LogoRegulatory Alerts
2018-04-04

Ordinance No. 59 of 04.04.2018 on the Functions and Duties of Units, Services, and Persons Exercising Risk Management, Internal Control, and Internal Audit in Pension Insurance Companies

The Commission for Financial Supervision issued Ordinance No. 59 to define the specific functions and duties of risk management, internal control, and internal audit units within pension insurance companies. The regulation mandates that these units establish risk identification and measurement methodologies, conduct regular internal audits, and ensure compliance with legal requirements while protecting the interests of insured persons and pensioners. It further requires these entities to report significant risks and violations to the management board and the Commission, ensuring independent oversight and adherence to international auditing standards.

Financial Supervision Commission Bulgaria logo

Bulgaria

Financial Supervision Commission Bulgaria

Click to view thumbnail

ORDINANCE No. 59 of 04.04.2018 on the functions and duties of the units, services, and persons exercising risk management, internal control, and internal audit in pension insurance companies

Pub. - State Gazette, No. 34 of 20.04.2018, in force from 19.11.2018; amended and supplemented, No. 41 of 21.05.2019; supplemented, No. 60 of 20.07.2021; amended, No. 70 of 20.08.2024.

Adopted by Decision No. 347-N of 04.04.2018 of the Commission for Financial Supervision

Art. 1. This Ordinance regulates the functions and duties of the units, services, and persons exercising risk management, internal control, and internal audit in pension insurance companies.

Art. 2. (Amended and supplemented - State Gazette, No. 41 of 2019; supplemented, No. 60 of 2021; amended, No. 70 of 2024) The risk management unit:

  1. identifies, measures, monitors, and participates in the management of the risks (individually, in their entirety, and in their interdependencies) to which the pension insurance company and the funds managed by it are exposed, including as a result of the activities of external contractors to whom the company has entrusted the performance of certain activities related to supplementary pension insurance and activities associated with them;
  2. develops the rules for managing risks associated with the activities of the pension insurance company and the funds managed by it, and submits them for adoption by the management board of the company;
  3. reviews the rules under item 2 at least once a year and proposes changes to them when necessary;
  4. (supplemented - State Gazette, No. 60 of 2021; amended, No. 70 of 2024) assists the management board and the competent units of the company in determining the acceptable level of risk when investing the funds of supplementary pension insurance funds and funds for making payments, the company's own funds, and the reserves formed in the company, funds, and sub-funds under Art. 214a of the Social Security Code, and participates in the development of investment policies and other internal documents that have a significant impact on the risk exposure of the company, funds, and sub-funds under Art. 214a of the Social Security Code, or expresses opinions on them;
  5. (amended - State Gazette, No. 41 of 2019) develops: a) (amended - State Gazette, No. 70 of 2024) methods for identifying and assessing the risks to which the company, the funds managed by it, and the sub-funds under Art. 214a of the Social Security Code are or may be exposed in the short term or in the long term; b) models for quantitative measurement of at least interest rate risk, currency risk, price risk, credit risk, liquidity risk, concentration risk, and risk in hedging transactions, and determines the threshold values of the observed and measured types of risks;
  6. (amended - State Gazette, No. 41 of 2019) determines the set of data for monitoring risks under item 1 and the application of the methods and models under item 5, and the frequency of providing information about them;
  7. in connection with the identification, monitoring, and management of risk, requests additional information from the competent units of the company and/or the external contractors to whom the performance of certain activities related to supplementary pension insurance and associated activities has been entrusted, when necessary;
  8. currently analyzes information about risks and their status, including by comparison with the provided quantitative indicators;
  9. informs the competent units of the company about the results of the current analysis under item 8 and provides assistance to them in performing risk management actions within their competence;
  10. immediately informs the competent units of the company and the management board when it establishes excessive risk exposure;
  11. prepares monthly risk reports and their management for the management board and the competent units and committees of the company;
  12. (new - State Gazette, No. 41 of 2019) performs the own risk assessment under Art. 123e2 of the Social Security Code in cooperation with the responsible actuary and the unit, respectively the person, performing the function of internal audit, and presents it to the management board of the company;
  13. (previous item 12 - State Gazette, No. 41 of 2019) gives written recommendations for preventing or limiting the manifestation of risks and for eliminating the consequences of adverse events that have occurred;
  14. (previous item 13 - State Gazette, No. 41 of 2019) analyzes the effectiveness of the risk management actions taken and monitors the implementation of the given recommendations;
  15. (previous item 14 - State Gazette, No. 41 of 2019) maintains a risk register, which includes at least the following: a) the identified risks, a qualitative assessment of the probability of their occurrence and their impact, the data used for monitoring each risk, the indicators used to assess risks subject to quantitative measurement, and the planned actions to prevent or limit the manifestation of risks; b) the recommendations given during the current monitoring and management of risk and information about their implementation; c) adverse events that have occurred with significant consequences, the planned and taken measures to eliminate the consequences of them, and the prevention or limitation of the manifestation of such events in the future;
  16. (previous item 15 - State Gazette, No. 41 of 2019) informs the internal control service and the unit, respectively the person, performing the function of internal audit, upon establishing violations of applicable rules and procedures;
  17. (previous item 16 - State Gazette, No. 41 of 2019) informs the Commission for Financial Supervision when it has informed the management board and it has not taken appropriate and timely measures to counteract in case of: a) (amended - State Gazette, No. 70 of 2024) significant risk that the company or a fund managed by it will not comply with a significant legal requirement and this could significantly endanger the interests of the insured persons, persons insured under PEPP, pensioners, or beneficiaries of PEPP; b) significant violation of the regulatory framework;
  18. (previous item 17 - State Gazette, No. 41 of 2019; amended, No. 70 of 2024) presents to the management board an annual report on its activities and the risks to which the company, the funds managed by it, and the sub-funds under Art. 214a of the Social Security Code are exposed, and participates in the preparation of the report under Art. 123e, para. 5 of the Social Security Code;
  19. (previous item 18 - State Gazette, No. 41 of 2019) does not perform activities that are not directly related to risk management activities.

