Johannes Gutenberg University, Mainz, Germany
10.2.1 The Relationship of Compliance Under the Insurance Supervisory Regime to Compliance Under General Company Law
10.2.2 The Solvency II Directive
10.4 The Task of Compliance Under the Insurance Supervisory Regime and the Compliance-Related Requirements
10.4.1 Underlying Principles
10.4.2 General Legal Monitoring
10.4.3 Advising the Managing Board
10.5.2 Company Officials?
This chapter addresses the compliance function under art. 46, para. 1 of the Solvency II Directive. The first items to be addressed here are the normative bases of compliance under the insurance supervisory regime and its conceptual content. Then, the tasks and relevant requirements for compliance under the insurance supervisory regime are identified. The chapter concludes by examining the function of compliance under the insurance supervisory regime of the Solvency II system.
First published as “Begriff, Aufgaben und Rechtsnatur der versicherungsaufsichtsrechtlichen Compliance nach Solvency II” [in English: Definition, Tasks, and the Legal Nature of Compliance under the Insurance Supervisory Regime of Solvency II], VersR (2013), 929 ff.
“If you think compliance is expensive, try non-compliance”. This well-known statement1 demonstrates on the one hand the necessity of compliance by and within undertakings in general and thus also by and within insurance undertakings.2 On the other hand it discloses the potentially boundless nature of compliance and similarly the threat potential—particularly as to legal liability—posed to the implementation of the concept of compliance and does so evidently more than existing and quite convincing factual arguments. In this context of sometimes exaggerated perceptions of compliance, it is understandable that concerns would arise within the business community, culminating in the view that any person active in business practically would need to have a compliance officer peering over his or her shoulder.3 The dispositive response, however, is to establish a culture of compliance in undertakings that is conjoined with its opportunities and outcomes. This is so because these permit none but a positive picture.4
An overview of this positive view of compliance leads first to the recognition that the economic activity of the undertakings and their employees is conditioned upon a system of open markets, markets based on freedom and equality of all who participate in the economy. This means, in other words, acting within the bounds established by law. Since compliance aims at action in accordance with the law, it contributes to values-oriented business management. This is so for two reasons: First, compliance ensures the concrete business model of the undertaking, including consistent compliance with the undertaking’s own internal rules. Second, it ensures entrepreneurial freedom, which otherwise would be increasingly hemmed in with remedial legislation brought on by a growing number of infringements in commerce. Action in accordance with the law not only protects employees themselves, for example, from the employment and legal liability consequences of avoidable errors on the job. In addition, such action protects and preserves the reputation of the undertaking. Note the familiar statement of Warren Buffet:
It takes more than 20 years to build up a reputation, but only 5 minutes to ruin it.
And finally, more and more undertakings subjected to infringements by other undertakings are discovering a new, reversed role for compliance. First, compliance can become a tool for settling up for damages that have occurred. In addition, future harm can be prevented or at least financially minimized by a forward-looking strategy in contracts, such as an integrity clause or a liquidated damages provision.
From a beginning in general company law,5 the concretization of duties and limits for compliance has quickly found application to supervised undertakings in the financial services fields, i.e., to insurance undertakings, lending institutions, and bond/securities services undertakings.6 This is so because compliance within these sectors was and is deemed particularly necessary on account of their significance for the economy in general.
The different aspects of compliance in the financial services sector leads to numerous legal questions. This article examines three basic compliance questions pertaining to the insurance supervisory regime. A preliminary matter is to ascertain how mandatory compliance under the insurance supervisory regime is placed (10.2, below). Proceeding upon this basis, the discussion turns to delineating the term “compliance under the insurance supervisory regime” (10.3, below). Such discussion will not, however, complete the description of compliance under the insurance supervisory regime. Therefore, the task of compliance under the insurance supervisory regime and the pertinent requirements will be delineated (10.4, below). Finally, against the foregoing background, this article will examine the legal nature of compliance under the insurance supervisory regime (10.5, below).
