
RESOLUTION CNSP N° 416, OF 20 JULY 2021(*)

Providing for the Internal Controls System, the Risks Management Structure and the Internal Audit activity.

THE PRIVATE INSURANCE SUPERINTENDENCY – SUSEP, in accordance with the provisions set forth in art. 34, item XI, of addendum to Decree 60.459, of 13 March 1967, makes it public that the NATIONAL COUNCIL FOR PRIVATE INSURANCE - CNSP, in its extraordinary session held on 20 July 2021, considering art. 5, item IV and art. 32, items I and II, of Decree-Law 73, of 21 November 1966, and art. 3, items I and II, and articles 37 and 74 of Complementary Law 109, of 29 May 2001, and article 3, paragraph 1, of Decree-Law 261, of 28 February 1967, and in articles 2 and 12 of Complementary Law 126, of 15 January 2007, and considering the contents of Susep File 15414.606131/2021-43, resolves:

CHAPTER I
SUBJECT AND SCOPE

Art. 1. To provide for the Internal Controls System, the Risks Management Structure and the Internal Audit activity.

Art. 2. The provisions of this Resolution apply to:

I - insurance companies, open supplementary pension companies (EAPCs), savings bonds companies, local reinsurers, representative offices of admitted reinsurers and reinsurance brokers; and

II - insurance brokers with a minimum annual gross revenue of R$ 12,000,000.00 (twelve million reals).

Sole paragraph. As to item II, the insurance broker will have up to the end of the accounting year following that of the said annual gross revenue to conform to the provisions of this Resolution.

CHAPTER II
GENERAL PROVISIONS

Art. 3. The Structure of Risks Management, the Internal Controls System and the Internal Audit activity should be compatible with the nature, size, complexity, risk profile and business model of the supervised company.

Art. 4. For the purposes of this Resolution, the following apply:

I - supervised companies: the organizations to which this Resolution applies, under the terms of art. 2;

II - internal controls: set of coherent, extensive and permanent processes and procedures carried out by the organization aiming at the:

a) operational efficiency of its activities;

b) existence and rendering of financial and non-financial information to internal and external stakeholders in a timely, trustworthy and complete manner;

c) compliance with laws and regulations, best practices and its own internal policies and rules; and

d) prudent business conduct.

III - Internal Controls System (SCI): set of components that supply the basis and the organizational arrangements for the conception, implementation, operationalization, monitoring, critical analysis and permanent improvement of internal controls throughout the organization;

IV - risks management: processes and procedures employed in a coordinated fashion to identify, assess, measure, treat, monitor and report the organization risks, based on an adequate appreciation of the risk types, their features and interdependence, of the risks sources and of their potential business impact;

V - Risks Management Structure (EGR): set of components that supply the basis and the organizational arrangements for the conception, implementation, operationalization, monitoring, critical analysis and permanent improvement of risks management throughout the entire organization;

VI - prudential group: in accordance with the definition established in National Council for Private Insurance (CNSP) regulation;

VI-A - leading supervised prudential group: as defined in CNSP regulations;

(Note: item VI-A included by CNSP Resolution no. 467 of 25 April 2024)

VII - insurance group: in accordance with the definition established in a CNSP regulation;

VIII - financial conglomerate: any group of companies, including financial holdings, subject to a common control or dominant influence that carries out financial activities in at least two of the following sectors: banking, insurance or marketable securities;

IX - management bodies: Board of Directors and Executive Board;

X - top management body: the Board of Directors or, if inexistent, the Executive Board;

XI - collaborators: officers, employees, outsourced services providers and other relevant partners of the supervised company; 

XII - business units: organizational units that carry out activities directly related to the business of the supervised company, including but not limited to: products, plans or savings bonds securities trading; risks underwriting; loss adjustment and payment of benefit; investments; technical provisions amounts, premiums and contributions definition; and cession of risks in reinsurance, coinsurance or retrocession; and

XIII - risks profile: a characteristic that reflects the risk exposure of an organization, taking into account the assumed risks, their causes, interdependence and potential impacts.

CHAPTER III
INTERNAL CONTROLS SYSTEM

Section I
General Provisions of this Chapter

Art. 5. The supervised company should implement and maintain an Internal Controls System (SCI) that complies with the minimum requirements of this chapter.

Sole Paragraph. The SCI to be implemented and maintained by the representative offices of admitted reinsurers should comprise only the processes carried out by the representative office itself, not affecting the processes carried out abroad by the represented reinsurer.

Art. 6. The internal controls should:

I - be prepared, implemented and operationalized in an effective and efficient manner;

II - permeate all levels of the organization, comprising processes, units and the supervised company as a whole; and

III - be incorporated into the supervised company's routines.

Art. 7. The SCI provisions should be formalized and accessible to all collaborators of the supervised company, in clear, accessible language and at a level of detail compatible with the functions they carry out, and should establish at least:

I - the adoption of high ethical and conduct standards along with a control culture that confirms and emphasizes, to all collaborators of the supervised company, the importance of internal controls and the role of each and everyone in the process;

II - clear definitions of the authority levels and objective separation of duties, in order to mitigate and manage conflicts of interest;

III - means of identification and assessment of material risks that may adversely affect the attainment of the supervised company's objectives;

IV - control activities that assure that the necessary actions to manage risks are adequately performed;

V - communication channels and reporting lines that assure to the collaborators of the supervised company, as well as to the external stakeholders a timely access to the relevant information for their respective functions and needs; and

VI - instruments for a systematic follow-up of the activities related to the SCI, in order to assure its effectiveness in relation to the performed activities and assumed risks.

Sole paragraph. The supervised company should prepare and maintain an inventory of the identified material risks and of the corresponding control activities, stating explicitly their purposes and the persons in charge of their completion, in order to comply with items III and IV, above.

