Binding rules of conduct for the Group
Compliance with applicable laws and internal standards is binding for all Munich Re (Group) employees. To ensure compliant conduct, we have created Group-wide minimum compliance requirements and suitable prevention and monitoring measures.
Each individual employee at Munich Re (Group) is responsible for compliance. On the basis of the Munich Re (Group) Code of Conduct and additional (self-)commitments for responsible behaviour, all employees are obliged to act in an ethical and reliable manner. In doing so, they are to avoid any activity that might harm Munich Re (Group), and are to take business decisions in compliance with legal provisions, supervisory regulations and internal rules. Our managers have a special responsibility to integrate compliance as a fundamental component into the business processes. They have a role model function for their staff and the obligation to ensure that all actions within their area of responsibility comply with the law, statutes and internal rules. All employees receive the Code of Conduct and additional (self-)commitments for responsible behaviour, and complete an e-learning program on the Code of Conduct.
ERGO attaches the greatest importance to high-quality customer advice. This is reflected in the fact that ERGO joined the Code of Conduct of the German Insurance Association (GDV) for the distribution of insurance products back in 2012. This code commits the participating insurers and their agents not only to high standards in terms of advice and mediation, but also to having their compliance regularly assessed by an independent auditor. KPMG has confirmed ERGO's effectiveness in implementing the contents of the Code for the third time.
Group-wide Compliance Management System (CMS)
To avoid material compliance risks and to pursue our strategy consistently in accordance with rules and laws, Munich Re established a Compliance Management System that defines minimum requirements for the entire Group. Our CMS helps to foster a culture of adherence to rules and standards by Munich Re, its management and its staff – and to monitor compliance with appropriate action.
Our CMS was developed on the basis of external compliance standards such as ISO 19600 and IDW PS 980 from the German Institute of Certified Accountants (IDW) – and carefully tailored to meet Munich Re’s needs. It is regularly reviewed and continuously improved. The CMS provides the methodological framework for the structured implementation of the early-warning, risk-control, advising and monitoring functions.
Munich Re’s CMS is geared to the aforementioned goals and is designed as follows:
Compliance culture
We use a defined framework to support our employees in behaving ethically and compliantly. This includes the Group-wide Code of Conduct as well as our guidelines and standards. Training, advice for managers and staff, and target group-oriented communication of relevant content promote implementation within the Group.
Our staff are required to familiarise themselves with the principles and rules anchored in our Code of Conduct, as well as to regularly complete training in person or via e-learning programs. Annual mandatory tests on selected Code of Conduct topics – such as fighting corruption or complying with antitrust law – help staff to grasp and internalise the training content. In this way staff demonstrate every three years that they understand all aspects of the Code of Conduct.
The compliance norms specify principles and minimum requirements for avoiding and managing material compliance risks within the Munich Re Group.
Compliance objectives
Compliance risk analysis
The assessment of compliance risks includes the systematic identification, analysis and mitigation of such risks. The process is based on a Group-wide coordinated methodology to identify, assess and document risks. The material compliance risks and corresponding mitigation measures are analysed and reported to the Board of Management at least once a year. The main risk areas include data protection, financial sanctions, antitrust law, use of external staff, money laundering, sales compliance, corruption and ESG.
The management of changes to the law is part of our risk assessment, allowing us to evaluate in good time any possible effects of changes in the legal environment. A particular focus in 2025 was the implementation of the legal requirements for using AI.
Compliance programmes
Compliance communication and training
Our Group-wide communication and training courses are aimed at increasing awareness of compliance risks and dealing with them effectively. Both are tailored to the needs of the various German and international Group companies and their respective business models.
For companies within the reinsurance group, ERGO and MEAG, we also offer risk-based training programmes on the specific compliance risks of corruption and bribery, antitrust law, data protection, information security, and insider trading law. Staff must pass mandatory tests on these various subjects every two to three years. Line managers and the compliance organisation continually verify that staff complete all mandatory tests. Where necessary, training content is tailored to meet local requirements.
Each and every staff member is accountable for compliance. We therefore strive to help all staff members and managers by raising awareness of relevant compliance risks and enabling them to make decisions with integrity.
Board of Management members at Group companies also complete training on relevant compliance matters.
One of our top priorities in compliance training is to raise awareness among Munich Re staff with respect to anti-corruption. Anti-corruption training addresses, among other topics, appropriate conduct regarding gifts and hospitality. As a rule, Munich Re staff members complete training every three years on our Code of Conduct, which addresses corruption and bribery, among other subjects. Moreover, staff members in the reinsurance group complete an anti-corruption refresher course every two years. To this end, all Munich Re staff members were required to complete compliance training courses designed to combat bribery and corruption. The effectiveness of training activities is measured by continually monitoring the completion rates for our mandatory tests on the training content.