10.2 The Legal Bases of Compliance Under the Insurance Supervisory Regime
10.2.1 The Relationship of Compliance Under the Insurance Supervisory Regime to Compliance Under General Company Law
There is fundamental agreement, although controversial as to its provenance, that under general company law a legal duty of compliance for all undertakings already exists independently of the special law relating to supervised undertakings. There is, however, dispute about the provenance of this duty.7 Such a duty derives above all from the managing board’s duty under sec. 91 para. 2 of the AktG [German Stock Corporation Act]
to establish a monitoring system such that developments that threaten the continued existence of the company may be identified at an early stage,8
from the managing board’s general leadership responsibility under secs. 76 and 93 of the AktG [German Stock Corporation Act],9 or from the overall rules pertaining to organization and supervision of undertakings.10 The provenance is therefore of great but unfortunately largely overlooked practical significance, since only placement of the duty of compliance in sec. 91, para. 2 of the AktG [German Stock Corporation Act] would lead to inclusion of compliance in audit and reporting according to sec. 317, para. 4 and sec. 321, para. 4 of the HGB [German Commercial Code].11 In the present context the issue concerning the basis in company law for a duty of compliance can be left open as well is the generally disputed issue of a company-law-based duty to create a compliance organization.12 The same accounts to the issue of the scope of certain rules of the DCGK [German Corporate Governance Code] relating to compliance, namely no. 4.1.3 and no. 5.3.2, if the special insurance supervisory regime is superimposed on general company-law rules irrespective of their debatable scope.13
10.2.2 The Solvency II Directive
The Solvency II Directive is central to compliance under the insurance supervisory regime.14 Under Recital 30 and art. 13, no. 29 of the Solvency II Directive, “the system of governance includes… the compliance function”.15 Art. 40 of the Solvency II Directive—in German company-law terminology in substance also sec. 76, para. 1 of the AktG [German Stock Corporation Act]—imposes upon the managing board “the ultimate responsibility for compliance, by the undertaking concerned, with the laws, regulations, and administrative provisions adopted pursuant to this Directive”. Art. 46, para. 1 of the Solvency II Directive requires further, i.a., “an effective internal control system” (ICS), that includes, from the German-language version, “a function for compliance with the requirements (‘compliance function’)”.16 Individual tasks of the compliance function are addressed in art. 46, para. 2 of the Solvency II Directive in the following language:
The compliance function shall include advising the administrative, management or supervisory body on compliance with the laws, regulations and administrative provisions adopted pursuant to this Directive. It shall also include an assessment of the possible impact of any changes in the legal environment on the operations of the undertaking concerned and the identification and assessment of compliance risk.
10.2.3 The Draft of the Solvency II Implementing Regulation
Art. 260 SG8 of the draft of an implementing regulation (hereafter: DVO)17 contains the following rules relating to the compliance function for the insurance supervisory undertakings:
The compliance function of insurance and reinsurance undertakings shall include a compliance policy and a compliance plan. The compliance policy shall define the responsibilities, competencies and reporting duties of the compliance function. The compliance plan shall set out the planned activities of the compliance function which take into account all relevant areas of the activities of insurance and reinsurance undertakings and their exposure to compliance risk.
The duties of the compliance function shall include assessing the adequacy of the measures adopted by the insurance or reinsurance undertaking to prevent non-compliance.
In the context of the report on solvency and financial condition, as specified in art. 51 of the Solvency II Directive,18 art. 285 PDS4, para. 5 d of the DVO draft adds the obligation to describe how the compliance function is implemented. Following a parallel track, and in conformity with the required supervisory reporting to the supervisory authority under art. 35 of the Solvency II Directive,19 art. 297 SRS4, para. 5c of the DVO draft requires reporting on the undertaking’s internal compliance guidelines prepared pursuant to art. 260 SG8 of the DVO draft, on the process for reviewing these guidelines, on the frequency of review, and on all significant changes pertaining to the guidelines.
Independently of the compliance function, art. 258, para. 3, SG8 of the DVO draft sets up a rule for all key functions. The rule affects the right for access to information and reads as follows:
The persons performing a function shall be able to communicate at their own initiative with any staff member and shall have the necessary authority, resources and expertise and that they have unrestricted access to all relevant information necessary to carry out their responsibilities.
In addition, art. 258, para. 4 of the DVO draft requires all persons performing a key function—in this context the compliance function—to report any major problem in their area of responsibility to their managing board. The area of responsibility is determined with the German dual system.
Group supervision with centralized risk management under art. 236 of the Solvency II Directive is subject to further requirements under art. 335 CRM1, para. 1 b and para. 2 c of the DVO draft. These requirements address the exercise of the compliance function by the parent undertaking in respect of the subsidiary. A number of undertaking groups, however, have their head offices outside the EU. In such cases, under art. 260 of the Solvency II Directive, supervision of the insurance undertakings licensed in the EU is limited to a review of equivalence relating to supervision. There is an exception for situations in which the Commission previously has made a general determination concerning the equivalence of the supervisory system in the outside country. The criteria applicable to a review of equivalence are found in art. 368 GTCE1 of the DVO draft. Under para. 1 j, one of the criteria is whether the undertaking group is required to establish and maintain a compliance function. And finally, art. 358 RTCE1, para. 1 h of the DVO draft, concretizing art. 172 of the Solvency II Directive, also sets rules for the equivalence requirements for reinsurance undertakings headquartered in outside countries to the extent the compliance function is involved.
10.2.4 The CEIOPS Guidelines on the System of Governance
In December 2010, CEIOPS, the predecessor of EIOPA, presented a “Draft proposal for Level 3 Guidelines on the System of Governance”.20 These so-called Level 3 rules on the insurance supervisory regime in the Solvency system contain numerous specifics relating to compliance under the insurance supervisory regime and the Solvency II Directive. Consideration of this text, however, must be guided by a dual recognition: first, that this text appeared before the issuance of the DVO draft; and, second, Level 3 Guidelines cannot alter the substance of the DVO draft, inasmuch as it is a Level 2 scheme.21
At the outset, in point no. 1.14, the Governance Guidelines describe the compliance function as follows:
The compliance function has to perform a number of compliance-activities to promote the undertaking’s compliance with applicable laws and regulatory requirements and enhancing staff awareness.
