
Published: 23.08.2021 – Minimum Requirements under Supervisory Law on the System of Governance of Institutions for Occupational Retirement Provision


1 Objectives of the Circular

1 This Circular provides guidelines on interpreting the provisions concerning the system of governance of institutions for occupational retirement provision (IORPs) set out in the German Insurance Supervision Act (Versicherungsaufsichtsgesetz - VAG). It explains these provisions bindingly for the Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht – BaFin) and thereby guarantees consistent application in relation to the IORPs subject to BaFin’s supervision in accordance with margin no. 3. The Circular follows a principle-based approach, i.e. it is left to the individual IORP to determine, within the framework of the minimum requirements to be met, which concrete arrangements are appropriate for it, taking into account the principle of proportionality.

2 The Circular takes the basic approach that the management board members of an IORP bear collective responsibility for the IORP's proper and effective system of governance.

2 Scope and definitions

3 The Circular applies to all Pensionskassen and Pensionsfonds as well as separate ring-fenced pension funds governed by public law that provide retirement benefits by way of voluntary insurance with their registered office in Germany in accordance with section 1 (1) nos. 1 and 5, section 2 (1) and section 7 no. 33 of the VAG in conjunction with sections 232 and 236 of the VAG that are subject to BaFin’s supervision.

4 This margin number is superfluous in the translation and has therefore been omitted.

5 The term management board refers to the boards of IORPs. To the extent that ring-fenced pension funds governed by public law or IORPs in the legal form of the European Company (SE) that fall within the scope of this Circular do not have a governing body with this title, then the corresponding executive body is to take the place of the management board. The corresponding supervisory body is to take the place of the supervisory board under the same conditions.

6 The terms “risk profile” and “profile” differ in meaning. “Profile” refers to the set of proportionality criteria relevant to IORPs as reflected in the result of the assessment process. In addition to the nature, scale and complexity of activities, the profile of an IORP also captures the size of its activities and, to the extent explicitly mentioned by law, the size and internal organisation of the IORP. The term “risk profile”, however, refers to all the risks within the meaning of sections 26, 234c and 234d of the VAG to which IORPs are exposed.

3 Relationship of the Circular to other Federal Financial Supervisory Authority publications/entry into force

7 As regards the requirements related to the professional qualification and propriety of individuals who effectively run the IORP or have other key functions and the notification requirements for persons responsible for key functions, reference is made to the Guidance Notice on the fitness and propriety of members of management boards pursuant to the VAG, the Guidance Notice on the fitness and propriety of members of supervisory boards in accordance with the VAG, and the Guidance Notice on the fitness and propriety of persons responsible for key functions or persons who work for a key function pursuant to the VAG.

8 Reference is made to the Circular on Minimum Requirements under Supervisory Law on the Own Risk Assessment of IORPS in accordance with section 234d of the VAG in relation to the requirements regarding the own risk assessment.

9 Any special requirements imposed by BaFin on the system of governance of IORPs within the scope of other publications remain unaffected by the requirements set out in this Circular.

10 This applies in particular to requirements relating to the system of governance in accordance with:

  • Circular 11/2018 (VA) – Cooperation with insurance intermediaries, risk management in distribution,
  • Circular 10/2018 (VA) – Supervisory requirements for IT in insurance undertakings,
  • Circular 11/2017 (VA) – Investment of the guarantee assets,
  • Circular 8/2017 (VA) – Derivative financial instruments and structured products,
  • Circular 7/2016 (VA) – Establishment and keeping of the register of assets,
  • Circular 3/2016 (VA) – Trustees for monitoring of the guarantee assets (Sicherungsvermögen),
  • Circular 1/2004 (VA) – Conduct of stress tests,
  • Interpretative decision dated 31 October 2013, amended on 24 April 2014 – Guidelines on the use of external ratings and on carrying out internal credit risk assessments,
  • Interpretative decision on the statement of investment policy principles in accordance with section 234i and section 239 (2) of the VAG dated 24 April 2020,
  • Guidance Notice on Dealing with Sustainability Risks dated 20 December 2019, amended on 13 January 2020.

11 This Circular comes into force on 1 June 2021.

4 Principle of proportionality

12 The principle of proportionality plays a major role in the implementation of the system of governance requirements. The requirements are to be fulfilled in a manner which is proportionate to the size, nature, scale and complexity of the IORPs’ activities. The size and internal organisation of the IORP must also be mandatorily taken into account as additional criteria under sections 234a (5) and 234c (1) sentence 2 of the VAG, but can also be included as indicators in the proportionality assessment beyond these statutory provisions.

13 Proportionality affects how the requirements are to be met in individual cases. For instance, a lower profile can result in simplified implementation requirements, whereas a more pronounced profile can lead to tighter requirements.

14 The additional supervisory criterion “size of activities” introduced for IORPs is to be determined, inter alia, on the basis of the balance sheet total (Bundestag printed paper 19/4673, page 61). The fact that the size of activities is mentioned first in the hierarchy of criteria for IORPs does not mean that this criterion alone is decisive. The decision on what is proportional can only be made in conjunction with the other criteria. However, if the size of activities is small, this criterion is usually of particular importance.

15 The number of staff can play a role in determining the size of the IORP (Bundestag printed paper 19/4673, pages 62 and 63). However, it is not the number of existing staff that is crucial, but the actual requirement for staff. This also includes the staff requirements at service providers in the event of outsourcing. The internal organisation refers, among other things, to the scope of the organisational and operational structure of the respective IORP. This can be based on the hierarchy, the structuring of the processes or the process flows.

16 The assessment of which form may be regarded as proportionate is not static with regard to the individual undertaking, but adjusts to the changing situation over time. In this respect, the IORPs have to examine whether and how the available structures and processes can, or indeed must, be further developed. However, the IORPs are not required to re-determine their profile according to a fixed cycle; the individual profile determined by the IORP continues to apply provided no changes have been made to it.

5 Overall responsibility of the management board

17 All members of the management board are responsible for the proper and effective system of governance of the IORP. The full management board is therefore also responsible for ensuring that the IORP has an appropriate and effective risk management and internal control system in place. Where the requirements of this Circular expressly relate to the full management board, the board cannot delegate its responsibility, not even to one or more of its members.

6 Material risks

18 The principle of materiality provides that only material risks are to be included in the assessment. Which risks are to be classified as material is in principle to be determined individually for each IORP. Exceptionally, however, a determination that applies to all IORPs may be more appropriate than an undertaking-specific approach (see the material risks built up in the areas stated in margin no. 30).

19 The full management board determines individual materiality thresholds appropriate to the IORP’s profile based on appropriate and comprehensible criteria. The appropriateness of these thresholds must be ensured on a continuous basis. To this end, the full management board gains an overview of all risks to which the IORP is actually or may potentially be exposed, both on a regular as well as on an event-driven basis.

20 All IORPs must establish separate materiality thresholds for the following risk categories at a minimum: underwriting risk, market risk, credit risk, liquidity risk and operational risk. In accordance with margin no. 19, further separate materiality thresholds are to be determined on an undertaking-specific basis where necessary, irrespective of whether the respective risks can be assigned to further risk categories (e.g. political, strategic or reputational risks). Accordingly, separate materiality thresholds may also be required in individual cases for concentration risks and sustainability risks within the meaning of BaFin’s Guidance Notice on Dealing with Sustainability Risks.

21 The materiality thresholds may not be based solely on the effects within the scope of accounting or the effects of infringements.

22 The full management board must ensure that the materiality thresholds are applied uniformly.

7 Risk culture

23 An actively supported risk culture forms the basis for an effective risk management system that is appropriate to the IORP’s profile. It includes in particular:

  • establishing a common understanding of the IORP’s own risks and how to deal with these risks; this must be ensured at all hierarchical levels and is expressed in a common risk language;
  • determining responsibilities both in respect of dealing with risks, which includes at least the persons responsible for the build-up, identification, assessment, monitoring and management of material risks, and in respect of the new product process;
  • assessing whether and which incentive structures are appropriate for dealing with the IORP’s risks and whether such structures have been or should be introduced;
  • encouraging an open dialogue among all individuals concerned in the IORP on how to deal with risks so that all individuals receive the information relevant to them in a timely manner.

24 The risk culture must be appropriate to the profile. It is reflected in the IORP’s standards and in the attitudes and behaviours of its staff. The risk culture affects the IORP's risk awareness, risk appetite, risk management and risk control system and is reflected in its documentation and written policy.

25 The full management board promotes the risk culture. In this context, it has an exemplary role (“tone at the top”). The full management board ensures that the risk culture is communicated within the IORP, observed in the build-up of risks and linked to the risk management and its internal controls.

8 General governance requirements

8.1 Organisational and operational structure

8.1.1 General

26 The IORPs decide with due consideration for their profile and the scope of the requirements to be met which specific organisational structure is suitable for them.

8.1.2 Determining tasks, responsibilities and reporting lines

27 A transparent organisational structure appropriate to the IORP’s profile requires a clear definition and segregation of tasks and responsibilities. There must be clear rules in place regarding who is responsible for tasks in the IORP and who is accountable for decisions.

28 Rules on representation and reporting lines must also be clearly defined in addition to the tasks and accountabilities. It must be ensured that all individuals in the IORP receive the information affecting them without delay and are able to recognise its significance, and that exercising the relevant task or responsibility is guaranteed at all times.

8.1.3 Appropriate segregation of responsibilities

29 The organisational structure of an IORP must provide for a segregation of responsibilities up to and including the management board that is appropriate to the IORP’s profile.

