2012-07-11

Ordinance No. 47 of 11.07.2012 on Requirements for Information Systems of Pension Insurance Companies

The Commission for Financial Supervision issued Ordinance No. 47 to regulate the information systems of pension insurance companies, mandating an information security management system based on the ISO/IEC 27001 standard, with compliance demonstrated either by certification or by submitting the company's security policy and supporting rules to the supervisor. The ordinance requires companies to maintain a unified electronic file for each insured person and beneficiary, to ensure secure information exchange and the provision of electronic services, and to keep specified operational registers. It further establishes administrative liability for non-compliance, and its 2024 amendments extend the file, identifier and register requirements to the Pan-European Personal Pension Product (PEPP).

Financial Supervision Commission Bulgaria

ORDINANCE No. 47 of 11.07.2012 on the Requirements for the Information Systems of Pension Insurance Companies

Pub. - State Gazette, No. 57 of 27.07.2012, in force from 28.07.2013; amended, No. 94 of 13.11.2018, in force from 19.11.2018; amended and supplemented, No. 55 of 02.07.2021; amended and supplemented, No. 70 of 20.08.2024.

Adopted by Decision No. 135-N of 11.07.2012 of the Commission for Financial Supervision

Section I General Provisions

Art. 1. This Ordinance regulates:

  1. the requirements for the information security management system of the pension insurance company;
  2. the requirements for information exchange and provision of electronic services;
  3. the registers maintained by the pension insurance company.

Art. 2. The pension insurance company shall establish and maintain an information system in accordance with the requirements of this Ordinance, other applicable normative acts and standards, and the adopted internal documents of the company, taking into account the specifics and volume of activities in supplementary pension insurance and its organizational structure.

Section II Information Security Management System

Art. 3. (Amended - SG, No. 70 of 2024) (1) (Amended - SG, No. 70 of 2024) The pension insurance company is obliged to establish an information security management system based on the requirements of the international standard ISO/IEC 27001.

(2) The information security management system must cover the following main aspects of security: risk assessment and management, personnel management, physical security, access control, security in the selection, purchase and use of software and hardware, plans and actions in emergency situations and crises.

(3) (Amended - SG, No. 70 of 2024) The pension insurance company shall align its activities with the good practices laid down in international standards ISO/IEC 27002 and ISO/IEC 27004.

Art. 4. (1) Compliance with the requirements of the standard under Art. 3, para. 1 is demonstrated at the choice of the pension insurance company by:

  1. certification;
  2. submission of documents proving such compliance without certification.

(2) In the cases under para. 1, item 2, the following documents are submitted:

  1. the company's security policy regarding its information system (company security policy);
  2. rules for the protection of the information system and archival information;
  3. rules for network protection;
  4. rules for the control of the physical and working environment;
  5. a plan for ensuring the continuity of information technology processes;
  6. other relevant documents.

Art. 5. (1) The management body of the pension insurance company adopts the company's security policy and the other necessary internal rules and documents under Art. 4, para. 2, ensures their implementation and, where necessary, updates them.

(2) The application of the principles and requirements laid down in the company's security policy must:

  1. guarantee a general level of security in the development, operation and maintenance of the information system;
  2. ensure the development and maintenance of a common security architecture for the information system;
  3. ensure the identification and analysis of risks associated with the information system and the determination of necessary counter-measures;
  4. ensure the protection of information by ensuring the confidentiality, integrity and availability of information assets in the company, including in emergency circumstances.

(3) The company's security policy must meet the requirements in applicable normative acts and standards and contain at least:

  1. the basic principles on which it is based;
  2. the duties and responsibilities of the units and employees of the company for its implementation, for the establishment and operation of the information system and for the implementation of the planned security measures;
  3. the rules for managing risks associated with the information system, including the identification of risk factors, their assessment and the taking of necessary counter-measures against them;
  4. the procedure for adoption, updating and disclosure thereof.

Art. 6. (1) To verify compliance with the standard under Art. 3, para. 1, the pension insurance company submits to the Deputy Chairman of the Commission, heading the "Insurance Supervision" department (Deputy Chairman of the Commission):

  1. a certified copy of the document certifying certification - in cases where the pension insurance company is certified;
  2. the documents under Art. 4, para. 2 - when the certification of the company ceases to be in force;
  3. the amended or supplemented documents under Art. 4, para. 2 - upon changes made to them, when the company is not certified.