This supplements no. 3.155 of the Governance Guidelines, under which the compliance function is to identify, assess, monitor, and report the compliance risk exposure of the undertaking. In no. 3.156, the Governance Guidelines define compliance risk
as the risk of legal or regulatory sanctions, material financial loss or loss to reputation an undertaking may suffer as a result of not complying with laws, regulations and administrative provisions as applicable to its activities.
No. 3.157 of the Governance Guidelines notes that compliance activities focus on examining and promoting the undertaking’s compliance with applicable laws and regulatory requirements. This is followed in no. 3.158 by a list of representative activities for the compliance function of an insurance undertaking. Among these, no. 3.158 g requires at least annual reporting to the “management body” on compliance issues.
Further, Guideline 8 of the Compliance Guidelines presupposes that undertakings will devise written company guidelines22 that will set out the obligation of the organizational units to inform the governance function, including the compliance function, of all facts relevant for the discharge of their duties.23 Guideline 40 likewise addresses compliance policy. Besides the requirement to have such compliance guidelines in insurance undertakings, it directs that the compliance policy should comply with the undertaking’s General Governance—Written policies.
Guideline 41 addresses the compliance plan. Insurance undertakings should produce such a plan annually, which should describe the compliance work to be undertaken. The plan shall ensure that all relevant areas of the undertaking are appropriately covered, taking into account their susceptibility to compliance risk.
10.2.5 The EIOPA Guidelines on the System of Governance
On 27 March 2013, EIOPA issued the Proposal for “Guidelines on the System of Governance”. These serve expressly as preparation for the application of Solvency II in the transition before the Directive takes effect. The Guidelines do not provide a detailed layout of the compliance function, such as they do for the other key functions. In nos. 1.21, 1.22, and 1.28, the Guidelines mention only the duty to establish a compliance function at the level of the individual undertaking and of the group, to the extent group supervision is applicable. In addition, the Guidelines require that the undertaking’s guidelines in turn require the other units to inform the compliance function of all facts material to the performance of its duties, thus repeating superfluously a rule already prescribed in the DVO draft. The Explanatory Text accompanying the proposed Guidelines goes no further. It includes in no. 1.199 only the statement that a single incidence of external support for compliance under the insurance supervisory regime will “ordinarily” not constitute outsourcing under the insurance supervisory regime.
10.2.6 The VAG-RegE [Government’s Draft of a Tenth Act Amending the Insurance Supervision Act]
The VAG-RegE [Government’s Draft of a Tenth Act Amending the German Insurance Supervision Act]24 includes rules on compliance under the insurance supervisory regime initially in sec. 8, no. 11, with the definition of functions. In agreement with the Solvency II Directive, among these functions is the compliance function.25 Sec. 24, para. 1, sent. 1, the VAG-RegE [Government’s Draft of a Tenth Act Amending the German Insurance Supervision Act] specifies “a business organization” that, i.a., will ensure “compliance with the laws, regulations, and supervisory requirements which insurance undertakings must observe”. Further, sec. 29 of the VAG-RegE [Government’s Draft of a Tenth Act Amending the German Insurance Supervision Act] implements the requirement of art. 46, para. 1 of the Solvency II Directive. Paragraph 1 identifies the compliance function as an element of the Internal Control System (hereafter: ICS). Sec. 29, para. 2 of the VAG-RegE [Government’s Draft of a Tenth Act Amending the German Insurance Supervision Act] then governs the tasks of the compliance function as follows:
The compliance function includes advising the managing board on compliance with the laws and regulations applicable to the operation of the insurance business. In addition, the compliance function shall assess the possible impact of any changes in the legal environment on the undertaking and shall identify and assess the risk (compliance risk) associated with infringement of legal requirements.
In accordance with the principle of proportionality,26 the rules of the Directive shall be “applied proportionately” to small insurance undertakings. This is controlled by art. 29, para. 4 of the Solvency II Directive.
Art. 4 of the Solvency II Directive defines insurance undertakings of limited economic significance and excludes them from the scope of its coverage. This definition is implemented in German law by sec. 198 of the VAG-RegE [Government’s Draft of a Tenth Act Amending the German Insurance Supervision Act]. Section 199, para. 3, no. 7 of the VAG-RegE [Government’s Draft of a Tenth Act Amending the German Insurance Supervision Act] excludes “small insurance undertakings” from the provisions of sec. 29, paras. 1 and 2 of the VAG-RegE [Government’s Draft of a Tenth Act Amending the German Insurance Supervision Act], to the extent that these “need not maintain a compliance function”.