30 The principle of segregation provides, among other things, that units responsible for the build-up of material risk positions may not at the same time be responsible for the monitoring and control of these risks. The build-up of material risks occurs at least in the areas of underwriting, investment and distribution. If the business model of an IORP does not include underwriting and distribution, these units need not be taken into account. Segregation may be less strict considering the principle of proportionality, provided that potential conflicts of interest are countered by accompanying measures. The accompanying measures to be taken depend on the nature of the respective conflict of interest. For example: in the event of a lower profile and if appropriate and effective accompanying measures are in place, a management board member may be responsible both for underwriting and – alone or together with the other board members – for risk management. Accompanying measures include the dual control principle, separate reporting lines and the establishment of accompanying committees.

31 If several tasks are assigned to the same unit, this must not impair the effective, objective, proper and independent performance of duties.

8.1.4 Determining regulations on the operational structure

32 The operational structure must ensure that processes that involve risks and their interfaces are appropriately managed and monitored. This requires, first of all, that all processes be assessed from a risk aspect.

33 Processes that involve risks exist in all IORPs at least in the units specified in margin no. 30, as well as in reserving (under the German Commercial Code (Handelsgesetzbuch - HGB)), asset liability management (ALM) and ceded reinsurance management. Ensuring appropriate management and monitoring of the risk-bearing processes identified requires clear definition of the individual process steps, including the necessary control activities as defined by the internal control system and, if necessary, the escalation steps, the process-specific competences and responsibilities and the information flows.

34 Control activities generally do not imply the implementation of comprehensive controls following each individual process step. However, particularly process steps which involve risks must always be identified and checked on a regular basis.

8.1.5 Implementing regulations on the operational structure

35 To ensure the proper performance of their tasks, it is important that all relevant staff know the work procedures relevant to them, meaning that they must be informed in this regard and be familiar with the relevant content.

8.1.6 Documenting the organisational and operational structure

36 Documentation on the organisational and operational structure must be kept up-to-date at all times. Previous versions must be archived for a minimum of six years. The basic regulations concerning the operational structure must be outlined in a written policy (see margin no. 56).

8.1.7 Special aspects relating to IORPs as part of an insurance group

37 In the case of IORPs that belong to an insurance group, changes to the organisational and operational structure may be required both at group level and at the level of the individual IORP if there are changes to the group structure. It may be necessary, for instance, to determine new competences and reporting lines.

38 Responsibility for changes to the organisational and operational structure at the level of an individual undertaking lies with the management board of the relevant IORP. Requirements of the undertaking responsible for fulfilling the requirements at group level may need to be observed and implemented in an individual undertaking as necessary.

8.2 Management board and supervisory board

39 The governance system of an IORP includes processes for regular and ad-hoc transmission of information and reports from the business units and functions to the management board. On this basis, and based on corresponding consultation, the management board carries out its executive responsibilities and makes its decisions. The processes used to ensure that staff are notified of decisions relevant to them in such a way that these can be implemented in full are equally important as the processes for transmitting information and reports to the management board.

40 The supervisory board actively exercises the rights of information, inspection and review granted to it for the purpose of fulfilling its duties and advises the management board on strategic and other issues.

8.2.1 Dual control principle

41 The IORP must ensure it is effectively run by at least two individuals. This implies that a minimum of two persons who effectively run the IORP are involved in any of the IORP's material decisions before the relevant decision is implemented.

42 The IORP is responsible for the initial assessment as to whether there are any other individuals in the IORP aside from the members of the management board who also belong to those individuals effectively running the IORP based on their decision-making powers. This is relevant for instance at the second management level.

43 The IORP is responsible for determining which decisions need to be categorised as material with respect to the business model and to the individual profile. Decisions may be considered material if they can have a significant impact on the IORP or are unusual given regular business operations. For example: a decision may be material if it has or may have a lasting negative impact on the net assets, financial position or results of operations of the IORP.

8.2.2 Documentation

44 The management board must document its decisions and the manner in which it takes into account the information obtained from risk management (see 10.1). In the same way, any decisions material to the IORP made by persons who effectively run the IORP must be documented.

45 No minimum level of structure can be specified for the documentation as a blanket concept. The scope and level of detail of the documentation for decisions depend on the purpose for the documentation and the risks associated with the relevant decision. The structure of the documentation must be determined, therefore, in the individual case based on a holistic view with due regard to the built-in checks and benefits involved. However, a complete waiver of the documentation cannot be considered.

46 The documentation is adequate provided that it is complete and precise and includes all of the material background information (e.g. formulas, parameters, decisions below management board level, crucial justifications for these) to enable a competent person to understand the content of the decision and review this.

47 Preparing a complete set of new documentation is not necessarily required. References to existing documentation with the documentation also appended may suffice, provided that this can be scrutinised and understood.

8.3 Internal review of the governance system

48 The full management board assesses the governance system on a regular basis (section 23 (2) of the VAG) with the frequency of assessments to be laid down in accordance with the IORP’s profile, and ensures that any required changes are implemented promptly. Assessments of individual units of the governance system can be made by the management board member responsible for this unit. The full management board must, however, be informed of the outcome of this assessment and manage the resulting implementation. Therefore, every management board member needs to understand at least the material risks to which the IORP is exposed.

49 The assessment covers the governance system in its entirety. It builds on existing findings, such as those gained in the review of the policy or obtained by the internal audit function during its review of the system of governance, or by other key functions in carrying out their tasks. A separate process is not required. If findings of the internal audit function are used in the assessment of the system of governance, it should be noted that the audit perspective under section 23 (2) of the VAG differs from the perspective under section 30 (1) of the VAG. The management board will proactively assess in particular whether the system of governance supports the objectives under the business and risk strategies. The internal audit function, on the other hand, examines whether the system of governance of the audited areas is effective and appropriate at the time of the audit.

50 Regular assessment of the system of governance must be ensured. The outcome of the assessment along with the implementation of the changes required are to be documented.

51 The full management board determines the grounds for extraordinary assessments of the system of governance.

8.4 Written policy

52 The written policy is a tool for the management board to ensure that organisational units act in accordance with their tasks and duties and in an effective and targeted manner. The written policy also serves to operationally implement the principles-based legal requirements for IORPs.

8.4.1 General

53 IORPs are free to formulate the written policy as they see fit. Accordingly, organisational rules for key functions can be included in the policy of the relevant system of governance or documented in separate policies. For example, it is permissible to include the organisational rules for the independent risk management function in the risk management policy. However, a common written policy for all key functions would also be acceptable.

54 The practical implementation of the written policy is carried out through corresponding work procedures. The level of responsibility for these work procedures must be determined.

55 The written policy agreed at group level does not automatically apply to the legally independent individual undertakings. This also applies if control agreements are in place. Written policies must therefore be issued separately for the legally independent individual undertakings. Policies agreed at group level can be transferred to individual undertakings subject to undertaking-specific adjustment. Existing documents that already contain the specified contents of the policy can be used as policies.

8.4.2 Content of the written policy

56 The written policy must clearly present the basic rules on the operational structure, along with the competences, powers and reporting processes.

57 Corresponding interfaces and segregation must be stated in the relevant written policy in order to avoid duplication of tasks.

58 The written policy of the relevant organisational units must set out which information is relevant for the key functions and state that any such information must be conveyed to the key functions.

59 The written policies must be coordinated with each other and with the business and risk strategies.

8.4.3 Adoption and review of the written policy

60 The minimum requirements under this section 8.4.3 apply at least to the written policy on the system of governance within the meaning of section 23 (3) sentence 2 of the VAG in conjunction with section 234a (3) sentence 1 of the VAG. The minimum requirements do not apply to the work procedures implementing the policy.

61 In order to support the business and risk strategies to be determined by the board, the full management board must agree on the written policy upon initial adoption at least, as well as in the event of significant amendments.

62 The written policy specified in section 23 (3) sentence 2 of the VAG in conjunction with section 234a (3) sentence 1 of the VAG must be reviewed at least every three years using methods appropriate to the profile of the IORP. The full management board determines the grounds for ad-hoc reviews of the individual policy.

63 The review of the written policy requires that the persons or organisation units responsible for the review be specified. The review needs to take into account that changes to a written policy can have a direct impact on the other written policies.

64 The reviews of the written policy must be documented. The findings and any need for amendments resulting from these findings are to be reported to the management board.

65 Any identified need for substantial amendment of a written policy must be reported to the full management board, which then has to justify its corresponding decision briefly but in a comprehensive manner. The decision must be documented together with the justification. Otherwise, it is sufficient for the responsible management board member to take note of the decision, which must be documented accordingly.

8.4.4 Knowledge of and compliance with the written policy

66 The staff must be notified of the current written policies that are relevant to them.

67 The IORPs must implement internal controls to ensure that all conduct is in accordance with the written policy and that any infringements are identified promptly.

8.5 Automated business processes

68 In the context of the supervisory requirements for IT defined in Circular 10/2018 (VA), which remain unaffected, the organisational and operational structure must ensure that automated business processes that involve risks, which also include automated underwriting, automated case-by-case decisions in claims and benefit processing, as well as automated portfolio management, are appropriately managed and monitored and that the requirements on the system of governance are met. In addition to an assessment of the automated business processes from a risk perspective, this in particular requires that all automated business processes are identifiable and comprehensible and that it is ensured that the full management board is informed in broad terms about the implementation, design and functioning of the automated business processes.