Section II
Compliance Policy

Art. 8. The supervised company should have a compliance policy in force comprising at least the following:

I - the management bodies’ commitment to ethics and compliance, as well as to the permanent improvement of the related processes and procedures;

II - the applicable ethics and conduct principles to its collaborators;

III - the roles and responsibilities related to its commitment with compliance and with the assessment of adherence to the principles mentioned in item II, alongside its distinct levels;

IV - the communication channels and reporting lines to forward information about deficiencies, risks or compliance incidents, and about ethics and conduct deviations, including internal and external reporting channels, and instruments to prevent any type of retaliation against whistle-blowers; and

V - the guidelines to:

a) fostering actions towards the dissemination of ethical values and a control culture among its collaborators; and

b) the identification and treatment of deficiencies, compliance related risks or incidents, as well as of ethics and conduct deviations, in order to assure adequate disciplinary actions and the communication to the related levels of the supervised company, to Susep and to other authorities.

§ 1. The topics related to ethics and conduct set forth in the items of the head of this article may be contained in a separate code of ethics and conduct, at the supervised company's discretion.

§ 2. The compliance policy and the code of ethics and conduct, if established in separate charters, should be:

I - formally registered in writing;

II - approved by the supervised company's top management body;

III - released to the collaborators of the supervised company in a clear and accessible language, and in a detail level compatible with the functions they perform; and

IV - biennially reassessed, and whenever deemed necessary by the supervised company.

Section III
Roles and Responsibilities

Art. 9. The supervised company should appoint a statutory officer in charge of internal controls.

§ 1. In the cases of the representative offices of admitted reinsurers, the provisions of this Resolution concerning the mentioned officer apply to the representative person, where appropriate.

§ 2. The officer mentioned in the head of this article may perform other overseeing or control assignments associated with governance, but may not accumulate them with functions directly or indirectly related to the executive or operational management of the supervised company, or with others implying the assumption of relevant risks related to the business itself.

§ 3. The officer mentioned in the head of this article should hold the prerogative of meeting with the Risks Committee or the Board of Directors, or with the chairman or chief executive officer of the company, without the presence of the remaining officers, whenever deemed necessary.

§ 4. The officer mentioned in the head of this article should not receive bonus or compensations connected to the performance of the business units, except the ones enforced by labour laws provisions.

(Note: par. 4 revoked by CNSP Resolution no. 476, of 26 December 2024 - effective 2 January 2026)

§ 5. The articles of incorporation or articles of organization of the supervised company should expressly set forth the assignments of the officer mentioned in the head of this article, taking into account the requirements of this Resolution.

Art. 10. The supervised company should create an exclusive compliance unit, in charge of the permanent monitoring and support of the activities intended to the compliance assurance, which should:

I - participate in the compliance risks identification and assessment activity;

II - identify the working processes associated with the main risks mentioned in item I and regularly assess them as to the effectiveness of the controls employed in compliance assurance, including in relation to the sufficiency and suitability of the available material and human resources;

III - guide the strategies and alternatives to the compliance assurance;

IV - follow up the implementation of action plans or corrective measures designed to fix deficiencies in compliance;

V - steer or follow up investigations concerning internal or external reports on infringements, sanctions or supervisory measures imposed by Susep or other authorities, among other cases that may indicate compliance risks; and

VI - assist with the supervised company's collaborators information and education in ethics, conduct and compliance.

§ 1. The provisions of this article do not apply to the representative offices of admitted reinsurers.

§ 2. The supervised companies classified in segment S4 and the insurance or reinsurance brokers are exempt from creating the unit mentioned in the head of this article, and those assignments should be performed by the officer in charge of internal controls.

§ 3. The unit mentioned in the head of this article is released from the obligation of performing the assignment set forth in item II, if the supervised company, or the prudential group it belongs to, has a specific unit in charge of the assessment of its internal controls, such unit being obliged to prepare a report analogous to the one described in § 8 specifically about the controls assessment.

§ 4. In the cases of the services providers whose activities are considered critical by the supervised company, and being the education mentioned in item VI an obligation of the contracted company, it is a duty of the unit mentioned in the head of this article to confirm if the trainings were effectively performed and if they comply with the standards defined by the supervised company.

§ 5. The unit mentioned in the head of this article should be separate from the remaining organizational units and should directly or indirectly report to the officer in charge of internal controls, as mentioned in art. 9, being the supervised companies classified in segment S3 allowed to take up other functions related to the internal controls assessment.

§ 6. The unit mentioned in the head of this article should be assured of:

I - the necessary material and human resources, in-house or outsourced, including experienced, qualified and sufficient personnel; and

II - unrestricted and timely access to the information necessary to the accomplishment of their analysis.

§ 7. The members of the unit mentioned in the head of this article should not:

I - participate in the assessment of processes in which they have worked in the previous 12 (twelve) months, except for the activities described in the items of the head of this article; and

II - receive bonus or compensations connected to the performance of the business units, except the ones enforced by labour laws provisions.

(Note: item II revoked by CNSP Resolution no. 476, of 26 December 2024 - effective 2 January 2026)

§ 8. The unit mentioned in the head of this article should prepare, at least on an annual basis a report containing:

I - description of the activities performed in the period and respective findings, conclusions and recommendations; and

II - updated information on the implementation status of needed corrective actions, including those resulting from checkouts performed in previous periods.

§ 9. The report mentioned in § 8 should be approved by the officer in charge of internal controls and forwarded to the supervised company's management bodies and to the Risks Committee, if any, for information and the appropriate foreseeable actions.

