By Cédric DUCHATELLE, Analyse Financière No. 61

The insurance industry has not escaped the tightening of requirements in terms of business ethics. The European Solvency 2 Directive is radically changing the rules of governance. It gives a central role to the compliance function. As a result, there are new relationships with management bodies. Several levels are now involved.

On 29 July 2016, the newspaper La Tribune (1) published an article. It reported that three former bankers had been sentenced to prison for "conspiracy to defraud". At the same time, the newspaper mentions the conviction of a former director of a general insurance company. He was sentenced to two years and nine months in prison. For the newspaper, "This is the first time since 2008 that banking sector executives have received prison sentences". Judge Martin Nolan said: "The public must be able to rely on the honesty of reputable companies. If we can't trust the honesty of these banks, we lose all hope and confidence in our institutions."

Against this backdrop of mistrust and sanctions, the need for ethics in the business world is becoming unavoidable. This means strengthening compliance verification systems. In particular, this implies a change in corporate governance and greater attention to compliance mechanisms. This is now a new challenge for the insurance sector (2).

COMPLIANCE IN INSURANCE COMPANIES - A NEW KEY FUNCTION

Since 1 January 2016, Directive 2009/138/EC of the European Parliament and the Council on the taking-up and pursuit of the business of Insurance and Reinsurance (Solvency 2) has drastically changed the risk governance landscape in the area of insurance by obliging insurers to include quality requirements in their risk management system. In this context a new key function has emerged in compliance, one of the cornerstones of the operational risk management system. However, this responsibility is vested in special actors who, as such, must be independent in order to advise the management bodies and alert them in case of a major non-compliance issue.

Cédric Duchatelle, AG2R La Mondiale. Analyse financière magazine, September 2016 - www.sfaf.com

The insurance industry has not escaped the tidal wave sweeping through the financial sector. Since 1 January 2016, the European Solvency 2 Directive, transposed by Order No. 015-378 of 2 April 2015, radically changes the rules governing the governance of insurance undertakings.

Alongside the usual senior executives (Chief Executive Officer, members of the Management Board, Deputy Chief Executive Officers) and members of the various boards (administrative or supervisory), new players are entering the governance system. These are the executive directors and the heads of the four key functions. These are the "audit", "risk management", "actuarial" and "compliance" functions.

However, the directive has not blurred the roles and responsibilities of these new stakeholders. Key functions are responsible for alerting management and the supervisory board to excessive risk-taking. On the other hand, the power of decision rests solely with the governance bodies and effective management.

Since 1 January 2016, each insurance undertaking has notified the Autorité de contrôle prudentiel et de résolution (ACPR) of the names of the effective directors and heads of key functions for the purposes of assessing their good repute, skills and experience.

The purpose of this analysis is to put into perspective the links that need to be built between the insurance compliance function and the management bodies of the insurance organisation.

UNDERSTANDING THE RISK OF NON-COMPLIANCE

In today's complex business world, making the 'right' decision means striking a subtle balance between maximising objectives and complying with regulations. This complexity is primarily the consequence of regulatory inflation. This is forcing insurers to transform their organisations to comply with regulations, requiring budget and human resources. For example, in the coming months insurers will have to integrate the fourth directive on the fight against money laundering (3), the European regulation on key information documents for investment products (PRIIPs) (4), the DDA (5) (insurance distribution directive) on distribution, and the Sapin 2 law (6) on the fight against corruption.

Secondly, the complexity lies in the active role played by stakeholders. They are increasingly sensitive to ethical and compliance issues within the company. Better-informed customers are better able to detect breaches of regulation. What's more, customers can organise themselves into a group action. NGOs and rating agencies are incorporating qualitative criteria into their assessments of companies. Finally, young graduates take the company's reputation into account when applying for jobs.

In addition, because of the financial risk generated by this complexity, the Autorité de contrôle prudentiel et de résolution (ACPR) has increased the penalties imposed. In 2014, the insurers BNP Paribas Cardif (7), CNP Assurances (8) and Allianz (9) were sanctioned for failing to comply with the "Eckert" law on unclaimed life insurance policies. In addition to the reprimands, there were heavy financial penalties (€10m for the first, then €40m and finally €50m). Then, in June 2015, the insurer Gan Vie was fined €3 million (10).

In this context, distinguishing the compliant from the non-compliant, and the sensitive from the less sensitive, in the maze of texts is a highly perilous exercise.