9 Key functions

9.1 General requirements and position in the undertaking

69 The concept of the "key function" comprises the following three functions: the internal audit function, the independent risk management function and the actuarial function. A distinction must be made between this and the additional concept of a "key task"; in addition to the key functions, IORPs can also determine additional key tasks (see the Guidance Notice on the fitness and propriety of persons responsible for key functions or persons who work for a key function pursuant to the VAG).

70 The key functions have an equal ranking. Persons internally responsible for a key function (see 9.1.1) who are not members of the management board are only subject to instructions from the management board in terms of exercising the key function. This also applies if the key function is not directly subordinate to the management board level from an organisational point of view. The full management board represents the escalation level in the event of disputes between key functions that cannot be resolved between the responsible management board members, and in the event of disputes between key functions for which the same management board member is responsible.

71 The key functions must be set up in an appropriate manner with due regard to their relevant purpose and the principle of proportionality. Apart from centralised or specialist team structures, decentralised or integrated structures also come into consideration (see 12.6 and 12.7 on outsourcing).

72 Conflicts of interest are to be avoided. The key functions must at all times be free from influences that may compromise the function's ability to undertake its duties in an objective, fair and independent manner. It is crucial for duties to be defined and allocated in a clear and transparent manner, in particular with regard to integrated approaches to the organisation of a key function. This must be laid down in a written policy.

73 With regard to the conflicts of interest that may arise from the fact that a person responsible for a key function within the IORP at the same time performs a similar function in the sponsoring undertaking, see margin nos. 141 et seq. and 250 et seq.

74 Apart from having adequate resources and powers, the key functions need to have a high status within the IORP (see margin no. 70). This must be enshrined in the written policy.

75 Undertakings that are part of groups must establish all key functions at the individual level.

9.1.1 Person internally responsible for a key function

76 For all forms, including decentralised ones, there must be a natural person who bears responsibility for the relevant key function being fulfilled properly. This is notwithstanding the ultimate responsibility of the full management board. There is an "internally responsible person" for any key function set up internally within the undertaking (see 12.6 and 12.7 on outsourcing). This responsibility may not be allocated wholly or partially to several natural persons. However, there can be many people who work for a key function, i.e. contribute to the key function’s work.

77 A member of the management board can at the same time be the person internally responsible for a key function only on a case-by-case basis (see 12.6 and 12.7 on outsourcing), i.e. in particular if this structure is appropriate to the IORP’s profile. Section 23 (1) sentence 3 of the VAG is applicable, which means that there must be a separation of the responsibilities appropriate to the IORP’s profile, including in relation to the responsibilities as an internally responsible person and as a member of the management board. In accordance with section 234b (1) of the VAG, IORPs must ensure that the assignment of the additional tasks does not or is not likely to prevent the relevant internally responsible person from undertaking all their duties effectively and in an objective, fair and independent manner. This requires, among other things, sufficient time for the relevant additional tasks. In all other respects, reference is made to the Guidance Notice on the fitness and propriety of persons responsible for key functions or persons who work for a key function pursuant to the VAG.

78 The principle of proportionality must be observed if a person, whether a member of the management board or a person working below the management board level, is at the same time internally responsible for multiple key functions. In IORPs, the possibility to be internally responsible for multiple key functions at the same time is limited to the independent risk management function and the actuarial function. In such a case, the IORP must demonstrate that this arrangement is appropriate to its profile. A further limit to the assignment of multiple tasks to the same person is provided in section 234b (1) of the VAG (see margin no. 77). A special rule applies to the internal audit function, which stipulates that the person internally responsible for it cannot at the same time perform any other key function (see 9.3).

9.1.2 Information flow and special notification obligations to the management board and the supervisory authority

79 The relevant person internally responsible for a key function (see 9.1.1) must report directly to the full management board. This also applies if the key function is not directly subordinate to the management board level from an organisational point of view.

80 In certain cases, the person internally responsible for a key function within the IORP is subject to special notification obligations to the full management board and the supervisory authority. This special notification obligation results directly from section 234b (4) of the VAG. Under section 234b (4) of the VAG, the relevant internally responsible person must notify the full management board immediately about any event subject to notification requirements from that person’s area of responsibility. The notification may also contain recommendations, i.e. specific proposals for appropriate measures, on which the full management board is to decide. If, depending on the complexity of the relevant findings, the search for suitable remedial actions proves to be time-consuming from an objective point of view, the full management board must be notified without such a recommendation. The recommendation must then be made immediately once appropriate actions have been identified. The internally responsible person must notify the supervisory authority if the full management board has failed to take action in a timely manner, i.e. within a period of time appropriate to the complexity of the findings after having been made aware of them.

81 The notification obligation under section 234b (4) of the VAG is structured in two stages: in the first notification stage, the internally responsible person must always first inform the full management board about any relevant occurrences. The need for the second notification stage, which requires notification of the supervisory authority, only arises in accordance with section 234b (4) sentence 3 nos. 1 and 2 of the VAG in cases where the management board remains inactive although it has been previously informed of the occurrence, or does not initiate the necessary measures in time, or the measures taken are not effective.

82 The notification obligation is limited to the area of responsibility of the person internally responsible for the key function concerned.

83 If members of the management board are at the same time internally responsible persons, it is not sufficient for compliance with the notification obligations that, as management board members, they are automatically informed about any fact subject to notification requirements. On the contrary, as internally responsible persons, management board members are required to inform the full management board.

84 If a key function is outsourced, the notification obligation under section 234b (4) of the VAG is transferred to the outsourcing manager. If the outsourcing manager is at the same time a member of the management board, the provisions of margin no. 83 apply accordingly.

85 The notification system in accordance with section 234b (4) of the VAG is parallel to and independent of the general whistleblowing system of IORPs under section 23 (6) of the VAG. Reports made under section 23 (6) of the VAG are voluntary, whereas occurrences under section 234b (4) of the VAG must be notified by the internally responsible person to the full management board. For the same reason, anonymous reports to the BaFin contact point for whistleblowers under section 4d of the Act Establishing the Federal Financial Supervisory Authority (Finanzdienstleistungsaufsichtsgesetz – FinDAG) are considered insufficient to fulfil the notification obligation of the internally responsible person to the supervisory authority under section 234b (4) of the VAG.

86 Conversely to the notification obligations of the internally responsible person, the management board must notify persons internally responsible for the relevant key function at its own initiative and in a timely manner of all facts that may be required for them to fulfil their responsibilities. This duty to notify the internally responsible person applies accordingly to other business units.

9.2 Actuarial function

9.2.1 General requirements for the actuarial function

87 If an IORP itself covers biometric risks or guarantees an investment performance or a certain level of benefits, it is required to establish an actuarial function as a key function. Accordingly, in accordance with section 234b (6) of the VAG, the establishment of an actuarial function can be waived if the IORP exclusively provides pure defined contribution schemes within the meaning of sections 244a et seq. of the VAG or the Pensionsfonds exclusively provides non-insurance benefits. Irrespective of the actuarial function, the VAG continues to stipulate the appointment of a responsible actuary (see 9.2.6).

9.2.2 Responsibilities of the actuarial function

88 The schedule of the actuarial function's responsibilities is defined in sections 31 and 234b (5) of the VAG.

89 It is also generally possible to assign responsibilities to the actuarial function that go beyond the specified schedule of responsibilities if conflicts of interest are analysed and appropriate measures are implemented to handle these.

90 In this context, responsibilities of the actuarial function can generally also be performed by the responsible actuary (see Bundestag printed paper 19/4673, page 63), if measures are taken to avoid or handle any conflicts of interest. With regard to the relationship between the responsible actuary and the person responsible for the actuarial function, reference is made to margin nos. 115 to 118.

9.2.3 Coordination and monitoring of the calculation of technical provisions

91 The decision regarding who carries out the calculation of the technical provisions is left to the IORP.

92 The monitoring of the calculation of the technical provisions is carried out on the basis of the validation of the IORP’s technical provisions calculated in accordance with the German Commercial Code. The validation serves to verify the appropriateness of the assumptions and methods used in the calculation of the technical provisions. The decision regarding who carries out the validation is left to the IORP. This does not affect the actuarial function's responsibilities under sections 31 (1) and 234b (5) of the VAG.

93 If, within the scope of its competence, the responsible actuary has also made findings relating to the calculation of the technical provisions in the course of its control and monitoring activities, these may be included in the validation.

94 From a proportionality point of view, it may be sufficient if the technical provisions are only validated on the basis of the findings of the responsible actuary and external reviews, such as those of an auditing firm.

95 The calculation of the technical provisions and the validation are separated in such a way as to avoid conflicts of interest and, in particular, so as not to unreasonably impair the independence of the validation. In line with the principle of proportionality, this requirement can be considered fulfilled for IORPs with a lower profile if the processes for the validation and calculation are separate. However, the staff carrying out the validation and calculation may need to be separate individuals in accordance with the principle of proportionality.

96 In the case of an IORP with a lower profile which has no staff or has only a small staff, the principle of segregation may already be fulfilled if calculation and validation processes are separated.

97 The validation includes the calculation methods and data used, the assumptions made, as well as the complete record of the obligations to be evaluated. The impact of changes to methods, assumptions and the data bases from one reporting date to the next must be determined.

98 Within the scope of its competence, the actuarial function is responsible for ensuring that an appropriate validation is carried out. In this context, the actuarial function fulfils the following responsibilities.

