Pillar guide · IVASS intermediaries compliance

IVASS-ready insurance management system for brokers and intermediaries

13 minute read · Audience: broker owners, compliance officers, operations leads

Summary

An IVASS-ready insurance management system natively embeds the requirements of the IVASS regulations that apply to brokers and intermediaries: Reg. 40/2018 (distribution), Reg. 41/2018 (transparency), Reg. 44/2019 (AML), Reg. 45/2020 (POG), Reg. 24/2016 (professional training). This guide describes the regulatory framework, the RUI sections, the concrete operational obligations (audit trail, AgID decade-long preservation, auto-generated IPID, complaints register, AML), and the five "evidence packs" IVASS checks during inspection. It includes a compliance checklist and 10 operational FAQs.

1. The IVASS regulatory framework for intermediaries

The Italian regulatory framework for insurance intermediaries has grown progressively more complex since the adoption of IDD (EU Directive 2016/97, transposed via Italian D.Lgs. 68/2018). The five main bodies of regulation issued by IVASS cover complementary dimensions of distribution.

1.1 IVASS Reg. 40/2018 — distribution

The "core" regulation on post-IDD insurance distribution. Regulates: requirements for exercising distribution activity, pre-contractual information duties, conflict-of-interest management, distribution-activity registration, prudential supervision. For the broker's management system, art. 53 (distribution-activity register) and art. 65 (preservation obligations) are the two most operationally impactful points.

1.2 IVASS Reg. 41/2018 — transparency and customer information

Regulates the pre-contractual documentation the broker must deliver to the principal before subscription: the IPID (Insurance Product Information Document) for non-life products, a more structured information booklet for life and investment products, and declarations on distributor identity (RUI section, any participation relationships with insurers). All documentation must be delivered with proof of delivery.

1.3 IVASS Reg. 44/2019 — AML

The implementing regulation for the insurance sector of Italian D.Lgs. 231/2007 (Italian transposition of EU AML directives). For the broker, substantive obligations concentrate on life and investment lines: customer due diligence, risk profiling, sanctions/PEP screening, decade-long document preservation, UIF reporting for suspicious operations. For non-life lines, obligations are reduced but not eliminated.

1.4 IVASS Reg. 45/2020 — POG (Product Oversight and Governance)

Insurance-product governance from the distribution side. Requires the broker operating as "manufacturer" or "distributor" to: define and apply the target market of each distributed product, monitor consistency between sold products and customer profiles, report distribution anomalies to the producer (insurer), maintain documentation of periodic product reviews.

1.5 IVASS Reg. 24/2016 and subsequent — continuing professional training

Continuing professional training obligation for RUI registrants: 60 hours every 36 months for sections A, B, D; 30 hours for section E. Hours must cover defined macro-areas (regulation, products, IT) and be documented with certificates obtained at recognised institutions. Non-compliance leads to automatic RUI suspension.

2. RUI register: sections A/B/D/E and operational implications

The Italian Insurance Intermediaries Register (RUI), kept by IVASS, is the authoritative source to establish who can legitimately distribute insurance in Italy. The section structure reflects the different intermediary types:

2.1 Registration verification via IVASS API

IVASS exposes a RUI consultation service for programmatic registration verification. An IVASS-ready management system integrates this verification at key points: onboarding of a new section-E collaborator, enabling a new broker on a principal insurer, periodic verification of active registrations in your team. The check intercepts temporary suspensions, disciplinary cancellations, unrenewed expirations.

2.2 Onboarding of a new RUI sec. E collaborator

The typical onboarding workflow for a section-E collaborator includes: RUI verification via IVASS API (the collaborator must be registered and active), acquisition of data-processing consent with FEA (advanced electronic signature), operational-profile assignment (what they can do in the management system: quote, issue, claims, etc.), tracking of initial training hours, and activation of a personal audit trail. All documentation is preserved for 10 years in compliance with AgID.

3. Operational compliance: what's needed in software

Translating the regulatory framework into software functionality is the decisive step. A "compliance-by-design" management system covers four areas.

3.1 Data traceability and immutable audit trail

Every relevant operation (policy creation, master-data modification, document issuance, customer-file access) is logged immutably: who, what, when, from which IP, with which motivation (if required). Logs cannot be deleted or modified after the fact; they are exportable in a standard format for IVASS audit and preserved for 10 years. The technical pattern is write-once read-many with log signing to guarantee integrity.
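The integrity half of that pattern can be sketched as a hash-chained, signed log. This is an added example, not code from NewPicass or any vendor; the field names, the `anchored_head` parameter and the use of HMAC-SHA256 in place of a signature are assumptions made for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev_hash used by the first entry

def _canonical(body):
    # Stable byte encoding so the hash does not depend on key order.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def _mac(key, data):
    # Assumption: HMAC-SHA256 stands in for the log signature.
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def append_entry(log, key, who, what, when, ip, motivation=""):
    """Append one who/what/when/IP/motivation record, chained to the previous one."""
    body = {"seq": len(log), "who": who, "what": what, "when": when, "ip": ip,
            "motivation": motivation,
            "prev_hash": log[-1]["entry_hash"] if log else GENESIS}
    data = _canonical(body)
    entry = dict(body, entry_hash=hashlib.sha256(data).hexdigest(), sig=_mac(key, data))
    log.append(entry)
    return entry

def verify_log(log, key, anchored_head=None):
    """Return a list of (index, problem); an empty list means the log is intact.

    anchored_head is the newest entry_hash as recorded outside the log store;
    without it, removal of the newest entries cannot be detected.
    """
    problems, prev = [], GENESIS
    for i, e in enumerate(log):
        body = {k: v for k, v in e.items() if k not in ("entry_hash", "sig")}
        data = _canonical(body)
        if body.get("seq") != i:
            problems.append((i, "sequence gap"))
        if body.get("prev_hash") != prev:
            problems.append((i, "broken chain"))
        if hashlib.sha256(data).hexdigest() != e.get("entry_hash"):
            problems.append((i, "content altered"))
        if not hmac.compare_digest(_mac(key, data), str(e.get("sig", ""))):
            problems.append((i, "bad signature"))
        prev = e.get("entry_hash")
    if anchored_head is not None and prev != anchored_head:
        problems.append((len(log), "head mismatch"))
    return problems

def build_sample_log(key):
    # Constructed sample events; users, file numbers and IPs are invented.
    log = []
    append_entry(log, key, "m.rossi", "policy.create:P-0001", "2025-03-01T09:12:00Z", "192.0.2.10")
    append_entry(log, key, "l.bianchi", "customer.update:C-0042", "2025-03-01T10:03:00Z", "192.0.2.11", "address change")
    append_entry(log, key, "m.rossi", "document.issue:IPID-0001", "2025-03-01T10:20:00Z", "192.0.2.10")
    return log
```

An edited field, a deleted entry and a truncated tail each produce a distinct finding. The chain only proves integrity if the signing key and the anchored head hash are kept outside the system that stores the log.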

3.2 Decade-long preservation (Italian CAD arts. 43-44)

The Italian Digital Administration Code (D.Lgs. 82/2005), articles 43-44, and AgID Guidelines 2020 regulate decade-long preservation of electronic documents. Preservation happens with an AgID-accredited Preservation Provider (Aruba, InfoCert, Postel, Namirial) natively integrated in the management system. Sent for preservation: issued policies and signed endorsements, IPID and information booklets delivered to customers, PEC communications, AML documentation, pending claims, professional-training evidence.

3.3 Conflict-of-interest management

Reg. 40/2018 requires the broker to identify, manage and disclose any conflicts of interest. Typical scenarios: the broker receives differentiated commissions across principal insurers steering them towards one over another; the broker has participation relationships with an insurer. The management system automatically tracks factors potentially configuring conflict (commissions, participations) and produces the transparency disclosure to deliver to the customer before quotation.

3.4 Auto-generated IPID and information booklet

The IPID (for non-life) and information booklet (for life) must be generated at quotation time and delivered to the customer before subscription. A vertical management system starts from IVASS-approved templates of the principal insurer and customises them with quotation data (sums insured, covers, exclusions, premium). Delivery happens digitally (customer portal or PEC) with timestamped delivery proof. Automatic decade-long preservation.

4. IVASS audit: what they check and what to have ready

IVASS inspections are standardising on five recurring "evidence packs", typically requested at inspection opening and to be provided within 24-48 hours.

  1. Policies and claims register: complete list of managed policies with principal details, principal insurer, line, premium, status; complete list of claims opened, reserved, closed in the last 36 months.
  2. IPID and information-booklet delivery proofs: random sample of 50-100 contracts with verification of timestamped delivery proof of the pre-contractual document to the customer.
  3. Complaints register: list of complaints received in the last 24 months with status, response times, outcome. Verification of compliance with the 45-day response deadline.
  4. Professional training register: for each RUI registrant in the organisation, training hours performed in the last 36 months with certificates. Verification of reaching 60 hours (sec. A/B/D) or 30 hours (sec. E).
  5. AML framework: written AML policy, KYC evidence on life/investment customers, register of any UIF reports, evidence of staff AML training.

An IVASS-ready management system generates the five packs on demand in a few clicks, in standardised Excel/PDF format. Without software, reconstructing these packs by hand in 48 hours is impossible for a mid-sized broker.

5. AML for intermediaries: complete workflow

The insurance broker's AML obligations concentrate on life and investment lines (life class I, III, V, capitalisation, pension funds), where the monetary value at stake and the flexibility of the instruments make the sector vulnerable to money-laundering operations. For non-life lines, obligations are mitigated but not eliminated.

5.1 Initial KYC + sanctions/PEP screening

At first contact with a new customer, the broker collects identification data (master data, ID document, tax code, business name if a legal person) and submits them to screening against international sanctions lists (EU, UN, OFAC) and PEP (Politically Exposed Persons) lists. The management system automates screening via API to specialised providers (e.g. World-Check, Dow Jones Risk & Compliance, Refinitiv).

5.2 Enhanced due diligence for high-risk categories

For high-risk AML categories (PEPs, residents in AML-deficient jurisdictions, atypical operations by size or structure) enhanced due diligence applies: identification of the legal person's beneficial owner, independent verification of provided data, internal AML officer's authorisation, stricter monitoring of subsequent operations.

5.3 UIF reporting (when and how)

When suspicious operations emerge (e.g. premium paid in cash for anomalous amounts, immediate surrender of a just-subscribed life policy, repeatedly modified beneficiaries), the broker is required to report to the Italian Financial Intelligence Unit (UIF) at Bank of Italy. Reporting happens via UIF web portal in structured format. The management system supports module pre-filling from case-file data and maintains the register of reports made (for traceability in case of follow-up).

6. Internal operational controls and professional training

Beyond external evidence required during inspection, IVASS expects an internal operational controls system proportionate to broker size. For a mid-sized broker (10-30 collaborators) typical controls include: periodic file review by an internal compliance officer, quarterly verification of underwriting-authority compliance, complaints-register audit to identify problematic patterns, sample-check of IPID delivery proofs.

The professional training register tracks for each RUI registrant: hours performed by macro-area (regulation, products, IT), certificates obtained, training institution, alerts before triennial deadline. NewPicass 14.Net exposes the register as a dashboard and exports it in IVASS-compatible format.

7. IT security: DORA for intermediaries

DORA (EU Reg. 2022/2554, applicable since 17 January 2025) formally applies to EU insurance and reinsurance undertakings, not to intermediaries below certain thresholds. But the practical effect for Italian brokers is significant: principal insurers, subject to DORA, must include the broker in their third-party register and perform IT-system due diligence on it.

For the broker, this means exposing to the principal insurer: ISO/IEC 27001:2023 certification of the software vendor, daily backup attestation and tested disaster recovery, recent penetration-test evidence, exposure of traceable security logs, full GDPR compliance with EU data residency. NewPicass 14.Net covers these requirements as standard through the documented Trust Center.

8. AgID-compliant document preservation

AgID-compliant decade-long preservation is one of the technical pillars of an IVASS-ready management system. Preserved documents are numerous:

Preservation happens with an AgID-accredited Preservation Provider (Aruba, InfoCert, Postel, Namirial) integrated via API in the management system. The flow: document generated by the system, signed, timestamped, sent to the Provider with structured metadata, received in preservation with stamped receipt. All this happens without manual user intervention.

9. Compliance checklist for audit

A practical checklist for the broker who wants to verify their own readiness ahead of an IVASS inspection:

10. Free verification with an IVASS expert

A 45-minute session with one of our IVASS compliance experts, no sales script, for a frank assessment of your current readiness: management-system functional gaps, coverage of the five evidence packs, inspection non-compliance risk, intervention priorities. Output: a concise 3-page document mapping IVASS requirements to your current system's coverage, with priorities ranked by impact. Request the free assessment.

11. Frequently asked questions

Which IVASS regulations apply directly to brokers and intermediaries?

Five main bodies of regulation: Reg. 40/2018 on insurance distribution (IDD transposition); Reg. 41/2018 on customer transparency (IPID, information booklet, distributor identification); Reg. 44/2019 on AML for the insurance sector; Reg. 45/2020 on Product Oversight and Governance (POG) on the distribution side; Reg. 24/2016 and subsequent on continuing professional training. To these add periodic reporting requirements (policy register, claims, complaints) and EIOPA guidelines via IVASS.

What is the RUI and why does it matter when choosing a management system?

The Italian Insurance Intermediaries Register (RUI), kept by IVASS, is the authoritative source on registration of parties authorised to distribute insurance in Italy. Sections matter: A (agents), B (brokers), D (banks, SIMs, Italian Post and other financial intermediaries), E (collaborators of A/B/D registered parties). An IVASS-ready management system verifies via IVASS API the registration of itself and section-E collaborators during onboarding, blocks operations from non-registered parties, tracks any suspensions/cancellations.

What do IVASS inspectors actually check during an on-site inspection?

Inspections concentrate on five recurring "evidence packs": (1) complete, ordered, searchable policies and claims register; (2) IPID and information-booklet delivery proofs to each principal, with timestamp; (3) digital complaints register compliant with Reg. 41 with status and response times; (4) professional training register for each RUI registrant; (5) AML framework applied (KYC, screening, customer profiling, UIF reporting if life/investment lines). A management system generating these five packs on demand in a few clicks drastically reduces inspection exposure time.

How do you practically handle AML for an insurance broker?

The insurance broker is subject to AML obligations under Italian D.Lgs. 231/2007 (Italian implementation of EU directive 2015/849 and subsequent) for life and investment lines, with reduced measures for non-life. Typical workflow includes: customer identification at first contact, screening against sanctions lists and PEP (Politically Exposed Persons), risk profiling (low/medium/high), enhanced due diligence for high-risk categories, decade-long AML documentation preservation, UIF reporting for suspicious operations. NewPicass 14.Net integrates these steps into onboarding and policy management.

Is decade-long preservation mandatory on all documents?

Not on everything, but on a broad perimeter: issued policies and related endorsements, IPID and information booklets with delivery proof, complaints register and traces of responses, AML documentation (identification, screening, enhanced due diligence), relevant PEC communications with insurers and customers, professional training register. The regulatory reference is the Italian Digital Administration Code (D.Lgs. 82/2005, arts. 43-44) and AgID Guidelines 2020. Decade-long preservation happens with an AgID-accredited Preservation Provider (Aruba, InfoCert, Postel, Namirial) natively integrated in the management system.

How do you demonstrate software IVASS-readiness during an inspection?

Three concrete pieces of evidence: (1) the management-system vendor provides a compliance-mapping document (a matrix between each IVASS Reg. 40/41/44 article and the feature covering it); (2) you produce the inspector-requested packs on the fly in standard format (policies register, complaints register, etc.) directly from the interface; (3) you demonstrate the immutable audit trail on a sample of files, showing who did what and when. NewPicass 14.Net provides the pre-packaged compliance mapping in Trust Center under NDA.

Does DORA also apply to insurance brokers and intermediaries?

Not directly: DORA (EU Reg. 2022/2554, applicable since 17 January 2025) formally applies to insurance and reinsurance undertakings, not to intermediaries below certain thresholds. But indirectly yes: principal insurers, subject to DORA, must include the broker in their third-party register and perform IT-system due diligence on it. For the broker this translates into derived IT-security obligations: ISO 27001 certification of the software vendor, backup and DR evidence, accessible audit logs. NewPicass 14.Net covers these requirements as standard.

How do you keep the complaints register compliant?

Reg. 41/2018 requires every intermediary to keep a digital complaints register documenting: receipt date, principal data, complaint subject, activities performed, outcome, closure date. Maximum response time is 45 days. The register must be preserved for ten years and produced during inspection. NewPicass 14.Net natively includes the complaints register with automatic classification, a management workflow with SLA, AgID preservation, and standard export for IVASS.

Can mandatory professional training be tracked in the management system?

Yes. Reg. 24/2016 (and subsequent) requires 60 hours of professional training every 36 months for RUI section A, B, D registrants, and 30 hours for section E. NewPicass 14.Net includes a training module tracking hours performed per person, certificates obtained, deadlines, alerts before the triennial deadline. The register is exportable for IVASS audit.

How much does it cost to bring an existing broker to an IVASS-ready management system?

For a mid-sized broker (3,000-10,000 policies, 5-20 users, 5-15 principal insurers) the typical cost of an IVASS-ready SaaS PAS is EUR 12,000-25,000/year in licences, plus EUR 8,000-20,000 one-off onboarding. Compliance ROI is hard to quantify linearly but measurable on two sides: reduced time to produce evidence during inspection (from weeks to hours), reduced IVASS sanction risk (fines from EUR 5,000 to 1,000,000 for serious Reg. 40 violations). A free assessment session quantifies both sides for your specific perimeter.