Art. 11. Alternatively to the creation of the compliance unit, the supervised companies classified in segment S3 may have the assignments described in art. 10 performed by:

I - a qualified outsourced company or specialized unit of another organization within the same financial conglomerate, incorporated in Brazil, as long as:

a) the creation of its own compliance unit represents a relevant impact in the supervised company's work force and in its personnel expenses;

b) the operational procedures and the information technology systems are of low complexity; and

c) the commercialized products and plans have little diversity in terms of the available coverages; or

II - in the specific case of local reinsurers, a specialized unit of the foreign parent company, as long as:

a) the creation of its own compliance unit represents a relevant impact in the supervised company's work force and in its personnel expenses; and

b) there is low flexibility to implement operational procedures and information technology systems different from those globally adopted by the parent company.

§ 1. The provisions of art. 10 apply to the outsourced company and to the units mentioned in the items of the head of this article, where appropriate.

§ 2. The officer in charge of internal controls should approve a document stating that the supervised company fits into the criteria mentioned in items I or II of the head of this article, as appropriate, which should be available alongside other supporting analysis, information and documents for their prompt presentation to Susep, if required, in the case the supervised company opts for one of the alternatives prescribed in this article.

Art. 12. The appointment or the dismissal of the officer in charge of internal controls and of the manager directly in charge of the compliance unit should be:

I - approved by the top management body of the supervised company; and

II - informed to Susep within 30 (thirty) calendar days, including:

a) the names of the appointed and/or dismissed persons;

b) in the case of dismissal, the reasons for the decision; and

c) supporting documentation to prove compliance with the provision of item I.

§ 1. The provision of item II of the head of this article does not apply to the representative offices of admitted reinsurers and to the insurance or reinsurance brokers.

§ 2. The provision of the head of this article applies also in the case of replacement of the outsourced company mentioned in art. 11.

§ 3. If there is no Board of Directors, the General Meeting will be in charge of the appointment or dismissal of the officer in charge of internal controls, for the purposes of the provision of item I of the head of this article.

CHAPTER IV
RISKS MANAGEMENT STRUCTURE

Section I
General Provisions of this Chapter

Art. 13. The supervised company should implement and maintain a Risks Management Structure (EGR) to comply with the requirements of this chapter.

Sole paragraph. The provisions of this chapter do not apply to the representative offices of admitted reinsurers and to the insurance or reinsurance brokers.

Art. 14. The EGR should:

I - integrate the SCI, regardless of the way both are implemented in the organizational structure, and work in cooperation so that internal controls have special focus on the risks of a potential influence in the attainment of the supervised company's strategic targets, including:

a) the underwriting, credit, market and operational risks, in accordance with the definitions established in the CNSP Resolution about risk capitals;

b) liquidity risks, in accordance with the definition seen in art. 23;

c) the remaining risks defined in Section IV, Chapter IV of this Resolution or in specific regulations; and

d) other relevant risks, according to the criteria defined by the supervised company; and

II - be compatible with the supervised company's systemic weight and be able to assess risks resulting from its macroeconomic and market environment, except for the supervised companies classified in segment S4.

Art. 15. The EGR should set forth:

I - the adoption of a risks culture and of instruments to induce the enforcement of the risk appetite, of the risks management policy and of the limits of exposure defined by the supervised company, as well as to restrain incompatible actions in this respect;

II - processes, methodologies and tools to identify, assess, measure, treat, monitor and report all material risks exposures of the supervised company at the individual and aggregate level, including:

a) identification of current and emerging, internal or external risks, arising from the supervised company's operations or from other companies of the same group;

b) assessment of the features and causes of the identified risks, and their interdependence;

c) methodologies for measuring identified risks, as well as their respective data sources, in order to enable its risk level evaluation, based on the combination of probability and impact;

d) treatment and controls compatible with the level of each identified risk and with the priorities of the supervised company, in order to maintain the risks exposure within acceptable levels; and

e) definition of markers and variables for the monitoring of the main risks exposure levels;

III - previous analysis of meaningful changes in the supervised company's structure or operations, that could mean an extensive change in its risk profile, including but not limited to:

a) launch of new products or plans, or important changes in existent products or plans;

b) changes in the supervised company's processes, systems, operations or business models; and

c) changes in the business geographic scope or in the corporate purpose, controlling interest transfer, portfolio transfer, spin-offs, mergers and acquisitions; and

IV - use of complete, updated, trustworthy, secure and auditable information systems, capable of providing sound support to the risks management.

§ 1. The risks inventory mentioned in the sole paragraph of art. 7 should, in the case of the supervised companies affected by the provisions of this chapter:

I - be reviewed whenever there is a meaningful change in the risk profile, or, at least:

a) annually, by the supervised companies classified in segments S1 and S2; or

b) biennially, by the supervised companies classified in segments S3 and S4; and

II - inform, for each identified risk:

a) the risk category, being mandatory the categories listed in art. 14, item I, sub items "a" and "b";

b) the risk level evaluation by means of qualitative measurement methodologies; and

c) a description of their possible causes and potential consequences.

§ 2. The supervised companies classified in segments S1 and S2 should, at least during the risks inventory review, use quantitative measurement methodologies that:

I - estimate the risk level by risk category to the categories listed in art. 14, item I, sub items "a" and "b";

II - are based on analytical formulas, stochastic simulations, stress tests, scenarios analysis or other relevant mathematical and/or statistical methods, excluding the standard formulas for risk capital calculations established by CNSP; and

III - quantify the impact of the risks at market value, whenever possible.

§ 3. At the information gathering stage in the process of asking Susep's previous authorization for the corporation actions mentioned in item III, sub item "c" of the head of this article, the interested supervised companies should present documents, signed by the respective officers in charge of internal controls outlining the subjects and describing the findings of the analysis carried out in compliance with the referred item, or alternatively explaining the reason why the impact of the action in the risk profile was not considered significant.

