Definition, Tasks and Legal Nature of the Compliance Function

There is fundamental agreement, although controversial as to its provenance, that under general company law a legal duty of compliance for all undertakings already exists independently of the special law relating to supervised undertakings. There is, however, dispute about the provenance of this duty.⁷ Such a duty derives above all from the managing board’s duty under sec. 91 para. 2 of the AktG [German Stock Corporation Act]

from the managing board’s general leadership responsibility under secs. 76 and 93 of the AktG [German Stock Corporation Act],⁹ or from the overall rules pertaining to organization and supervision of undertakings.¹⁰ The provenance is therefore of great but unfortunately largely overlooked practical significance, since only placement of the duty of compliance in sec. 91, para. 2 of the AktG [German Stock Corporation Act] would lead to inclusion of compliance in audit and reporting according to sec. 317, para. 4 and sec. 321, para. 4 of the HGB [German Commercial Code].¹¹ In the present context the issue concerning the basis in company law for a duty of compliance can be left open as well is the generally disputed issue of a company-law-based duty to create a compliance organization.¹² The same accounts to the issue of the scope of certain rules of the DCGK [German Corporate Governance Code] relating to compliance, namely no. 4.1.3 and no. 5.3.2, if the special insurance supervisory regime is superimposed on general company-law rules irrespective of their debatable scope.¹³

The Solvency II Directive is central to compliance under the insurance supervisory regime.¹⁴ Under Recital 30 and art. 13, no. 29 of the Solvency II Directive, “the system of governance includes… the compliance function”.¹⁵ Art. 40 of the Solvency II Directive—in German company-law terminology in substance also sec. 76, para. 1 of the AktG [German Stock Corporation Act]—imposes upon the managing board “the ultimate responsibility for compliance, by the undertaking concerned, with the laws, regulations, and administrative provisions adopted pursuant to this Directive”. Art. 46, para. 1 of the Solvency II Directive requires further, i.a., “an effective internal control system” (ICS), that includes, from the German-language version, “a function for compliance with the requirements (‘compliance function’)”.¹⁶ Individual tasks of the compliance function are addressed in art. 46, para. 2 of the Solvency II Directive in the following language:

Art. 260 SG8 of the draft of an implementing regulation (hereafter: DVO)¹⁷ contains the following rules relating to the compliance function for the insurance supervisory undertakings:

In the context of the report on solvency and financial condition, as specified in art. 51 of the Solvency II Directive,¹⁸ art. 285 PDS4, para. 5 d of the DVO draft adds the obligation to describe how the compliance function is implemented. Following a parallel track, and in conformity with the required supervisory reporting to the supervisory authority under art. 35 of the Solvency II Directive,¹⁹ art. 297 SRS4, para. 5c of the DVO draft requires reporting on the undertaking’s internal compliance guidelines prepared pursuant to art. 260 SG8 of the DVO draft, on the process for reviewing these guidelines, on the frequency of review, and on all significant changes pertaining to the guidelines.

Independently of the compliance function, art. 258, para. 3, SG8 of the DVO draft sets up a rule for all key functions. The rule affects the right for access to information and reads as follows:

In addition, art. 258, para. 4 of the DVO draft requires all persons performing a key function—in this context the compliance function—to report any major problem in their area of responsibility to their managing board. The area of responsibility is determined with the German dual system.

Group supervision with centralized risk management under art. 236 of the Solvency II Directive is subject to further requirements under art. 335 CRM1, para. 1 b and para. 2 c of the DVO draft. These requirements address the exercise of the compliance function by the parent undertaking in respect of the subsidiary. A number of undertaking groups, however, have their head offices outside the EU. In such cases, under art. 260 of the Solvency II Directive, supervision of the insurance undertakings licensed in the EU is limited to a review of equivalence relating to supervision. There is an exception for situations in which the Commission previously has made a general determination concerning the equivalence of the supervisory system in the outside country. The criteria applicable to a review of equivalence are found in art. 368 GTCE1 of the DVO draft. Under para. 1 j, one of the criteria is whether the undertaking group is required to establish and maintain a compliance function. And finally, art. 358 RTCE1, para. 1 h of the DVO draft, concretizing art. 172 of the Solvency II Directive, also sets rules for the equivalence requirements for reinsurance undertakings headquartered in outside countries to the extent the compliance function is involved.

