Governance, Risk Management and Internal Control, Ownership Ratios
Corporate Governance Regulation for Insurance Companies
C 24/2022 Effective from 29/9/2022The Board of Directors,
Having perused Decretal Federal Law No. (14) of 2018 Regarding the Central Bank and Organization of Financial Institutions and Activities and the amendments thereof;
Federal Law No. (6) of 2007 Concerning the Organization of Insurance Operations, the amendments thereof and its Executive Regulations;
Insurance Authority Board of Directors' Decision number (25) of 2014 Pertinent to Financial Regulations for Insurance Companies and Insurance Authority Board of Directors' Decision number (26) of 2014 Pertinent to Financial Regulations for Takaful Insurance Companies;
Cabinet Resolution No. (42) of 2009 Concerning Insurance Company Minimum Capital Regulation, as amended;
And, based on the recommendation of the Governor and the approval of the Board of Directors;
Has resolved,
Introduction
The Central Bank seeks to promote the effective and efficient development and functioning of the insurance sector. To this end, Companies are required to implement comprehensive corporate governance frameworks to ensure their resiliency and enhance overall financial stability. In particular, Companies and Groups must have robust corporate governance policies and processes covering, but not limited to, strategy, organizational structure, the control environment, risk management responsibilities and compensation of Boards and Staff.
In implementing this Regulation and the accompanying Standards, the Central Bank's goal is to ensure that Companies' approaches to corporate governance are in line with leading international standards. The Central Bank expects that each Company will establish and implement a corporate governance framework, which provides for sound and prudent management and oversight of its business and adequately recognizes and protects the interests of policyholders.
This Regulation and the accompanying Standards establish the overarching prudential framework for corporate governance. Regulatory requirements for selected governance areas such as risk management, internal controls, compliance, outsourcing and financial reporting are established in separate Central Bank Regulations and Standards.
This Regulation and the accompanying Standards are issued pursuant to the powers vested in the Central Bank under the Central Bank Law.
This Regulation and the accompanying Standards supplement Federal Law No. (6) of 2007 On the Organization of Insurance Operations, the amendments thereof and its Executive Regulations, the Insurance Authority's Board of Directors' Decision No. (19) of 2020 Concerning the Guidance Manual for Insurance Companies and Related Professions to Submitting the Data, information and Supervisory Reports, the Insurance Authority Board of Directors' Decision number (25) of 2014 Pertinent to Financial Regulations for Insurance Companies, the Insurance Authority Board of Directors' Decision number (26) of 2014 Pertinent to Financial Regulations for Takaful Insurance Companies, and The Insurance Authority's Board of Directors Resolution No (4) of 2010 Concerning the Takaful Insurance Regulations. Additional requirements may be imposed pursuant to decisions to be issued by the Central Bank in this regard.
Objective
The objective of this Regulation is to establish the minimum acceptable standards for Companies' approach to Corporate Governance, with a view to:i. Ensuring the soundness of the Companies; and;
ii. Contributing to financial stability and policyholder protection.
The accompanying Standards supplement the Regulation to elaborate on the supervisory expectations of the Central Bank with respect to Corporate Governance for Companies.The Company's Board is in control of the Company and accordingly ultimately responsible for the Company's Corporate Governance. Since each Company may comply with elements of the minimum requirements of the Regulation and Standards in a different way, the onus is on the Board to demonstrate to the Central Bank that it has implemented a comprehensive approach to Corporate Governance and has met the requirements of the Regulation and Standards. Companies are encouraged to adopt leading practices that exceed the minimum requirements of the Regulation and Standards.
Scope of Application
This Regulation and the accompanying Standards apply to all Companies. Companies established in the UAE with Group relationships including Subsidiaries, Affiliates, or international branches, must ensure that the Regulation and Standards are adhered to on a solo and Group-wide basis.
The Central Bank will apply the principle of proportionality in the enforcement of the Regulation and Standards, whereby smaller Companies may demonstrate to the Central Bank that the objectives are met without necessarily addressing all of the specifics cited therein. The Central Bank will decide on the extent to which a Company is expected to meet the requirements.
Branches of foreign Companies licensed to operate in the State must adhere to this Regulation and Standards, or establish equivalent arrangements so as to ensure regulatory comparability and consistency, with the exception of Article (5) of this Regulation. Branches of foreign Companies must establish local governance structures that meet the objectives of Articles (2), (3) and (4) of this Regulation.
The requirements established within the Regulation and the accompanying Standards are in addition to the provisions relating to Public Joint Stock Companies in the Federal Law No. 32 of 2021 on Commercial Companies (the "Commercial Companies Law"), and the Chairman of Authority's Board of Directors' Resolution No. (3/Chairman) of 2020 Concerning approval of the Public Joint Stock Companies' Governance Guide ("SCA Regulation") or their amendments. In the event of contradiction with any provisions of the SCA Regulation, the requirements of the Central Bank's Regulation and Standards shall prevail.
The Regulation and Standards are equally enforceable and must be complied with.
Article (1): Definitions
The following terms shall have the meaning assigned to them below for the purposes of this Regulation:
1. Affiliate: An entity that, directly or indirectly, controls, is controlled by, or is under common control with another entity. The term control as used herein shall mean the holding, directly or indirectly, of voting rights in another entity, or of the power to direct or cause the direction of the management of another entity.
2. Authorised Manager: The person appointed by the foreign insurance company to manage its branch in the State.
3. Board: The Company's board of directors.
4. Central Bank: The Central Bank of the United Arab Emirates.
5. Central Bank Law: Decretal Federal Law No. (14) of 2018 Regarding the Central Bank and Organization of Financial Institutions and Activities, as amended.
6. Chief Executive Officer: The most senior executive appointed by the Board; and in the case of foreign branches, this refers to the Authorized Manager.
7. Company: The insurance company incorporated in the State, and the foreign branch of an insurance company, that is licensed to underwrite primary insurance and reinsurance, including Takaful insurance companies.
8. Compliance with Islamic Shari’ah: refers to compliance with Shari’ah in accordance with:
a. cresolutions, fatwas, regulations, and standards issued by the Higher Shari’ah Authority in relation to the Company's activities and businesses ("HSA's Resolutions"), and
b. resolutions and fatwas issued by the Internal Shariah Supervision Committee ("ISSC") of the Company, in relation to its activities and businesses ("the Committee's Resolutions"), provided they do not contradict HSA's Resolutions.
9. Conflict of Interest: A situation of actual or perceived conflict between the duty and private interests of a person, which could improperly influence the performance of his/her duties and responsibilities.
10. Control Function: Function (whether in the form of a person, unit or department) that has a responsibility in a Company to provide objective assessment, reporting and/or assurance; this includes the risk management, compliance, actuarial, internal audit and where applicable Shari’ah control and Shari’ah audit functions.
11. Controlling Shareholder: A shareholder who has the ability to directly or indirectly influence or control the appointment of the majority of the Board, or the decisions made by the Board or by the general assembly of the Company, through the ownership of a percentage of the shares or stocks or under an agreement or other arrangement providing for such influence.
12. Corporate Governance: A set of relationships between a Company's Board, Senior Management, customers and other stakeholders; and a structure through which the objectives of the Company are set, and the means of attaining those objectives and monitoring performance are determined.
13. Duty of Care: The duty to decide and act on an informed and prudent basis with respect to the Company. Often interpreted as requiring a member of the Board to approach the affairs of the Company and policyholders ahead of his/her own interests.
14. Duty of Confidentiality: The duty to observe confidentiality applies to all information of a confidential nature with which a member of the Board is entrusted by the Company or which is brought to his or her attention during or at any time after the carrying out of his/her assignment.
15. Duty of Loyalty: The duty to act in the good faith in the interest of the Company. The duty of loyalty should prevent individual Members of the Board from acting in their own interest, or the interest of another individual or group, at the expense of the Company and shareholders.
16. Financial Regulations: Insurance Authority Board of Directors’ Decision number (25) of 2014 Pertinent to Financial Regulations for Insurance Companies and the Insurance Authority Board of Directors’ Decision number (26) of 2014 Pertinent to Financial Regulations for Takaful Insurance Companies.
17. Fit and Proper Process: The evaluation of a Company's proposed members of the Board, Senior Management and other persons as determined by the Central Bank from time to time, in terms of expertise and integrity. The specific fit and proper criteria are listed in article 5.20.e.l of the Standards.
18. Government: The UAE Federal Government or one of the governments of the member Emirates of the Union.
19. Group: A group of entities which includes an entity (the ‘first entity’) and:
a. any Parent of the first entity;
b. any Subsidiary of the first entity or of any Parent of the first entity;
c. any Affiliate
20. Higher Sharfah Authority: The Higher Shari’ah Authority that was established at the Central Bank.
21. Independent Member of the Board: A member of the Board who has no relationship with the Company or Group that could lead to benefit which may affect his/her decisions. He/she must not be under any other undue influence, internal or external, ownership or control, which would impede the Independent Member's exercise of objective judgment. The Independent Member of the Board forfeits his/her independence in the cases specified in Article 5.7 of the Standards.
22. Insurance Agent: The person approved and authorised by the Company to carry out insurance operations on behalf of the Company or any of its branches.
23. Insurance Broker: The person who independently intermediates in insurance and reinsurance operations between the applicant of the insurance or reinsurance on one side and any insurance or reinsurance company on the other side and receives for his efforts commission from the insurance company or the reinsurance company with which the insurance or the reinsurance has been accomplished.
24. Material Risk Takers: Staff whose work is deemed to have a significant impact on the overall risk profile of the Company or the Group.
25. Non-Executive Member of the Board: A member of the Board who does not have any management responsibilities within the Company, and may or may not qualify as an Independent Member of the Board.