Section II
Policies

Art. 16. The top management body should formalize the supervised company's risk appetite describing:

I - the risks the supervised company is expected to assume, or otherwise the ones it should avoid in the pursuit for its strategic objectives attainment, on a qualitative basis; and

II - the financial or valuation loss the supervised company considers acceptable in relation to the risks to be assumed, its financial capacity and its risks management capability, on a quantitative basis:

a) at a global level; and

b) by risk category, considering at least those listed in art. 14, item I, sub items "a" and "b", taking into account their interdependence and the overall limit quoted in sub item "a".

Sole paragraph. The supervised company's risk appetite should be aligned with its business plan, and is to be reviewed whenever the said plan is updated.

Art. 17. The supervised company should have a risks management policy in place comprising:

I - the management bodies’ commitment to the risks management, as well as the permanent improvement of the related processes and procedures;

II - the roles and responsibilities related to the risks management, alongside its distinct organizational levels;

III - the communication channels and reporting lines to forward information about risks exposures or deficiencies in the EGR, thereby enabling the timely adoption of corrective measures, including the cases of deviation of the established exposure limits; and

IV - guidelines to:

a) fostering actions towards the dissemination of a risks culture among its collaborators; and

b) management of the risks of more relevance or of priority to the supervised company's operations, considering at least the ones included in the categories mentioned in art. 14, item I, sub items "a" and "b".

§ 1. In relation to the provisions of item IV of the head of this article, sub item "b", the risks management policy should be supplemented with:

I - underwriting policy, addressing at least:

a) nature of the risks to be underwritten and possible coverage exclusions, special conditions for their acceptance, limits and other general parameters related to the underwriting;

b) criteria for losses adjustment and settlement, including procedures and conditions to be satisfied for the payment of indemnifications and benefits; and

c) guidelines to be adopted for the products development activity, definition of contracts and general conditions, pricing and reinsurance, in line with the provisions of sub items "a" and "b";

II - investment policy to the supervised companies classified in the segments S1, S2 and S3, comprising at least:

a) general parameters for the resources allocation, that take into account the restrictions imposed by the regulations in force and limits defined by the supervised company itself;

b) restrictions or specific guidelines for the use of derivatives and other complex financial instruments, particularly in the cases where the instrument itself, or the market where it is transacted are subject to less strict requirements in governance and transparency;

c) methodologies and reference sources adopted for the financial assets pricing, including, if existent, the instruments mentioned in sub item "b";

d) targets in risk-return and strategies to achieve them, taking into consideration the provisions in the previous sub items;

III - liquidity and Asset-Liability Management (ALM) policy, including at least:

a) guidelines to the alignment of the investments and underwriting policies, in order to establish groups of assets related to specific liabilities;

b) parameters for the valuation of the supervised company's assets as for the cash flow realization or generation, in amounts and timings compatible with the payment of its contractual obligations, as well as other financial undertakings, under normal or stressed conditions; and

c) strategies to supply, even under stress conditions, the liquidity needs of the supervised company, which could include the maintenance of an adequate stock of high liquidity assets and/or possible funding sources;

IV - specific risks policies, if required by regulations; and

V - other policies, if any, addressing certain activities, processes or risks.

§ 2. The additional policies mentioned in § 1 could integrate the risks management policy or be established separately.

§ 3. The provision of art. 8, § 2, applies to the risks management policy and to its additional policies, if established separately.

§ 4. The risks management policy and its additional policies should contain the guidelines for the definition of operational procedures, in specific internal rules, and, for the business activities that imply the assumption of relevant risks, exposure limits in line with the risk appetite provision.

Section III
Roles and Responsibilities

Art. 18. The supervised company should create an exclusive risks management unit, in charge of the permanent monitoring and support to its risks management and assigned with the following responsibilities:

I - coordinate the drafting and reviews of the risks inventory and participate together with the distinct organizational units in the risks identification, assessment and measuring;

II - identify the working processes associated with the main identified risks and regularly assess them as to the effectiveness of the methodologies, tools and controls employed in the risks management, including in relation to the sufficiency and suitability of the available material and human resources;

III - guide the strategies and alternatives to the risks management;

IV - follow up the implementation of action plans or corrective measures designed to fix deficiencies in EGR;

V - regularly monitor:

a) the supervised company's risks exposure, checking out its alignment with the pertinent exposure limits; and

b) changes in the internal and external environment, including new or emerging risks that could significantly modify the supervised company's risk profile;

VI - participate in the previous analysis mentioned in item III of the head of article 15;

VII - perform analysis intended to identify potential inducement to behaviours that could compromise EGR's effectiveness, ultimately arising from the performance evaluation metrics and compensation structures applicable to the collaborators of the supervised company; and

(Note: item VII revoked by CNSP Resolution no. 476, of 26 December 2024 - effective 2 January 2026)

VIII - assist with the supervised company's collaborators information and education in risks management.

§ 1. The supervised companies classified in segment S4 are exempt from creating the unit mentioned in the head of this article, and the officer in charge of internal controls should perform the corresponding assignments.

§ 2. The unit mentioned in the head of this article is released from the obligation of performing the assignment set forth in item II, as for the controls used in risks management, if the supervised company, or the prudential group it belongs to, has a specific unit in charge of the assessment of its internal controls, such unit being obliged to prepare a report analogous to the one described in art. 10, § 8, specifically about the controls assessment.

§ 3. The unit mentioned in the head of this article is released from the obligation of performing the assignment set forth in item VII, if the supervised company, or the prudential group it belongs to has a specific committee in charge of the assessment of guidelines in performance evaluation and compensation, that takes into account their effects on the risks management.