99 The actuarial function evaluates whether the interdependencies between the choice of method, the assumptions and the quality and availability of the data have been taken into account. The source and intended use of the data are considered for this purpose.

100 In its review of which validation process is the most appropriate one, the actuarial function takes into account the characteristics of the obligations to be evaluated.

101 The actuarial function regularly reviews the validation process and ensures that this is adjusted as necessary. For this purpose, it incorporates the empirical values acquired from previous validations.

102 The actuarial function ensures that both quantitative as well as qualitative aspects are taken into account in the validation.

9.2.4 Assessment of data quality

103 The statements made in the following margin numbers relate to the data used for the evaluation of technical provisions.

104 For the assessment of the data quality, the actuarial function includes the results of analyses that were carried out as part of external or internal reviews of the data quality.

105 In assessing the completeness of the data, the actuarial function reviews whether the quantity and the level of detail of the available data suffice for application of the calculation method used.

106 The actuarial function determines material shortcomings in the data as well as the causes for these. For this, it also reviews internal processes and consults with the staff responsible as required. It puts forward solutions for rectifying the shortcomings to the management board.

107 The actuarial function documents the material shortcomings and causes for these as well as the solutions chosen. It also outlines the potential material effects of these shortcomings on the calculation.

108 The actuarial function formulates recommendations as necessary for improving internal procedures as part of data management in order to ensure that the IORP is capable of meeting the relevant supervisory requirements.

109 It reviews in which circumstances external and/or market data is additionally required. It also evaluates the quality of this data.

9.2.5 Opinion on the underwriting policy and reinsurance

110 In cases where the IORP has a general underwriting and acceptance policy in place, the actuarial function supports the management board by analysing the interdependencies between the underwriting and assumption policy, the calculation of premiums and benefits, the reinsurance policy and the technical provisions. The actuarial function must assess the compatibility of the underwriting and reinsurance policy with the IORP’s profile.

111 The analysis of the underwriting and assumption policy and the calculation of premiums and benefits required for this does not generally take place at the individual product level, but rather at an appropriate abstraction level.

112 The analysis of the reinsurance policy includes the effectiveness of the reinsurance agreements under stress conditions. The scope of the analysis depends on the significance of the coverage. Materially insignificant coverages justify a less extensive analysis taking into account the profile of the IORP.

113 The analyses are also regularly carried out on a quantitative basis.

114 Irrespective of whether or not IORPs have a general underwriting and acceptance policy in place, in cases where they provide pension contracts with long-term interest rate guarantees, the actuarial function will also provide an opinion in particular on the extent to which the premium income from new business is adequate to cover the future claims and expenses taking account of the level and type of the embedded interest rate guarantees. The individual profile of the IORP must be taken into account in the underlying analyses. Particular consideration must be given to the extent to which the IORP is expected to be able to meet the obligations arising from the interest rate guarantees of the new business using the expected future returns on its investments. General reference to the fact that the guaranteed interest rate used for the premium calculation does not exceed the applicable maximum technical interest rate under section 2 of the German Premium Reserve Regulation (Deckungsrückstellungsverordnung – DeckRV) is not sufficient.

9.2.6 Relationship between the person responsible for the actuarial function and the responsible actuary

115 Responsible actuaries exercise a protective function for members and beneficiaries. They ensure equal treatment and that surpluses are used appropriately. In addition, the responsible actuary must ensure that the calculation of the premium reserve under commercial law is in accordance with the relevant statutory regulations and that premiums are calculated in such a way that an adequate premium reserve can be established. In doing so, the responsible actuary also reviews whether the undertaking is in a position to fulfil its obligations under the pension contracts at all times. If the responsible actuary is at the same time the responsible person for the actuarial function, the IORP reviews whether this combination could lead to conflicts of interests (see margin nos. 89 and 90).

116 The tasks of the responsible actuary with respect to compliance with the statutory regulations for provisions under the commercial law and the appropriate premium calculation usually do not impair the role of the actuarial function so severely that an organisational separation would be considered necessary.

117 The tasks of the responsible actuary and the actuarial function of the IORP are largely the same. Both activities relate to the technical provisions of insurance undertakings and Pensionsfonds in accordance with the German Commercial Code.

118 The actuarial function can make use of existing analyses of the responsible actuary when formulating its opinion on the adequacy of the premiums.

9.2.7 The actuarial function’s duties to inform

119 The actuarial function submits to the management board a written report showing all essential results achieved (Actuarial Function Report) at least once a year. If, with BaFin’s consent, Pensionskassen do not calculate their premium reserve annually, the Actuarial Function Report provides information on the premium reserve only in the year in which it is calculated.

120 The Actuarial Function Report will clearly highlight any deficiencies as well as recommendations on rectifying these deficiencies. It will also include details on changes to the underlying assumptions and methods used at a minimum. A general note to the effect that the situation has not changed compared with the previous year is not sufficient. However, specific references to individual aspects are possible.

121 The Actuarial Function Report cannot be replaced by individual sub-reports. It must be inherently comprehensible for the full management board.

122 The actuarial function is free to report separately on individual topics in addition to the Actuarial Function Report. Material aspects from these reports must be incorporated into the next Actuarial Function Report.

123 A separate report is compiled in each case by the responsible actuary and the actuarial function to the extent that a report is envisaged. This also applies if the responsible actuary is at the same time the person responsible for the actuarial function. In the event of overlaps, e.g. in relation to an analysis of data quality, the Actuarial Function Report can also address or refer to the findings from the report submitted by the responsible actuary and assess them independently.

9.3 Internal audit function

124 All IORPs must establish an internal audit function. Exceptions to this rule are not permitted.

125 The audit assignment for internal audit relates to the entire governance system of an IORP, including outsourced units and processes.

126 Compliance with the audit plan, i.e. fulfilling the audit function, takes priority over the consultancy function. The internal audit may therefore have to restrict its consultancy activities where necessary.

127 The internal audit is not subject to any influences (controls, constraints or other influences) that could impair its independence and impartiality in completing its tasks.

128 The internal audit must be independent of all business units in the IORP. This applies to the person responsible for the internal audit function as well as to all individuals who work for the internal audit.

129 In particular, the internal audit must not be impaired, even indirectly, in carrying out the audit, evaluating the audit results or reporting on these results. The internal audit communicates its results, findings, concerns, recommendations for improvement, etc. directly to the full management board, without being influenced to make changes to them.

130 The full management board's right to issue instructions in relation to the internal audit's inspection schedule is not inconsistent with the internal audit's independence. The internal audit function may conduct audits not provided for in the audit plan to the extent necessary.

131 The internal audit must be independent of other operational functions or activities (section 30 (2) sentence 1 of the VAG). This applies equally to all IORPs; proportionality aspects are irrelevant to this extent.

132 The other key functions are permitted to cooperate with the internal audit. Inappropriate influence exerted by the other key functions must be ruled out by setting out clear remits, among other factors.

133 The person internally responsible for the internal audit function may not at the same time perform any other key function within the IORP. That person may also not at the same time be the outsourcing manager for other outsourced key functions. The prohibition on the bundling of functions with regard to the person internally responsible for the internal audit function results directly from section 234b (2) of the VAG. However, the person internally responsible for another key function within the IORP can at the same time be the outsourcing manager for the outsourced internal audit function (see margin no. 240).

9.4 Independent risk management function

134 This Circular uses the term “independent risk management function” (IRMF). It is synonymous with the term “risk management function”.

135 In accordance with section 26 (8) sentence 1 of the VAG, the IRMF significantly promotes implementation of the risk management system. In this context, the IRMF, as the central body promoting risk management, ensures that appropriate processes, procedures and methods for operational risk management are implemented.

136 The IRMF assists the full management board and if necessary the responsible management board members as well as other functions in effectively operating the risk management system. In this respect, the IRMF must in particular:

a) regularly assess whether the risk strategy is consistent with the corporate strategy,
b) regularly assess whether the written policy is adequate with regard to the risk management system,
c) promote risk awareness among the staff affected by the risk management system,
d) regularly assess the methods and processes for risk assessment and monitoring and develop these further where appropriate,
e) propose limits and
f) evaluate planned strategies based on the risk aspects.

137 The IRMF monitors the risk management system. In this respect, the IRMF must in particular:

a) develop processes and procedures for monitoring the risk management system and
b) monitor the adequacy of the risk management system on a continuous basis.

138 The IRMF monitors the IORP’s overall risk profile. In this respect, the IRMF must in particular:

a) identify, assess and analyse the risks at an aggregate level at least,
b) monitor the measures aimed at limiting risk,
c) monitor the limits and the risk at an aggregate level and
d) coordinate implementation and documentation of the IORP's own risk assessment.

139 The IRMF reports regularly, at least once a year, to the full management board at a minimum on material risk exposures and the overall risk profile. The IRMF also reports to the full management board on the adequacy of the risk management system and proactively advises it at a minimum of any material deficiencies and/or potentials for improvement in relation to the risk management system. Material information that has already been presented to the full management board in the own risk assessment report only needs to be reprocessed in the written report of the IRMF if and to the extent that it is necessary for the understanding of the statements not yet reported in the own risk assessment.

140 The IRMF advises the management board on risk management issues and assists it in rectifying any deficiencies and in developing the risk management system on a continuous basis.

9.5 Simultaneous performance of a similar function at the sponsoring undertaking by a person internally responsible for a key function

141 The permissibility of the simultaneous performance of a similar function in the sponsoring undertaking by the person internally responsible for a key function of the IORP is governed by section 234b (3) of the VAG.