26. Parent: An entity (the ‘first entity’) which:
a. holds a majority of the voting rights in another entity (the ‘second entity’);
b. is a shareholder of the second entity and has the right to appoint or remove a majority of the Board of directors or managers of the second entity; or
c. is a shareholder of the second entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the second entity; or
d. if the second entity is a subsidiary of another entity which is itself a subsidiary of the first entity.
27. Public Joint Stock Company: A Public Joint Stock Company is a company whose capital is divided into equal and negotiable shares. The founders shall subscribe to part of such shares while the other shares are to be offered to the public under a public subscription. A shareholder shall be liable only to the extent of his share in the capital of the company, as per the Commercial Companies Law.
28. Regulations: Any resolution, regulation, circular, rule, standard or notice issued by the Central Bank.
29. Relatives: Father, mother, brother, sister, children, spouse, father-in-law, mother-in-law and children of the spouse.
30. Related Parties: The Group and its Controlling Shareholders, members of the Board and Senior Management (and their Relatives) and persons with control, joint control or significant influence over the Company (and their Relatives).
31. Related Party Transactions: Include onbalance sheet and off-balance sheet credit exposures and claims as well as dealings such as service contracts, asset purchases and sales, construction contracts, lease agreements, derivative transactions, borrowings, and writeoffs. The term transaction incorporates not only transactions that are entered into with Related Parties but also situations in which an unrelated party (with whom a Company has an existing exposure) subsequently becomes a Related Party; disclosures must reflect all Related Party events and transactions for the financial period.
32. Risk Appetite: The aggregate level and types of risk a Company is willing to assume, within its risk capacity, to achieve its strategic objectives and business plan.
33. Risk Governance Framework: As part of the overall approach to Corporate Governance, the framework through which the Board and Senior Management establish and make decisions about the Company's strategy and risk approach; articulate and monitor adherence to the Risk Appetite and risks limits relative to the Company's strategy; and identify, measure, manage and control risks.
34. Senior Management: The individuals or body responsible for managing the Company on a day-to-day basis in accordance with strategies, policies and procedures set out by the Board, generally including, but not limited to, the Chief Executive Officer, chief financial officer, chief risk officer, and heads of the compliance and internal audit functions.
35. State: The United Arab Emirates.
36. Subsidiary: An entity (the ‘first entity’) is a subsidiary of another entity (the ‘second entity’) if the second entity:
a. holds a majority of the voting rights in the first entity;
b. is a shareholder of the first entity and has the right to appoint or remove a majority of the Board of directors or managers of the first entity; or
c. if the first entity is a subsidiary of another entity which is itself a subsidiary of the second entity.
37. Staff: All the persons working for a Company including the members of Senior Management, except for the members of its Board.
38. Takaful Insurance: A collective contractual arrangement aiming at achieving cooperation among a group of participants against certain risks whereby each participant pays certain contribution amount to form an account called the participants’ account through which entitled compensations are paid to the member in respect of whom the risk has realized. The Takaful Insurance company shall manage this account and invest the funds collected therein against certain compensation.
39. Takaful Regulation: The Insurance Authority's Board of Directors Resolution No (4) of 2010 Concerning the Takaful Insurance Regulations, as amended from time to time.
Article (2): Corporate Governance Framework
1. A Company must have a Corporate Governance framework that offers comprehensive management and oversight of the Company's business in a manner that protects the rights of policyholders.
2. The Corporate Governance framework must contain the following components, at a minimum:
a. Policies that define and support the Company's strategy and objectives.
b. Definition of the roles and responsibilities of persons accountable for management and oversight.
c. Description on the manner in which decisions are taken.
d. Sound compensation practices.
e. Requirements for active engagement and communication with the Central Bank relating to the management and oversight of the Company.
f. Corrective actions for non-compliance or weak oversight, controls or management.
g. An appropriate corporate culture that promotes integrity, transparency and accountability, which leads to achieving the Company's long-term objectives and the protection of the rights of policyholders and other stakeholders.
3. A Company must establish a transparent organisational structure, at the entity level and Group-wide level if applicable, that supports its objectives, including executing the key responsibilities of the Board and specifying any delegations and the key responsibilities and authorities of its committees, Senior Management and key persons in Control Functions. In this context key persons in Control Functions refers to persons responsible for heading control functions. Groups must ensure that their Corporate Governance frameworks are appropriate to their structure, business and risks.
4. The Board and Senior Management must understand the Group organisational structures, both at the level of the legal entity and business line, and the origin and responsibility for risks posed.
5. The Board is responsible for establishing and operating a clear governance framework for the Group, which must be appropriate to the structure, business and risks of the parent Company and all its related entities, including subsidiaries, Affiliates and international branches.
6. When setting up a Group, the following factors must be taken into consideration, at both the Group and entity levels:
a. Clear division of roles and responsibilities
b. Legal obligations, governance and risks associated at each level
c. Effective coordination and communication.
7. The Board must exercise appropriate/due oversight over the Group while respecting the independent legal and governance responsibilities that might apply to the individual entities.
Article (3): Oversight and Management Responsibilities
1. The Board must ensure that a Company and, if applicable, Group has in place robust Corporate Governance policies and processes commensurate with its risk profile and the nature and scale of activity. Such policies must be based on clear segregation between the oversight function and the management responsibilities.
2. The Board must ensure that there is a clear allocation of roles and responsibilities to the Board as a whole, to committees of the Board, to Senior Management and key persons in Control Functions, in a manner that guarantees appropriate segregation of duties. The Board must supervise Senior Management through creating a flexible and transparent organisational structure that guarantees the timely flow of information to decision makers, the accountability of Senior Management towards the Board and the accountability of Board Members towards shareholders and other stakeholders.
3. The Board must oversee Senior Management and their performance in order to ensure that the Company's activities are carried out in a manner consistent with the business strategy, Risk Governance Framework, compensation and other policies approved by the Board.
4. The Board must establish a Fit and Proper Process for the selection and continued assessment of Board members, Senior Management, including key persons in Control Functions and other persons as determined by the Central Bank from time to time, and the maintenance of succession plans for Board members and Senior Management. The Board must set appropriate standards for performance, compensation and on-going training and development in line with business operations for all Staff, consistent with the long-term strategy of the Company.
5. The Board must properly disclose the financial status of the Company, and is required to provide the Central Bank with such information in a timely manner in accordance with the applicable legal framework in the State and Regulations.
6. The Board must take the necessary measures to prevent any Board member from attaining personal gain at the cost of the Company's interests.
7. The Board must approve a compensation policy that is applicable to all Staff, which does not encourage excessive risk taking and must be in line with the Company's strategy and Risk Governance Framework.
8. The Board may delegate some of its tasks, under clear and well-defined terms, in a manner that does not create undue concentration of powers with the potential to influence the Company's business negatively.
9. A Company offering Takaful Insurance must demonstrate full Compliance with Islamic Shari'ah rules and establish a sound and effective Shari'ah governance framework with the key mechanisms and functionalities to ensure effective and independent Shari'ah oversight, as per the requirements set out by the Central Bank and the Higher Shari'ah Authority.
Article (4): Corporate Culture, Business Objectives and Strategies
1. The Board must set the strategies and policies for the Company, and for supervising Senior Management in implementing the business and risk strategy to ensure that the Company meets its goals, leaving daily function responsibilities to Senior Management. Strategies and polices must cover fair treatment of policyholders; Risk Appetite; choice of lines of insurance; introduction of new products; appointing competent persons with relevant qualifications commensurate with their roles and responsibilities; pricing underwriting; provision of reinsurance cover; investment; asset-liability management and the assessment of solvency requirements.
2. The Board must establish, communicate and oversee the implementation of corporate culture and values by reinforcing appropriate norms for responsible and ethical behaviour. The Board must set the "tone from the top", particularly as it relates to the ethical behavior expectations of Staff, through approving supporting policies, including, but not limited to, a written code of conduct, a conflict of interest policy, a whistleblowing policy mechanism and an insider trading policy.
3. A Company must enter into all transactions with Related Parties on an arm's length basis, monitor these transactions, and take appropriate steps to control or mitigate the risks to Related Parties in accordance with Board approved policies and procedures.
4. The Central Bank may set, on a general or case-by-case basis, limits for exposures to Related Parties, deduct such exposures from capital when assessing capital adequacy, or require collateralisation of such exposures.
5. The allocation of responsibilities to individual Board members to serve on one of the Board's committees must take account of whether the relevant Board member exercises the independence and objectivity required to carry out the functions of the said committee. Oversight of executive functions should be performed by the non-executive Board members.
Article (5): Structure and Governance of the Board
1. A Company's Board must be sufficiently diverse in its composition. Collectively, the Board must have knowledge of all significant businesses of the Company and, if applicable, the Group. The Board must have, and continue to maintain, an appropriate balance of skills, diversity and expertise commensurate with the size, nature of activities, complexity and risk profile of the Company and, if applicable, the Group. Such skills include, but are not limited to, the lines of insurance underwritten by the Company, actuarial and underwriting risks, investment analysis, the role of control functions, finance, accounting and obligations related to fair treatment of customers.
2. A Company's Board must be comprised of at least seven (7) members and a maximum of eleven (11) members, each with a maximum three (3) year renewable term of membership. All members of the Board must be Non-Executive, of which at least one third (1/3) must be Independent Members. It is recommended the chair of the Board is an independent Member of the Board. The Board should not contain any executive members with management responsibilities in the Company.
3. The Chairman and the majority of members of the Board must be UAE nationals.
4. The maximum tenure as an Independent Member of the Board in the same Company is twelve (12) consecutive years from the date of his/her first appointment. At the expiration of the tenure, the Member is no longer regarded as Independent. On the effective date of this Regulation the calculation of the twelve (12) years will consider the time already spent by a Board member in his/her directorship at the Company. Independence of a Board member shall not be affected solely on the basis of being an employee of the parent company or any of its subsidiaries if any of them is a Government entity or a company owned by at least 75% by the Government or any of its subsidiaries.