(Note: par. 3 revoked by CNSP Resolution no. 476, of 26 December 2024 - effective 2 January 2026)

§ 4. The unit mentioned in the head of this article should be separate from the remaining organizational units and should directly or indirectly report to the officer in charge of internal controls, as mentioned in art. 9, and:

I - in the case of the supervised companies classified in segments S2 and S3, it can be created in conjunction with the compliance unit mentioned in art. 10, into a single structure; and

II - in the case of the supervised companies classified in segment S3 it can take up other functions related to the internal controls assessment.

§ 5. The provisions of art. 10, §§ 6 to 9, apply to the unit mentioned in the head of this article.

Art. 19. Alternatively to the creation of the risks management unit, the supervised companies classified in segment S3 may have the assignments described in art. 18 performed:

I - by a qualified outsourced company or specialized unit of another organization within the same financial conglomerate, incorporated in Brazil, subject to the conditions established in art. 11, item I; or

II - in the specific case of local reinsurers, a specialized unit of the foreign parent company, subject to the conditions established in art. 11, item II, and as long as the risks acceptance is under strict control by the mentioned parent company.

§ 1. The provisions of art. 18 apply, where appropriate, to the outsourced company and to the units mentioned in the items of the head of this article.

§ 2. If the supervised company opts for one of the alternatives prescribed in this article, the officer in charge of internal controls should approve a document stating that the supervised company fits into the criteria mentioned in items I or II of the head of this article, as appropriate, which should be available alongside other supporting analysis, information and documents for their prompt presentation to Susep, if required.

Art. 20. The provisions of art. 12 apply in the cases of appointment or dismissal of the officer directly in charge of the risks management unit, or of replacement of the outsourced company mentioned in art. 19.

Art. 21. The supervised company should create a Risks Committee to assist its top management body with the performance of its tasks related to the risks management with the following assignments:

I - regular assessment of the EGR effectiveness, in particular as for:

a) the compliance with the risk appetite and with the risks management policies;

b) the performance of the officer in charge of internal controls;

c) the performance of the risks management units; and

d) the effectiveness of the actions adopted to fix deficiencies;

II - assess the supervised company's business plan with a focus on risks and assist with the definition of the corresponding risk appetite;

III - assist with the strategic decision-making processes related to the risks management; and

IV - review the risks management policy, formulating and assessing proposals for changes.

§ 1. The supervised companies classified in segments S3 or S4 are exempt from creating the Risks Committee, and in this case its assignments, except for the provision of item I, sub item "b", should be performed by the officer in charge of internal controls.

§ 2. In the case of the supervised companies classified in segment S2, another committee able to comply with the provisions of this Resolution may take up the Risks Committee's assignments.

§ 3. The Risks Committee should report directly to the top management body of the supervised company.

§ 4. The Risks Committee should be composed of a minimum of 3 (three) members, of which:

I - no one who is, or has been during the previous 12 (twelve) months:

a) the officer in charge of internal controls of the supervised company; or

b) a member of the Audit Committee, in the cases of the supervised companies classified in S1 segment; and

II - the majority of the members should concurrently comply with the following requirements:

a) not being, and not having been within the previous 3 (three) years, a collaborator of the supervised company or of its controllers, controlled companies or subsidiaries, except if in the exclusive conditions of member of the Board of Directors or of the committees of the top management body;

b) not being a shareholder of the supervised company, its controllers, controlled companies or subsidiaries with equity of 5% or more of the total stock, by company;

c) not being a member of the group of control of the supervised company, its controllers, controlled companies or subsidiaries;

d) not being a spouse, common-law spouse, relative in straight line, collateral or by affinity, up to the third degree of persons who do not comply with the provision of at least one of the previous sub items of this item, except for collaborators cited in sub item "a" that do not hold managerial positions;

e) not being connected to the shareholders' agreement;

f) not receiving any type of compensation from the supervised company, its controllers, controlled companies or subsidiaries, not related to the shareholding cited in sub item "b" or, where applicable, not related to the function of member of the Board of Directors and its committees;

g) not having any other type of connection with persons or institutions that, at Susep's criterion, may exert significant influence in the member's views, opinions and decisions;

h) having a maximum term of 5 (five) years in the Risks Committee, or in consecutive terms with an interval of minimum 3 (three) years for reinstatement; and

i) having proven experience in risks management.

§ 5. The Risks Committee should be chaired by a member who complies with the requirements of § 4, item II.

§ 6. The risks management policy of the supervised company should expressly provide for the following aspects concerning the Risks Committee:

I - number of members and respective minimum qualifications, criteria for appointment, dismissal, compensation and term; and

II - functioning rules, including the committee's assignments, minimum meetings frequency and the way of rendering accounts to the top management body of the supervised company.

§ 7. The Risks Committee may, within the scope of its assignments, use specialists' work, without giving up its responsibilities.

Section IV
Requirements for the Specific Risks Management

Subsection I
Business Continuity

Art. 22. The risks that could cause total interruption or significant reduction in the critical business processes of the supervised company should be mitigated by means of a business continuity plan that sets forth:

I - specific roles and responsibilities involving business continuity;

II - minimum operation level and the time limit for returning to normal functioning;

III - procedures of communication with internal and external stakeholders; and

IV - regular tests.

Subsection II
Liquidity Risks Management

Art. 23. For the purposes of this Resolution, the liquidity risk is defined as the possibility of the supervised company's inability to efficiently fulfil its financial obligations, whether foreseeable or not, at the moment they become due, either for the impossibility of a timely realization of its assets or for the fact that such realization may result in significant losses and/or in noncompliance with regulatory requirements.