(2) The documents under para. 1, item 1 or 2 are submitted within seven days from the certification or cessation of the certification, and under para. 1, item 3 - within seven days from the change.

(3) The Deputy Chairman of the Commission may require supplementation or correction of the documents under para. 1, items 2 and 3, as well as other data and information related to them, and may set a deadline for their submission. When the submitted documents do not meet the requirements of this Ordinance, the Deputy Chairman of the Commission may apply the measure under Art. 344, para. 1, item 1 of the Social Security Code (SSC).

Section III Requirements for Information Exchange and Provision of Electronic Services

Art. 7. (1) The pension insurance company uses an official e-mail address for receiving official correspondence from the Commission and other institutions with which the company exchanges information. The company notifies the Deputy Chairman of the Commission of a change in the official e-mail address at least three working days before the change.

(2) Employees of the company use only their individual official e-mail accounts for receiving and sending official correspondence electronically. Electronic messages sent by employees of the pension insurance company in connection with the performance of their duties must contain identifying contact information for the respective employee. Instructions to the addressee on what to do in case of erroneous receipt are automatically appended at the end of each outgoing electronic message.

Art. 8. (Amended - SG, No. 94 of 2018, in force from 19.11.2018; amended and supplemented, No. 55 of 2021; amended, No. 70 of 2024) (1) (Amended - SG, No. 55 of 2021; amended, No. 70 of 2024) The information system of the pension insurance company must provide the possibility to create and maintain a unified electronic file for each insured person, person insured under a PEPP, pensioner or beneficiary of a PEPP in a fund managed by the company. The file must contain all available data on the person and must allow the person to make inquiries and track their insurance history.

(2) (Amended - SG, No. 70 of 2024) Paper applications and petitions submitted by the persons under para. 1 and their heirs, as well as the company's acts related to them, are included in the electronic file of the respective person by scanning them and the documents attached to them with a scanning device in a form and manner allowing them to be read. The full and exact correspondence of the scanned electronic image with the scanned document is certified by an electronic signature of the person who performed the scanning.

(3) (Amended - SG, No. 94 of 2018, in force from 19.11.2018) The documents under para. 2 are stored by the pension insurance company. The pension insurance company may entrust by written contract the activity of scanning documents to a specialized external contractor. In this case, the company:

  1. is responsible for the actions of the external contractor as for its own actions;
  2. provides in the contract with the external contractor: a) obligations to preserve the confidentiality of the provided documents and information and to provide assistance from its side to the bodies and employees of the Commission for Financial Supervision in the exercise of their powers; b) prohibition on subcontracting the activities subject of the contract;
  3. monitors and assesses the risks associated with the outsourcing of the activities, as well as their implementation by the external contractor.

(4) (Amended - SG, No. 70 of 2024) The pension insurance company is obliged to issue to each insured person, a person insured under a PEPP, a pensioner or a beneficiary of a PEPP, upon request, a unique identifier for the use of the electronic services offered by the company.

(5) (Amended - SG, No. 70 of 2024) Insured persons, persons insured under a PEPP, pensioners, beneficiaries of a PEPP and their heirs have the right to obtain a copy of the electronic documents in the electronic file on paper or electronic media after presenting the necessary certification documents.

(6) Permission for access and refusal of access to the electronic file, and for the use of electronic documents from it under the procedure of para. 5, are issued in written form by the person who manages and represents the pension insurance company or by an employee authorized by him. A refusal of access must be reasoned.

(7) (Supplemented - SG, No. 55 of 2021) The refusal under para. 6 may be appealed by the applicant under the procedure and within the deadlines provided in the rules on the organization and activities of the respective pension fund, respectively in the rules of the fund for the performance of payments.

