SUSEP Public Consultation No. 14/2021: Rules Providing for Companies’ Internal Controls System, Risk Management Framework and Internal Audit Activity

The Superintendence of Private Insurance (SUSEP) opened Public Consultation No. 14/2021, putting forward a draft CNSP Resolution that introduces new provisions about a supervised company’s Internal Controls System (“SCI”), Risk Management Framework (“EGR”) and Internal Audit Activity.

The proposed Resolution seeks to consolidate the regulatory requirements related to the SCI and the Internal Audit activity, currently provided for in SUSEP Circular No. 249/2004, as well as the EGR, currently defined by SUSEP Circular No. 517/2015.

The proposal follows the current trend of simplifying the insurance market regulation, seeking to promote changes that aim to consolidate risk management, internal audit and the internal controls of supervised companies, in order to promote responsible performance and to improve resilience conditions of the market as a whole.

The new regulation aims to bring SUSEP closer to the approach adopted by other supervisors in the National Financial System and to promote greater alignment with international standards of good risk management practices, observing the recommendations of the Financial Stability Assessment Program (FSAP), COSO Internal Control Programs – Integrated Framework (COSO, 2013) and International Association of Insurance Supervisors (IAIS).

The Draft, placed under public consultation, therefore aims to (i) establish general duties for  the management body and  for the Director responsible for Internal Controls; (ii) establish general criteria for the constitution of centralized policies, frameworks and functions in the case of supervised companies that belong to groups or conglomerates, entitled “unified SCI / EGR”; and (iii) to define criteria for the constitution of the Internal Audit unit in the case of supervised companies that belong to groups or conglomerates that were not linked to the “unified SCI/EGR”.

In addition, the Draft introduces several innovations, of which we highlight:

I. Supervised Company’s Internal Controls System (“SCI”)

• The SCI will also be applied (i) to reinsurance brokers and firms that represent admitted reinsurers, according to the current scope of SUSEP Circular No. 249/2004, and (ii) to insurance brokers with annual revenues equal to or greater than BRL 12.000.000,00 (twelve million Brazilian reais), at a level considered compatible with the implementation of more complex controls to prevent money laundering and terrorist financing (Article 47 of SUSEP Circular No. 612, of August 18, 2020);
• Insertion of specific requirements regarding compliance and ethics, including a compliance policy approved by the highest management body of the supervised companies and a specific unit to perform the compliance function;
• the constitution of the compliance unit was waived for supervised companies that belong to the S4 segment, considering their smaller size and simplified risk profile, as well as for firms that represent admitted reinsurers, of which the compliance functions, in both cases, fall under the Director responsible for Internal Controls. For the S3 segment, outsourcing of the functions of the compliance unit was permitted;
• The Director responsible for Internal Controls, as already provided for currently in SUSEP Circular No. 249/2004, must have only inspection and control functions, while management functions are forbidden; and
• In the case of firms that represents admitted reinsurers, the SCI must cover only those proceedings carried out exclusively by such firm, and not extend to proceedings carried out abroad by the reinsurer.

II. Risk Management Framework (“EGR”)

• Breakdown of Risk Appetite by risk category (underwriting, credit, market, operating and liquidity), as a complement to the global definition of the level of acceptable loss, which is currently required;
• Establishment of specific requirements regarding the content of the risk management policy, including practical aspects such as the definition of roles and responsibilities related to risk management and guidelines for the dissemination of the risk culture, in addition to the development of risk appetite until the end of the year. level of EGR business activities and risk or disability reports;
• Exclusion of the current minimum list of business processes for which the guidelines for risk management should be provided, requiring, instead, that such guidelines be established for the “relevant risks or considered priorities”, which will be defined freely by the supervised company, respecting the minimum risk categories to be considered (underwriting, credit, market, operational and liquidity);
• Creation of a specific unit to perform the “risk management function”, provided for in ICAIS 8 of IAIS and CMN Resolution Nº 4.557, of 2017, replacing the current Risk Manager, in order to promote greater formalization of the occupation;
• Exemption from setting up the risk management unit for the S4 segment, which is smaller in size and has a simplified risk profile, with the burden of its functions set upon to the Director responsible for Internal Controls. As for the S3 segment, the risk management unit was allowed to be the same responsible for compliance, to accumulate other supervisory and control duties or even to outsource its functions. In the specific case of local reinsurers, the functions can be delegated to the foreign parent unit, with authorization from SUSEP;
• For the S1 and S2 segments, the creation of a Risk Committee with the task of assisting the maximum supervised management body in assessing the effectiveness of EGR, in defining risk appetite and risk management policy and in strategic decisions related to risk management; and
• Segregation, in a separate section, of requirements for the management of specific risks.

III. Internal Audit

• Establishment of a regulation for the Internal Audit activity, approved by the Audit Committee, if any, and by the maximum supervisory management body, with parameters that discipline and guide the performance of this activity;
• Better definition of the Internal Audit unit, which must be subordinate to the highest supervisory management body and segregated from other organizational units, including compliance and risk management;
• Obligation of the Internal Audit activity to the supervised ones, with the exception of insurance brokers. Outsourcing to an Independent Auditor who meets specific criteria by reinsurance brokers, firms that represents admitted and supervised reinsurers in the S3 and S4 segments is allowed;
• Establishment of requirements for the planning and execution of the Internal Audit work. With a view to better documenting these activities, an annual Internal Audit plan and an annual report containing the summary of the work carried out, which must be carried out by the Audit Committee, if any, and by the highest management body;
• Requirement for each individual audit work to have a specific plan, report and work papers.

Finally, we highlight that the Draft provides for the future Resolution to come into force on January 3, 2022.

The full draft Circular can be accessed at this link. Interested parties may send comments or suggestions by electronic message addressed to corac.rj@susep.gov.br, in accordance with the specific standardized table duly completed, by June 2, 2021.

Demarest’s Insurance and Reinsurance team is closely monitoring the development of this public consultation through to the publication of the final version and make themselves entirely available to provide any clarifications on the subject.