Against this backdrop of mistrust and sanctions, the need for ethics in the business world is becoming unavoidable, and this means strengthening compliance verification systems. In particular, this implies a change in corporate governance and greater attention to compliance mechanisms, a new challenge in the insurance sector.

THE COMPLIANCE VERIFICATION FUNCTION

The compliance function has been institutionalised to support this trend and help managers to manage risks with full knowledge of the situation. Romain Parisot, ACPR project manager, points out that "The implementation of a compliance function should not be seen as an external obligation, but as a useful and essential mechanism for the company. It is an asset" (11).

The role of this new function, which has come 'out of the shadows', is to advise senior management on compliance with legislative, regulatory and administrative provisions. It is also responsible for helping to identify the risks of non-compliance and implementing plans to remedy them. This function develops an overall vision of the standards that must be complied with. It contributes to the "four eyes" rule set out in the directive. This involves checking the compliance of solutions implemented by operational departments.

It also helps to control the risks involved in bringing a new product to market. This new role is leading to new professional behaviours. From now on, before a new product is made available to the public, a compliance assessment must be carried out. As Odilon Audouin, Director, Compliance & Risk advisory at Deloitte Conseil, explains (12), "When a new product is launched, compliance will naturally find its place in the approval process for contractual and commercial documentation". Secondly, article 25 of the DDA directive stipulates that insurers will henceforth have to maintain, apply and review a validation process for each product placed on the market.

This function now plays a central role in preventing the risk of sanctions, risks that are likely to affect business continuity and customer confidence. By anticipating and looking ahead, it limits the risk of damage to reputation, which is the consequence of a failure to comply with regulations.

The compliance function now has a new operating framework (13). Article 268 of the EU Regulation of October 2014 (14) specifies that it is "free from influences that may compromise its ability to perform its duties objectively, loyally and independently".

To facilitate the exercise of independence, a hierarchical or functional reporting line to one of the insurance company's executive directors seems preferable. The text stipulates that the head of the key function reports to the chief executive, the management board or the effective manager. The ACPR recommends avoiding intermediate levels between the effective management of the entity and the heads of key functions. It advises against the hierarchical subordination of one key function manager by another. The aim is to avoid any risk of the independence of the head of key function being called into question.

Finally, the compliance function needs to be adequately staffed so that it is able to fulfil its missions. As long ago as June 2013, the ACPR fined a bank €10 million on the grounds that the compliance officer had insufficient resources (15).

CHOOSE THE PERSON RESPONSIBLE

The principle is that it is up to the insurance organisation to decide who is best suited to fulfil the responsibilities of the key functions. As David Revelin, Head of the ACPR's Insurance Supervision unit, points out (16): "Solvency 2 does not impose a standard organisation, and account will have to be taken of the specific nature of each organisation's business and risk profile".

Solvency 2 has nevertheless introduced conditions of good repute and competence. These conditions apply equally to members of boards of directors, executive directors and heads of key functions. The ACPR is notified of their appointment and renewal. In accordance with article 42 of the directive, the ACPR may object if the conditions are not met.

The assessment of a person's good repute, Article 273 of the October 2014 Delegated Regulation states, includes an assessment of his honesty and financial soundness. This assessment shall be based on concrete elements relating to his character, personal behaviour and professional conduct. To this must be added any elements of a criminal, financial or prudential nature. Any conviction for fraud, handling stolen goods, money laundering, etc. is disqualifying (17).

Competence is assessed on the basis of diplomas and professional qualifications, knowledge and relevant experience. In addition, the person in charge of a key function must have some form of authority. This will enable them to carry out the tasks entrusted to them as effectively as possible. Finally, the importance of assessing the impact of changes in the regulatory environment calls for solid legal skills. Added to this is an excellent knowledge of the organisation of the structure.


IMPLEMENT THE COMPLIANCE AUDIT STRATEGY

The abundance of standards and rules means that the compliance function has to act with discernment. A detailed prior study of the issues to be addressed, coupled with a risk identification process, is essential to prioritise compliance risks. This is what risk mapping is all about. There is as yet no single, shared reference framework on this subject. It is therefore up to each compliance officer to create his or her own repository. They must also create their own system for rating compliance risks.