Art. 3. (Amended - State Gazette, No. 41 of 2019; amended, No. 70 of 2024) The internal control service:

  1. monitors the performance of the company's activities in accordance with the regulatory framework, the internal acts and documents adopted by the company, the concluded contracts, and the principles of economy, efficiency, and effectiveness of activities with the aim of preventing and detecting violations;
  2. develops the rules for internal control and submits them for adoption by the management board of the company;
  3. reviews the rules under item 2 at least once a year and proposes changes to them when necessary;
  4. gives opinions and recommendations in connection with the development or amendment of the company's internal documents and other documents related to the performance of its activities;
  5. (amended - State Gazette, No. 41 of 2019) prepares an annual plan for its activities based on the findings in the course of the service's activities and the documents under Art. 2, items 11 and 12, and submits it to the management board for approval;
  6. performs checks in accordance with its annual activity plan and off-plan checks at the request of the management and supervisory bodies of the company or on its own initiative;
  7. exercises current control regarding the compliance with the prohibitions under Art. 177, para. 1-3 and under Art. 249 in connection with Art. 177, para. 1-3 of the Social Security Code and regarding the documentation of investment decisions;
  8. familiarizes itself with all received signals about violations in the activities of the company;
  9. requests the necessary information for the performance of the check and ensures free access to the official premises from the competent units of the company and/or the external contractors to whom the performance of certain activities related to supplementary pension insurance and associated activities has been entrusted;
  10. in case of doubts during the check about committed violations, the establishment of which is within the competence of state bodies other than the Commission for Financial Supervision, immediately informs the management and supervisory bodies of the company, and in the absence of appropriate and timely measures from them - the respective competent state bodies;
  11. analyzes the results of the check, makes findings and conclusions, and gives recommendations for eliminating identified weaknesses and violations;
  12. familiarizes the head of the audited unit with the draft report on the check and considers the comments and objections given on it;
  13. presents the check report to the management board of the company, and when the check was entrusted by the supervisory body or at the discretion of the head of the service - also to the supervisory body;
  14. (amended - State Gazette, No. 70 of 2024) informs the risk management unit about circumstances established during the check that have a significant impact on the risk exposure of the company, the funds managed by it, and the sub-funds under Art. 214a of the Social Security Code;
  15. monitors the implementation of the given recommendations and the additional measures provided by the management board;
  16. informs the management and/or supervisory bodies of the company in cases where the given recommendations or the provided additional measures are not implemented;
  17. informs the Commission for Financial Supervision when the service has informed the management board and it has not taken appropriate and timely measures to counteract in case of: a) (amended - State Gazette, No. 70 of 2024) significant risk that the company or a fund managed by it will not comply with a significant legal requirement and this could significantly endanger the interests of the insured persons, persons insured under PEPP, pensioners, or beneficiaries of PEPP; b) significant violation of the regulatory framework;
  18. prepares and presents to the management and supervisory bodies of the company an annual report on the activities of internal control and participates in the preparation of the report under Art. 123e, para. 5 of the Social Security Code;
  19. does not perform activities that are not directly related to the exercise of internal control.