Art. 24. The strategies and guidelines set forth in the liquidity and ALM policy mentioned in art. 17, § 1, item III, should be applied to the processes and procedures meant for the liquidity risk management, which should take into account, where applicable:

I - potential increases in cancelation, redemption and transferability requests;

II - potential increases in loss ratios, administrative expenses and other operational expenses, including those arising from catastrophe events;

III - oscillations in the assets and liabilities cash flows as a result of financial market's fluctuations;

IV - need of margin deposits and other guarantees resulting from operations in derivatives;

V - need of compliance with the regulatory requirements in force.

CHAPTER V
INTERNAL AUDIT

Section I
General Provisions of this Chapter

Art. 25. The supervised companies should implement and maintain Internal Audit activity in compliance with the requirements established in this chapter.

Sole paragraph. The provisions of this chapter do not apply to insurance brokers.

Art. 26. The Internal Audit activity should be permanent, effective and independent from the audited activities.

Art. 27. The Internal Audit scope should consider all functions and activities of the supervised company, including the outsourced ones, and it should assess, as a minimum:

I - corporate governance's systems and processes effectiveness, including the SCI and the EGR, taking into account the current and emerging risks at all levels of the supervised company;

II - the management and financial information processes and systems trustworthiness, effectiveness and integrity;

III - the compliance with legal and regulatory prescriptions, the supervisory authorities recommendations and the internal policies and rules of the supervised company;

IV - the safeguard of the supervised company's assets and of the insureds, participants, beneficiaries and savings bonds holders, thereby verifying the existence of such assets and, where applicable, the adequate level of separation among them; and

V - other specific topics as required by the regulations in force.

Sole paragraph. Susep may determine that the supervised company should include specific tasks in the scope of its Internal Audit activity, in accordance with its supervisory assignments.

Section II
Bylaws of the Internal Audit Activity

Art. 28. The supervised company should have specific bylaws for the Internal Audit activity addressing as a minimum:

I - purpose and scope of the Internal Audit;

II - parameters needed in order that the Internal Audit activity is completed in an independent and effective manner, and compliant with recognized audit standards;

III - assignments, responsibilities, prerogatives and prohibitions applicable to the members of the Internal Audit unit, in accordance with the provisions of this Resolution;

IV - the communication channels to report conclusions and recommendations arising from the audit works; and

V - the procedures for the coordination between the Internal Audit and Independent Audit activities.

Sole paragraph. The Internal Audit bylaws should be submitted to the assessment of the Audit Committee, if existent, and approved by the top management body of the supervised company.

Section III
Internal Audit Unit

Art. 29. The supervised company should create an Internal Audit unit, exclusively in charge of carrying out the Internal Audit activity.

§ 1. The unit mentioned in the head of this article should:

I - be independent and separate from the other organizational units, including the compliance and risks management units mentioned in arts. 10 and 18; and

II - report to the top management body of the supervised company, being admitted the indirect reporting, through the Audit Committee, if existent.

§ 2. The unit mentioned in the head of this article should be secured of:

I - the necessary material and human resources, in-house or outsourced, including experienced, qualified and sufficient personnel;

II - unrestricted and timely access to the information necessary to the performance of their analysis; and

III - permanent communication channel with the management bodies thereby enabling the effective reporting of the recommendations arising from the audit works and the timely adoption of suitable corrective measures.

§ 3. The members of the unit should not:

I - participate in audit of areas where they have worked in the 12 (twelve) previous months, excluding the typical audit activities;

II - engage in the development and implementation of specific measures related to internal controls;

III - accumulate any other functions or activities, with the possible exception of those defined by the supervised company in accordance with the provision of item V of the head of article 10; and

IV - receive bonus or compensations connected to the performance of the business units, except the ones enforced by labour laws provisions.

(Note: item IV revoked by CNSP Resolution no. 476, of 26 December 2024 - effective 2 January 2026)

Art. 30. The assignments of the Internal Audit unit mentioned in art. 29, in the cases of the representative offices of admitted reinsurers, the reinsurance brokers or the supervised companies classified in S3 or S4 segments, may be performed by an independent auditor that:

I - is registered with the Securities Commission of Brazil (CVM);

II - has specific technical qualification to serve in companies authorized to operate by Susep; and

III - is not in charge of the financial statements of the supervised company or in charge of any other activity posing a potential conflict of interests.

Sole paragraph. The provisions of art. 29 apply to the independent auditor mentioned in the head of art. 30, where appropriate.

Art. 31. In the cases of the appointment or dismissal of the officer in charge of the Internal Audit unit, or of the replacement of the independent auditor mentioned in art. 30, the provisions of art. 12 apply, except if the supervised company opts for the alternative of art. 41, item III.

Section IV
Planning and Performance of the Internal Audit Activity

Art. 32. The Internal Audit activity planning should be done yearly, based on:

I - the guidelines issued by the Audit Committee, if existent, and by the top management body of the supervised company; and

II - a risks assessment specifically and independently prepared by the Internal Audit unit for auditing purposes, contemplating the supervised company's main processes, areas or activities.

Sole paragraph. The risks assessment mentioned in item II of the head of this article should consider, among other information, the findings of the assessments performed by the compliance and risks management units, as well as by any other unit or entity able to do so in accordance with this Resolution.

Art. 33. The performance of Internal Audit activity should comprise the information gathering and analysis, as well as the completion of suitable tests to support its findings and recommendations to the management bodies of the supervised company.

Sole paragraph. The Internal Audit activity should be compliant with the audit rules and procedures established by the National Monetary Council of Brazil (CMN), CNSP, Susep and, as long as not conflicting with these, the rules determined by Federal Board of Accountancy (CFC) and by the Institute of Internal Auditors of Brazil (IIA Brazil).