142 Functions are considered similar if they may result in conflicting interests, goals or obligations for the persons performing them because of an overlap in terms of content.

143 Conflicts of interest resulting from simultaneous performance of similar functions can generally also occur in the case of outsourcing. While simultaneous performance of a similar function is always impermissible in the event of outsourcing to a service provider that is not a sponsoring undertaking, it may be permissible in the case of outsourcing to a sponsoring undertaking, provided the IORP takes special measures to address and to avoid any conflicts of interest (see margin nos. 250 et seq.). For example: there is no simultaneous performance of similar functions and thus no conflict of interest if the outsourcing manager of the IORP is not at the same time the person responsible for the outsourced key function in the sponsoring undertaking. Conversely, if the IORP’s outsourcing manager is at the same time also responsible for the proper performance of the key function in the sponsoring undertaking, this would be considered simultaneous performance of a similar function. In this case, a conflict of interest exists because monitoring and assessment relate to the person’s own area of responsibility. The IORP therefore must take accompanying measures to address and avoid any conflicts of interest if it wishes to make use of the possibility to bundle functions (see margin nos. 250 et seq.).

144 In accordance with section 234b (3) sentence 2 of the VAG, the IORP must submit a statement to the supervisory authority without undue delay explaining how it intends to avoid or address conflicts of interest with the sponsoring undertaking if the person internally responsible for a key function – in the case of outsourcing, the outsourcing manager for a key function outsourced to the sponsoring undertaking – performs or is intended to perform a similar task in the sponsoring undertaking.

10 Risk management system

10.1 Role of the management board in the risk management system

145 The full management board is responsible for ensuring that the structure and design of the risk management system are effective and appropriate with regard to the profile of the IORP. This includes appropriate reporting procedures and processes which ensure, in particular, that information is provided at a minimum on all material risks and that the effectiveness of the risk management system is actively monitored and analysed and that it is improved where necessary.

146 The full management board is responsible for determining the risk appetite of the IORP and for defining materiality thresholds at least for the material risks, which must be reviewed on a regular basis, at least once a year, and adapted if necessary.

147 The responsibility of the full management board does not release the supervisory board from its duty to check whether the full management board has established an appropriate and effective risk management system.

148 Irrespective of the full management board's collective responsibility, the IORP's profile may require a certain member of the management board to be assigned specifically to risk management.

149 The full management board's collective responsibility for the risk management system relates to the managerial functions. These functions include, inter alia, the strategic decisions and determinations for the organisational framework for risk management, and therefore specifically also assuming and managing material risks.

150 The managerial functions also include the development of a risk strategy. This must be reviewed at least once a year and adapted as necessary. The risk strategy, its review and any changes made to it must be documented. The risk strategy reflects the risks arising from the business strategy. It also includes a statement on the IORP's risk appetite to achieve the strategic objectives, both at the aggregate level and with regard to the material risks. The risk strategy must be structured in such a way that operational management of the risks can be linked to it.

151 The full management board and, where appropriate, the responsible management board member must appropriately consider the information from the risk management system in their own decisions. This also requires adequate inclusion of the IRMF as the central unit for risk management. Inclusion of the IRMF does not release the full management board or the responsible management board member from responsibility for their own decisions.

10.2 Risk management policy

152 The written risk management policy includes, at a minimum, requirements on the areas specified in section 26 (5) sentence 1 of the VAG. In addition, it considers the risks stated in section 234c (1) sentence 1 and (2) of the VAG from the perspective of the members and beneficiaries, provided these risks are material. The written risk management policy defines and categorises, at a minimum, the material risks, unless these are determined in the risk strategy. It also specifies the risk tolerance limits at least for the material risks.

153 Aside from defining the responsibilities as well as the status and powers of the IRMF, the written risk management policy must also state the status and powers of the other key functions, provided that these exercise responsibilities within the risk management system. The written risk management policy may refer to any of these responsibilities and powers of the other key functions that are stated in other written policies.

10.2.1 Risk management policy for operational risk

154 Operational risks within the scope of risk management include, inter alia, IT risks, irrespective of whether these result from the IT organisational structure, the IT systems or the IT processes.

155 Operational risks within the scope of risk management also include legal risks.

156 Risks of legal changes, at least those linked to transactions concluded in the past, must be adequately considered based on risk aspects. Risks of legal changes involve risks that arise based on a change to the legal environment, including to the regulatory requirements.

157 An analysis of the operational risks must also be carried out before products, processes and systems are implemented or are subject to a significant change. The results of this analysis must be included in the decision-making process.

158 IORPs must implement a suitable process for identifying and monitoring potential operational risks which, at a minimum, records and evaluates internal loss events. Thresholds appropriate to the profile must be determined for this purpose. The required process steps must be adequately documented.

159 IORPs must also take into account known external loss events when identifying potential operational risks.

160 The IORPs will review whether to introduce suitable key risk indicators or key performance indicators as part of an early warning system.

161 Material loss events resulting from operational risks must be reported both to the full management board and the IRMF without delay and analysed in relation to their causes. The loss events that are covered by this shall be determined individually for each undertaking. The full management board will decide whether additional measures need to be implemented in the event of material loss events and which measures these are. Implementation of the measures must be monitored.

10.2.2 Risk management policy for reinsurance and other risk mitigation techniques

162 The risk management policy for reinsurance and other risk mitigation techniques determines the targeted level of risk transfer. This level must be based on the defined risk tolerance limits. The type of reinsurance or other risk mitigation techniques chosen by the IORP is also to be specified. The type chosen must be the type most appropriate to the IORP’s profile. The criteria for the choice of reinsurance arrangements or other risk mitigation techniques must also be determined.

163 Principles must be developed for the selection of contracting parties to reinsurance and other risk mitigation techniques. These also include procedures to assess and monitor the performance and creditworthiness of reinsurers and other risk mitigation partners. If the IORP relies on external ratings to assess the creditworthiness, it is to verify, to the extent possible, their suitability by carrying out additional assessments.

164 If the IORP chooses reinsurance arrangements or other risk mitigation techniques, its risk management takes into account all associated risks, in particular the credit risk associated with the relevant risk mitigation technique. This includes documentation of at least the material risks, the measures taken and the potential consequences.

165 The IORP identifies and evaluates both the extent and the impact of the risk transfer. To this end, it develops procedures and criteria appropriate to its profile.

166 With regard to reinsurance and other risk mitigation techniques, the liquidity management also takes into account possible liquidity shortfalls resulting from a timing mismatch between the insurance benefits to be paid and the receipt of amounts recoverable from reinsurers and other risk mitigation partners.

10.3 Elements of the risk management process

10.3.1 Risk identification

167 All risks must be identified and classified in a timely manner. Risks, associated internal and external risk drivers, existing interdependencies between risks and risk drivers, as well as reference values affected by risks (hereinafter: key reference figures) are to be defined consistently and without overlaps.

168 The risk identification must be performed regularly, at least annually. If there is a significant change in the risk profile, the results of the risk identification must be reviewed in a timely manner taking into account the changed framework conditions.

169 The results of the risk identification must be documented. The following information should at least be included:

  • risk type,
  • risk category,
  • the responsible risk officers,
  • risk drivers,
  • key reference figures,
  • possible interactions and correlations with other risks,
  • measures for risk treatment already initiated.

10.3.2 Risk evaluation

170 The risk evaluation must be performed for the individual risks and the overall risk of the IORP. It is carried out both qualitatively and quantitatively on the basis of the relevant risk drivers.

171 As far as the risk type permits, the risk level and its probability of occurrence are to be specified. The risk level and probability of occurrence can be determined on the basis of statistical methods or, if the available data is not adequate, by internal or external expert estimates. In the case of statistical evaluations, correlations between at least the material risks must also be stated where possible. If there is no adequate database for the risk evaluation, such a database must be established at least for the material risks. Expert estimates are to be made in accordance with qualitative standards taking into account the amount of claims and the probability of occurrence. The time horizon of the risk evaluation must be defined individually for each IORP and must be in line with the IORP’s planning horizon.

172 The assumptions and methods used for the risk evaluation and its frequency are to be defined and must be appropriate to the relevant risk. The methods used must also allow results to be aggregated. The data required for risk evaluation are to be collected in accordance with the needs of risk treatment. The risk evaluation is to be based on clear key indicators.

173 The IORP’s overall risk is to be defined based on the evaluation of the individual risks. The risk concentrations and interdependencies between the individual risks must also be taken into account.

174 If quantitative risk assessment is not appropriate or possible for individual risks, the qualitative assessment must be justified in detail.

10.3.3 Risk treatment

175 A risk-bearing capacity concept is to be prepared based on the results of the risk evaluation. This concept sets out the overall risk taking potential and the extent to which this is to be used to cover all material risks the IORP has taken on. The risk-bearing capacity concept considers the various requirements for risk management. Compliance with the regulatory capital requirements constitutes the lower limit for the risk-bearing capacity of the IORP. This means that compliance with the regulatory capital adequacy requirements is a minimum requirement in the context of a risk-bearing capacity concept. The own funds of the IORP for the coverage of the solvency capital requirement can therefore not be used as risk coverage potential. Strategic objectives for business units to be managed and accounting requirements must also be taken into account.

176 The methods and assumptions used for drawing up the risk-bearing capacity concept must be documented and clearly explained. The documentation can take the form of a stand-alone document or be part of an existing documentation.