5. a. The Chairman and the members of the Board must prevent or manage conflicts of interest, and, in particular, must not:
1. Participate in managing other Companies.
2. Compete with the Company's operations or perform any actions or activities in a private or business capacity that could conflict with the Company's interests.
3. Carry out operations of an Insurance Agent or an Insurance Broker.
4. Receive any commission from any insurance operation.
b. A member of the Board must obtain permission from the Company's Board before accepting nomination to serve on another board of a Public Joint Stock Company (PJSC) and no conflict of interest must be present. The provisions of this Article shall apply equally to persons appointed by a Government shareholder.
6. A member of the Board may hold membership in the Board of only one (1) Company in the UAE. A member of the Board may hold memberships in the boards of up to a total of five (5) PJSCs in the UAE including the Company's Board. Board memberships of PJSCs inside the Group are included within this limit.
7. If the Government owns 5% or more of the Company's capital, it may appoint persons to represent it on the Board with the same proportion to the number of members of the Board. At least one member shall be appointed if the percentage required for appointing a member exceeds that percentage. A Government-owned Company's Board composition must allow the exercise of objective and independent judgment
8. At least 20% of candidates for consideration for the Board's membership must be female.
9. The non-objection of the Central Bank must be obtained prior to the nomination, appointment or renewal of any person for membership of the Board. In all cases, a Company must immediately notify the Central Bank if it becomes aware of any material information that may negatively affect the fit and proper assessment of a member of the Board. The non-objection of the Central Bank must be obtained prior to the removal of a member of the Board during his/her term of membership.
10. The Board must meet at least six (6) times a year. The Company must appoint a secretary to the Board who is not a member of the Board and independent of the Company's management. The Board and its committees must maintain appropriate minutes, which reflect details of issues discussed, recommendations made, decisions taken, rationales and dissenting opinions.
11. a. The chair of the Board is responsible for providing leadership and for the overall effective functioning of the Board and its committees.
b. The Board may delegate specific authority, but not its responsibilities, to specialized Board committees. Each committee created by the Board must have an approved charter or other instrument that sets out its membership, mandate, scope, working procedures and means of accountability to the Board. The committees must have access to resources and to external expert advice, where needed, to ensure a collective balance of skills and expert knowledge commensurate with the nature of business, operations and complexity of the Company and the duties to be performed.
c. The Board and its committees may invite members of the Company's staff and external independent experts to attend meetings as deemed appropriate. In this context external independent experts include, but are not limited to, risk management consultants and actuarial and reinsurance professionals. Staff of the Central Bank may attend meetings of the Board and/or its committees and shall have access to their minutes and any other relevant documents.
d. The Board operational structure must include committees with responsibilities for audit, risk, nomination, investment and compensation. The Board may also establish other specialised committees (e.g. ethics, assets and liabilities).
e. The audit and risk committees must not be merged neither with each other, nor with any other Board committees. Both committees' chairs must be Independent Members of the Board, who are distinct from the chair of the Board and the chairs of other committees. The audit committee must be made up of a majority of Independent Members of the Board and include members who collectively have experience in audit practices, financial reporting, accounting and an understanding of risk management. It is recommended that the audit committee be made up of only Independent Members of the Board. The risk committee must be made up of a majority of Independent Members of the Board and include members who individually have noteworthy experience in risk management issues, practices, challenges and mitigation techniques.
f. Companies may merge the nomination and compensation committees.
12. The Board must carry out annual assessments, alone or with the assistance of external experts, of the functioning of the Board as a whole, its committees, and individual members.
13. The Board must periodically review and make recommendations to update the Company's memorandum of incorporation/articles of association if needed, along with procedural rules or other similar documents setting out its organisation responsibilities and key activities.
Article (6): Duties of Individual Board Members
1. Members of the Board must act in good faith, honesty and integrity while exercising their Duty of Care, Duty of Confidentiality and Duty of Loyalty. They are responsible for ensuring effective control over the Company's entire business.
2. Members of the Board must disclose to the Board, in a timely manner, any potential Conflict of Interest or apparent Conflict of Interest.
3. Members of the Board must exercise independent judgement and objectivity in their decision-making taking into account the interests of the Company, policyholders and stakeholders.
Article (7): Duties Related to Risk Management and Internal Controls
1. A Company must have an appropriate Risk Governance Framework that provides a Company-wide and, if applicable, Group-wide view of all material risks pursuant to the Financial Regulation and Takaful Regulation, as the case may be. This includes policies, processes, procedures, systems and controls to identify, measure, evaluate, monitor, report, and control or mitigate material sources of risk, on a timely basis. The Company's risk management function must be independent of the management and decision-making of the Company's risk-taking functions and have a direct reporting line to the Board and/or the Board risk committee.
2. The Board is responsible for the design and implementation of effective risk management systems and internal controls, approving and overseeing implementation of the Company's Risk Governance Framework and the alignment of its strategic objectives with its Risk Appetite.
3. a. A Company must have strong internal control frameworks pursuant to the Financial Regulations and Takaful Regulation, as the case may be, and establish permanent, independent and effective compliance and internal audit functions, and where applicable Compliance with Islamic Sharia'ah and internal Shari'ah audit. The Company's compliance function must have primary reporting obligations to the Chief Executive Officer and a right of direct access to the Board, the Board audit committee and Board risk committee. The Company's internal audit function must report directly to the Board or the Board audit committee.
b. The Company's actuarial function must have primary reporting obligations to the Chief Executive Officer and a right of direct access to the Board or the Board audit committee and/or Board risk committee. Further governance requirements for internal control and internal audit are contained in the accompanying Standards.
Article (8): Duties Related to Compensation
1. A Company must have a Board-approved compensation system that supports sound Corporate Governance and risk management, including appropriate incentives aligned with prudent risk-taking. Performance standards must be consistent with the long-term sustainability and financial soundness of the Company.
2. The Board, must approve the compensation of Senior Management and oversee the development and operation of compensation policies, systems and related control processes.
3. Compensation outcomes must be symmetric with risk outcomes. Compensation payout schedules must be sensitive to the time horizon of risks through arrangements that defer a sufficiently large portion of the compensation until risk outcomes become better known. The compensation framework must provide for mechanisms to adjust variable compensation, including through in year adjustment, and malus or clawback arrangements, which can reduce variable compensation after it is awarded or paid. Any arrangement conducted after the effective date of this Regulation must take claw backs and deferrals into consideration.
4. Members of the Board must be compensated only with fixed compensation comprising the payment of an annual fixed amount and the reimbursement of costs directly related to the discharge of their responsibilities. Bonus or any incentive-based mechanisms based on the performance of the Company must be excluded.
5. The compensation of Staff in the control functions of risk management, compliance and internal audit must be predominantly fixed, to reflect the nature of their responsibilities; and determined independently of the performance of the Company. The variable compensation must be based on performance targets related to their functions and independent of the lines of business they monitor and control.
6. For Senior Management and Material Risk Takers, a proportion of the total compensation must be performance-based. Provisions must be included so that compensation can be reduced or reversed based on realised risks and violations of laws, Regulations, codes of conduct or other policies, before compensation vests.
7. The annual individual bonus for Senior Management and Material Risk Takers must not exceed 100% of the fixed proportion of their total compensation. A higher bonus of up to 150% must be approved by the Board. A bonus of up to 200%) requires approval by the general assembly of the Company.
8. The annual total bonus for all Staff must generally not exceed 5% of the Company's net profit. A higher bonus must be approved by the General Assembly of the Company before disbursement, along with an attestation signed by all members of the Board that the Company is in compliance with all relevant laws and Regulations issued by the Central Bank.
Article (9): Financial Reporting and External Audit
A Company must maintain appropriate records; prepare financial statements in accordance with the International Financial Reporting Standards (IFRS) frameworks pursuant to the Financial Regulations and Takaful Regulation, as the case may be, and the instructions of the Central Bank; and publish annual financial statements bearing the opinion of an external auditor approved by the Central Bank. Governance requirements for financial reporting and external audit must be adhered to according to the accompanying Standards, Financial Regulations, and Insurance Authority's Broad of Directors' Decision No. (19) of 2020 Concerning the Guidance Manual for Insurance Companies and Related Professions to Submitting the Data, Information and Supervisory Reports.
Article (10): Communications
1. The Company's Corporate Governance policies and processes must ensure effective engagement with the Central Bank, and that timely and accurate disclosure is made on all material matters regarding the Company, including the financial situation, performance, ownership, and governance of the Company.
2. A Company must publish a comprehensive Corporate Governance statement in a clearly identifiable section of its annual report. In this regard, Corporate Governance statement refers to a periodic, integrated report that clarifies the relations between the operational and functional units of the Company and the resources they use or affect thereon. The main purpose of the Corporate Governance statement is to submit an integrated image about the operational sustainability of the Company.
More frequent disclosure of Corporate Governance matters is encouraged.
3. A Company must include in its Corporate Governance statement, the following, at a minimum:
a. clear, comprehensive and timely information about its compensation practices to facilitate constructive engagement with all stakeholders.
b. details of transactions with Related Parties during the reporting period and the aggregate amount of all Related Party exposures at the end of the reporting period.
c. an attestation in the form of a detailed report must be signed by the chair of the Board (or, in the case of a branch of a foreign Company, the Authorized Manager), confirming that all internal policies required to ensure compliance with the Central Bank's Regulations and Standards on Corporate Governance, risk management, internal controls, compliance, internal audit, financial reporting, external audit, outsourcing and, where applicable, Compliance with Islamic Sharia'ah and internal Sharia'ah audit, have been implemented and reviewed for adequacy by the Board, within the last year. Otherwise, the attestation must specify those requirements not met and the date by which the Company intends to comply fully.
Article (11): Duties of Senior Management
1. A Company must have a clearly defined organisational structure and decision-making process with authorities delegated by the Board to Senior Management.