Art. 9. (Supplemented - SG, No. 55 of 2021) The information system must provide the possibility for:

  1. recording and verification of the time of occurrence of facts with legal significance, accurate to the year, date, hour, minute and second;
  2. (supplemented - SG, No. 55 of 2021) preparation at any time of an extract from the individual account and from the analytical account under Art. 192b, para. 3, item 1 of the SSC, creation and printing of the necessary primary documents, and provision of copies under Art. 8, para. 5 in all offices of the company;
  3. connection with all offices and insurance intermediaries of the company for registering documents submitted at them;
  4. receiving and sending documents signed with an electronic signature;
  5. preparation and exchange in an electronic format determined by the supervisory authority of the required daily, periodic and on-request reports and inquiries;
  6. operational exchange of information with institutions with which the pension insurance company exchanges data, in accordance with the standards, formats and templates provided for this purpose.

Art. 10. (1) Documents submitted to the company electronically are registered by persons determined by the management body. After registration of an incoming electronic document received by the company, a confirmation of its receipt is generated and sent to the applicant.

(2) The persons under para. 1 check the regularity, completeness and accuracy of the data provided. Where irregularities are found, an electronic message with instructions and a deadline for their elimination is sent to the sender.

Art. 11. When providing an electronic service, the pension insurance company informs the user of the service in advance in a clear and understandable manner regarding:

  1. the technical steps for providing the service, their legal significance and the deadline for its provision;
  2. the possibility of the issued act being stored in electronic form by the company and the method of access to it;
  3. the technical means for establishing and eliminating errors in the input of information, before the statements related to the service are made.

Art. 12. (Supplemented - SG, No. 55 of 2021; amended, No. 70 of 2024) The electronic page of the pension insurance company must provide convenient access:

  1. to the information published on it;
  2. (supplemented - SG, No. 55 of 2021; amended, No. 70 of 2024) for each insured person, a person insured under a PEPP, a pensioner or a beneficiary of a PEPP to the data on their individual account, their analytical account and their electronic file after entering the identifier.

Section IV Registers

Art. 13. (Amended and supplemented - SG, No. 55 of 2021; amended and supplemented, No. 70 of 2024) The information system of the pension insurance company must maintain the following main components in an up-to-date state, respectively applicable to the funds managed by the company:

  1. registers of: a) insurance contracts - including by type for the voluntary fund (contract with personal contributions, contract with an employer or with a person under Art. 230, para. 3, item 3 of the SSC and contract with another insurer); b) persons allocated by official distribution, with the number and date of the official distribution protocol; c) pension contracts; d) contracts for the deferred payment of accumulated funds in individual accounts; e) (new - SG, No. 55 of 2021) contracts for the deferred payment of funds in individual accounts in the cases under Art. 167a of the SSC; f) (new - SG, No. 70 of 2024) PEPP contracts.
  2. (amended - SG, No. 55 of 2021; amended, No. 70 of 2024) a register of individual accounts of insured persons and pensioners and of PEPP accounts, which must contain the data according to Art. 24 and 25 of Ordinance No. 9 of 19.11.2003 on the assessment of assets and liabilities of the pension insurance company and of the funds managed by it, for the calculation of the value of net assets, of one share and of the yield from investment properties and for the maintenance of individual accounts, PEPP accounts and analytical accounts in a fund for deferred payments (SG, No. 109 of 2003) (Ordinance No. 9), as well as the account of the reserve for guaranteeing minimum yield under Art. 193, para. 7 SSC;
  3. (new - SG, No. 55 of 2021) a register of analytical accounts of persons receiving payments from funds for deferred payments, which must contain the data according to Art. 27a of Ordinance No. 9;
  4. (previous item 3 - SG, No. 55 of 2021) a register of received petitions for withdrawal or payment of funds separately for each managed fund;
  5. (previous item 4 - SG, No. 55 of 2021) registers of applications for participation under Art. 6 of Ordinance No. 33 of 2006 on individual applications for participation in a fund for supplementary mandatory pension insurance (SG, No. 83 of 2006) - for funds for supplementary mandatory pension insurance;
  6. (previous item 5 - SG, No. 55 of 2021; supplemented, No. 70 of 2024) registers of applications for change of participation or transfer of funds under Art. 20 of Ordinance No. 3 of 2003 on the procedure and manner of changing participation and for the transfer of accumulated funds of an insured person from one fund for supplementary pension insurance to another corresponding fund managed by another pension insurance company (SG, No. 90 of 2003) and of applications for change of PEPP provider;
  7. (previous item 6 - SG, No. 55 of 2021) a register of received petitions for transfer of funds from one insurance account to another in the same pension fund of a spouse or relatives in the direct line up to the second degree - for a fund for supplementary voluntary pension insurance;
  8. (previous item 7, amended - SG, No. 55 of 2021; supplemented, No. 70 of 2024) a register of held assets separately for each fund for supplementary pension insurance, respectively for a sub-fund under Art. 214a of the Social Security Code and for each fund for the performance of payments, analogous to the register under Art. 123a, para. 4, item 4 of the SSC, with records for the daily, respectively monthly, evaluation of each asset;
  9. (previous item 8 - SG, No. 55 of 2021) a register of professional schemes - for a fund for supplementary voluntary pension insurance under professional schemes;
  10. (previous item 9 - SG, No. 55 of 2021) a register of the official correspondence of the pension insurance company, including a register of complaints;
  11. (previous item 10 - SG, No. 55 of 2021) other registers that the pension insurance company maintains in accordance with the normative regulation or its internal rules.