177 A consistent system of risk limits for risk treatment purposes is to be installed based on the risk-bearing capacity concept. The full management board determines appropriate limits at least for the most important business units to be managed. For higher management levels, the limits are to be aggregated in a meaningful way.

178 Risks associated with existing business as well as losses incurred are to be counted towards the limits.

179 Limit utilisation must be monitored regularly on the basis of appropriate risk-related key figures. To the extent possible, the key figures are to be aggregated at the firm-wide level and compared with the risk coverage potential.

180 If a quantitative limit is not suitable for a business unit, other suitable risk-related key figures are to be provided.

181 If a significant change in the risk profile is identified, the key indicators are to be recalculated after measures have been taken.

182 Risk treatment is implemented operationally by the business units which have responsibility for results. To ensure that these business units carry out their tasks properly and effectively, they must be kept continuously and fully informed about the utilisation of the limits relevant to them and of the status of other control metrics.

183 The appropriateness and effectiveness of the limits and other risk treatment measures is to be reviewed on a regular basis. Any adjustment of existing risk treatment measures or the implementation of new measures resulting from the review must be in line with the IORP’s risk strategy. Intended changes must be communicated to the business units concerned in a timely manner.

184 At a minimum, the written policy on risk management must specify who is to be involved when and in what form if a limit is exceeded or a risk treatment measure is to be adjusted. Subsequent processes, such as the link to business continuity management, must also be specified.

10.3.4 Risk monitoring

185 Monitoring the material risks includes control of

  • risk profile,
  • limits,
  • implementation of the risk strategy,
  • risk-bearing capacity,
  • all risk-relevant methods and procedures.

186 Risk monitoring is to be performed regularly. The frequency and nature of monitoring must be appropriate to the IORP’s profile.

10.3.5 Risk reporting

187 As part of the risk reporting process, the management board is informed about the current and future risk situation. In particular, the degree to which the objectives set out in the risk strategy were achieved and the extent to which the limits set for the risks are utilised must be presented. In addition, the report is to include all other material information necessary for an understanding of the IORP’s risk situation.

188 As a minimum, the risk reporting explains the material consequences of important changes in the IORP, for example changes due to an adjustment of the business strategy. The consequences of changes to the risk management system, such as those resulting from the implementation of risk treatment measures or changes in the assumptions and methods used to identify and assess risks, must also be included.

189 The risk reporting must be prepared in a clear and concise manner. It must be carried out at regular intervals, at least once a year. In the event of significant changes in the risk profile, an ad hoc report is required as part of the IORP's own risk assessment under section 234d (1) sentence 3 of the VAG, unless regular reporting is due.

11 Internal control system

11.1 General

190 In particular, the internal control system ensures the appropriate and effective functioning of the governance system. In addition, it ensures the availability and reliability of the information necessary for business operations.

191 IORPs must structure their internal control system in accordance with their profile. The internal control system is an independent element of the governance system. It must be incorporated adequately into the organisational and operational structures and processes so that it fulfils its purpose.

192 The internal control system must also take into account any outsourced units and processes.

11.2 Internal control framework and reporting arrangements

193 The IORPs must set out the principles, procedures and measures related to the internal controls in the internal control framework. The internal control framework must be appropriate to the profile of the IORP.

194 The nature, frequency and scope of the internal controls in particular must be based on the risks of the relevant units and processes.

195 The IORPs must ensure that the individuals appointed to implement the internal controls have all of the necessary information available.

196 The adequacy and effectiveness of the internal controls must be monitored on an ongoing basis using appropriate procedures.

197 The results of the monitoring must be reported to the full management board on a regular basis, and at least once a year. Ad-hoc reports are also required in specific situations, particularly in the event of significant deficiencies in the internal controls. The management board must ensure that the required adjustments are implemented in good time.

11.3 Compliance with requirements and external standards

198 Under their internal control framework, IORPs must ensure compliance with the applicable laws and regulations, as well as with the relevant supervisory requirements and external standards.

199 External standards are to be observed under margin no. 198 only if they are of major importance to the IORPs or deal with material risks and originate from nationally or internationally recognised stakeholders with the necessary high level of expertise in their area of standard setting. Non-exhaustive examples of recognised standard setters include the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – BSI), the German Institute for Standardisation (Deutsches Institut für Normung – DIN) and the International Standard Organisation. The external standards to which the above criteria apply must be determined individually for each IORP taking into account the principle of proportionality. The external standards identified must be communicated to the staff concerned, for example by including them in the written policy.

200 IORPs are free to make independent decisions as to which external standards are to be observed and about the scope of the control activities to be carried out. The decision-making process must be documented in a way that is comprehensible to third parties, e.g. the supervisory authority.

12 Outsourcing

12.1 Definition

201 The scope of application of section 32 of the VAG covers the outsourcing of functions and pension activities. The legal definition in section 7 no. 2 of the VAG only refers to the feature "outsourcing" and requires, among other things, that the relevant process, service or activity would otherwise be carried out by the IORP itself. This requirement is usually fulfilled if an IORP must provide the relevant process, service or activity in compliance with legal requirements or because it is necessary for the IORP’s business operations. If the requirements of section 7 no. 2 of the VAG are met, it must be examined cumulatively whether a function or pension activity within the meaning of section 32 of the VAG exists. This appropriately limits the specific outsourcing control. A function or pension activity can also exist if the corresponding situation occurs not only in IORPs but also in other undertakings (e.g. investment).

202 It should be noted that general supervision of impropriety can take action even in cases where there is no outsourcing within the meaning of section 7 no. 2 of the VAG. This is because general supervision of impropriety covers all circumstances that could be a risk to policyholders' interests. This also includes service relationships that are not subject to the outsourcing requirements. - For example: canteen operations by an external service provider are not subject to the outsourcing concept because the relevant activities would otherwise not necessarily be carried out by the IORP itself and are therefore not subject to the specific outsourcing controls exercised by the supervisory authority. However, if there are repeated staff absences as a result of hygiene issues that thereby result in a risk to proper business operations, then this could represent an irregularity which entitles the supervisory authority to take action.

203 The criteria for the segregation of outsourcing and other service relations include the content of the relevant activity, and especially the scope and duration of this along with the frequency with which the service provider is used. The terms cannot be generally quantified and instead depend on how substantial the activity is for the relevant IORP.

204 The more substantial or frequent a third party service is, the more likely it is that this involves outsourcing. The thresholds applied for assuming duration or frequency must be lower the more substantial the relevant area is for the IORP. Operational or consultative use of a service provider on a merely occasional basis is not generally considered to be outsourcing. However, repeated appointment of the same service provider or frequent use of the same service provider for the same type of activity with a framework agreement in place could be an indication of outsourcing. Conversely, sets of circumstances are also conceivable, although rare, whereby typical pension activities are outsourced and the duration and frequency criteria for use of a service provider are also met, but the unit outsourced is of minor significance to the IORP. Circumstances such as these could provide grounds for the assessment that no outsourcing has taken place.

205 The agreement required between the outsourcing IORP and a service provider does not need to be a certain type of contract or have a particular contract name in order to qualify as an outsourcing agreement. The IORP is to review the outsourcing agreement at appropriate intervals in order to avoid conflicts of interest with the service provider and to ensure the continuity of the outsourced activities as well as the proper provision of services to the beneficiaries.

12.2 Form and content of the outsourcing agreement

206 The outsourcing agreement must be in written format (section 234e (2) of the VAG).

207 The outsourcing agreement must include provisions on at least:

  • clearly defining the outsourced function or activity,
  • defining the detailed requirements for the provision of the outsourced function or activity,
  • determining the respective rights and obligations of the IORP and the service provider,
  • the obligation of the service provider to identify, monitor, manage and disclose conflicts of interests,
  • the obligation of the service provider to protect confidential information and to inform the IORP in the event of a data protection breach,
  • the right of the IORP to monitor the service provider and to issue instructions related to the contractual services in order to achieve the relevant objectives,
  • the obligation of the service provider to cooperate with the supervisory authority,
  • the obligation of the service provider to provide the IORP, its auditor and the supervisory authority with access to information on the outsourced functions or activities and to facilitate on-site inspections,
  • the obligation of the service provider to disclose any significant development which could have an impact on the ability of the service provider to properly perform the outsourced function or activity immediately after becoming aware of such development,
  • the right of the IORP to terminate an open-ended outsourcing agreement by ordinary termination without this compromising the continuity and quality of the service to members and beneficiaries,
  • the right of the IORP to terminate the outsourcing agreement by extraordinary termination if the supervisory authority requires such termination for compelling reasons,
  • the right of the IORP to transfer the outsourced function or activity to another service provider or to reintegrate it into the IORP by ordinary or extraordinary termination, if necessary,
  • clearly setting out whether and under what conditions the service provider is permitted to sub-delegate. If the agreement permits sub-delegation, it should state that sub-delegation in no way exempts the service provider from its obligations and responsibilities.

12.3 Permissible scope

208 Outsourcing of all key functions and functions defined as key tasks by the IORP is possible for any IORP, with due regard to the provisions in this section.

209 The full management board bears ultimate responsibility in all cases of outsourcing, including intra-group outsourcing and sub-delegation. Primary managerial functions including responsibility for establishing and developing the risk management system and internal control system may not be outsourced. Service providers can only provide support and advice in these areas. Outsourcing certain sub-areas of the risk management system or internal control system is conceivable following careful consideration of the risks. This also applies to intra-group outsourcing where there is a control agreement in place.