2. Under the direction and oversight of the Board, Senior Management must carry out and manage the Company's activities in a manner consistent with the business strategy, Risk Appetite, compensation and other policies approved by the Board. They must also promote rigorous risk management and internal controls through personal conduct and transparent policies.
3. Senior Management must provide the Board with the information it requires to carry out its responsibilities, including the supervision and assessment of the performance of Senior Management.
4. Senior Management must report and take timely remedial action towards any breach of any applicable laws and Regulations or internal policies, and must maintain adequate and orderly records of the Company.
5. A member of Senior Management may not hold a Staff position in any other entity, neither inside nor outside of the Group, where applicable. A member of Senior Management may hold memberships in the boards of up to two (2) non-insurance entities outside of the Group. In addition, the members of Senior Management, with the exception of chief risk officers and heads of the compliance and internal audit functions, may hold memberships in the boards of entities inside the insurance Group. The member of Senior Management must obtain approval from the Board before accepting nomination to serve on a board in any other entity; and no conflict of interest must be present.
6. The non-objection of the Central Bank must be obtained prior to the appointment or renewal of employment contracts of any member of Senior Management and other persons as determined by the Central Bank from time to time. In all cases, a Company must immediately notify the Central Bank if it becomes aware of any material information that may negatively affect the fit and proper assessment of a member of Senior Management or any other person determined by the Central Bank.
7. a. Senior Management are subject to the same requirements as specified in sub-article (5) of Article (5) of this Regulation.
b. Staff, including Senior Management, may not represent on the Board, any of the shareholders of the Company.
Article (12): Takaful Insurance
1. A Company offering Takaful Insurance products must ensure that its Corporate Governance framework complies with the Takaful Regulation, and provides for:
a. Internal Shari'ah controls review and Shari'ah governance reporting to ensure compliance with Shari'ah rules;
b. The processes and controls for protecting the rights of the participants in line with the general terms and conditions and Shari'ah requirements;
c. Establishment of the ISSC in the governance of the Company; and
d. Transparency of financial reporting in respect of the participants' rights.
2. A Company offering Takaful Insurance must ensure compliance with the Takaful Regulation and any direction or guidance issued by the Higher Shari'ah Authority with respect to its Shari'ah governance framework.
3. A Company offering Takaful Insurance must immediately notify the Central Bank if it becomes aware of any material information that may negatively affect the fit and proper assessment or independence of an ISSC member.
4. A Company offering Takaful Insurance must issue an annual Shari'ah report stating the extent of the company's Compliance with Islamic Shari'ah and publish it within the financial statement in the Company's disclosures and other available means.
Article (13) The General Assembly
1. In all cases, the national shareholding percentage should not be less than the percentage specified in Cabinet Resolution No. (42) of 2009 Concerning Insurance Company Minimum Capital Regulation, as amended;
2. a. The Board and shareholders of a Company must ensure that national shareholding is in accordance with the minimum requirements set out in sub-article (1) of Article (13) of this Regulation and shall take reasonable measures to achieve compliance with this minimum requirement.
b. The Board shall ensure that voting decisions of a shareholder, or shareholders, at a general assembly meeting comply fully with the Central Bank Law and Federal Law No. (6) of 2007 Concerning the Organization of Insurance Operations.
3. Companies must inform the Central Bank at the time of the invitation by the Company's Board to a general assembly meeting when a proposed shareholding change is on the agenda.
4. The Central Bank may send one or more representatives to attend a general assembly meeting including when a proposed shareholding change is on the agenda, without having any right to vote. The presence of such representatives shall be stated in the minutes of meeting.
5. a. The Central Bank may take all measures it deems appropriate to maintain conduct of operations of Companies, within the frameworks and limits set by the Board of Directors of the Central Bank.
b. The Central Bank may:
1. Request to hold a meeting of a general assembly of the Company to discuss any issue the Central Bank deems important;
2. Request to include any item that the Central Bank deems necessary into the agenda of a general assembly meeting of the Company;
3. Stop the implementation of any decision issued by a general assembly of the Company in the event that it violates the laws or Regulations in force.
Article (14): Enforcement and Sanctions
1. Violation of any provision of this Regulation and the accompanying Standards may be subject to supervisory action and sanctions as deemed appropriate by the Central Bank.
2. Without prejudice to the provisions of the Central Bank Law, supervisory action and sanctions by the Central Bank may include withdrawing, replacing or restricting the powers of Senior Management or members of the Board, providing for the interim management of the Company, or barring individuals from the UAE insurance sector.
Article (15): Interpretation of Regulation
The Regulatory Development Division of the Central Bank shall be the reference for interpretation of the provisions of this Regulation.
Article (16): Publication and Application
1. This Regulation and the accompanying Standards shall be published in the Official Gazette in both Arabic and English and shall come into effect one month from the date of publication.
2. On the effective date of this Regulation, any Company which does not comply with this Regulation and the accompanying Standards, must, within ninety (90) days, provide the Central Bank with a detailed plan for coming into compliance with the requirements herein. The Central Bank will decide on the adequacy of the proposed plan. The plan should not exceed three years to ensure full compliance with requirements of this Regulation.
Corporate Governance Standards for Insurance Companies
C 24/2022 STAIntroduction
1. These Standards form part of the Corporate Governance Regulation (Circular No. 24/2022). All Insurance Companies must comply with these Standards, which expand on the Regulation. These Standards are mandatory and enforceable in the same manner as the Regulation. 2. The Standards follow the structure of the Regulation, with each article corresponding to the specific article in the Regulation.
1. Definitions
1. Affiliate: An entity that, directly or indirectly, controls, is controlled by, or is under common control with another entity. The term control as used herein shall mean the holding, directly or indirectly, of voting rights in another entity, or of the power to direct or cause the direction of the management of another entity. 2. Authorised Manager: The person appointed by the foreign insurance company to manage its branch in the State. 3. Board: The Company’s board of directors. 4. Central Bank: The Central Bank of the United Arab Emirates. 5. Chief Executive Officer: The most senior executive appointed by the Board, and in the case of foreign branches, this refers to the Authorised Manager. 6. Company: The insurance company incorporated in the State, and the foreign branch of an insurance company, that is licensed to underwrite primary insurance and reinsurance, including Takaful insurance companies. 7. Compliance with Islamic Shari’ah: Refers to compliance with Shari’ah in accordance with:a. resolutions, fatwas, regulations, and standards issued by the Higher Shari’ah Authority in relation to the Company’s activities and businesses (“HSA’s Resolutions”), and b. resolutions and fatwas issued by the Internal Shari`ah Supervision Committee (“ISSC”) of the Company, in relation to its activities and businesses (“the Committee’s Resolutions”), provided they do not contradict HSA’s Resolutions. 8. Conflict of Interest: A situation of actual or perceived conflict between the duty and private interests of a person, which could improperly influence the performance of his/her duties and responsibilities. 9. Control Functions: Function (whether in the form of a person, unit or department) that has a responsibility in a Company to provide objective assessment, reporting and/or assurance; this includes the risk management, compliance, actuarial, internal audit, and where applicable Shari’ah control and Shari’ah audit functions. 10. Controlling Shareholder: A shareholder who has the ability to directly or indirectly influence or control the appointment of the majority of the Board, or the decisions made by the Board or by the general assembly of the Company, through the ownership of a percentage of the shares or stocks or under an agreement or other arrangement providing for such influence. 11. Corporate Governance: A set of relationships between a Company’s Board, Senior Management, customers and other stakeholders; and a structure through which the objectives of the Company are set, and the means of attaining those objectives and monitoring performance are determined. 12. Duty of Care: The duty to decide and act on an informed and prudent basis with respect to the Company. Often interpreted as requiring a member of the Board to approach the affairs of the Company and policyholders ahead of his/her own interests. 13. Duty of Confidentiality: The duty to observe confidentiality applies to all information of a confidential nature with which a member of the Board is entrusted by the Company or which is brought to his or her attention during or at any time after the carrying out of his/her assignment. 14. Duty of Loyalty: The duty to act in the good faith in the interest of the Company. The duty of loyalty should prevent individual members of the Board from acting in their own interest, or the interest of another individual or group, at the expense of the Company and shareholders. 15. Financial Regulations: Insurance Authority Board of Directors’ Decision number (25) of 2014 Pertinent to Financial Regulations for Insurance Companies and the Insurance Authority Board of Directors’ Decision number (26) of 2014 Pertinent to Financial Regulations for Takaful Insurance Companies. 16. Fit and Proper Process: The evaluation of a Company’s proposed members of the Board, Senior Management and other persons as determined by the Central Bank from time to time, in terms of expertise and integrity. The specific fit and proper criteria are listed in article 5.20.e.1 of the Standards. 17. Government: The UAE Federal Government or one of the governments of the member Emirates of the Union. 18. Group: A group of entities which includes an entity (the ‘first entity’) and:a. any Parent of the first entity;
b. any Subsidiary of the first entity or of any Parent of the first entity;
c. any Affiliate. 19. Higher Shari`ah Authority: The Higher Shari`ah Authority that was established at the Central Bank. 20. Independent Member of the Board: A member of the Board who has no relationship with the Company or Group that could lead to benefit which may affect his/her decisions. He/she must not be under any other undue influence, internal or external, ownership or control, which would impede the Independent Member’s exercise of objective judgment. The Independent Member of the Board forfeits his/her independence in the cases specified in Article 5.7 of the Standards. 21. Material Risk Takers: Staff whose work is deemed to have a significant impact on the overall risk profile of the Company or the Group. 22. Regulations: Any resolution, regulation, circular, rule, standard or notice issued by the Central Bank. 23. Relatives: Father, mother, brother, sister, children, spouse, father-in-law, mother-in-law and children of the spouse. 24. Related Parties: The Group and its Controlling Shareholders, members of the Board and Senior Management (and their Relatives) and persons with control, joint control or significant influence over the Company (and their Relatives). 25. Related Party Transactions: Include on-balance sheet and off-balance sheet credit exposures and claims as well as dealings such as service contracts, asset purchases and sales, construction contracts, lease agreements, derivative transactions, borrowings, and write-offs. The term transaction incorporates not only transactions that are entered into with Related Parties but also situations in which an unrelated party (with whom a Company has an existing exposure) subsequently becomes a Related Party; disclosures must reflect all Related Party events and transactions for the financial period. 26. Risk Appetite: The aggregate level and types of risk a Company is willing to assume, within its risk capacity, to achieve its strategic objectives and business plan. 27. Risk Governance Framework: As part of the overall approach to Corporate Governance, the framework through which the Board and Senior Management establish and make decisions about the Company’s strategy and risk approach; articulate and monitor adherence to the Risk Appetite and risks limits relative to the Company’s strategy; and identify, measure, manage and control risks. 28. Senior Management: The individuals or body responsible for managing the Company on a day-to-day basis in accordance with strategies, policies and procedures set out by the Board, generally including, but not limited to, the Chief Executive Officer, chief financial officer, chief risk officer, and heads of the compliance and internal audit functions. 29. State: The United Arab Emirates. 30. Subsidiary: An entity (the 'first entity') is a subsidiary of another entity (the 'second entity') if the second entity:a. holds a majority of the voting rights in the first entity;
b. is a shareholder of the first entity and has the right to appoint or remove a majority of the Board of directors or managers of the first entity; or
c. is a shareholder of the first entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the first entity; or
d. if the first entity is a subsidiary of another entity which is itself a subsidiary of the second entity. 31. Staff: All the persons working for a Company including the members of Senior Management, except for the members of its Board. 32. Takaful Insurance: A collective contractual arrangement aiming at achieving cooperation among a group of participants against certain risks whereby each participant pays certain contribution amount to form an account called the participants' account through which entitled compensations are paid to the member in respect of whom the risk has realized. The Takaful Insurance company shall manage this account and invest the funds collected therein against certain compensation. 2. Corporate Governance Framework
1. A Company’s organisational structure must be transparent and support the strategic objectives and operations of the Company. The Board and Senior Management must understand the structure and the risks associated with it.