There are several dimensions to setting priorities. They will be set by the legislator with the deadlines for implementing new regulations. The head of the compliance function will also set priorities for the non-compliances he or she has identified. Prioritisation will also be determined by the attention that the supervisory authorities will pay to certain regulations and, finally, by senior management for non-compliance risks that it deems strategic.

The system is now based on the implementation of a compliance policy and plan. This provision is set out in Article 270 of the Delegated Regulation.

The compliance policy defines the responsibilities, competencies and obligations of reporting. It constitutes the reference document for the organisation of compliance. It will be supplemented by a description of the processes that structure the function's main tasks. For example:

The compliance plan may be annual or multi-year. It puts the function's development priorities into perspective. In addition, it details the activities planned for the function in the light of the prioritisation of the risks selected. These activities will cover all the company's relevant areas of activity and their exposure to compliance risk.

The compliance plan is a tool that will continue to grow in importance over the coming years. It is a sensitive indicator of the level of maturity of the compliance verification system. Ideally, it should set the priorities to be implemented within the stock of regulatory requirements already in place in the company. To these should be added the priorities for implementing new regulations. The plan includes the deployment of specific training initiatives that the compliance function wishes to implement. However, the plan may be modified in response to requests or audits by the supervisory authorities.

The key to organising the plan therefore lies in the ability to "choose the right subjects". The exposure to the risk of non-compliance of one subject compared with another must be taken into account. In addition, the team's ability to 'do' must naturally be taken into account, depending on the profiles and numbers of its members.

For example, the compliance plan could be organised as follows:

DIALOGUE WITH MANAGEMENT

The dialogue between the key compliance function and senior management takes place at several levels.

On the one hand, compliance risk management is shared between the compliance officer and the executive. The compliance officer is responsible for presenting the main compliance risks identified. The executive also needs to be made aware of forthcoming regulatory developments. Recommendations are drawn up to help management make decisions. The aim is to facilitate the implementation of action plans (changes to the information system, modifications to processes or procedures, reinforcement of control mechanisms). The executive, for his or her part, is responsible for fostering a culture of compliance and allocating the necessary resources and budgets. He or she must also issue clear instructions to all employees, so that the head of the key function has access to all the necessary information.

In addition, a dialogue is now institutionalised between the compliance function and the Boards. In fact, the head of the key function is also obliged to inform the Board or Boards directly and on his or her own initiative of any major problems encountered in the performance of his or her duties. The Board must therefore be able to influence the CEO on the choice of compliance measures to be prioritised. A constructive dialogue must be established between the CEO, the Board of Directors and the head of the key compliance function. As Anne Bechet and Véronique Herguido-Lafargue pointed out in Analyse financière magazine, January 2016 (18), "As a strategic partner [...], the Chief Compliance Officer acts as a true advisor, anticipating the risks of non-compliance at every level".

THE CULTURE OF COMPLIANCE AND BUSINESS ETHICS

The Solvency 2 directive offers insurance companies a real opportunity not only to improve their control of risks, including non-compliance, but above all to establish a genuine culture of compliance and business ethics.

As Blandine Cordier explains (19), "compliance is not limited to compliance with legal or financial standards. It includes processes designed to ensure good governance within the company and, in the best possible way, to improve its overall performance. A vision of the business that goes far beyond compliance".

The aim is not to make companies virtuous. It's not about morality. Rather, the aim is to raise awareness of the fact that operating ethically in the business world is an essential lever. The aim is to protect one of the company's main assets, its reputation.

Implementing this culture means, on the one hand, working transversally with all employees as well as with the other key functions. On the other hand, it means building on shared values, which are essential to any corporate culture. This is then translated into good practice, which is the only way to change behaviour.

Disseminating this good practice involves drawing up simple, comprehensible and verifiable company rules. This could, for example, take the form of a guide to good commercial practice, setting out the conditions for implementing a good advisory approach. It could also take the form of a guide to gifts and hospitality. It is important that these reference documents are created with the input of the stakeholders concerned, to avoid too great a disconnect with reality. However, setting these rules is only the first step in the process. The next step is to ensure that they are effectively disseminated and properly understood. It is all the work around the 'meaning' attached to these rules that needs to be transmitted as part of the training programmes.

The Solvency 2 Directive is therefore a tremendous opportunity to create a new ethical way of thinking about business and business relationships. It is a lever for developing new behaviours that accompany and/or anticipate tomorrow's developments. Strengthening the culture of compliance within the company is therefore a way of bringing values and practices to life. The aim is to ensure that we retain the trust of our customers. We also need to inspire employees to be proud and happy to be involved in the financial sector.