210 An appropriate segregation of responsibilities is to be ensured also in the event of outsourcing (section 23 (1) sentence 3 of the VAG); this applies in relation to the organisational location of the outsourcing manager both with regard to the service provider and the IORP.

211 The IORP must pay special attention to the control framework in particular if the service provider is located outside of the EEA. The IORP must also be able to effectively control such service providers so that it can react swiftly to any breach of the provisions in the outsourcing agreement. The IORP must ensure that the service provider's local supervisory authority or the national regulations do not, in particular, restrict access to information on the functions and pension activities outsourced or to the service provider's business premises. In the case of outsourcing outside the EEA, the IORP must also pay attention to differences in national data protection regulations. The outsourcing agreement should include the obligation of the service provider to protect confidential information and personal data.

12.4 Risk analysis in the context of outsourcing

212 The risks associated with outsourcing must be identified and evaluated as well as monitored, managed and reported appropriately both before and after the outsourcing.

213 The IORP must first determine in an independent manner whether transferring an activity is covered by the definition of “outsourcing”. The additional assessment as to whether it is an important function or pension activity that is to be outsourced is also a sub-area of the risk analysis that must take place before any outsourcing.

214 Along with the strategic reasons, economic and operational factors and quantitative and qualitative aspects, the risk aspects must also play an appropriate role in any fundamental decision in favour of or against outsourcing. The relevant risk categories are normally the strategic, operational and reputational risks. Particular attention must also be paid to concentration risks if multi-client service providers are used.

215 A new risk analysis is required in the event of material changes to the risk profile due to the outsourcing circumstances; on this basis, a decision must be made on continuing or ending the outsourcing.

216 The relevant organisational units must be involved in the preparation of the risk analysis. The depth of the risk analysis and the involvement of the relevant organisational units is to be decided on the basis of proportionality aspects. The results of the risk analysis must be documented.

12.5 Process for reviewing the selection of adequate service providers

217 The IORP must select a suitable service provider before making a decision on outsourcing (section 234e (1) of the VAG). The objective selection criteria for the review process must be set out in the written outsourcing policy. The following aspects of the process must be covered at a minimum in the policy:

  • the service provider's financial performance,
  • the service provider's technical abilities,
  • the service provider's ability to provide the services outsourced,
  • the service provider’s risk management and internal control system,
  • any conflicts of interest.

218 The IORP must document the findings of the review process and the resulting conclusions and verify them whenever the IORP sees the need to do so.

219 In addition, the IORP independently determines in the written policy whether any further aspects need to be considered in the review process. If so, these aspects are to be adapted in the event of changes to the internal or external circumstances of the IORP.

12.6 Outsourcing of important functions and activities

220 A distinction must be made in the functions and pension activities between important and other activities.

221 In the event that important functions or pension activities are partially outsourced, then the crucial issue is whether the sub-area scheduled to be outsourced is considered important in its own right. The full management board must pre-approve all outsourcing of important functions or pension activities. The sub-delegation of an important function or pension activity must at least be pre-approved by the responsible member of the management board.

222 Key functions and functions defined as key tasks by the IORP are always considered to be important activities.

223 In addition, the following units are also generally considered to be important functions or to carry out important pension activities:

  • sales,
  • portfolio management,
  • benefits processing,
  • calculation of the technical provisions,
  • accounting,
  • investment products and management,
  • electronic data processing in relation to important functions and pension activities.

224 The point stated under margin no. 221 also applies to cases of partial outsourcing falling under margin nos. 222 and 223.

225 In all other respects, the IORP is responsible for determining whether the relevant function or pension activity is important and must document this as part of its risk analysis (see 12.4). The issue of whether a function or pension activity is important can only be assessed on a case-by-case basis.

226 The assessment regarding whether a function or pension activity is or is not important must be reviewed and accordingly adjusted if the underlying circumstances have changed significantly.

227 The criteria and the process for categorising a function or pension activity as important must be set out in the written outsourcing policy and adjusted for any changes in circumstances.

228 In accordance with section 234e (3) of the VAG in conjunction with section 47 no. 8 of the VAG, an immediate duty of notification with submission of the draft contract applies to the intention to outsource functions or other pension activities. Similarly, essential circumstances which arise after formation of the contract related to other outsourced pension activities are subject to notification requirements under section 234e (3) of the VAG in conjunction with section 47 no. 9 of the VAG. The extension of the notification obligations to include not only the outsourcing of important functions and pension activities but also other pension activities thus arises directly from the law. Only a sufficiently concrete intention to outsource functions or other activities is subject to notification requirements. The notification, as well as all documentation to be appended, must generally be submitted in German. The documents can also be submitted in English following consultation with the supervisory authority. If necessary, the supervisory authority may request at a later point that the IORP provide a certified translation.

229 The draft contract must also be submitted together with the notification.

230 The notification must state:

  • the name of the service provider,
  • the address of the service provider,
  • a description of the scope of the outsourcing,
  • the reasons for the outsourcing,
  • in the event that a key task is being outsourced, in particular one of the three key functions stipulated by statute, the name of the competent person at the service provider side,
  • the date of commencement and termination of the outsourcing contract,
  • the place where the outsourced activity is carried out, whether in the home country or abroad,
  • any sub-delegations.

231 If a key task is being outsourced, no documentation (e.g. CV, certificate of good conduct) needs to be submitted in relation to the competent person at the service provider side.

12.7 Outsourcing manager

232 The outsourcing manager monitors and evaluates the proper implementation of the outsourced functions, without prejudice to the ultimate responsibility of the full management board. The outsourcing manager is a responsible person within the meaning of section 47 no. 1 of the VAG (see the Guidance Notice on the fitness and propriety of persons responsible for key functions or persons who work for a key function pursuant to the German Insurance Supervision Act).

233 The outsourcing manager evaluates and scrutinises the service provider's performance independently and objectively. If a key function is outsourced (see 9.1.2), the reporting process to the full management board of the outsourcing IORP is as follows: the service provider submits the reports to the outsourcing manager who can add to or comment on them as part of the outsourcing manager’s monitoring and evaluating role before submitting them to the full management board. This reporting process does not preclude direct contact between the service provider and the management board of the outsourcing IORP, for example to discuss certain issues. However, it is not permissible that the service provider only submits the written reports to the management board without providing the outsourcing manager with the same information.

234 The management board must appropriately notify the outsourcing manager at its own initiative and in good time of all facts that the outsourcing manager may require to fulfil their responsibilities.

235 There must be an outsourcing manager in all cases where key functions and functions defined by the IORP as key tasks are outsourced. If other important functions or pension activities are outsourced (see margin no. 223), the outsourcing IORP must check whether it is appropriate to deploy an outsourcing manager also in these cases given the ultimate responsibility of the full management board for the function or activity outsourced.

236 In exceptional cases, assignment of the function as outsourcing manager to a person who does not work at the outsourcing IORP, but at the service provider or another undertaking may be permitted, if that person works below the management level and is subject solely to the instructions of the management board of the outsourcing IORP as far as their tasks as outsourcing manager are concerned. Moreover, measures to avoid any conflicts of interest must be taken where needed. The outsourcing manager cannot in any case be at the same time the competent person at the service provider side within the meaning of margin no. 230. – Example: if a group undertaking operating as a service provider has at the same time established a central outsourcing management that monitors and evaluates outsourcings (outsourcing controlling), the outsourcing manager may, in individual cases, work at the undertaking to which the activity was outsourced. This makes it possible for the undertakings to establish the outsourcing manager centrally at the service provider or at the central outsourcing controlling in the case of intra-group outsourcing. The other requirements of this margin number and the requirements of margin no. 239 remain unaffected.

237 BaFin believes that it is acceptable for a member of the management board of the outsourcing IORP to act at the same time as the outsourcing manager for a key function or a function defined as a key task by the IORP without this structure having to be justified on the basis of proportionality considerations. However, section 23 (1) sentence 3 of the VAG is applicable, meaning that there must be a separation of functions appropriate to the IORP's profile, including in relation to the responsibilities as an outsourcing manager and as a member of the management board. Section 234b (1) of the VAG is also applicable, meaning that IORPs must ensure that the assignment of the additional task as an outsourcing manager does not or is not likely to prevent the member of the management board from carrying out all their functions effectively in an objective, fair and independent manner, including functions at other undertakings, if applicable. This requires sufficient time capacities, among other factors. It should also be noted that a significantly greater monitoring intensity is required from the outsourcing manager than from the management board. Reference is also made to the Guidance Notice on the fitness and propriety of persons responsible for key functions or persons who work for a key function pursuant to the German Insurance Supervision Act.

238 The fact that a member of the management board of the outsourcing IORP acts at the same time as an outsourcing manager is also relevant if this manager also works for the group undertaking to which the key function or function defined as key tasks by the IORP has been outsourced (these cases differ from those covered in margin no. 236). However, measures to avoid any conflicts of interest must be taken where needed. The outsourcing manager cannot in any case be at the same time the competent person at the service provider within the meaning of margin no. 230.

239 Whether a person, be it a member of the management board or a person working below board level, can at the same time be the outsourcing manager for multiple key functions or functions defined as key tasks by the IORP depends on the circumstances of the individual case. The more key functions/tasks that are affected, the more precise IORPs must be in showing that the structure selected is appropriate in the relevant case. A further limit to the assignment of multiple tasks to the same individual is provided in section 234b (1) of the VAG (see margin no. 237).