2. The Board must act in the best interests of its various stakeholders while meeting regulatory expectations. Treating customers fairly and policyholder protection must be an integral part of a Company’s governance and corporate culture.
3. Branches of foreign Companies must establish local governance structures, such as a Senior Management committee or equivalent, that fulfill the responsibilities of a Board required by these Standards. Branches must ensure their Control Functions are operating effectively. Branches must establish Control Functions that are robust, report to the local management structures and are accountable to the Group’s heads of Control Functions. The local management structure of the branch must take steps, as necessary, to help the branch meet its own Corporate Governance responsibilities in line with the Regulation and Standards. It is the responsibility of the local governance structures to ensure that local legal and regulatory requirements are implemented and, where appropriate, make adjustments where the Group structures conflicts with a provision of these Standards.
4. Group Structure:
a. In order to fulfil its responsibilities, the Board must ensure that: 1. There is a Corporate Governance framework at the Group level, with clearly defined roles and responsibilities, taking into account the complexity and significance of the individual entities;
2. There is an appropriate Group management structure and internal control framework which takes into account the material risks to which the Group and its individual entities are exposed;
3. The Group’s Corporate Governance framework includes adequate policies, processes and controls, and addresses risk management across the entities;
4. The Group’s Corporate Governance framework includes appropriate processes and controls to identify and address potential intragroup Conflicts of Interest, such as those arising from intragroup transactions;
5. There are Board-approved policies and clear strategies for establishing new structures and legal entities, which ensure that they are consistent with the policies and interests of the Group;
6. There are effective systems in place to facilitate the exchange of information and coordination among the various entities, to manage the risks of the individual entities as well as of the Group as a whole, and to ensure effective control of the Group;
7. There are sufficient resources to monitor the compliance of all entities with all applicable legal, regulatory and governance requirements; and
8. There is an effective internal audit function, and in the case of a Company offering Islamic financial services, an effective internal Shari`ah audit function, which ensures audits are being performed on all Group entities and the Group itself.
b. While the Board of the Company must conduct strategic, Group-wide risk management and prescribe corporate risk profiles, the Company’s management and Affiliate boards must have appropriate input into their local or regional application and the assessment of local risks. It is the responsibility of the Companies’ boards, or equivalent in the case of foreign branches, to assess the compatibility of the Group policies with local legal and regulatory requirements.
c. The Board and Senior Management must take into account the financial, legal, reputational and other risks to the Company from operating through complex or non-transparent structures. Measures to avoid or mitigate these risks include, but are not limited to:
1. Avoiding setting up complex structures that lack economic substance or business purposes;
2. Continually maintaining and reviewing appropriate policies, procedures and processes governing the approval and maintenance of those structures or activities, including fully vetting the purpose, the associated risks and the Company’s ability to manage those risks prior to setting up new structures and initiating associated activities;
3. Having a centralised process for approving the creation of new legal entities and dissolution of dormant entities based on established criteria, including the ability to monitor and fulfil each entity’s regulatory, tax, financial reporting, governance and other requirements;
4. Establishing adequate procedures and processes to identify and manage all material risks arising from these structures, including lack of management transparency, operational risks introduced by interconnected and complex funding structures, intragroup exposures, trapped collateral and counterparty risk, ensuring that structures are only approved if the material risks can be properly identified, assessed and managed; and
5. Ensuring that activities and structures are subject to regular internal and external audit reviews and Shari`ah audit reviews in case of providing Takaful Insurance products.
5. The Board must have a formal written Conflict of Interest policy for its members. The policy must include the following, at a minimum,:
a. Duties of the members of the Board to avoid, to the extent possible, activities that could create Conflicts of Interests or the appearance of Conflicts of Interests;
b. Examples of how Conflicts of Interest can arise when serving as a member of the Board;
c. A process for management of Conflicts of Interests by the Board or an ethics committee, where one exists;
d. A Board review and approval process applicable to members of the Board before they engage in specific activities, such as serving on another Board, to ensure that such activities will not create a Conflict of Interest;
e. A process to prevent members from holding directorships in other Companies;
f. A member of the Board’s duty to promptly disclose any matter that may result, or has already resulted, in a Conflict of Interest;
g. A member of the Board’s duty to abstain from voting on any matter where the member of the Board may have a Conflict of Interest (existing or potential) or where the member of the Board’s objectivity or ability to properly fulfil duties to the Company may be otherwise compromised;
h. Procedures to ensure that transactions with Related Parties must be undertaken on an arm’s length basis; and
i. The way the Board will deal with non-compliance with the Conflict of Interest policy.
6. Transactions with Related Parties must not be undertaken on more favourable terms than corresponding transactions with non-related counterparties.
7. Companies must have policies and processes in place to identify individual exposures to and transactions with Related Parties, as well as the total amount of such exposures; and monitor and report on them through an independent credit review or audit process. Exceptions to policies, processes and limits must be reported to the appropriate level of the Company’s Senior Management and, if necessary, to the Board for timely action, based on the stipulations of the policy. Senior Management must monitor Related Party Transactions on an ongoing basis, and the Board must also provide oversight of these transactions.
8. The Board must ensure that transactions with Related Parties (including intragroup transactions) are reviewed to assess risk and are subject to appropriate restrictions (e.g. by requiring that such transactions be conducted on arm’s length terms) and that corporate or business resources of the Company are not misappropriated or misapplied.
9. Transactions with Related Parties and the write-off of related-party exposures are subject to prior approval by the Company’s Board. Members of the Board with Conflicts of Interest must be excluded from the approval process for granting and managing Related Party Transactions. Companies must report any breaches promptly to the Central Bank. The Central Bank may impose additional capital and/or provisioning requirements to cover any such breaches.
10. Companies must have policies and procedures in place to prevent persons benefiting from a transaction that has an existing or potential Conflict of Interest and/or persons related to such a person, from being part of the process of granting and managing the transaction.
11. Companies must maintain a register of Related Parties and details of every Related Party Transaction.
3. Oversight and Management Responsibilities
1. The Board must provide oversight of Senior Management. It must hold members of Senior Management accountable for their actions and document the consequences if these actions are not aligned with the Board’s expectations. This oversight involves ensuring that Senior Management is adhering to the Company’s values, Risk Appetite and risk culture. Oversight by the Board should include, but is not limited to:
a. Monitoring Senior Management’s actions to ensure that they are consistent with the strategic objectives and policies approved by the Board and are aligned with the Company’s Risk Appetite;
b. Overseeing implementation of the Company’s governance framework and reviewing it annually to ensure that it remains appropriate in the light of any material changes to the Company’s size, complexity, business strategy, markets and regulatory requirements;
c. Overseeing the Company’s adherence to its Risk Appetite and Risk Limits;
d. Overseeing the Company’s approach to Board and Staff compensation, including monitoring and reviewing executive compensation and assessing whether it is aligned with the Company’s culture and Risk Appetite;
e. Meeting regularly with Senior Management;
f. Critically reviewing and challenging explanations and information provided by Senior Management;
g. Setting appropriate performance and compensation standards for Senior Management consistent with the long-term strategic objectives and the financial soundness of the Company;
h. Assessing whether Senior Management’s collective knowledge and expertise remain appropriate given the nature of the business and the Company’s risk profile; and
i. Actively engaging in succession planning for the Chief Executive Officer and ensuring that appropriate succession plans are in place for all Senior Management positions.
2. The Board should review the Company’s policies and procedures on a regular basis to ensure that they are being implemented by those responsible within Senior Management. The Board should obtain reports from Senior Management in this regard, at least annually.
