POR ASF Pension Governance Systems


On May 15, POR ASF consulted on new pension regulatory standards.


  • POR ASF issued consultation details on a new draft regulatory standard relating to the governance system of pension fund management entities, for improved supervision.
  • Also, a linked consultation on the draft regulatory standard relating to security and governance of information and communication technologies and subcontracting to any cloud computing service providers within the scope of the pension fund management area.
  • Follows POR ASF Jun. 2022 issued regulatory standard 6/2022-R on case, see #139925.
  • Also follows POR ASF May 2022 consulted on new governance structure, see #137313.
  • Legal Basis
  • Under article 47 of Statutes under Decree-Law 1/2015, Jan. 6, 2015, POR ASF issued two draft regulatory standards on pension management entities systems and security.
  • Consultation 4/2024
  • For sound and prudent management of pension fund management entities, essential to the protection of associates, contributors, participants and beneficiaries, it is important to ensure that robust governance systems are in place, appropriate to complexity and risk.
  • POR ASF understands the need to reinforce the supervision model of the governance system of pension fund management entities, via review of regulations in light of framework.
  • Also in terms of European regulatory standards and best supervisory practices, with the promotion and implementation of proportionate and consistent supervisory practices.
  • The structure of the governance system of pension fund management companies must be in accordance with the applicable national regulatory framework, including the risk management system and internal control system, with autonomous internal audit.
  • In case of management of pension funds that finance defined benefit plans or defined contribution plans, paid via a pension fund, an actuarial function must also be ensured.
  • The draft regulatory standard establishes requirements that must govern development of governance system to be implemented by the pension fund management entities.
  • They include matters on self-assessment risk, conflicts of interest, on remuneration, on the internal reporting of irregularities as well as pension fund governance structures.
  • The draft standard is organized into fourteen chapters, considering matters essential to the sound and prudent management of activities of pension fund management entities.
  • There are also appendices provided that, for example, set out actuarial requirements in relation to the various aspects of the governance requirements for such pension funds.
  • Consultation 5/2024
  • EIOPA published, on Feb. 6, 2020, guidance on outsourcing to cloud computing service providers and, on Oct. 12, 2020, separate guidance on ICT security and governance.
  • POR ASF published Regulatory Standard 6/2022-R, for all insurance and reinsurance companies, establishing general requirements and principles in terms of ICT security.
  • However, ICTs are increasingly complex and the potential for incidents related to these technologies, namely cybersecurity, has increased on a global basis, so this is an issue.
  • The management of risks associated with ICT and security is essential for all entities supervised by POR ASF for objectives in strategic, business, operation and reputation.
  • Given the potential negative impact of cybersecurity incidents and the increasing use of ICT in pension fund management companies, POR ASF sees a similar regime for pensions as essential, in alignment with the regime for insurance and reinsurance firms.
  • The regulatory standard aims to ensure reduction of vulnerability to security incidents, including cyberattacks, as well as the optimization of risk management associated with ICT and security in all of the activities of pension fund management companies.
  • Based on need for preparation for prevention and management of cyber risks and the implementation of cybersecurity framework by pension fund management companies, this standard covers cybersecurity in the scope of the information security measures.
  • The established requirements aim to promote diligent, equitable and transparent action by pension fund management firms, with objective of adequate consumer protection.
  • It should be noted insurance firms that manage pension funds are already subject to requirements for insurance activities in the scope of Regulatory Standard 6/2022-R.
  • Effectiveness
  • Comments and recommendations from stakeholders can be made until Jul. 1, 2024.
  • Aug. 2024 Final Versions Published
  • On Aug. 26, 2024, POR ASF issued Regulatory Standard RS 6/2024-R and Regulatory Standard RS 7/2024-R, both of Aug. 20, 2024, following the previous consultation process.
  • RS 6/2024-R was approved, establishing requirements that must govern development of the governance system to be implemented by pension fund management entities.
  • These include matters related to risk self-assessment, conflict of interest, remuneration and internal reporting of irregularities and the governance structures of pension funds.
  • The requirements established aim to promote diligent, equitable and transparent action by pension fund management entities, with the aim of adequate consumer protection.
  • This regulatory standard will come into force 60 days after the date of its publication, on Oct. 25, 2024, although some provisions will only take full effect from Jan. 1, 2025.
  • RS 7/2024-R was approved, and relates to the security and governance of information and communication technologies and subcontracting to cloud computing service providers that will fall within the scope of pension fund management requirements.
  • In addition to general governance requirements in RS 6/2024-R, POR ASF has drawn up this standard to ensure that pension fund management companies are prepared to manage all risks associated with information and communication technologies (ICT).
  • Provision arises from a growing dependence on ICT in the operational functioning of management firms, and to reduce vulnerability to security incidents, like cyber attacks.
  • The provision of general requirements and principles regarding wider ICT security and governance, and the specific requirements regarding outsourcing to cloud computing service providers is an important step towards greater alignment with the regulations.
  • The regulatory standard will come into force 30 days after the date of publication, on Sep. 25, 2024, but some provisions are covered by a transitional regime ending Jan. 17, 2025.

Regulators POR ASF
Entity Types Corp; Fiduciary; IA; Ins; Pension
Reference PR 8/26/2024; RS 6/2024-R, RS 7/2024-R, 8/20/2024; RS CP 4/2024, CP 5/2024, PR 5/15/2024; RS 6/2022-R, 6/7/2022; ESG; Citation: RS 6/2024-R; RS 7/2024-R;
Functions Actuarial and Valuation; Audit; Compliance; C-Suite; Cyber; Financial; HR; Legal; Operations; Outsourcing; Privacy; Product Administration; Reinsurance; Reporting; Risk; Technology; Treasury
Countries Portugal
Category
State
Products Corporate; Fund Mgt; Insurance; Pensions; Retirement Plan
Regions EMEA
Rule Type Final
Rule Date 5/15/2024
Effective Date 9/25/2024
Rule Id 212177
Linked to Rule :139925
Reg. Last Update 8/26/2024
Report Section EU

Last substantive update on 08/28/2024