240 The conditions stated above also apply to the outsourcing manager for the internal audit function. This is because the outsourcing manager does not perform the internal audit function themselves, but has a monitoring and evaluating role. Whereas the person internally responsible for the internal audit function may thus not perform any other key function within the IORP in accordance with section 234b (2) of the VAG, the outsourcing manager for the internal audit function can at the same time also be the outsourcing manager for another outsourced key function (see margin no. 133).

241 The requirements relating to the outsourcing manager also apply in the case of outsourcing to a sponsoring undertaking which in this context acts as an external service provider. Therefore, when key functions and functions defined as key tasks by the IORP are outsourced to a sponsoring undertaking, an outsourcing manager needs to be appointed and the supervisory authority must be notified accordingly. In individual cases, a person can at the same time be the outsourcing manager for several key functions or functions defined as key tasks by the IORP outsourced to the sponsoring undertaking, irrespective of whether that person is a management board member or works below the management level. If an IORP that has no staff has outsourced all key functions to a sponsoring undertaking, the management board member/s of the IORP may at the same time perform the function of outsourcing manager for the outsourced activities, without this having to be justified by proportionality considerations. Individual management board members may hold single or multiple posts. However, it is not permissible that several members of the management board hold the same post or that all posts are held by the full management board. If the sponsoring undertaking to which the relevant activity is outsourced is an insurance undertaking that belongs to a group which is subject to group supervision, the provisions of 12.8 and margin no. 236 must be observed.

12.8 Intra-group outsourcing within insurance groups

242 The following provisions apply to intra-group outsourcing on the part of IORPs that belong to an insurance group for which BaFin is the competent group supervisor in accordance with the criteria set out in section 279 (2) of the VAG. Intra-group outsourcings by IORPs which belong to a non-insurance group are subject to the requirements relating to outsourcing to external service providers to be fulfilled in accordance with this Circular.

243 The provisions on outsourcing also apply to intra-group outsourcing. The following requirements for intra-group outsourcing apply accordingly throughout the entire affiliated group.

244 Intra-group outsourcing may not generally involve less care or less intensive monitoring. Further, intra-group outsourcing cannot be categorised automatically as not important.

245 Nevertheless, intra-group outsourcing may justify some exemptions, the characteristics of which will be based on the relevant individual case. A few examples are provided below.

246 A written agreement which sets out the rights and obligations of both parties in relation to the outsourcing may take the form, for instance, of a service level agreement, provided its contents were not addressed in formal contract negotiations, as is normally the case before a contract is concluded with an external service provider.

247 Under certain circumstances, the review of the intra-group service provider prior to the outsourcing decision may be less detailed than the review required for a service provider from outside the group. However, it must always be checked whether a conflict of interests exists.

248 The IORP must avoid any automatic recourse to an intra-group service provider since there is the risk also with intra-group service providers that they provide highly standardised services without taking the special features of the individual undertaking appropriately into account.

249 If functions or pension activities are outsourced within the group, there must be precise documentation regarding which legal entity has outsourced which function or pension activity and to which service provider.

12.9 Avoiding conflicts of interest when outsourcing key functions to sponsoring undertakings

250 The requirements for outsourcing also apply to outsourcing to sponsoring undertakings. In order to avoid conflicts of interest, the outsourcing manager for a key function outsourced to a sponsoring undertaking may perform a similar function at that undertaking only if
  • this is appropriate to the size, nature, scale and complexity of the IORP’s activities and
  • the IORP demonstrates to the supervisory authority how conflicts of interest with the sponsoring undertaking are avoided or managed.

251 Sponsoring undertakings to which key functions are outsourced can be non-insurance undertakings or insurance undertakings. Conflicts of interest arise if the outsourcing manager of the IORP is also responsible for the proper performance of the outsourced key function in the sponsoring undertaking.

252 Whether, in exceptional cases, the outsourcing manager for the internal audit function may, at the same time, perform a similar function in the sponsoring undertaking depends on the circumstances of the individual case. The chosen arrangement must be appropriate to the profile of the IORP. A mere indication that no conflicts of interest exist is not sufficient. Rather, the IORP must provide a statement under section 234b (3) sentence 2 of the VAG which explains in a qualified manner the previously determined measures that are to prevent the occurrence of conflicts of interest from the outset.

253 The following is a non-exhaustive list of examples of measures that can be taken in order to avoid or manage conflicts of interest under section 234b (3) of the VAG in cases where the outsourcing manager of the IORP is at the same time also responsible for the proper performance of the outsourced key function in the sponsoring undertaking:

  • The sponsoring undertaking commits itself in the written outsourcing agreement not to give any instructions to the persons responsible for a (key) function in the sponsoring undertaking with regard to their activities as outsourcing manager at the IORP. In this respect, the sponsoring undertaking waives any right to issue instructions which otherwise exists for its own employees.

  • The sponsoring undertaking commits itself in the written outsourcing agreement to commission an external body, such as an auditor, to audit the provision of its services in regular intervals, e.g. annually, in order to ensure independent control of proper performance even if the person responsible for key functions is at the same time the outsourcing manager. The written outsourcing agreement is to state the obligation of the sponsoring undertaking to forward the report of the external body on the findings of the audit directly and without being requested to do so to the full management board of the IORP.
  • The sponsoring undertaking commits itself in the written outsourcing agreement not to threaten the person employed by it who is responsible for the proper performance of the respective outsourced key function with any sanctions under labour law or any other detrimental sanctions and not to take any action against that person if, in their capacity as outsourcing manager of the IORP, the person reports any deficiencies arising from improper performance of the outsourced key function by the sponsoring undertaking to the management board of the IORP.
  • The IORP implements the dual control principle at the level of the outsourcing manager. Another staff member of the IORP, who is not subject to the instructions of the outsourcing manager, independently monitors and evaluates the proper performance of the outsourced key function by the sponsoring company. The staff member informs the management board if their evaluation deviates from that of the outsourcing manager.

12.10 Outsourcing to insurance intermediaries

254 Although they are normally of a permanent duration, typical intermediation activities (not involving underwriting powers or authorisations related to benefits adjustments) are not subject to outsourcing requirements.

255 The transfer of underwriting powers or authorisations related to benefits adjustments to insurance intermediaries always represents outsourcing of important functions or pension activities. To this extent, IORPs have no freedom to evaluate the situation. It should be noted that insurance brokers cannot be responsible for benefits adjustments in accordance with the civil case law of the German Federal Court of Justice (Bundesgerichtshof, ruling dated 14 January 2016, I ZR 107/14).

256 The statements made under 12.6 apply to the issue of whether a partial outsourcing is a significant outsourcing. If an IORP transfers underwriting powers or authorisations related to benefits adjustments to a large number of insurance intermediaries, then an assessment of the overall situation is required.

12.11 Outsourcing policy

257 A written policy is required for the entire outsourcing area. This must cover the impact of outsourcing on business operations and the procedural and quality standards to be applied to each individual undertaking in outsourcing cases, along with the reporting and monitoring obligations to be implemented from the start to the end of the outsourcing process.

258 The written policy must be consistent with the IORP's business strategy.

259 The written policy must include a process for reviewing the relevant service providers (see 12.5).

260 The outsourcing policy must show how the continuity and undiminished quality of the functions and pension activities outsourced can also be ensured in the event that the contract with the service provider is terminated.

261 The written policy must include the duty to develop contingency plans for important functions and pension activities outsourced that deal with the problems occurring with the service provider. The policy must also describe the process and accountabilities for creating these contingency plans. The plans must specifically account for how the important functions and pension activities outsourced can be assigned to a different service provider in an emergency situation or how they can be reincorporated into the IORP's business operations once again.

262 The principles stated under 8.4 apply in all other respects to the written outsourcing policy.

12.12 Transitional provisions for outsourcing agreements and outsourcing policies

263 Outsourcing agreements existing at the time of publication of this Circular may be continued, provided they do not contain any serious deficiencies. If outsourcing agreements fall short of the expectations set out in this Circular with regard to individual requirements, they are to be brought into line with these requirements as soon as possible, for example by way of contract extensions or negotiations on substance.

264 After the publication of this Circular, the IORPs will review whether their existing written outsourcing policies need to be adjusted (see margin no. 257 et seq.) and, if necessary, make the adjustment at the latest after the entry into force of the Circular (see margin no. 11). Any additional requirements resulting from the adjustment may be gradually implemented within a reasonable period of time.

13 Business continuity management

265 Business continuity management increases the resilience of units and processes in IORPs in order to ensure the availability of material data and functions and to guarantee that business activities continue in potential crisis situations on the basis of processes defined beforehand.

266 The management board is responsible for operational business continuity management. The full management board must agree on the contingency planning.

267 Contingency plans must be created for those units and processes where an unforeseeable disturbance could represent a risk to continued business activities. The units and processes outsourced must be taken into account for business continuity management purposes. The adequacy and effectiveness of the contingency plans must be ensured on a permanent basis. Regular test runs and exercises must be carried out for this purpose in accordance with the risks of the relevant unit or process.

268 The contingency scenarios underlying the contingency plans must take adequate account of the IORP’s individual profile.

269 Both the contingency planning and the completion of a contingency plan must be incorporated adequately into the organisational and operational structures and processes. Tasks, accountabilities, duties to inform and escalation processes must be set out and documented clearly and comprehensibly.

270 The individuals affected must be familiar with the contingency plans. Availability of the contingency plans must also be ensured in any emergency situation.