The VAG-RegE [Government’s Draft of a Tenth Act Amending the German Insurance Supervision Act] as conceived gives the same treatment to insurance holding companies, a treatment not supported by European law. This is expressed in the government’s draft through the omission of any reference to sec. 29 in sec. 276, para. 1.27
10.2.7 The Government’s Draft of the German Banking Ringfencing Act
In February 2013, the German Federal Government presented the “Government’s Draft of an Act on Shielding against Risks and on Planning for Reorganization and Winding-up of Credit Institutions and Financial Groups”.28 In the interim, this Act has been passed. This Act contains a new sec. 64 a, para. 7 of the German Insurance Supervision Act, which in part raises the MaRisk VA [Minimum Requirements for Risk Management (Insurance Supervision)] to the level of a statute. This has raised numerous issues, as has the corresponding penal provision of the government’s draft with a new sec. 14229 of the German Insurance Supervision Act. Yet independently of these issues, according to sec. 64 a, para. 7, no. 2 a of the German Insurance Supervision Act (Draft), “the organizational structure as a rule should provide for a clear demarcation of functions between the establishment of fundamental risk positions and their review and monitoring”. This has an impact as well on compliance under the insurance supervisory regime.
10.2.8 MaRisk BA [Minimum Requirements for Risk Management (Banking Supervision)]
On 14 December 2012, the BaFin [Federal Financial Supervisory Authority] presented new MaRisk BA, which for the first time contain a submodule AT [General Part] 4.4.2 on the compliance function and which took effect on 1 January 2013.30 In seven points, the MaRisk BA address numerous issues whose parallel is also to be found in the insurance arena.
10.2.9 MaComp VA [Minimum Requirements for the Compliance Function (Insurance Supervision)]?
In the area of securities supervision, the BaFin [Federal Financial Supervisory Authority] published Circular 4/2010 (WA) “Minimum Requirements for the Compliance Function and Additional Requirements Governing Rules of Conduct, Organization and Transparency pursuant to Sections 31 et seq. of the Securities Trading Act (Wertpapierhandelgesetz – WpHG) for Investment Services Enterprises”. The present MaComp WA contain in BT 1 requirements “directed to the compliance function of the bond/securities services enterprise”.31 This is a second revised version of 31 August 2012 consisting of 24 closely printed pages. In this context it is questionable whether the BaFin should also fashion minimum requirements for compliance under the insurance supervisory regime, to be called, presumably, MaComp VA.
In BT 1, the MAComp WA spend three pages dealing with three subject areas, all under the general heading “Position and Tasks of Compliance”: first, under the main heading “Status”, the individual subjects “Independence”, “Effectiveness”, and “Permanence”. Then under the main heading “Responsibilities of the compliance function” are listed eleven points on this subject. Finally, they briefly address the “Relationship with the BaFin [Federal Financial Supervisory Authority]”.
Applying differential diagnostic analysis to the insurance supervisory regime shows that neither an occasion, a competence, nor a need exists for a corresponding MaComp VA. To begin with, there is no comparable point of departure. Investment services enterprise personnel charged with the compliance function under the WpHG [German Securities Trading Act] and the corresponding European law requirements are oriented toward combating insider trading32 and thus have a differing function and status33 from those who exercise the compliance function in insurance undertakings. In addition, the MaComp WA address only bond/securities trading out of the entire field of activity of bond/securities services enterprises.34 Added to this is the fact that beyond its legal provisions, the Solvency II Directive expressly presumes the right of insurance undertakings to organize key functions themselves and thus also their compliance function.35 In addition, particularly for compliance under the insurance supervisory regime, art. 260 SG8, para. 1, sent. 2 of the DVO draft confers on insurance undertakings themselves autonomy in forming their own internal compliance policy. This power is granted subject to mandatory requirements such as those found in art. 258 SG6, para. 3 of the DVO draft.36 Since the DVO draft here means the “responsibilities, competencies, and reporting duties of the compliance function”, insurance undertakings generally have the freedom to provide the concrete content relative to their own operations. Their employment of this freedom can of course be monitored after the fact in the Supervisory Review Process.37 Any additional curtailing of this operational freedom by BaFin [Federal Financial Supervisory Authority] circulars on compliance under the insurance supervisory regime would thus be inconsistent with this freedom and with Directive requirements.
Further, the BaFin [Federal Financial Supervisory Authority] would lack competence to issue a circular on MaComp VA. This is so because the content of the MaComp WA does not deal with the self-description of individual administrative practices, but with concrete, detailed requirements to addressees of the circular, such as was the case with the previously issued MaRisk VA. The Solvency II Directive allows disclosure only of “the general criteria and methods…used in the Supervisory Review Process as set out in art. 36”. This restriction appears in the Directive at art. 31, para. 2 b and is implemented in sec. 312, paras. 1 and 2, no. 2 of the VAG-RegE [Government’s Draft of a Tenth Act Amending the German Insurance Supervision Act]. Providing concrete content to art. 46 of the Solvency II Directive on the compliance function by national supervisory authorities below the fourth regulatory level, “national implementing act”, in the form of a fifth regulatory level, “national supervisory directives”, is thus not permissible in the Solvency II system. In addition, such a procedure would impugn the creation of “supervisory convergence…also in respect of supervisory practices”, as required by Recital 40 of the Solvency II Directive and likewise by art. 71, para. 2, sent. 1 of the Solvency II Directive.38
Finally, there also would be no corresponding need for MaComp VA. Subjects such as the tasks and independence of the compliance function, the duty of notice, fit-and-proper requirements as to staff members, and reporting lines have already received detailed treatment in the proposals for Level 2 and Level 3 rules. Thus, the specific elements of compliance under the insurance supervisory regime as demanded by full harmonization39 have now been fully addressed by the European legislator to the limit of that legislator’s intent. It is now up to the national legislator to implement these requirements. Tertium non datur.