Art. 4. (Amended - State Gazette, No. 41 of 2019; amended, No. 70 of 2024) The unit, respectively the person, performing the function of internal audit:

  1. checks and assesses the adequacy and effectiveness of the internal control system, the risk management system, and other elements of the management system, including with regard to the outsourcing of activities related to supplementary pension insurance and associated activities to external contractors;
  2. develops the rules for internal audit and submits them for adoption by the management board of the company;
  3. reviews the rules under item 2 at least once a year and proposes changes to them when necessary;
  4. (amended - State Gazette, No. 41 of 2019) prepares an annual plan for internal audit activities based on the findings in the course of its activities and the documents under Art. 2, items 11 and 12, submits it to the management board for approval, and provides it to the audit committee;
  5. performs off-plan audits at the request of the management and supervisory bodies of the company or on its own initiative;
  6. requests the necessary information for the performance of the audit from the competent units of the company and/or the external contractors to whom the performance of certain activities related to supplementary pension insurance and associated activities has been entrusted;
  7. familiarizes the head of the audited unit with the draft audit report and considers the comments and objections given on it;
  8. presents the audit report to the management board of the company, and when the check was entrusted by the supervisory body or at its own discretion - also to that body;
  9. (amended - State Gazette, No. 70 of 2024) informs the risk management unit about circumstances established during the audit that have a significant impact on the risk exposure of the company, the funds managed by it, and the sub-funds under Art. 214a of the Social Security Code, and the internal control service about established violations;
  10. gives recommendations for eliminating the identified weaknesses and monitors the implementation of the recommendations approved by the management board and the additional measures provided by it;
  11. (new - State Gazette, No. 41 of 2019) assists the risk management unit in performing the own risk assessment under Art. 123e2 of the Social Security Code and independently performs the assessment under Art. 123e2, para. 2, item 3 of the Social Security Code;
  12. (previous item 11 - State Gazette, No. 41 of 2019) informs the Commission for Financial Supervision when it has informed the management board and it has not taken appropriate and timely measures to counteract in case of: a) (amended - State Gazette, No. 70 of 2024) significant risk that the company or a fund managed by it will not comply with a significant legal requirement and this could significantly endanger the interests of the insured persons, persons insured under PEPP, pensioners, or beneficiaries of PEPP; b) significant violation of the regulatory framework;
  13. (previous item 12 - State Gazette, No. 41 of 2019) prepares and presents to the management and supervisory bodies of the company an annual report on internal audit activities and participates in the preparation of the report under Art. 123e, para. 5 of the Social Security Code;
  14. (previous item 13 - State Gazette, No. 41 of 2019) complies with the International Standards for the Professional Practice of Internal Audit in the performance of its activities;
  15. (previous item 14 - State Gazette, No. 41 of 2019) does not perform activities that are not directly related to internal audit activities.

Additional Provisions § 1. For the purposes of this Ordinance:

  1. "Effectiveness" is the degree of achievement of the objectives of the audited object when comparing the actual and expected results of its activities.
  2. "Efficiency" is the achievement of maximum results from the resources used in the performance of the audited object's activities.
  3. "Economy" is the acquisition with the least costs of the necessary resources for the performance of the audited object's activities while complying with the quality requirements for resources.
  4. "Adequacy" is the correspondence of the management system and its individual elements to the current and possible future needs of the pension insurance company and the funds managed by it.
  5. "International Standards for the Professional Practice of Internal Audit" are the International Standards for the Professional Practice of Internal Audit issued by the Institute of Internal Auditors, Altamonte Springs, Florida, USA, and their translation into Bulgarian, published by the Institute of Internal Auditors in Bulgaria.

Final Provisions § 2. (Amended - State Gazette, No. 41 of 2019) The Ordinance is issued on the basis of Art. 123e1, para. 12 of the Social Security Code and was adopted by Decision No. 347-N of 4.04.2018 of the Commission for Financial Supervision.

§ 3. This Ordinance enters into force from 19.11.2018.