TO CONCLUDE

Discussions on compliance are held within the Cercle d'Éthique des Affaires. They show that this new approach to business ethics concerns all companies. These may be industrial, commercial or service companies.

The head of the key compliance function is now a strategic partner of the effective managers. Through the implementation of compliance, he or she is part of the company's governance system. These managers ensure compliance with regulatory requirements and the resulting ethical practices. They are also the guarantors, for the executives they advise, that financial and non-financial risks, including reputational risk, are properly taken into account in the operational and strategic decisions those executives are called upon to make.

Secondly, through his or her close relationship with the supervisory authorities, the compliance officer is in the best position to ensure that the most sensitive compliance risks have been considered and covered. Finally, by deploying appropriate communication and targeted training programmes for all employees, he or she helps to give meaning to the regulatory requirements. Through all these actions, the compliance officer is now a key contributor to improving the company's overall performance.

CÉDRIC DUCHATELLE IS GROUP COMPLIANCE & BUSINESS ETHICS MANAGER, KEY COMPLIANCE AUDIT FUNCTION AG2R LA MONDIALE AND VICE-PRESIDENT CLUB-PRO OF THE CERCLE D'ÉTHIQUE DES AFFAIRES.
After starting his career as a lawyer, he joined AG2R La Mondiale, France's leading social protection group, in 2000. Since 1 January 2016, he has been Group Head of Compliance. He also teaches law at the Université Catholique de Lille in the Master 2 Business Law programme with final-year students at EDHEC. A member of the French Association of Professors of Law and Management, Cédric Duchatelle holds a postgraduate diploma (DEA) in law and judicial sciences and is a graduate of the Centre des hautes études d'assurance (CHEA).

(1) http://www.latribune.fr/economie/union-europeenne/irlande-trois-ex-banquiers-condamnes-a-de-la-prison-huitans-apres-la-crise-financiere-589749.html
(2) International Review of Compliance and Business Ethics, No. 13 of 31 March 2016, by Cédric Duchatelle. "La conformité, nouvel enjeu dans le secteur de l'assurance", Études 30.
(3) Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purpose of money laundering or terrorist financing.
(4) Regulation (EU) No 1286/2014 of the European Parliament and of the Council of 26 November 2014 on key information documents for retail and insurance-based packaged investment products.
(5) Directive (EU) 2016/97 of the European Parliament and of the Council of 20 January 2016 on the distribution of insurance.
(6) Bill on transparency, the fight against corruption and the modernisation of economic life (FCPM1605542L).
(7) CARDIF ASSURANCE VIE Procedure no. 2013-03 bis of 7 April 2014.
(8) CNP ASSURANCES Procedure no. 2013-05 of 31 October 2014.
(9) ALLIANZ VIE Procedure no. 2014-01 of 19 December 2014.
(10) GROUPAMA GAN VIE Procedure no. 2014-09 of 25 June 2015.
(11) Quoted in "La fonction conformité sort de l'ombre" by Jérôme Speroni, published on 7 March 2014 L'argus de l'assurance.com
(12) Quoted in "Les actions à réaliser" by Jérôme Speroni, published on 7 March 2014 L'argus de l'assurance.com
(13) Directive 2009/138/EC of the European Parliament and of the Council of 25/11/2009 on the taking-up and pursuit of the business of Insurance and Reinsurance (Solvency).
(14) Commission Delegated Regulation (EU) 2015/35 of 10 October 2014 supplementing Directive 2009/138/EC of the European Parliament and of the Council on the taking-up and pursuit of the business of Insurance and Reinsurance (Solvency II).
(15) ACPR Enforcement Committee no. 2012-03 of 25 June 2013 concerning UBS (France) SA.
(16) Quoted in "Placer la fonction conformité sur un organigramme" by Jérôme Speroni, published on 7 March 2014 L'argus de l'assurance.com
(17) Articles L. 322-2 R. 322-11-6 R. 322-167 of the Insurance Code; Articles L. 931-7-2 R. 931-3-10-1, R. 931-3-45-1 of the Social Security Code; Articles L. 114-21 R. 114-9, R. 211-13 of the Mutual Code.
(18) Revue Analyse financière No. 58 January-March 2016, p 79.
(19) Revue Analyse financière No. 58 January-March 2016, p 80.