Instruction No. 2017-I-12 of June 26, 2017 amending Instruction No. 2015-I-18 on the electronic signature of documents transmitted to the ACPR (Insurance Sector)

PRUDENTIAL CONTROL AND RESOLUTION AUTHORITY

Instruction No. 2017-I-12 amending Instruction No. 2015-I-18 on the electronic signature of documents transmitted to the ACPR (Insurance Sector)

The Prudential Control and Resolution Authority, Having regard to Regulation (EU) No 910/2014 of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market, known as the 'eIDAS Regulation'; Having regard to the opinion of the Prudential Affairs Advisory Commission of 1 June 2017; Having regard to the opinion of the Anti-Money Laundering and Counter-Terrorist Financing Advisory Commission of 9 June 2017. DECIDES:

Article 1 Article 1 of Instruction No. 2015-I-18 is replaced as follows:

"Article 1 This instruction applies to the entities referred to in all ACPR instructions referencing electronic signature."

Article 2 Article 2 of Instruction No. 2015-I-18 is replaced as follows:

"Article 2 For the purposes of electronic signature, transmitted collection statements are electronically signed using an electronic signature certificate that meets, depending on its date of issue, the following conditions:

1. Certificates issued before 1 July 2017 must be issued: 1.1 By a qualified electronic certification service provider at the 'Two Stars' security level or the 'Three Stars' security level, within the meaning of the General Security Reference in version 1.0 'Trust Service Signature' provided for by Ordinance No. 2005-1516 or in version 2.0 according to the order of 13 June 2014 approving the general security reference and specifying the implementation procedures for the certificate validation process. Or 1.2 By an electronic certification service provider declared compliant with the Common Acceptance Policy (PAC) of the French Centre for Banking Organization and Standardization (CFONB) for signature at level 2 or level 3. Or 1.3 By an electronic certification service provider certified compliant with the European standard of the European Telecommunications Standards Institute (ETSI) ETSI TS 101 456 QCP Public + SSCD. Or 1.4 According to one of the modalities provided for in 2.1 and 2.2 below.

2. Certificates issued after 1 July 2017 must be issued: 2.1 By an electronic certification service provider certified compliant with the European eIDAS Regulation for the 'qualified certificates' level (EU Qualified Certificates). Or 2.2 By the 'strong signature' Certification Authority of the Bank of France.

Article 3 Article 3 of Instruction No. 2015-I-18 is repealed.

Article 4 Article 4 of Instruction No. 2015-I-18 is replaced as follows:

"Article 4 Any entity implementing electronic signature must declare to the ACPR, by means of a single document, the identity of the electronic certification service provider it uses, the type of certificate used, as well as, for each person it authorizes to sign on its behalf, their identity and their role within the entity.

Unless otherwise indicated or specified in the relevant instructions, the persons authorized to sign are those ensuring the effective management of the insurance entity within the meaning of the first paragraph of II of Article L. 612-23-1 of the Monetary and Financial Code and the persons referred to in the second paragraph of II of the same article (hereinafter the Senior Management). Senior Management may also duly authorize persons who have the competence and position within the establishment allowing them to commit to the quality of the information they are required to sign.

The aforementioned Senior Management may also delegate authority to another entity within the group within the meaning of Article L. 356-1 of the Insurance Code if this entity is mentioned in B of I of Article L. 612-2 of the Monetary and Financial Code. In this case, the persons authorized to sign are the Senior Management (effective, if applicable) of the delegated entity as well as the agents designated by them in application of the aforementioned provisions.

In the event of signature delegation by Senior Management under the aforementioned conditions, the types of collections subject to the delegation must be specified.

Regardless of the delegations granted, the aforementioned Senior Management remain responsible for the quality and reliability of the information transmitted on their behalf and must be able to transmit the information under their own electronic signature.

The declarations provided for by this article must be communicated to the ACPR at least one month before the deadline for the first electronically signed submission.

Similarly, each modification made to these declarations must be communicated to the ACPR at least one month before the relevant deadline.

Entities must take the necessary measures to communicate to the persons they declare the information provided for in Article 32 of Law No. 78-17 of 6 January 1978 relating to computing, files and freedoms."

Article 5 Article 5 of Instruction No. 2015-I-18 is replaced as follows:

"Article 5 The ACPR may at any time oppose the use of an electronic certificate by an entity that does not or no longer meets the requirements of Article 2 above."

Article 6 The second paragraph of Article 7 of Instruction No. 2015-I-18 is supplemented as follows:

"The amendments to Instruction No. 2015-I-18 set out in Instruction No. 2017-I-12 of 26 June 2017 shall enter into force as of 1 July 2017."

Article 7 This instruction shall enter into force as of 1 July 2017.

Done in Paris, 26 June 2017 The President of the Prudential Control and Resolution Authority François VILLEROY de GALHAU