In December 2010, CEIOPS, the predecessor of EIOPA, presented a “Draft proposal for Level 3 Guidelines on the System of Governance”.²⁰ These so-called Level 3 rules on the insurance supervisory regime in the Solvency system contain numerous specifics relating to compliance under the insurance supervisory regime and the Solvency II Directive. Consideration of this text, however, must be guided by a dual recognition: first, that this text appeared before the issuance of the DVO draft; and, second, Level 3 Guidelines cannot alter the substance of the DVO draft, inasmuch as it is a Level 2 scheme.²¹

At the outset, in point no. 1.14, the Governance Guidelines describe the compliance function as follows:

This supplements no. 3.155 of the Governance Guidelines, under which the compliance function is to identify, assess, monitor, and report the compliance risk exposure of the undertaking. In no. 3.156, the Governance Guidelines define compliance risk

No. 3.157 of the Governance Guidelines notes that compliance activities focus on examining and promoting the undertaking’s compliance with applicable laws and regulatory requirements. This is followed in no. 3.158 by a list of representative activities for the compliance function of an insurance undertaking. Among these, no. 3.158 g requires at least annual reporting to the “management body” on compliance issues.

Further, Guideline 8 of the Compliance Guidelines presupposes that undertakings will devise written company guidelines²² that will set out the obligation of the organizational units to inform the governance function, including the compliance function, of all facts relevant for the discharge of their duties.²³ Guideline 40 likewise addresses compliance policy. Besides the requirement to have such compliance guidelines in insurance undertakings, it directs that the compliance policy should comply with the undertaking’s General Governance—Written policies.

Guideline 41 addresses the compliance plan. Insurance undertakings should produce such a plan annually, which should describe the compliance work to be undertaken. The plan shall ensure that all relevant areas of the undertaking are appropriately covered, taking into account their susceptibility to compliance risk.

On 27 March 2013, EIOPA issued the Proposal for “Guidelines on the System of Governance”. These serve expressly as preparation for the application of Solvency II in the transition before the Directive takes effect. The Guidelines do not provide a detailed layout of the compliance function, such as they do for the other key functions. In nos. 1.21, 1.22, and 1.28, the Guidelines mention only the duty to establish a compliance function at the level of the individual undertaking and of the group, to the extent group supervision is applicable. In addition, the Guidelines require that the undertaking’s guidelines in turn require the other units to inform the compliance function of all facts material to the performance of its duties, thus repeating superfluously a rule already prescribed in the DVO draft. The Explanatory Text accompanying the proposed Guidelines goes no further. It includes in no. 1.199 only the statement that a single incidence of external support for compliance under the insurance supervisory regime will “ordinarily” not constitute outsourcing under the insurance supervisory regime.

The VAG-RegE [Government’s Draft of a Tenth Act Amending the German Insurance Supervision Act]²⁴ includes rules on compliance under the insurance supervisory regime initially in sec. 8, no. 11, with the definition of functions. In agreement with the Solvency II Directive, among these functions is the compliance function.²⁵ Sec. 24, para. 1, sent. 1, the VAG-RegE [Government’s Draft of a Tenth Act Amending the German Insurance Supervision Act] specifies “a business organization” that, i.a., will ensure “compliance with the laws, regulations, and supervisory requirements which insurance undertakings must observe”. Further, sec. 29 of the VAG-RegE [Government’s Draft of a Tenth Act Amending the German Insurance Supervision Act] implements the requirement of art. 46, para. 1 of the Solvency II Directive. Paragraph 1 identifies the compliance function as an element of the Internal Control System (hereafter: ICS). Sec. 29, para. 2 of the VAG-RegE [Government’s Draft of a Tenth Act Amending the German Insurance Supervision Act] then governs the tasks of the compliance function as follows:

In accordance with the principle of proportionality,²⁶ the rules of the Directive shall be “applied proportionately” to small insurance undertakings. This is controlled by art. 29, para. 4 of the Solvency II Directive.

Art. 4 of the Solvency II Directive defines insurance undertakings of limited economic significance and excludes them from the scope of its coverage. This definition is implemented in German law by sec. 198 of the VAG-RegE [Government’s Draft of a Tenth Act Amending the German Insurance Supervision Act]. Section 199, para. 3, no. 7 of the VAG-RegE [Government’s Draft of a Tenth Act Amending the German Insurance Supervision Act] excludes “small insurance undertakings” from the provisions of sec. 29, paras. 1 and 2 of the VAG-RegE [Government’s Draft of a Tenth Act Amending the German Insurance Supervision Act], to the extent that these “need not maintain a compliance function”.

The VAG-RegE [Government’s Draft of a Tenth Act Amending the German Insurance Supervision Act] as conceived gives the same treatment to insurance holding companies, a treatment not supported by European law. This is expressed in the government’s draft through the omission of any reference to sec. 29 in sec. 276, para. 1.²⁷

In February 2013, the German Federal Government presented the “Government’s Draft of an Act on Shielding against Risks and on Planning for Reorganization and Winding-up of Credit Institutions and Financial Groups”.²⁸ In the interim, this Act has been passed. This Act contains a new sec. 64 a, para. 7 of the German Insurance Supervision Act, which in part raises the MaRisk VA [Minimum Requirements for Risk Management (Insurance Supervision)] to the level of a statute. This has raised numerous issues, as has the corresponding penal provision of the government’s draft with a new sec. 142²⁹ of the German Insurance Supervision Act. Yet independently of these issues, according to sec. 64 a, para. 7, no. 2 a of the German Insurance Supervision Act (Draft), “the organizational structure as a rule should provide for a clear demarcation of functions between the establishment of fundamental risk positions and their review and monitoring”. This has an impact as well on compliance under the insurance supervisory regime.