Art. 34. The documentation of the planning and completion of the Internal Audit activity should comprise:

I - annual plan of Internal Audit, containing processes, areas and activities that will be subject to audit in the period, its classification per risk level, proposed timeline and necessary resources projection;

II - for each specific Internal Audit task:

a) specific work plan with scope and timeline definition, and the relevant elements for its completion, such as the audit procedures nature, opportunity and range to be applied and the available resources allocation;

b) work papers recording facts, information and evidences obtained in the course of the audit; and

c) report containing findings and recommendations resulting from audit work; and

III - annual report on Internal Audit, containing a summary of the audit works completed in the period and its main findings and recommendations, as well as updated information on the stage of the implementation of the necessary corrective actions, including those resulting from works completed in previous accounting years.

§ 1. The Internal Audit annual plan and the Internal Audit annual report should be submitted to the assessment of the Audit Committee, if existent, and approved by the top management body of the supervised company.

§ 2. The reports mentioned in item II, sub item "c", and item III of the head of this article should be forwarded to the management bodies of the supervised company for information and possible actions.

CHAPTER VI
PROVISIONS IN COMMON TO CHAPTERS III, IV AND V

Section I
Roles and Responsibilities

Art. 35. The officer in charge of internal controls, as mentioned in art. 9 is assigned with:

I - guide and supervise:

a) the implementation and operationalization of the SCI and the EGR, fostering the integration mentioned in art. 14, item I; and

b) the activities of compliance and risks management units, if existent;

II - supply the compliance and risks management units with the resources needed to the performance of their respective activities, in particular as for the provision of art. 10, § 6, item I; and

III - inform on a regular basis, and whenever suitable, the management bodies and the Risks Committee of any material subjects related to internal controls, compliance and risks management, including but not limited to:

a) new and emerging risks;

b) risks exposure levels, as well as potential limitations and uncertainties related to its measurement;

c) actions related to the risks management; and

d) deficiencies related to the EGR and the SCI and respective correction.

Art. 36. The management bodies of the supervised company are assigned with:

I - looking after the adequacy and effectiveness of the EGR and the SCI, fostering:

a) the dissemination of the risk and control cultures; and

b) the alignment of the operations of the supervised company with the compliance policy, the risk appetite and the risks management policy;

II - retain a general understanding of the supervised company's risk profile and recognize, about the main risks to which it is exposed:

a) its nature and potential impacts in the business;

b) the current exposure level; and

c) actions adopted to its management;

III - supply the distinct organizational units with the organizational structure and material and human resources needed to the adequate risks management and operationalization of the controls associated with its respective activities, including experienced, qualified and sufficient personnel; and

IV - ensure that the instruments for the performance assessment and the compensation structure adopted by the supervised company do not induce behaviours ultimately capable of compromising the SCI's and the EGR's effectiveness.

§ 1. The management bodies may at their criterion create executive committees or commissions, as well as make use of internal or external assessments in order to assist in the fulfilment of the assignments defined in this article.

§ 2. It is of the exclusive administrative competence of the supervised company's officers:

(Note: item IV revoked by CNSP Resolution no. 476, of 26 December 2024 - effective 2 January 2026)

I - guide, supervise and ensure the creation, implementation and operationalization of the processes and procedures related to internal controls and risks management associated with the activities under their responsibility;

II - constantly verify the adoption and compliance of the processes and procedures mentioned in item I, as well as the maintenance of its adequacy, defining and implementing action plans designed to the correction of the deficiencies in the EGR and the SCI; and

III - approve the exposure limits to the business activities that imply relevant risks assumption, mentioned in art. 17, § 4.

Section II
Prudential Groups, Insurance Groups and Financial Conglomerates

Art. 37. The SCI and the EGR may be implemented in a unified manner (the unified SCI/EGR) to assist the supervised companies, all or part of them, pertaining to the same prudential group, as long as:

I - the option for the alternative prescribed in the head of this article is entered on the minutes of the top management bodies meetings of each of the assisted supervised companies; and

II - one of the assisted supervised companies remains in charge of centralizing the structures set up and of performing the assignments prescribed in this Resolution, in accordance with the provisions of this section, thereby recording its decision in assuming such responsibilities as prescribed in item I.

II - the leading supervised company of the prudential group is responsible for setting up the structures and carrying out the duties provided for in this Resolution in a centralised manner, in accordance with the provisions of this section.

(Note: item II amended by CNSP Resolution no. 467 of 25 April 2024)

§ 1. The unified SCI/EGR should take into consideration the risks associated with the group of assisted supervised companies and with each one of them individually.

§ 2. In the cases of the change of the supervised company specified in item II above, and of the inclusion or exclusion of a supervised company from the unified SCI/EGR, the respective decisions should be formalized as established in the items above.

§ 2. In the event of the inclusion or exclusion of supervised companies in the unified SCI/EGR, this must be formalised in the manner provided for in item I of the heading.

(Note: paragraph 2 amended by CNSP Resolution no. 467 of 25 April 2024)

Art. 38. In the case that the SCI/EGR is unified, it will be the supervised company mentioned in art. 37, item II solely in charge of:

Art. 38. In the event of the adoption of a unified SCI/EGR, it will be the sole responsibility of the supervised company leading the prudential group:

(Note: caput of art. 38 amended by CNSP Resolution no. 467 of 25 April 2024)

I - define and formalize the risk appetite as set forth in art. 16, in the individual level for the supervised company itself and for each of the other assisted supervised companies, as well as in the aggregate;

II - define and formalize the compliance and risks management policies as set forth in arts. 8 and 17, which will apply to the whole group of assisted supervised companies;

III - appoint the officer in charge of internal controls as set forth in art. 9;

IV - create the compliance and risks management units as set forth in arts. 10 and 18; and

V - create the Risks Committee, where applicable.

§ 1. The policies set forth in item II of the head of this article should consider the specificities of the operations of all the supervised companies assisted by the unified SCI/EGR.