3. The responsibilities of the Board in this regard include, but are not limited to:
a. Determining the Company’s Risk Appetite, taking into account the competitive and regulatory landscape and the Company’s long-term interests, risk exposures and ability to manage risk effectively;
b. Approving and overseeing the implementation of key policies including, but not limited to, liquidity , capital adequacy, technical provisions and solvency margin;
c. Overseeing the appointment of the external auditor;
d. Approving the annual financial statements and requiring periodic independent review of critical areas of the business and internal controls;
e. Approving the selection of and overseeing the performance of Senior Management;
f. A Takaful Company must demonstrate full Compliance with Islamic Shari’ah and establish a sound and effective Shari`ah governance framework with key mechanisms and functionalities to ensure effective and independent Shari`ah oversight, as per the requirements of the Takaful Regulation and any other requirements set by the Central Bank and the Higher Shari`ah Authority.
4. Corporate Culture, Business Objectives and Strategy
1. The Board is responsible for the implementation of an effective risk management culture and internal control framework across the Company and the Group. In order to promote a sound corporate culture, the Board must establish the “tone from the top” by:
a. Setting and adhering to corporate values that create the expectation that all business must be conducted in a legal and ethical manner, and overseeing the adherence to such values by Staff;
b. Promoting risk awareness within a strong risk culture, and setting the expectation that all Staff are responsible for ensuring that the Company operates within the established Risk Governance Framework, Risk Appetite and Risk Limits;
c. Ensuring that appropriate steps have been taken to communicate throughout the Company the corporate values, professional standards and codes of conduct approved by the Board, together with supporting policies; and ensuring that Staff are aware that appropriate disciplinary or other actions will follow unacceptable behaviours and breaches.
2. The Company’s corporate culture must recognise the critical importance of timely and frank discussion and escalation of problems to higher levels. Staff must be encouraged and must be able to communicate legitimate concerns about illegal, unethical and/or questionable practices confidentially and without the risk of reprisal.
3. The Board must approve and oversee a whistleblowing policy mechanism and ensure that Senior Management appropriately addresses legitimate issues flagged through the whistleblowing mechanism. The Board is responsible for ensuring that Staff who raise concerns are protected from detrimental treatment or reprisals. The Board must oversee and approve how and by whom legitimate matters are investigated and that they are addressed by an objective internal or external body, Senior Management, and/or by the Board itself.
4. A Company must have a written code of conduct for Staff that defines acceptable and unacceptable behaviours. It must explicitly prohibit illegal activity including fraud, breach of sanctions, money-laundering, anti-competitive practices, bribery and corruption, and the violation of consumer rights. It must make clear that Staff are expected to conduct themselves ethically and perform their jobs with skill, due care and diligence. The code of conduct covers, at a minimum:
a. The obligation to comply with all Regulations and the Company policies.
b. Prevention and management of Conflicts of Interest.
c. Guidance on decision-making.
d. Reporting mechanisms on any breach of applicable laws and Regulations, and protection for whistle blowers from retaliation.
e. Fair treatment of policyholders.
f. Information sharing with stakeholders.
5. Structure and Governance of the Board
1. A Company’s Board must be comprised of individuals with a balance of skills, diversity and expertise, who collectively possess qualifications commensurate with the size, complexity and risk profile of the Company. In assessing its collective suitability, the factors a Board should take into account include, but are not limited to:
a. Whether members of the Board have a range of knowledge and experience in relevant areas and varied backgrounds to promote diversity of views;
b. Relevant individual areas of competence which may include, but are not limited to, capital markets, financial analysis, financial stability, financial reporting, information technology, strategic planning, risk management, compensation, regulation, Corporate Governance, management, accounting, underwriting, actuarial, reinsurance, investment, audit and Shari`ah rules and principles in the case of a Takaful Company;
c. Whether the Board collectively has a good understanding of local, regional and global economic and market forces and of the legal and regulatory environments applicable to the Company’s operations; and
d. Whether individual members of the Board can contribute to effective communication, collaboration and critical debate at the meetings of the Board and its committees.
2. The Board must have well-defined powers, including the ability to obtain timely information from Senior Management and key persons in Control Functions, in order to manage the Company.
3. The Board must have documented procedures for its own internal governance which must be periodically reviewed and assessed for their effectiveness. These may be included in organisational rules or by-laws, and should set out how the Board will carry out its roles and responsibilities, the nomination process, selection and removal of Board members, a specified term of office and succession planning.
4. The Board must be adequately funded and have access to resources, staff and facilities in order to carry out its responsibilities effectively. The Board must have documented procedures to access external, independent experts including procedures related to their appointment and dismissal.
5. Where the Board makes any delegations, it should ensure that:
a. The delegation does not hinder the Board from discharging its roles and responsibilities effectively.
b. The scope of delegation is well defined in terms of the powers, accountabilities and procedures related to the delegation.
c. There is no undue concentration of powers, giving anyone inappropriate levels of power capable of affecting the Company.
d. It has the ability to monitor and obtain reports on whether the delegated tasks are properly carried out.
e. It retains the ability to withdraw the delegation if it is not properly discharged, and to have contingency plans in this regard.
6. Members of the Board, individually and collectively, must be and continue to remain qualified for their positions. Members of the Board must understand their oversight and Corporate Governance role and be able to exercise sound, objective judgement about the affairs of the Company. Members of the Board must not have any Conflict of Interest that may impede their ability to perform duties independently and objectively, or be subject to any undue influence from:
a. Other persons/business;
b. Previous or current positions held; or
c. Personal, professional or other economic relationships with other members of the Board or Senior Management, or
d. Other entities within the Group.
7. A member of the Board shall lose his/her independence in the following cases:
a. If his/her tenure as an Independent Member of the Board in the same Company exceeds twelve (12) consecutive years from the date of his or her appointment. This provision applies equally to persons appointed by a Government shareholder;
b. If he/she, or any of his/her Relatives, has worked as Staff of the Company, or its Subsidiaries during the past two (2) years;
c. If he/she has worked for, or is a partner, in a company that performs consulting works for the Company or its Group or he/she has acted in such capacity during the past two (2) years;
d. If he/she has had any personal services contracts with the Company or its Group during the past two (2) years;
e. If he/she has been affiliated with any non-profit organisation that receives significant funding from the Company or its Group;
f. If he/she, or any of his/her Relatives, has been a partner or employee of the Company’s auditor during the past two (2) years;
g. If he/she, or any of his/her Relatives, has or had a direct or indirect interest in the contracts and projects of the Company or its Subsidiaries during the past two (2) years, and the total of such transactions exceeds the lower of 5% of the Company’s paid capital or of the amount of five million Dirhams or its equivalent amount in a foreign currency, unless such relationship is part of the nature of the Company’s business and involves no preferential terms; and
h. If he/she and/or any of his/her Relatives (individually or collectively) own directly or indirectly 10% or more of the Company’s capital or is a representative of a shareholder who owns directly or indirectly more than 10% of the Company’s capital.
The provisions in items b to h above do not apply to members of the Board appointed by a Government shareholder.
8. All nominated members of the Board must have sufficient competence, knowledge and experience to effectively carry out their duties and be subject to the Fit and Proper Process.
9. An ex-ante review and approval process must be completed before a member of the Board accepts nomination to serve on another board as permitted by the Corporate Governance Regulation and these Standards, so as to ensure that the activity will not create a Conflict of Interest. In addition, each member of the Board must confirm annually that he/she has sufficient time available to manage the time commitments required from the role on the Board.
10. The chair of the Board must provide leadership to the Board and is responsible for its overall effectiveness. The chair must ensure that Board decisions are taken on a sound and well-informed basis, encourage and promote critical discussion, and ensure that dissenting views can be freely expressed during the decision-making process. The chair must:
a. Ensure that the Board acts efficiently, fulfils its responsibilities and discusses all issues on a timely basis;
b. Approve the agenda of each Board meeting, ensuring that the content, organisation, quality of documentation and time allocated to each topic allows for sufficient discussion and decision making;
c. Encourage all Members of the Board to fully and efficiently participate in Board meetings in order to ensure that the Board acts in the best interests of the Company;
d. Adopt suitable procedures to ensure efficient communication with the shareholders, and the communication of their views to the Board; and
e. Facilitate the effective participation of Independent Members of the Board and the development of constructive relations between individual Board members.
A Takaful Company must safeguard an effective independent oversight of Compliance with Islamic Shari’ah within the organisational framework.
11. The majority of the members of the Board must be present at each Board and its committees’ meetings to establish a quorum. Attendance at meetings must be by physical presence or via audio or audio-videoconferencing subject to appropriate safeguards to preserve confidentiality and accuracy of deliberations.
12. The Board’s and its committees’ resolutions must be approved by the majority of votes. In the case of parity, the Chair shall have a casting vote.
13. There must be effective communication and coordination between the audit committee and the risk committee to facilitate the exchange of information and effective coverage of all risks, including emerging risks, and any needed adjustments to the Company’s Risk Governance Framework. The risk committee must, without prejudice to the tasks of the compensation committee, examine whether incentives provided by the remuneration system take into consideration risk, capital, liquidity and the likelihood and timing of earnings.
14. The Board must ensure that new members of the Board participate in an appropriate induction programme that must include an introduction to the strategy, structure, codes of conduct, main policies and material businesses of the Company. In addition, the induction programme must include an overview of the regulatory environment applicable to the Company, including the requirements of all relevant laws and Regulations.
15. The Board must dedicate sufficient time, budget and other resources to an ongoing training and development programme for its members and draw on external expertise, as needed. The Board must review annually its programme for ensuring that its members acquire, maintain and enhance knowledge and skills relevant to their responsibilities.
16. The Board, or the Board nomination committee, must carry out, at least annually, an assessment of the Board as a whole, its committees, and individual members. The Board must also ensure that an independent assessment is carried by an external third party at least once every five (5) years.