10.3 The Definition of “Compliance Under the Insurance Supervisory Regime”
The phrase “compliance under the insurance supervisory regime” is not defined in the Solvency II system. It is often primarily understood from an organizational point of view. While diverging somewhat at the level of concrete descriptions, a prevalent view holds that compliance is “the sum of the organizational precautionary provisions put in place by an organization to ensure continuing effective conduct in accordance with the law by the undertaking and by any persons acting on behalf of the undertaking”.40 Compliance under the insurance supervisory regime is thus located within the law concerning the organization of undertakings.41 Indeed, this is reflected in the fact that compliance is part of the “business organization” by virtue of sec. 64, para. 1, sent. 1 of the VAG [German Insurance Supervision Act]. The VAG [Insurance Supervision Act], however, does not content itself in the present law on rules for business organizations, but goes on to emphasize the rules’ substantive objective, namely, “compliance with the laws, regulations, and supervisory requirements that they [viz., the insurance undertakings] are bound to observe”.
Art. 46, para. 1, subpara. 2 of the Solvency II Directive makes it clear that compliance under the insurance supervisory regime is likewise part of the undertaking’s organizational system, namely, the ICS. The Solvency II Directive, however, like the applicable portion of the VAG [German Insurance Supervision Act] singles out the task of the mandatory compliance function.42 This is, under art. 46, para. 1, subpara. 2 of the Solvency II Directive, “monitoring compliance with the requirements”.43 Under paragraph 2 of this provision, the compliance function also “shall include advising the administrative, management or supervisory body” on matters of compliance. Under the German corporate law dual system this means advising the managing board.
Further, the compliance function includes an assessment of the possible impact of any changes in the legal environment on the operations of the undertaking concerned and the identification and assessment of the risk arising from non-compliance with the requirements of the law (compliance risk).44
The very wording of this provision in its listing shows that the term “compliance under the insurance supervisory regime” even under the Solvency II Directive must be understood not only in terms of the law concerning organizations, but also as having equal weight in matters affecting tasks and powers, i.e., matters of substantive law.45 This means that the compliance function is assigned to the legality duty of the undertaking’s management.46 But the insurance supervisory regime does not contend with a perfect organization for compliance under the insurance supervisory regime. After all, the organization is but a means to an end, with the end being performing the function which from a legal point of view is set for the task of compliance under the insurance supervisory regime. There is another continuing contested issue at work here: whether under general company law a managing board is under an organization-law duty with respect to compliance, contrasted with the question of the existence of a substantive compliance duty.47 Even if the Solvency II requirements resolve this question in favor of establishing the duty of compliance as a matter of organization law with respect to insurance undertakings, the controversy discloses under general company law both the distinction between and the independence of the two aspects of the term “compliance under the insurance supervisory regime”.
Seen against this background, the term “compliance under the insurance supervisory regime” contains a combination of both organizational and substantive law requirements. Thus, the definition of the term must take account of both elements and is properly stated as compliance by insurance undertakings with the requirements of the law on the basis of organizational measures appropriate and adequate to the purpose. The characteristic of adequacy follows from the effective operation of the principle of commensurability or proportionality. This principle in the form of a horizontal clause arises from Recital 19 and art. 29, para. 3 of the Solvency II Directive and controls the totality of the insurance supervisory regime.48 The principle is thus directly applicable to compliance under the insurance supervisory regime. This is true both for the organization of compliance under the insurance supervisory regime and for the fulfillment of its task.49
10.4 The Task of Compliance Under the Insurance Supervisory Regime and the Compliance-Related Requirements
10.4.1 Underlying Principles
10.4.1.1 The Area of Operation of Compliance Under the Insurance Supervisory Regime and Its Hierarchy
Previously in this chapter,50 four areas have been identified in which compliance under the insurance supervisory regime is operational under the Solvency II Directive51: These areas may be conceptually categorized as general legal monitoring, advice of management, evaluation of the risks arising from changes in the law,52 and evaluation of the compliance risk.53 The areas of operation of the compliance function, however, are not of equal import and are not exhaustive. Rather, the Solvency II Directive itself arranges them in hierarchical order and supplies a non-exhaustive list. This has not been recognized, however, in previous legal treatises on compliance under the insurance supervisory regime, which treatises rather took an early, undifferentiated approach to the “four subfunctions” of the compliance function54 and thenceforward uncritically conformed to this classification.55 This issue also has significant practical import for the extent and depth of activities in the compliance function of the insurance supervisory regime.