On 14 December 2012, the BaFin [Federal Financial Supervisory Authority] presented new MaRisk BA, which for the first time contain a submodule AT [General Part] 4.4.2 on the compliance function and which took effect on 1 January 2013.³⁰ In seven points, the MaRisk BA address numerous issues whose parallel is also to be found in the insurance arena.

In the area of securities supervision, the BaFin [Federal Financial Supervisory Authority] published Circular 4/2010 (WA) “Minimum Requirements for the Compliance Function and Additional Requirements Governing Rules of Conduct, Organization and Transparency pursuant to Sections 31 et seq. of the Securities Trading Act (Wertpapierhandelgesetz – WpHG) for Investment Services Enterprises”. The present MaComp WA contain in BT 1 requirements “directed to the compliance function of the bond/securities services enterprise”.³¹ This is a second revised version of 31 August 2012 consisting of 24 closely printed pages. In this context it is questionable whether the BaFin should also fashion minimum requirements for compliance under the insurance supervisory regime, to be called, presumably, MaComp VA.

In BT 1, the MAComp WA spend three pages dealing with three subject areas, all under the general heading “Position and Tasks of Compliance”: first, under the main heading “Status”, the individual subjects “Independence”, “Effectiveness”, and “Permanence”. Then under the main heading “Responsibilities of the compliance function” are listed eleven points on this subject. Finally, they briefly address the “Relationship with the BaFin [Federal Financial Supervisory Authority]”.

Applying differential diagnostic analysis to the insurance supervisory regime shows that neither an occasion, a competence, nor a need exists for a corresponding MaComp VA. To begin with, there is no comparable point of departure. Investment services enterprise personnel charged with the compliance function under the WpHG [German Securities Trading Act] and the corresponding European law requirements are oriented toward combating insider trading³² and thus have a differing function and status³³ from those who exercise the compliance function in insurance undertakings. In addition, the MaComp WA address only bond/securities trading out of the entire field of activity of bond/securities services enterprises.³⁴ Added to this is the fact that beyond its legal provisions, the Solvency II Directive expressly presumes the right of insurance undertakings to organize key functions themselves and thus also their compliance function.³⁵ In addition, particularly for compliance under the insurance supervisory regime, art. 260 SG8, para. 1, sent. 2 of the DVO draft confers on insurance undertakings themselves autonomy in forming their own internal compliance policy. This power is granted subject to mandatory requirements such as those found in art. 258 SG6, para. 3 of the DVO draft.³⁶ Since the DVO draft here means the “responsibilities, competencies, and reporting duties of the compliance function”, insurance undertakings generally have the freedom to provide the concrete content relative to their own operations. Their employment of this freedom can of course be monitored after the fact in the Supervisory Review Process.³⁷ Any additional curtailing of this operational freedom by BaFin [Federal Financial Supervisory Authority] circulars on compliance under the insurance supervisory regime would thus be inconsistent with this freedom and with Directive requirements.

Further, the BaFin [Federal Financial Supervisory Authority] would lack competence to issue a circular on MaComp VA. This is so because the content of the MaComp WA does not deal with the self-description of individual administrative practices, but with concrete, detailed requirements to addressees of the circular, such as was the case with the previously issued MaRisk VA. The Solvency II Directive allows disclosure only of “the general criteria and methods…used in the Supervisory Review Process as set out in art. 36”. This restriction appears in the Directive at art. 31, para. 2 b and is implemented in sec. 312, paras. 1 and 2, no. 2 of the VAG-RegE [Government’s Draft of a Tenth Act Amending the German Insurance Supervision Act]. Providing concrete content to art. 46 of the Solvency II Directive on the compliance function by national supervisory authorities below the fourth regulatory level, “national implementing act”, in the form of a fifth regulatory level, “national supervisory directives”, is thus not permissible in the Solvency II system. In addition, such a procedure would impugn the creation of “supervisory convergence…also in respect of supervisory practices”, as required by Recital 40 of the Solvency II Directive and likewise by art. 71, para. 2, sent. 1 of the Solvency II Directive.³⁸

Finally, there also would be no corresponding need for MaComp VA. Subjects such as the tasks and independence of the compliance function, the duty of notice, fit-and-proper requirements as to staff members, and reporting lines have already received detailed treatment in the proposals for Level 2 and Level 3 rules. Thus, the specific elements of compliance under the insurance supervisory regime as demanded by full harmonization³⁹ have now been fully addressed by the European legislator to the limit of that legislator’s intent. It is now up to the national legislator to implement these requirements. Tertium non datur.