Chairman: Karina Karaivanova

Final Provisions to the Ordinance on Amendment and Supplement of Ordinance No. 48 of 2013 on the Requirements for Remuneration (State Gazette, No. 41 of 21.05.2019)

§ 16. In Ordinance No. 59 of 2018 on the functions and duties of the units, services, and persons exercising risk management, internal control, and internal audit in pension insurance companies (Pub., State Gazette, No. 34 of 2018), the following amendments and supplements are made:

  1. In Art. 2: a) item 5 is amended as follows: "5. develops: a) methods for identifying and assessing the risks to which the company and the funds managed by it are or may be exposed in the short term or in the long term; b) models for quantitative measurement of at least interest rate risk, currency risk, price risk, credit risk, liquidity risk, concentration risk, and risk in hedging transactions, and determines the threshold values of the observed and measured types of risks;" b) in item 6, the words "application of the models under item 5" are replaced with "application of the methods and models under item 5"; c) a new item 12 is created: "12. performs the own risk assessment under Art. 123e2 of the Social Security Code in cooperation with the responsible actuary and the unit, respectively the person, performing the function of internal audit, and presents it to the management board of the company;" d) the current items 12, 13, 14, 15, 16, 17, and 18 become respectively items 13, 14, 15, 16, 17, 18, and 19.
  2. In Art. 3, item 5, the words "own risk assessment, based on" are deleted, and the words "reports under Art. 2, item 11," are replaced with "documents under Art. 2, items 11 and 12".
  3. In Art. 4: a) in item 4, the words "own risk assessment, based on" are deleted, and the words "reports under Art. 2, item 11" are replaced with "documents under Art. 2, items 11 and 12"; b) a new item 11 is created: "11. assists the risk management unit in performing the own risk assessment under Art. 123e2 of the Social Security Code and independently performs the assessment under Art. 123e2, para. 2, item 3 of the Social Security Code;" c) the current items 11, 12, 13, and 14 become respectively items 12, 13, 14, and 15.
  4. In § 2 of the Final Provisions, the words "Art. 123e1, para. 10" are replaced with "Art. 123e1, para. 12".

Transitional and Final Provisions to ORDINANCE No. 70 of 29.06.2021 on the Requirements for Payment Funds (State Gazette, No. 60 of 20.07.2021)

§ 8. In Ordinance No. 59 of 4.04.2018 on the functions and duties of the units, services, and persons exercising risk management, internal control, and internal audit in pension insurance companies (Pub., State Gazette, No. 34 of 2018; amended and supplemented, No. 41 of 2019), in Art. 2, item 4, after the words "supplementary pension insurance funds", the words "and funds for making payments" are added.

Transitional and Final Provisions to the Ordinance on Amendment and Supplement of Ordinance No. 63 of 8.11.2018 on the Requirements for the Content, Frequency of Preparation, and Deadlines for Submission of Supervisory Reports of Pension Insurance Companies and the Funds Managed by Them (State Gazette, No. 70 of 20.08.2024)

§ 22. In Ordinance No. 59 of 4.04.2018 on the functions and duties of the units, services, and persons exercising risk management, internal control, and internal audit in pension insurance companies (Pub., State Gazette, No. 34 of 2018; amended and supplemented, No. 41 of 2019; supplemented, No. 60 of 2021), the following amendments are made:

  1. In Art. 2: a) in item 4, the words "the company and the funds" are replaced with "the company, the funds, and the sub-funds under Art. 214a of the Social Security Code"; b) in item 5, letter "a", the words "the company and the funds managed by it" are replaced with "the company, the funds managed by it, and the sub-funds under Art. 214a of the Social Security Code"; c) in item 17, letter "a", the words "the insured persons or pensioners" are replaced with "the insured persons, persons insured under PEPP, pensioners, or beneficiaries of PEPP"; d) in item 18, the words "the company and the funds managed by it" are replaced with "the company, the funds managed by it, and the sub-funds under Art. 214a of the Social Security Code".
  2. In Art. 3: a) in item 14, the words "the company and the funds managed by it" are replaced with "the company, the funds managed by it, and the sub-funds under Art. 214a of the Social Security Code"; b) in item 17, letter "a", the words "the insured persons or pensioners" are replaced with "the insured persons, persons insured under PEPP, pensioners, or beneficiaries of PEPP".
  3. In Art. 4: a) in item 9, the words "the company and the funds managed by it" are replaced with "the company, the funds managed by it, and the sub-funds under Art. 214a of the Social Security Code"; b) in item 12, letter "a", the words "the insured persons or pensioners" are replaced with "the insured persons, persons insured under PEPP, pensioners, or beneficiaries of PEPP".
Share