The ICS, under art. 46, para. 1, subpara. 2, of the Solvency II Directive includes within the compliance function the general tasks of “monitoring compliance with the requirements”. Thus, from the legal point of view, compliance under the insurance supervisory regime has only this one central task. But as shown in art. 46, para. 2 of the Solvency II Directive, this can be separated out into several subtasks. In this provision, the Directive identifies three subtasks: advising the management body, assessment of the possible effect of changes in the legal environment, and the assessment of compliance risk. By including the phrases “zählt auch” and “umfasst ebenfalls” in the German language version, art. 46, para. 2 of the Solvency II Directive demonstrates that these three subtasks serve only as examples. Other official language versions of the Directive support this view. Thus, the English language version has “shall include” and the French has “dans le cadre de cette fonction” and “comprend également”. Along with the subtasks given as examples in the Directive, compliance under the insurance supervisory regime also includes such further subtasks as the identification and assessment of legal risks and advising management on methods and means to avoid or mitigate such risks.56
The Solvency II Directive is limited to identifying the central task of compliance under the insurance supervisory regime and giving examples of certain tasks included in that function. Thus quite properly there is no comprehensive concrete description of how the function is to be performed. And on the one hand, the Directive takes account of the freedom of internal organization emphasized by Recital 31 in conjunction with the elaboration of the key functions. On the other hand, there has arisen in the interim a series of tools generally recognized as efficacious for performing compliance functions for any compliance, i.e., independently of assignment to category of the insurance supervisory regime. It is therefore not apparent that this need be taken up into the Directive. Even though expressed in varying terminology, these tools are analyzable in the triad of instruction, preventive monitoring (including advice), and coercive sanctions.57 For example, in the subtasks advice and evaluation of compliance risk, the Solvency II Directive manifestly operates within this system.
10.4.1.2 The Principle of Materiality and the Task of Compliance Under the Insurance Supervisory Regime
The principle of materiality is a prime characteristic of the new supervisory system under the Solvency II Directive in those areas where it applies. In reference to the previously mentioned task of compliance under the insurance supervisory regime, concretized in the Solvency II Directive itself, the question arises whether the principle of materiality applies also to performance of the compliance task. An additional consideration is that the principle of legality per se requires unconditional application. Thus upon initial consideration, it might appear that application of the principal of materiality consigns the compliance function and the principle of legality to a relative status not provided for in the Solvency II system. Along with the principle of proportionality58 to be addressed below and the potential for a decentralized compliance organization,59 it is precisely the principal of materiality that is put forward as a means to address the oft-feared hypertrophy of compliance under the insurance supervisory regime.60
In the Solvency II system,61 the principle of materiality means that any applicable supervisory requirements are not applied dogmatically, but in a qualitative fashion with a view to the essence of the particular matter at issue. This applies not only for side issues, but also for core issues, such as orientation to risk, the quality of the system of governance, and compliance with the Solvency Capital Requirement.62 Thus, unlike the principle of proportionality discussed below,63 the principle of materiality is not a legal requirement in the sense of a horizontal clause overarching the insurance supervisory regime. Rather it is related to matters of fact, i.e., its application is restricted to the 19 particular places in the text of the Directive where it is included.64 The implication of this for compliance under the insurance supervisory regime is that the principle of materiality is a prior consideration to the “compliance with the requirements” as a task, to the extent it affects definite requirements. General legal monitoring by the compliance function of the insurance undertakings cannot exceed the requirements themselves.
Essentially, the principle of materiality restricts the task of compliance under the insurance supervisory regime not generally, but only selectively. It is of no importance for the function of compliance under the insurance supervisory regime whether legal requirements for the insurance industry are material or non-material. Cafeteria health regulations are an example of non-materiality often mentioned by those in the industry. Restriction of the task to monitoring only “material” deficiencies with regard to legal requirements is to be found only in the instances enumerated in the statutes. Beyond this, there is no legal obligation in compliance under the insurance supervisory regime for a highly inclusive degree of monitoring, one that purports to cover all legal requirements. Such a degree of monitory is frequently abhorred in the insurance industry and, further, would be neither reasonable nor achievable. Only the principle of proportionality and not the principle of materiality can form the basis for a proper concretization of tasks.