Compliance monitoring and continuous improvement
Monitoring involves evaluating whether the implemented measures for mitigating material compliance risks are appropriate and effective. It also includes reviewing the defined frameworks and evaluating the design and effectiveness of the controls implemented.
Continuous improvement entails regularly reviewing our CMS and compliance actions on the basis of risk assessments, monitoring and other relevant information from the various specialist departments (audit reports, changes to the law, organisational changes, etc.), and making adjustments if necessary. In this regard, the maturity level of the CMS is determined annually on the basis of quantitative and qualitative surveys and metrics. This includes monitoring of the completion rates of mandatory online tests, for example on anti-corruption, antitrust law, data protection and the Code of Conduct. The same applies to the number of whistleblower reports and other allegations received, as well as to the number, type and severity of compliance violations identified.
Reporting
Whistleblowing
Violations of internal or external rules and regulations may have severe consequences for Munich Re, our Group, our employees as well as our business partners – so preventing and/or identifying misconduct early on protects us all.
In order to fulfil this requirement and live up to our high ethical standards, all of us at Munich Re are responsible for preventing, discovering and responding to potential compliance violations and as such are obliged to report suspected misconduct or violations. Munich Re takes any such indication of potential misconduct or compliance violations very seriously and diligently follows up on any suspicions.
Whistleblowing portal
As one of multiple channels to report potential misconduct and violations, Munich Re offers a secure and confidential whistleblowing portal.
The whistleblowing portal can be found here:
Via our whistleblowing portal, anyone (see FAQ 1) can report potential compliance violations from anywhere in the world, at any time and, if so desired, anonymously.
When using the whistleblowing portal, Whistleblowers will be guided through the reporting process and can choose to file their reports with Group Compliance and Legal (GCL), the group wide Munich Re Ombudsperson and/or – where required by law – the respective compliance function(s) at specific local entities, which will then be responsible for following up on the report(s).
FAQs:
1. Who can report?
2. What can be reported?
Reports may cover potential compliance violations (which occurred or are very likely to occur) relating to, among others:
- Corruption/ Bribery
- Other white collar crime (fraud, embezzlement, etc.)
- Data Protection
- Antitrust/ Competition
- Insider Trading/ Market Manipulation
- Regulatory
- Anti-money laundering (AML)
- Sanctions
- Information Security
- Human Rights or other ESG aspects
as well as other topics that do not necessarily fit into any of the abovementioned categories or that defeat the object or the purpose of any underlying rules or regulations (statutory or internal).
For information on the complaint procedure under the Supply Chain Due Diligence Act (LkSG), please refer to the Rules of Procedure.
3. Why should I report a matter?
Our experience, financial strength, efficiency and first-class service are what make Munich Re the first choice for all matters relating to risk. In addition to competence and performance, we place great emphasis on dealing fairly with our employees and business partners. This includes compliance with statutory regulations, with the company's internal Code of Conduct and the regulations resulting from it.
You may have knowledge of behaviour or circumstances that could damage Munich Re, or in extreme cases, even threaten the company's continued existence. By providing the information, you can make an important contribution to identifying financial or reputational risks at an early stage, thereby preventing losses.
4. Where can I report?
You can choose to report to Group Compliance and Legal (GCL), the group wide Munich Re Ombudsperson and/or – where required by law – the respective compliance function(s) at specific local entities. Your report will only be visible for those compliance functions with whom you want to share the information.
In addition to the whistleblowing portal, individuals may of course also reach out by post, by internal mail or by email to Munich Re’s Central Compliance Department (Group Compliance and Legal (GCL)) at:
Münchener Rückversicherungs-Gesellschaft Aktiengesellschaft
München Group Compliance and Legal
Königinstraße 107
80802 München
Email: group.whistleblowing@munichre.com
In case of personal notification, please make an appointment in advance via email.
- Munich Re’s group wide Ombudsperson Markus Brinkmann. He can be contacted by telephone, post or e-mail (via your office or private PC):
Markus Brinkmann
Partner, Leiter Forensic, Risk & Compliance, CFE
BDO AG Wirtschaftsprüfungsgesellschaft
Fuhlentwiete 12
20355 Hamburg, Germany
In addition, he can be reached from the countries below toll-free on the numbers indicated, which are reserved for his activity as ombudsman:
- Germany: 0800-66 45 89 5
- USA: 866-77 85 03 0
- Canada: 866-65 65 14 5 (direct dial)
- UK: 0808-23 89 57 7
- China (Beijing): 10-800-712-2617
- China (Shanghai): 10-800-120-2617
- Singapore: 800-12 05 333
- Poland: 00-800-12 13 62 9
- Mexico: 001866-38 38 05 2
From all other countries the ombudsman can be reached on the following number (calls charged at normal rates): 0049-40 33 47 53 74 35
The ombudsman can be contacted from 9.00 a.m. to 7.00 p.m. CET. Should he be temporarily unavailable between the above times, you may leave a message on his voicemail.