17. Annual assessments of the Board must include, but are not limited to:
a. Reviewing the structure, size and composition of the Board as a whole and its committees;
b. Reviewing the effectiveness of Board governance procedures, determining where improvements are needed and making any necessary changes; and
c. Assessing the ongoing suitability of each member of the Board, taking into account the fit and proper criteria and his/her performance on the Board.
18. Factors to be considered in the assessment of the Board as a whole include, but are not limited to:
a. Has the Board set clear performance objectives, and how well has it performed against these objectives?
b. Has the Board been effective in the strategy development process?
c. What has been the Board’s contribution to ensuring effective risk management?
d. Is the membership of the Board appropriate with the right mix of skills and knowledge?
e. Is the organisational structure and interaction between the Board and Senior Management working effectively?
f. How well has the Board responded to problems and challenges?
g. Is the Board dealing with the right issues?
h. Is the relationship between the Board and its committees working effectively?
i. Is the Board taking the necessary steps to stay up to date with regulatory and market developments?
j. Is the Board taking the necessary steps to acquire timely information of the right depth and quality?
k. Are Board meetings of the right frequency and length to enable proper consideration of issues?
l. Is the content of the agenda appropriate for the size, nature and complexity of the Company?
m. Are Board procedures adequate for effective performance?
19. Factors to be considered in the assessment of the performance of individual members of the Board include, but are not limited to:
a. Does the member of the Board continue to meet the requirements of the Fit and Proper Process, and in the case of Independent Members of the Board, independence?
b. Has the member of the Board actively contributed to the work of the Board, and if applicable, Board committees?
c. If newly appointed, has the member of the Board participated in the Board’s induction programme?
d. Has the member of the Board participated in ongoing training on relevant issues?
e. Is the member of the Board taking the necessary steps to stay up to date with regulatory and market developments?
f. Has the member missed meetings of the Board without an excuse acceptable by the Board?
20. COMMITTEES:
a. The Board elects the audit committee and sets its mandate and responsibilities, including, but not limited to:
1. Assessing the adequacy of Senior Management, and the extent of their application of the Board’s directions.
2. Assessing and following up on the efficiency of the internal controls, through:
a. Holding regular meetings with persons who are primarily responsible for internal controls over financial reporting, including but not limited to the heads of internal audit, risk management and accounting functions.
b. Mitigating key financial reporting risks through discussing controls with Senior Management, including fraud risks.
c. Understanding how Senior Management plans to assess internal controls and what role internal audit and other Related Parties will play.
d. Understanding the external auditors' scope and plan to test the controls.
e. Conducting regular meetings with Senior Management, internal and external audit to discuss findings and relevant action plans.
3. Assessing the extent of compliance with relevant laws and Regulations.
4. Nominating external auditors to be selected by the general assembly; terminating their services, when required; and determining their fees.
5. Effectively overseeing and supporting the internal audit function, that incudes, but is not limited to:
a. Understanding internal audit resources.
b. Being involved in hiring the head of internal audit, evaluating his/her performance, and verifying the sufficiency of his/her compensation.
c. Reviewing the internal audit's charter annually, and approving any changes to the charter.
d. Approving the annual internal audit plan and reviewing the recommendations issued by the internal auditor.
6. Approving the appointment and dismissal of the head of internal audit.
7. Following up on the recommendations made by internal and external audit and the Central Bank.
8. Overseeing the integrity and accuracy of the financial statements and related disclosures, that includes:
a. Taking an active role in overseeing annual and interim financial statements and related disclosures.
b. Assessing whether the significant accounting policies the company uses are reasonable and appropriate. This includes discussions with the chief financial officer and external auditors about the impact on the results and financial disclosures of any new accounting development.
c. Assessing and making submissions to the Board regarding the suitability of the Company’s accounting policies. This includes discussions with the chief finance officer or equivalent and the external auditors about the impact on the results and financial disclosures of any changes to accounting standards and policies.
d. Reporting to the Board, any limitations in the reliability of accounting and financial processes, including management information systems.
9. Meeting with internal and external auditors and appointed actuaries at least twice a year, without the presence of representatives from Senior Management.
10. Enabling Staff to report in confidentiality, any violation concerning the financial statements or internal controls, and producing a report to the Board in this regard.
11. To report to shareholders by preparing a report to be included in the annual financial statements describing how the committee carried out its functions, confirming the independent nature of the audit, and commenting on the financial statements, accounting practices and internal financial control measures of the Company.
12. Ensuring integrated reporting to the Central Bank (integrating financial and sustainability reporting, to the extent that it is relevant). At a minimum, the audit committee should provide the following information in the integrated report:
a. A summary of the role of the audit committee;
b. A statement on whether or not the audit committee has adopted a formal terms of reference that has been approved by the Board, and if so, whether the committee satisfied its responsibilities for the year in compliance with its terms of reference;
c. The names and qualifications of all members of the audit committee during the period under review, and the period for which they served on the committee;
d. The number of audit committee meetings held during the period under review and members’ attendance at these meetings;
e. A statement on whether or not the audit committee considered and recommended the internal audit charter for approval by the Board;
f. A description of the working relationship with the chief audit executive;
g. Information about any other responsibilities assigned to the audit committee by the Board;
h. A statement on whether the audit committee complied with its legal, regulatory and/or other responsibilities; and
i. A statement on whether or not the audit committee has reviewed the integrated report and submitted the report to the Board with a recommendation for approval.
b. The Board elects a risk management committee and sets its mandate and responsibilities including, but not limited to:
1. Proposing the Company's risk management policies, risk tolerance and Risk Appetite to the Board for approval, and to follow up on their implementation and update them on an annual basis. The committee should ensure that risk assessments are performed regularly, monitor the whole risk management process, and receive assurance from internal and external assurance providers regarding the effectiveness of the risk management process.
2. Assessing and making submissions to the Board regarding the Company’s risk management through:
a. Satisfying itself with regard to the expertise, resources and experience of the risk management function;
b. Meetings with individuals who are primarily responsible for the design, implementation and effectiveness of risk management, as well as continual risk monitoring; and
c. Meeting regularly with management to discuss the controls in place to: assume and accept risk, avoid risk, control risk, transfer risk, watch and monitor risk, amongst other things.
3. Proposing the Company's reinsurance strategy and ensuring appropriate oversight and consistent implementation of reinsurance programmes. The committee should consider the Company’s business objectives, levels of capital and business lines, with particular reference to the following:
a. Risk Appetite;
b. Large exposures and frequency of perils;
c. Level of diversification; and
d. The ability of reinsurers to fulfill their obligations.
4. Assessing the extent to which the Company applies the provisions contained in the Financial Regulations, and submitting reports to the Company’s Board in this regard.
5. Without prejudice to the tasks of the compensation committee, proposing a compensation policy for management that is aligned to the business strategy and risk levels.
6. Ensuring detailed job descriptions for the roles, duties, and responsibilities of each Board member, and that controls for measuring their performance are in place.
c. The Board elects from among its members an investment committee, and sets its mandate and responsibilities including, but not limited to:
1. Preparing and reviewing the investment policy, reviewing its performance, implementation and managing its risks, on an annual basis.
2. Reviewing the performance of the Company's assets annually.
3. Submitting quarterly reports to the Board on the performance of the Company's investment portfolio.
4. Establishing the necessary controls to prevent investments in related companies, unless it is proven that this is in the interest of the Company; maintain relevant information, documents, restrictions and studies in this regard.
d. The Board elects from among its members a compensation committee, and sets its mandate and responsibilities including, but not limited to:
1. Providing the Board with the design and oversight of the Company’s compensation system.
2. Periodically reviewing the compensation policies and determining if they are appropriate to each Board member and the Staff.
3. Preparing a policy for granting allowances and incentives to Senior Management.
4. Reviewing the performance of Senior Management.
e. The Board elects from among its members a nomination committee, and sets its mandate and responsibilities, including, but not limited to:
1. Identifying, assessing fitness and propriety of candidates for the Board and Senior Management. Fit and proper criteria must ensure that selected candidates:
a. Possess the necessary knowledge, skills, and experience;
b. Have a record of integrity and good repute;
c. Have sufficient time to fully discharge their responsibilities;
d. Provide for collective suitability and added value to the Board/ Senior Management;
e. Do not have any Conflict of Interest; and
f. Have a record of financial soundness.
Before providing the non-objection for nominations, appointments or renewals, the Central Bank will conduct additional interviews and/or background checks to ensure that the candidates are fit and proper, including assessing their ability to manage the time commitments required for their role in the Company, and confirm the accuracy and completeness of the information and documentation provided by the Company.
2. Establishing a policy to require at least 20% of candidates for consideration for the Board to be female. Information on the policy and actual numbers of female candidates’ consideration and representation on the Board must be disclosed in the Company’s annual Corporate Governance statement.
6. Duties of Individual Board Members
1. Members of the Board are fully responsible for the overall interests of the Company. This applies to members of the Board representing or appointed by an individual shareholder or group of shareholders. The Duty of Loyalty precludes individual members of the Board acting in their own interest, or the interest of another individual or group, at the expense of the Company, its policyholders or shareholders. Policyholders’ interests must take precedence over shareholders’ interests.
2. Members of the Board must exercise their Duty of Care, Duty of Confidentiality and Duty of Loyalty to the Company when carrying out their activities, which include, but are not limited to:
a. Actively engaging in the affairs of the Company to ensure strategy and policies are implemented as designed as well as acting in a timely manner to protect the long-term interests of the Company;
b. Overseeing the development of and approving the Company’s business objectives and strategy, and monitoring their implementation;
c. Playing a lead role in establishing the Company’s corporate culture and values.
7. Duties Related to Risk Management and Internal Controls
1. The Board approved Risk Governance Framework must incorporate a “three lines of defense” approach including Senior Management of the business lines, the functions of risk management, actuarial and compliance, and an independent and effective internal audit function. In the case of a Takaful Company, independent and effective internal Shari`ah Control and internal audit functions must be in place.
