materialising and whether the level of that risk is acceptable from the perspective of the risk management strategy adopted by the insurance undertaking. Risk monitoring should also be perceived as a check on the prior stages of the process of managing the risk of non-compliance. The purpose of this activity is also to demonstrate to the management and supervisory board whether the level of the risk of non-compliance is acceptable. The instruments for risk monitoring include the following:Footnote 46

  • compliance tests

  • surveys, including self-assessment surveys

  • evaluation of the maturity of the compliance model

  • performance indicators (e.g. the percentage of trained employees, processed customer complaints and requests, the pace of implementation and performance of internal recommendations and post-inspection recommendations of the supervisor)

4.5 Reporting to the Management Board and the Supervisory Board

Reporting constitutes the final element of the process of managing the risk of non-compliance. As part of this activity, the compliance unit should inform the management and supervisory board on a regular basis (monthly, quarterly and annually) and on an ad hoc basis (e.g. following internal investigation procedures) of the level and profile of the risk of non-compliance within the insurance undertaking. At the same time, the reports should contain information on the individual components of the process of managing the risk of non-compliance, including the identified risks of non-compliance, their assessment, the applied control mechanisms and the results of monitoring of those risks. To ensure transparency, cyclical reports should be provided to both the management board and the supervisory board.

5 Conclusions

The main aim of the chapter was to determine the importance of the compliance function in the process of managing the risk of non-compliance by examining the functioning and organisation of this unit within the structures of an insurance undertaking. The aim of the compliance unit, as well as of the process of managing the risk of non-compliance itself, should be to reduce the risk by ensuring adequate mitigation actions. In this context, the role of compliance should be perceived not as a restriction on business development, but as an opportunity to prevent significant financial losses resulting from the materialisation of the risk of non-compliance. Effective implementation of the compliance function allows both operating and business units to make informed decisions on risk acceptance. This is of particular importance in an era of systematic growth of the legal and supervisory requirements applicable to financial institutions, including those addressing the risks associated with the conduct of business and relationships with customers (conduct risk). This results in a proportionate increase in insurance undertakings’ exposure to the risk of incurring significant financial and non-financial losses due to their violation of specific obligations.

Given the above, it should be concluded that ensuring the compliance of an insurance undertaking’s business activity with applicable laws, internal regulations and supervisory expectations is undoubtedly part of the safe, stable and prudent management of an insurance undertaking. Conscious management of the risk of non-compliance also helps to reduce reputational risk, which is particularly important for financial institutions, which are expected to enjoy public trust. The organisation of compliance units is a matter of interest to the Polish Financial Supervision Authority, which draws attention to the fact that irregularities with regard to that function give rise to liability on the part of the person supervising that function as well as the members of the management board of the insurance undertaking. There is no doubt that, with increasing regulation, the role and importance of the compliance function in the insurance market will continue to grow systematically, as has been the case in more developed fields of the financial market.