§ 2. The provision of item II of the head of this article applies to the additional policies mentioned in art. 17, § 1, except in the case of the supervised companies assisted by the unified SCI/EGR that have analogous policies approved by the respective top management bodies.

§ 3. The assignments of the position and the bodies mentioned in items III to V of the head of this article are extended to the remaining supervised companies assisted by the unified SCI/EGR.

§ 4. For the purposes of item IV of the head of this article:

I - the provisions of arts. 11, 19 and 30 apply, as long as their requirements are performed by the group of the supervised companies assisted by the unified SCI/EGR; and

II - the provisions of arts. 11, item II, and 19, item II, do not apply to local reinsurers assisted by unified SCI/EGR.

§ 5. All the supervised companies assisted by the unified SCI/EGR should comply with the criteria of art. 21, § 4, item II, for the purposes of item V of the head of this article.

Art. 39. The supervised companies of the prudential group that are not assisted by unified SCI/EGR, if existent, should set up their respective individual SCI and EGR.

Art. 39. Supervised companies in the prudential group that are not served by a unified SCI/EGR, if any, must implement their SCI and EGR individually, according to their segment.

(Note: heading of art. 39 amended by CNSP Resolution no. 467 of 25 April 2024)

§ 1. The supervised companies mentioned in the head of this article may opt for the alternatives set forth in this Resolution for the S2 and S3 segments regardless of the segment assigned to their prudential groups, if:

I - its individual size is compatible with the segments mentioned in the head of this article; and

II - its management and operations are separate from the remaining supervised companies of the same prudential group, including, but not limited to:

a) the inexistence of members of the management bodies in common;

b) the inexistence of shared units or functions, except in respect of activities of a merely administrative nature, not related to the business units; and

c) substantially distinct lines of control, report and strategic definition.

§ 2. If the supervised company opts for one of the alternatives prescribed in § 1, the officer in charge of internal controls should approve a document stating that the supervised company fits into the criteria mentioned in items I and II, which should be available alongside other supporting analysis, information and documents for their prompt presentation to Susep, if required.

(Note: par. 1 and 2 revoked by CNSP Resolution 467 of 25 April 2024)

Art. 40. The assignments set forth in art. 36 apply to the management bodies of each supervised company, including those assisted by unified SCI/EGR.

Sole paragraph. The remaining assignments prescribed in this Resolution, related to the topics listed as items of the head of art. 38, apply to the management bodies of the supervised company as defined by art. 37, item II.

Sole Paragraph. The other duties provided for in this Resolution, in relation to the items mentioned in the headings of article 38, apply to the management bodies of the supervised company that is the leader of the prudential group.

(Note: sole paragraph amended by CNSP Resolution no. 467 of 25 April 2024)

Art. 41. The Internal Audit unit mentioned in art. 29 may be created:

I - in the supervised company itself;

II - in another supervised company belonging to the same prudential group; or

III - in another institution, not among the companies supervised by Susep, belonging to the same insurance group or financial conglomerate.

§ 1. The supervised company referred to in item II of the head of this article should be the one prescribed in art. 37, item II, in the case that a unified SCI/EGR is adopted.

§ 1. In the event of the adoption of a unified SCI/EGR, the supervised company referred to in item II of the caput must be the leading supervised entity of the prudential group.

(Note: par. 1 amended by CNSP Resolution no. 467 of 25 April 2024)

§ 2. The option for the alternative provided in item III of the head of this article is subject to the compliance with the provisions of chapter V of this Resolution, both by the Internal Audit unit and the institution to which it is linked.

CHAPTER VII
FINAL AND TRANSITIONAL PROVISIONS

Art. 42. The supervised company should structure a timeline for trainings in the SCI and the EGR, particularly for the collaborators that hold high responsibility positions or perform high-risk activities.

Art. 43. The supervised company should maintain current and previous versions of all policies, internal rules, reports, minutes of meetings and other documents demonstrating compliance with the provisions of this Resolution, allowing prompt access to them by Susep, as required.

Art. 44. Susep may:

I - determine that the supervised company should adopt additional controls and procedures, therefore establishing a deadline for their implementation, if Susep considers that any of the EGR, the SCI or the Internal Audit activity requirements are not being appropriately performed; and

II - issue additional rules and guidelines necessary to the implementation of the provisions of this Resolution, including specific risks management requirements.

Art. 45. The supervised companies will have the following deadlines to conform to the provisions of this Resolution:

I - 30 June 2022, for the insurance brokers that have recorded annual gross revenue higher than R$ 12,000,000.00 (twelve million reals) in the accounting period of 2020;

II - for the other supervised companies:

a) 30 June 2022, to conform to arts. 9, 10, 18, 21 and 35; and

b) 31 December 2022, to conform to the following provisions: art. 9, § 4; art. 10, § 7, item II; art. 15, § 2; and art. 29, § 3, item IV.

Sole paragraph. The supervised company should continue to abide by the rules in force immediately before the effective date of this Resolution as long as it does not conform to the provisions mentioned in the items of the head of this article, where appropriate.

(Note: art. 45 revoked by CNSP Resolution no. 467 of 25 April 2024)

Art. 46. This Resolution becomes effective on 3 January 2022.

SOLANGE PAIVA VIEIRA
Superintendent

(Official Gazette DOU of 21 July 2021 - pages 327 to 331 - section 1)


*The information provided in this publication is general and may not apply to a specific situation or person. Every effort has been made to ensure that matters of concern to readers are covered. Although the information provided is accurate, be advised that this is a developing area. The information contained herein is not intended to be relied upon or to be a substitute for legal advice in relation to particular circumstances. Specific legal advice should always be sought from experienced local advisers. Accordingly, Editora Roncarati accepts no liability for any loss that may arise from reliance upon this publication or the information it contains.