10.4.1.3 The Principle of Proportionality and the Function of Compliance Under the Insurance Supervisory Regime
The principle of proportionality affects the overall insurance supervisory regime in the Solvency II system other than the principle of materiality. It constitutes thereby an insurance supervisory regime horizontal clause, which also forms a substantive part of compliance under the insurance supervisory regime and its performance.65 The starting point here is that in accordance with Recital 18, sent. 2 of the Solvency II Directive not only the “actions taken by the supervisory authorities” with the objective of “effectiveness of supervision”, but in a consistent manner also the internal monitoring activities already put in place by the insurance undertakings66 must “be proportionate to the nature, scale and complexity of the risks inherent…”. This alone shows, taking up again the discussion relating to the cafeteria example which is prevalent in the industry,67 that monitoring of such requirements by compliance under the insurance supervisory regime despite the unrestricted application of the principle of legality in all areas cannot and should not be on a par with legal requirements, such as those for capital investment68 or solvency capital.69
An additional foundation for the principle of proportionality is to be found in Recital 19 and art. 29, para. 3 of the Solvency II Directive. Under this authority, the “requirements” of the Directive should not “be too burdensome for small and medium-sized insurance undertakings”. Further, in alignment with Recital 18, sent. 2 of the Solvency II Directive the strictures of the Directive generally shall be “applied in a manner which is proportionate to the nature, scale and complexity of the risks inherent in the business of an insurance or reinsurance undertaking”. And ultimately the principle of commensurability applies as well in the general area of company law compliance, where despite conceptual differences in the present context, the effect is the same. The significance of this principle is that only legally and factually suitable, feasible, required, and adequate measures and action shall be undertaken.70
The principle of proportionality entails concrete consequences for the task of compliance under the insurance supervisory regime. These consequences relate to the performance of this task with respect to factual situations as well as to time and location. Each of these three dimensions requires that the performance of the task be concretely designed for the individual undertakings, on the basis of the principle of proportionality. From the factual perspective, this signifies ranking the subjects monitored according to their exposure to risk. This is to be combined with the impact of a risk occurrence on maintaining “continuity and regularity” in insurance undertakings’ performance,71 as emphasized and required by the Solvency II Directive72 for general governance requirements. This is illustrated by the example already given of legal requirements for the various performance areas of an insurance undertaking. This required hierarchical approach, then, covers the extent of the performance of compliance under the insurance supervisory regime, ranging from monitoring the totality of legal requirements for insurance undertakings in the area of their subject matter to monitoring requirements in particular areas highly susceptible to risk only.
In similar fashion, however, this task of hierarchical ranking gives something up to the insurance undertakings with respect to the thoroughness of their performance of compliance. This spectrum may range from compliance measures directed toward complete monitoring to mere plausibility checks on the one hand and from unannounced monitoring measures to such measures as would always be fixed far in advance on the other hand. And further, where time considerations are involved, the period of regular monitoring procedures must be established, as must the occasion for additional ad hoc measures.
Ultimately, the managing board of the insurance undertaking is principally responsible for this task description and for establishing the monitoring measures. The appropriate place for these provisions to be recorded is in the undertakings’ guidelines,73 which are also compliance-related, and in the concrete compliance plan.74
10.4.1.4 The Task-Related Requirements for the Holder of the Compliance Function in the Insurance Undertakings and for the Managing Board as Monitoring Body
Key function holders in the Solvency II system must be not only personally reliable (“proper”) but also factually suitable (“fit”).75 The task of general legal monitoring, which the holder of the compliance function must perform, is of broad extent. This task has repercussions also for the subject-specific profile requirements for the occupant of such a position. Improper filling of such a position has legal consequences not only for the individual involved, but also for the managing board which filled the position. In the case of an obviously poor choice, the “fitness” of the hiring board members may justly be called into question. The same applies to later negligent monitoring.
It strongly appears that the task of general legal monitoring requires that the holder of the compliance function must have completed a legal education and have an aptitude for the legal profession.76 Individual subtasks such as the required advice of the managing board in matters pertaining to the insurance supervisory regime further outline the profile requirements. These differentiate the profile for the holder of the task of compliance within undertakings subject to the insurance supervisory regime from the profile requirements applicable to a compliance officer under general company law. In this latter area, there is some sentiment that exclusively lawyers should serve77 and other views that at least “legal guidance”78 from outside parties is required, with such legal guidance being sought based on the compliance officer’s own legal knowledge. The background, then, is first the core task of “general legal monitoring” and the subtasks emphasized in the Directive of advising the managing board concerning the insurance supervisory regime. The holder of the function of compliance under the insurance supervisory regime is ultimately responsible for performing these duties. A further background feature is evaluating risks arising from changes in the legal environment. Against this background, it appears that compliance under the insurance supervisory regime is significantly more marked by legal features than general company-law derived compliance already is. Consequently, the result is that, contrary to the latter, the former compels the requirement to assign the task to an individual with an appropriate legal education.
To the extent, however, that they may be required to have a “comprehensive competence in the insurance supervisory regime”,79 this would miss the mark as to what is actually achievable and legally to be expected. If this criterion were to be applied, for want of appropriate legal experts in Germany only a very few insurance undertakings would be able to find suitable holders of the compliance function, i.e., individuals possessing “comprehensive” insurance supervisory regime expertise. In fact, the principle of proportionality has an effect also upon the insurance supervisory regime profile requirements for holders of the insurance supervisory regime compliance function. Pars pro toto, i.e., transferable to other legal competence areas, this means two things: First, the amount of prescribed supervisory knowledge and experience is likewise characterized by the triad of “nature, scale and complexity” of the risks80 existing in the insurance undertaking. And second, resort may be had at need to outside (insurance supervisory) legal advice, as follows from the potential of continuing and far-reaching outsourcing of the compliance function.
In sum, the qualification profile for a holder of the insurance supervisory regime compliance function appears as follows: First, with respect to the job description and the related fitness criterion it is imperative but also sufficient to require a full legal education.81 If there are multiple holders of the insurance supervisory regime compliance function, it will suffice that one of them meets this criterion. Second, it is to be expected that all holders will possess knowledge and skills in the insurance supervisory regime, in insurance contract law in the areas of law where the insurance undertaking is particularly exposed to compliance risks. Third, these holders must possess sufficient familiarity with other legal areas so that they can identify risks to the extent that they recognize when outside counsel is required and they then arrange to acquire that counsel. One may presume generally that a fully trained lawyer serving as a holder of the insurance supervisory regime compliance function will possess such knowledge and skills.
