The term “compliance” can be defined as the totality of all content-related and organisational safeguards that ensure lawful conduct on the part of the Hannover Re companies, the members of their governing bodies and their employees with regard to all legal and ethical standards as well as the internal corporate policies in the major areas of the organisation and operating processes.
We consider efficiently functioning compliance management to be essential, since legally correct, responsible and ethical actions constitute the fundamental precondition for trust in our company and for its competitiveness as well as for ensuring that licences to pursue our business activities are maintained and not denied. In our view, conformity with applicable legal requirements is a self-evident prerequisite for enduring successful business operations. This includes laws and regulations relating to the environment just as it does those with a bearing on, among other things, fighting corruption, the prevention of money laundering, data privacy and tax compliance. In addition, the compliance function is one of the four key functions of the system of governance pursuant to the Solvency II Directive and an important element of the internal control system under these rules governing European insurers and reinsurers.
The Corporate Compliance Organisational Manual summarises the major activities and defines the responsibilities within our company, the interfaces and the elements of the compliance organisation. Our compliance structure was reviewed most recently in 2015 against the backdrop of the compliance requirements associated with Solvency II. The Compliance department and the Chief Compliance Officer keep employees informed of changes in legislation, insofar as they affect their work. A worldwide network of compliance officers reports to and supports the Chief Compliance Officer in his duties. With a view to improving cooperation within the compliance network on the European level, we organise an annual gathering of European compliance officers. Conference calls are also held on a regular basis. The Chief Compliance Officer works to ensure compliance with internal corporate policies by cooperating with other departments, including Group Auditing, and updates the Executive Board on material compliance issues and developments in an annual compliance report. A Web-based whistleblower system is also in place for the companies within the Group. This enables employees, customers and third parties to report compliance violations anonymously in their local language or in English. Relevant tips and any countermeasures initiated are included in the annual compliance report. In the year under review no tips were received through the Group-wide whistleblower system regarding potential wrongdoing. Furthermore, no lawsuits were filed against our company in the reporting period on grounds of anti-competitive or anti-trust practices. Similarly, we were not required to pay any significant fines in the period under review due to violations of legal provisions; nor were any non-monetary sanctions imposed on our company.
Our Code of Conduct is accepted by our employees as an integral component of their employment contract and therefore has binding effect. It encompasses, among other things, specific rules of conduct in the form of instructions for the avoidance and disclosure of conflicts of interest, for the granting and acceptance of benefits, gifts and invitations, for the arrangement of donations and sponsorships as well as with respect to sideline activities and involvement in other companies and business transactions. The Compliance Officer is to be notified of any suspicious cases. As a general principle, all employees receive compliance training when they join the Group. In the year under review four training activities were held for altogether 107 employees. In order to stay updated on compliance issues such as combating corruption, we use traditional communication channels including intranet portals and online newsletters. Important information of company- wide relevance is made available to staff in the intranet.
As a listed company, we also emphasise to our employees the necessity of observing rules on insider trading and we specify blocking periods during which shares may not be traded.
Generally speaking, the risk of human rights violations in connection with our business operations is minimal. We have nevertheless put special emphasis on respect for human rights within the supply chain. For further information we would refer to the section “Supplier management”.
With the aid of our Tax Guideline, which applies throughout the Group, a Tax Compliance System that is currently under development and the associated review of all relevant task areas, processes and responsibilities, we want to ensure – going forward, as in the past – that despite growing complexity we satisfy tax liabilities arising out of our international business operations in accordance with the respective national legal requirements.
