CNSP Resolution No. 416/2021: Rules and criteria providing for Companies' Internal Controls System, Risk Management Framework and Internal Audit Activity

The National Council of Private Insurance (CNSP) published CNSP Resolution No. 416/2021, which provides for companies' Internal Control System (“SCI”), Risk Management Framework (“EGR”) and Internal Audit activity (“AI”), which must be compatible with the nature, size, complexity, risk profile and business model of the supervised company. The Resolution stems from Public Consultation No. 14/2021, through which SUSEP gathered comments and suggestions from the market for the preparation of the Resolution.

The new Resolution is applicable to insurance companies, open supplementary pension entities (EAPCs), capitalization companies, local reinsurers, representative offices of admitted reinsurers and reinsurance brokers. As for insurance brokers, only those with annual gross sales equal to or greater than BRL 12,000,000.00 (twelve million reais) are subject to the new rules.

Regarding the SCI, the main aspects to be highlighted are:

  • Internal controls must be implemented and operated effectively, in order to involve the various levels of the organization, and to integrate the routine activities of the supervised company.
  • The provisions of the SCI must be formalized and accessible to all employees, containing the minimum requirements indicated in the Resolution.
  • A Compliance Policy must be implemented to ensure compliance with ethical principles by the employees of the supervised company, containing internal and external reporting channels in the event of misconduct.
  • A Board Director must be appointed to ensure full compliance with the established internal controls; this Director may also perform other duties relating to governance. This Director is prohibited from acting in roles that involve his/her assumption of risks relevant to the business, and the bylaws must expressly provide for his/her duties and responsibilities.
  • Constitution of a “compliance unit”, which will be responsible for monitoring and ensuring adherence to compliance requirements of the activities performed by employees, also with the purpose of helping and training them as regards ethics and conduct. Supervised companies that fall within the S4 segment as well as insurance and reinsurance brokers are exempt from the constitution of such a unit, and the director responsible for internal controls must assume the equivalent duties and responsibilities.

In turn, regarding the EGR, the following provisions are noteworthy:

  • Integration with the SCI, in order to complement each other so that internal controls have a special focus on risks capable of influencing the achievement of the objectives of the supervised company.
  • Establishment of procedures capable of assisting in the identification and assessment of material risks that the supervised company may be exposed to.
  • Prior analysis of changes that may impact the EGR or the supervised company’s operation.
  • Use of complete, secure and auditable systems that provide adequate support for risk management.
  • Inclusion of complementary information regarding the identified risks and, where possible, quantification of their impacts at market value.

The Resolution also establishes the obligation to formalize institutional policies, with the purpose of guaranteeing the performance of the supervised companies in the market in line with the implemented risk management guidelines, with the presentation of their risk appetite and the preparation of a policy for risk management.

In addition to the institutional policies mentioned in the Resolution, the supervised company must also set up (i) a risk management unit, which will be responsible for continuously monitoring and supporting its risk management activities; and (ii) a Risk Committee, which will be responsible for providing assistance to the management body in the performance of duties related to risk management, as well as being responsible for evaluating the efficiency of the EGR and reviewing the risk management policy. The constitution of such a Committee is waived for insurance companies in the S3 and S4 segments, in which case the referred duties must be performed by the director responsible for internal controls.

Finally, the Resolution determines the mandatory implementation of the AI, of which we summarize the main aspects:

  • Insurance brokers are not subject to the AI implementation rules.
  • The AI must consider all functions and activities of the supervised company, including those that are outsourced.
  • The supervised company must prepare a specific regulation for the AI, meeting the requirements set out in the Resolution.
  • The supervised companies must set up an AI unit, which reports to the highest management body of the supervised company and has a permanent communication channel with it, in addition to being independent from the other organizational units. It is noteworthy that, for admitted reinsurance offices, reinsurance brokers or those companies falling into segments S3 or S4, AI duties may be performed by an independent auditor, provided that the requirements listed in the Resolution are observed.

If SUSEP understands that the provisions of the Resolution are not being complied with or respected, the regulator may determine the adoption of additional controls and procedures by the supervised companies, establishing a deadline for their implementation.

Finally, for the regularization and application of the provisions set forth in the Resolution, SUSEP has granted the following deadlines:

  • June 30, 2022, for insurance brokers with annual gross sales exceeding BRL 12,000,000.00 (twelve million reais) in the year 2020; and
  • For the other supervised companies, the term will end on (i) June 30, 2022, to adapt to the provisions of the Resolution and for the constitution of the officer responsible for internal controls as well as the compliance unit, risk management unit and Risk Committee; and (ii) December 31, 2022, in relation to adapting to the specific prohibitions on the performance of the appointed director and members of the AI unit, as set out in greater detail in the Resolution.

The full text of CNSP Resolution No. 416/2021 can be accessed at this link, and the regulation will come into force on January 3, 2022.

Demarest’s Insurance and Reinsurance team is available to provide any additional clarification that may be necessary.