But well-grounded legal knowledge and skills are not enough in themselves to constitute a completely sufficient basis of subject-specific suitability. Thus the fourth requirement comprises a general understanding of the insurance business and the business model of the particular insurance undertaking at issue and its own business process. And for a fifth and last point, because of interfacing with the other three insurance supervisory regime functions, namely risk management, internal audit, and actuarial, the holder of the compliance function also must have a basic command of these areas. This is so because only in this way can the holder perform the activity monitoring required by supervisory law for these areas.
10.4.2 General Legal Monitoring
10.4.2.1 The Insurance Supervisory Regime or Legal Requirements in General as a Subject of Monitoring?
The Solvency II Directive outlines only minimally the central task of general legal monitoring. For example, the English, French, and Dutch versions of art. 46, para. 1, subpara. 2 of the Solvency II Directive do not contain the task description “monitoring compliance with the requirements” such as is found in the German language version [in German: “Überwachung der Einhaltung der Anforderungen”]. These language versions go no further than to require a “compliance function”, “fonction de vérification de la conformité”, or a “compliance functie”. As rendered back into German, these phrases are but the term “Compliance-Funktion”. So the question then arises as to how the task of general legal monitoring is to be concretized.
The answer cannot come from the advice task area, because the compliance function “shall include” the advising task. Therefore it cannot fully describe this task. The “laws, regulations and administrative provisions adopted pursuant to this Directive” with regard to the advice task do not therefore essentially limit the subject-matter of the monitoring task of the compliance function. In art. 46, para. 2 of the Solvency II Directive, the issuer of the Directive in regard to the subject-matter and objective of the Directive was apparently solely concerned with emphasizing the particular significance of the insurance supervisory regime in the advice of the managing board by the compliance function, as required by the insurance supervisory regime. In addition, the narrow construction of the advice task in the Solvency II Directive comports with art. 40 of the Solvency II Directive. This is so because, consistent with this construction, this provision assigns ultimate responsibility “for the compliance…with the laws, regulations and administrative provisions adopted pursuant to this Directive” to the usual organizational triad of “administrative, management or supervisory bodies”. As with the issue of advice of the managing board by the compliance function under art. 46, para. 2 of the Solvency II Directive, the European legislator in art. 40 of the Solvency II Directive by emphasizing the managing board’s “ultimate responsibility” for compliance with the insurance supervisory regime was concerned with fundamentally clarifying the objective of the rules scheme: The insurance supervisory regime provides the imperative guideline for insurance undertakings. The managing board itself, therefore, retains “ultimate” responsibility for following this guideline. And this includes compliance.
There is no warrant in arts. 40 and 46, para. 2 of the Solvency II Directive for restricting the task of “general legal monitoring” of the compliance function to the insurance supervisory law.82 This would fail not only in view of the previously noted telos of the rules.
More than that, it would lead to an absurd interpretation of arts. 40 and 46, para. 2 of the Solvency II Directive. This is so because these provisions point to “regulations and administrative provisions adopted” “pursuant to this Directive” or “in accordance with this Directive” as the basis for the managing board’s responsibility for compliance and the advice of the managing board by the compliance function. In other words, the issue is exclusively the “future European insurance supervisory regime”.83 Such an interpretation of arts. 40 and 46, para. 2 of the Solvency II Directive would mean that not even compliance with the Solvency II Directive would be covered, for example in the case of its direct or supplementary application. This absurd result could be countered, however, by noting that only the given national insurance supervisory regime would be affected because of the implementation of the Solvency II Directive. Nevertheless, the Directive does not differentiate in other places along these lines, in particular not in the governance functions, between its own terms and those of future national implementation law “pursuant to this Directive”.
Completely independently and first and foremost, the language of the Solvency II Directive itself indicates that the insurance supervisory regime duty of compliance is not thus restricted as to subject matter. As a first point, other official language versions of the Directive besides the German do not recognize a subject-matter restriction in art. 46, para. 1, subpara. 2 of the Solvency II Directive, which is the primary provision for compliance under the insurance supervisory regime. Nor does the German version in its supplementary “monitoring of compliance with the requirements” recognize any such limitation.84 Further in this context, there is the “shall include” legal requirement of art. 46, para. 2 of the Solvency II Directive, as noted above. This factor bars any attempt to limit the monitoring task of the insurance supervisory regime compliance function to the insurance supervisory law. Furthermore, art. 46, para. 2 of the Solvency II Directive refers to the “legal environment” and “legal requirements” in general while addressing the other tasks of the compliance function, with no reference to the insurance supervisory regime. This cannot be glossed over with a reference to the formulation of the advice task, even if this task were not subject to the legal requirement “shall include”, not the least because of the equivalence of the three areas of operation named as examples in paragraph 2.