As part of our business activities we process and store personal data. The data are required primarily in the context of underwriting, for providing customer and contract-related services as well as in claims and benefit management. Furthermore, personal data are collected, processed and stored in connection with, among other things, human resources management and shareholder administration. We also process personal data in order to assert our own legitimate interests or those of third parties. In particular, this may be necessary in order to safeguard IT security and IT operations and to meet official requirements. It is incumbent on the Hannover Re Group to uphold the statutory data privacy rights of data subjects, and we have implemented appropriate procedures and methods for this purpose. The general principle is that personal data may only be collected, processed and stored by Group employees to the extent that this is necessary for a precisely defined purpose as part of their lawful task fulfilment or a corresponding basis exists in law. We make use of external service providers to some extent in order to perform our contractual and statutory duties. These external data recipients are to be viewed as part of the data processing operations, as is the case with brokers, outside experts, business partners etc. All external recipients are contractually bound to comply with statutory data protection requirements and are checked in this regard. The EU General Data Protection Regulation does not directly affect all Hannover Re companies if their registered office is located outside the European Union or European Economic Area. The respective national legal frameworks are primarily determinative for these companies. The existing structures of the established compliance organisation are used to implement the minimum standards required by data privacy law. Irrespective of the scope of application of the EU General Data Protection Regulation, the designated Compliance Officers and contact persons are responsible for local data protection requirements. As necessary, they draw up additional local data privacy guidelines and serve as the interface to the Data Protection Officer at Hannover Re in Germany. The Data Protection Officer coordinates overarching aspects of the installed data privacy management system within the Hannover Re Group. He gives advice on how to resolve specific data privacy issues and monitors compliance with the EU General Data Protection Regulation and other data protection standards. In this context, the monitoring of data privacy requirements takes place in close coordination with Group Auditing. The findings of the separate reporting on data protection are integrated into the annual compliance report. No complaints were received about privacy breaches affecting personal data or the loss of such data during the period under review. There was therefore no requirement to fulfil the duty to notify data breaches pursuant to Articles 33 and 34 of the GDPR.
An information security management system geared to ISO 27001 has been set up Group-wide for operational assurance of the protection requirements under data privacy law as well as for ensuring the security of all other sensitive information within the company. In organisational terms, information security management is coordinated centrally by the Group Information Security function and incorporates all other relevant functions, including for example Group IT for matters of IT security or Facility Management with respect to building security. In addition, awareness among our employees of such security risks is raised through practically oriented assistance measures, training activities and a staff information campaign.
Risks arising out of the areas of data protection and information security are integrated into the system of risk management as operational risks and monitored here.
In addition to an annual self-assessment, we participate in various cooperative projects undertaken by our industry and engage in a regular dialogue with advocacy groups such as the Bundesverband der IT-Anwender e.V. in the context of the Cyber Security Competence Center.
Observance of applicable sanctions regulations plays a central role for us on account of our international orientation. We have enshrined compliance with relevant sanctions provisions in our Code of Conduct and Underwriting Guidelines. In addition, a Sanctions Screening Guideline is in place, stipulating when members of staff must perform sanctions screening with respect to the initiation of contracts and / or the payment of claims. A software-supported check continuously verifies whether the company’s data inventories include the names of persons who are subject to sanctions and hence with whom no business may be transacted. Each working day staff in Group Legal Services check the Official Journal of the European Union for changes in sanctions law on the EU level and publicise relevant changes Group-wide without delay. The compliance training given to new members of staff also includes basic instruction in sanctions law. New underwriters and claims managers receive additional training in the use of the screening software as well as in the scenarios in which a sanctions check must be made. In addition, all underwriting and accounting departments received training in the topic of trade embargos in the year under review.
|Goal to be achieved by 2020:|
|Optimisation of compliance management||Appropriate measures to improve compliance standards are
regularly coordinated in the context of the meetings of European
Compliance Officers and routine conference calls.|
In the year under review work began on the creation of a Groupwide compliance plan and a consistent Group-wide Compliance Risk Matrix was elaborated in cooperation with the European locations. The compliance reports of the international offices are evaluated and analysed on an ongoing basis.
Furthermore, new legislative developments such as the statutory requirements of the European Insurance Distribution Directive were examined and appropriate processes were put in place at the Hannover location. The processes for implementation of this directive, which applies Europe-wide, are progressively being established at our European locations in accordance with local legal and timing requirements.
As a consequence of the roll-out of the new General Data Protection Regulation (GDPR), we specified our existing policies in greater detail and also created new processes, including for example the conduct of a data protection impact assessment if a particular instance of data processing will likely pose considerable risks to the rights and freedoms of natural persons.