Section V Administrative Liability

Art. 14. (1) A pension insurance company or its employees who commit or allow the commission of a violation of this Ordinance are punished according to Art. 351 of the SSC.

(2) Violations of the provisions of the Ordinance are established by acts drawn up by officials authorized by the Deputy Chairman of the Commission.

(3) Penalty orders are issued by the Deputy Chairman of the Commission or by an official authorized by him.

(4) The establishment of violations, the issuance, appeal and execution of penalty orders are carried out under the procedure of the Law on Administrative Offences and Penalties.

Transitional and Final Provisions

§ 1. (1) Within a 7-day period from the entry into force of the Ordinance, the pension insurance company submits to the Deputy Chairman of the Commission a certified copy of the document certifying certification for compliance with the standard under Art. 3, para. 1, respectively - the documents under Art. 4, para. 2.

(2) The Deputy Chairman of the Commission may require supplementation or correction of the submitted documents under Art. 4, para. 2, as well as other data and information related to them, and may set a deadline for their submission. When the submitted documents do not meet the requirements of this Ordinance, the Deputy Chairman of the Commission may apply the measure under Art. 344, para. 1, item 1 of the SSC.

§ 2. In Art. 6, para. 4 of Ordinance No. 33 of 2006 on individual applications for participation in a fund for supplementary mandatory pension insurance (SG, No. 83 of 2006), the words "requirements for the creation and maintenance of an information system of a pension insurance company, approved by the Deputy Chairman of the Commission for Financial Supervision, heading the "Insurance Supervision" department" are replaced with "the Ordinance under Art. 123j, para. 1 of the SSC".

§ 3. The Ordinance is issued on the basis of Art. 123j, para. 1 of the SSC and is adopted by Decision No. 135-N of 11.07.2012 of the Commission for Financial Supervision.

§ 4. The Ordinance enters into force one year after its publication in the "State Gazette".

Chairman: Stoyan Mavrodiev

Final Provisions to ORDINANCE No. 62 of 30.10.2018 on the Procedure for Storage, Use and Destruction by Pension Insurance Companies of Documents and Data Related to Activities in Supplementary Pension Insurance (SG, No. 94 of 13.11.2018, in force from 19.11.2018)

§ 3. In Ordinance No. 47 of 2012 on the Requirements for the Information Systems of Pension Insurance Companies (SG, No. 57 of 2012), in Art. 8, para. 3, the words "activities of scanning and/or storage" are replaced with "the activity of scanning".

Final Provisions to the Ordinance on Amendment and Supplement of Ordinance No. 61 of 27.09.2018 on the Requirements for Advertising and Written Information Materials and Internet Pages of Pension Insurance Companies (SG, No. 55 of 02.07.2021)

§ 22. In Ordinance No. 47 of 11.07.2012 on the Requirements for the Information Systems of Pension Insurance Companies (pub., SG, No. 57 of 2012; amended, No. 94 of 2018), the following amendments and supplements are made:

  1. In Art. 8: a) in para. 1, the word "pension" is deleted; b) in para. 7, at the end, a comma is placed and "respectively in the rules of the fund for the performance of payments" is added.
  2. In Art. 9, item 2, after the words "individual account", "and from the analytical account under Art. 192b, para. 3, item 1 of the SSC" is added.
  3. In Art. 12, item 2, after the words "their individual account", a comma is placed and "for their analytical account" is added.
  4. In Art. 13: a) in the main text, the word "pension" is deleted; b) in item 1, letter "d" is created: "d) contracts for the deferred payment of funds in individual accounts in the cases under Art. 167a of the SSC;" c) item 2 is amended as follows: "2. a register of individual accounts of insured persons and pensioners, which must contain the data according to Art. 24 and 25 of Ordinance No. 9 of 2003 on the manner and procedure for the assessment of assets and liabilities of the pension insurance company and of the funds managed by it, on the value of the net assets of the fund, for the calculation and announcement of the value of one share, for the calculation and comparison of the yield from investment properties and for the requirements for the maintenance of individual accounts and analytical accounts in a fund for deferred payments (SG, No. 109 of 2003) (Ordinance No. 9), as well as the account of the reserve for guaranteeing minimum yield under Art. 193, para. 7 SSC;" d) a new item 3 is created: "3. a register of analytical accounts of persons receiving payments from funds for deferred payments, which must contain the data according to Art. 27a of Ordinance No. 9;" e) current items 3 - 6 become respectively items 4 - 7; f) current item 7 becomes item 8 and is amended as follows: "8. a register of held assets separately for each fund for supplementary pension insurance and for each fund for the performance of payments, analogous to the register under Art. 123a, para. 4, item 4 of the SSC, with records for the daily, respectively monthly, evaluation of each asset;" g) current items 8 - 10 become respectively items 9 - 11.

Transitional and Final Provisions to the Ordinance on Amendment and Supplement of Ordinance No. 63 of 8.11.2018 on the Requirements for the Content, Periodicity of Preparation and Deadlines for Submission of Reports for Supervisory Purposes of Pension Insurance Companies and Funds Managed by Them (SG, No. 70 of 20.08.2024)

§ 18. In Ordinance No. 47 of 11.07.2012 on the Requirements for the Information Systems of Pension Insurance Companies (pub., SG, No. 57 of 2012; amended, No. 94 of 2018; amended and supplemented, No. 55 of 2021), the following amendments and supplements are made:

  1. In Art. 3: a) in para. 1, the words "ISO/IEC 27001:2005" are replaced with "ISO/IEC 27001"; b) in para. 3, the words "international standard ISO/IEC 27002:2005 (ISO/IEC 17799:2005)" are replaced with "international standards ISO/IEC 27002 and ISO/IEC 27004".
  2. In Art. 8: a) in para. 1, the words "insured person or pensioner" are replaced with "insured person, a person insured under a PEPP, a pensioner or a beneficiary of a PEPP"; b) in para. 2, the words "insured persons, pensioners" are replaced with "persons under para. 1"; c) in para. 4, the words "insured person or pensioner" are replaced with "insured person, a person insured under a PEPP, a pensioner or a beneficiary of a PEPP"; d) in para. 5, the words "Insured persons, pensioners" are replaced with "Insured persons, persons insured under a PEPP, pensioners, beneficiaries of a PEPP".
  3. In Art. 12, item 2, the words "insured person or pensioner" are replaced with "insured person, a person insured under a PEPP, a pensioner or a beneficiary of a PEPP".
  4. In Art. 13: a) in item 1, letter "e" is created: "e) PEPP contracts."; b) item 2 is amended as follows: "2. a register of individual accounts of insured persons and pensioners and of PEPP accounts, which must contain the data according to Art. 24 and 25 of Ordinance No. 9 of 19.11.2003 on the assessment of assets and liabilities of the pension insurance company and of the funds managed by it, for the calculation of the value of net assets, of one share and of the yield from investment properties and for the maintenance of individual accounts, PEPP accounts and analytical accounts in a fund for deferred payments (SG, No. 109 of 2003) (Ordinance No. 9), as well as the account of the reserve for guaranteeing minimum yield under Art. 193, para. 7 SSC;" c) in item 6, at the end, "and of applications for change of PEPP provider" is added; d) in item 8, after the word "insurance", a comma is placed and "respectively for a sub-fund under Art. 214a of the Social Security Code" is added.
  5. Everywhere in the Ordinance, the words "insured person or pensioner" are replaced with "insured person, a person insured under a PEPP, a pensioner or a beneficiary of a PEPP".