Email: ombudsmann.mr@bdo.de
Finally, Munich Re employees who become aware or are suspicious of circumstances relating to compliance may first refer these within their immediate work environment, in particular to their line managers, their HR department, or the local/regional compliance officers. The data protection officer in Munich, who is bound to maintain confidentiality, is also available insofar as the protection of personal data is concerned.
Any report is appreciated and retaliation is not to be feared (also refer to FAQ 9). We encourage you to use the above contacts. In addition, anyone may report potential compliance violations to the respective competent authorities in their local jurisdiction.
5. How can I report something?
The input mask is available in German and English. The text input can of course be done in another language. It is free of charge and can be accessed from anywhere in the world and at any time.
You will be guided through the reporting process in five steps, including a categorisation of the reported topic and selection of the compliance function you would like to report to. The incident can be reported in a free text field (up to 5,000 characters) or via upload of a file (up to 5MB). The whistleblowing portal also allows a set-up of a protected mailbox function (“postbox”, see FAQ 6) which allows the responsible compliance function to contact you in case there are any questions.
6. What happens after my report is filed? Do I receive feedback?
The responsible compliance function will follow up on your report, i.e. review the information and where required commence an investigation.
Provided you have chosen to include a communication channel via which the responsible compliance function can contact you (e.g. via a protected mailbox function within the whistleblowing portal), you will also receive an acknowledgment of receipt of your report within seven days and further feedback no later than three months following your report.
We therefore encourage you to set up the protected mailbox function within the whistleblowing portal as this will also allow the responsible compliance function to contact you in case there are any questions.
7. Is my report confidential/anonymous?
Yes, your report is confidential!
You can choose to report anonymously or by name.
Should you decide to give your name, we guarantee that your identity will only be disclosed to those persons directly concerned with processing the case. Once processing of the case has been concluded, your personal data will be deleted again.
Either way, confidentiality and the protection of you as a Whistleblower is the top priority and guiding principle of our whistleblowing portal and all reports will be handled on a strict “need to know” basis. Your report will only be visible for those compliance functions with whom you want to share the information.
Irrespective of the channel(s) used, confidentiality and the protection of those reporting potential compliance violations is the top priority and guiding principle of our whistleblowing portal, and all reports will be handled on a strict “need-to-know” basis.
8. How can I receive an answer, yet at the same time remain anonymous?
The principle of BKMS® is to protect the whistleblower's identity. The system's anonymity protection function is certified and can be verified by you at any time.
Encryption and other special security methods ensure that your report remains anonymous at all times. At no time during the process will you be asked for personal information.
The person in charge of your report will contact you via a secured postbox (also refer to FAQ 6) to provide information about the status of your report or to ask further questions if certain details need to be clarified. Your anonymity will always be protected during this process.
9. Do I have to fear retaliation for my report?
No!
As long as you had reasonable grounds to believe that the information reported was true at the time of your report, you may not suffer any retaliation as a consequence of your report, and any attempted retaliation would in itself be considered a severe compliance violation. If you feel that you are being intimidated or retaliated against as a result of your report, please contact the whistleblowing portal. Such intimidation or retaliation will also be reviewed and, if appropriate, further investigated in accordance with the procedures described above.
Vice versa, suspecting another person of a compliance violation may have serious consequences for those implicated. For that reason, the whistleblowing portal is to be used responsibly. Whistleblowers are encouraged to only provide information whose correctness they are convinced about to the best of their knowledge and belief. If you deliberately make a false report, this would also qualify as a severe compliance violation and may have serious consequences under criminal and labour law.
Foreign Account Tax Compliance Act (FATCA) and Common Reporting Standard (CRS)
Munich Re and its Group companies comply with the identification, due diligence and reporting requirements set out in the Foreign Account Tax Compliance Act (FATCA) and the Common Reporting Standards (CRS).
Completed official W8-, W9- and CRS forms can be requested at any time as a service to our business partners and clients using the form below. Please use the provided form to submit your certificate requests. We regret to inform you that we are unable to respond to email requests.