2. The Risk Governance Framework may vary with the specific circumstances of the Company, particularly its risk profile, size, business mix and complexity. Companies must incorporate the minimum requirements specified in the Central Bank Regulations and Standards on risk management and internal controls.
3. The internal controls framework must contain the following elements, at a minimum:
a. Empowering Senior Management according to the organisational structure, commensurate to the nature of the Company, which clearly defines lines of communication and responsibilities for each unit in the Company.
b. Segregation of duties, along with separation between managing risks and supervising the management of such risks.
c. Written procedures accredited by the Board for applying and reviewing information technology strategies, in a manner that guarantees the provision of information to decision makers in a timely manner, along with a crisis management strategy.
4. A Company shall set up a documented internal control system approved by its Board in line with the Company’s business and volume, and it shall be supported by information systems that ensure the accuracy of such information. This system shall be reviewed periodically by the internal audit, external audit and actuarial auditors to ensure its compliance with the legal framework in force and to assess its effectiveness and adequacy.
5. The internal auditor shall assess the effectiveness and adequacy of the internal controls system and the company’s operations, to make sure that the Company operates in compliance with the legal framework and within the strategic objectives of the Company. A report in this regard along with the relevant recommendations must be submitted to the audit committee.
6. Governance requirements for risk management and internal controls are contained in separate Regulations issued by the Central Bank.
8. Duties Related to Compensation
1. The compensation committee is responsible for the overall oversight of management’s implementation of the compensation system for the entire Company. In addition, the compensation committee must regularly monitor and review outcomes to assess whether the Company-wide compensation system is creating the desired incentives for managing risk, capital and liquidity. It must have clear terms of reference, be properly constituted to exercise competent and independent judgement on the Company’s compensation policies and practices and work closely with the Company’s risk committee in the evaluation of incentives created by the compensation system. The committee must review the compensation plans, processes and outcomes, at least annually. An independent assessment of the compensation system by an external third party must be conducted at least once every five (5) years.
2. The Board must have oversight of the compensation system for the whole Company, not just for Senior Management. The compensation structure must be in line with the strategy, Risk Appetite, objectives, values and long-term interests of the Company. Incentives embedded within compensation structures should not incentivise Staff to take excessive risk.
3. Issues that the compensation committee of the Board must consider in overseeing the operation of Company-wide compensation policies include, but are not limited to:
a. the ratio and balance between the fixed (basic salary and any routine employment allowances that are predetermined and not linked to performance) and variable components of compensation;
b. the nature of the duties and functions performed by the relevant Staff and their seniority within the Company;
c. the assessment criteria against which performance-based components of compensation are to be awarded; and
d. the integrity and objectivity of the process of performance assessment against the set criteria.
4. The annual fixed amount paid to the members of the Board should be comprised of payment for their service on the Board and for their participation on Board committees, with greater weighting applied to members chairing committees. The payment may also include the value of other non-monetary benefits, e.g. insurance and healthcare. The agreement with each member of the Board must specify all the details of his/her compensation.
5. Negative financial performance or net loss reported by a Company in a financial year should generally lead to a contraction of the Board’s total compensation and Senior Management bonus. The Central Bank may impose additional reductions to the Board’s total compensation where the negative financial performance was due to non-compliance with laws or Regulations, omission or error by the Board. In addition, a net loss reported by a Company in a financial year is expected to lead to a contraction of the Staff bonus pool.
6. Staff in the Control Functions of risk management, compliance and internal audit and in the case of Takaful Companies, Shari`ah control and Shari’ah audit, must be compensated in a way that makes their incentives independent of the lines of business whose risk taking they monitor and control. Instead, their performance measures and performance incentives must be based on achievement of their own objectives so as not to compromise their independence. This also applies to the compliance function staff embedded in independent support or control units.
7. If Staff in the Control Functions receive variable compensation, their total compensation must be made up of a higher proportion of fixed relative to variable compensation.
8. Companies must identify, both on a solo basis and at the Group level, the Staff who have the potential to take or commit the Company to significant risk, including reputational and other forms (Material Risk Takers), and consider the extent to which the structure of their compensation is effectively risk aligned. The identification must be performed by means of an annual assessment and based primarily on control and influence over risk; i.e. Staff who receive incentive compensation and have an ability, either alone or as a member of a group of Staff, to take or influence risk that is significant to the Company. These may include, but are not limited to:
a. Senior Management and key Staff (including but not limited to the Chief Executive Officer and other members of Senior Management who are responsible for oversight of the Company’s key business lines and, if applicable, the Control Functions).
b. Staff whose duties involve the assumption of risk or the taking on of exposures on behalf of the Company (including but not limited to proprietary traders, dealers, and loan officers).
c. Staff who engage in the design, sales and management of insurance products.
d. Staff who are incentivised to meet certain quotas or targets by payment of variable remuneration (including, but not limited to, those in marketing, sales and distribution functions).
e. Staff in the Control Functions.
9. For Senior Management and Material Risk Takers:
a. a proportion of compensation must be variable and paid on the basis of individual, business-unit and Company-wide measures that adequately measure performance;
b. a substantial portion of the variable compensation must be payable under deferral arrangements over at least three (3) years. These proportions should increase significantly along with the level of seniority and/or responsibility. For Senior Management and the most highly paid staff, the percentage of variable compensation that is deferred should be substantially higher than other Staff;
c. a portion of variable compensation may be awarded in shares or equivalent ownership interests or share-linked or equivalent non-cash instruments in the case of non-listed Companies, as long as these instruments create incentives aligned with long-term value creation and the time horizons of risk. Awards in shares or share-linked instruments must be subject to an appropriate share retention policy; and
d. The remaining portion of the deferred compensation can be paid as cash compensation vesting gradually. In the event of negative financial performance or net loss of the Company and/or the relevant line of business in any year during the vesting period, any unvested portions should be clawed back, subject to the realised performance of the Company and the business line.
10. Contractual payments related to the termination of employment should be examined to ensure there is a clear basis for concluding that they are aligned with long-term value creation and prudent risk-taking; any such payments must be related to performance achieved over time and designed in a way that does not reward failure.
11. Where the Company makes any severance payments, such payments must be subject to appropriate governance, limits and controls, and should relate to performance over time. Severance payment must not reward failure or potential failure of the Company.
12. Companies are encouraged to follow best international practices in sound compensation, Including the guidance provided by the Financial Stability Board in its issued Principles and Standards on Sound Compensation Practices as updated from time to time.
9. Financial Reporting and External Audit
1. Governance requirements for financial reporting and external audit must be adhered to as stipulated in the Financial Regulations, Insurance Authority’s Board of Directors’ Decision No. (19) of 2020 Concerning the Guidance Manual for Insurance Companies and Related Professions to Submitting the Data, information and any separate Regulations issued by the Central Bank in this regard.
2. The Board is responsible for overseeing the necessary controls to ensure the soundness and accuracy of the financial reports, including:
a. Overseeing the financial statements, financial reporting and disclosure process.
b. Assessing the effectiveness of the accounting policies and practices.
c. Overseeing the internal audit process (reviews by internal audit of the Company’s financial reporting controls) and reviewing the internal auditor’s plans and material findings.
d. Significant findings and observations regarding the weakness in the financial reporting process are promptly rectified. This should be supported by a formal process for reviewing and monitoring the implementation of recommendations by the external auditor.
e. Reporting to the Central Bank on significant issues regarding the financial reporting process, and the remedial action taken in this regard.
3. The Board is responsible for ensuring the sound governance and oversight of the external audit process, including:
a. Approving, recommending, appointing, reappointing, dismissing and determining the compensation of the external auditor.
b. Ensuring the independence of the external auditor through robust processes to ensure that the appointed external auditor has the necessary knowledge, skills, expertise, integrity and resources to conduct the audit and meet any additional regulatory requirements.
c. Assessing the effectiveness of the external audit.
d. Investigating circumstances of resignation or removal of the external auditor, and reporting the same to the Central Bank.
4. The Board must ensure an effective relationship with the external auditor, through:
a. Setting clear and adequate terms of engagement of the external auditor, along with a defined scope of work and resources required to conduct the audit. For this purpose the Board must ensure that the terms of engagement of the external auditor are clear and appropriate to the scope of the audit and resources required to conduct the audit and specify the level of audit fees to be paid.
b. An undertaking by the external auditor that the audit is going to be conducted according to the applicable legislation and international standards.
c. Ensuring that the external auditor complies with internationally acceptable ethical and professional standards.
d. Ensuring that there are adequate policies to ensure the independence of the external auditor, including restrictions and conditions for the provision of non-audit services which are subject to approval by the Board, periodic rotation of members of the audit team and/or audit firm and the provision of safeguards to eliminate or reduce to an acceptable level identified threats to the independence of the external auditor.
e. Ensuring that there is unrestricted access to information or persons to conduct the audit.
5. The Board must have effective communication with the external auditor, including scope and timing of the audit to understand the nature of risk. The Board should hold regular meetings with the external auditor without the presence of Senior Management, and all internal audit weaknesses must be identified and communicated.
6. The Company must provide the Central Bank with the external auditor’s report.
7. The external auditor must promptly report to the Central Bank without the prior consent of the Company on all matters that are likely to be of material significance, such as breaches of applicable legislation, fraud or the suspicion of fraud.
10. Communications
1. Disclosures in the annual Corporate Governance statement must include, but not be limited to, information on the following:
a. Material information on the Company’s objectives, organisational and governance structures and policies;
b. Major share ownership and voting rights;
c. Related Party Transactions;
d. The recruitment approach for the selection of members of the Board and for ensuring an appropriate diversity of skills, backgrounds and viewpoints;
e. Education and experience of members of the Board and key members of Senior Management;
f. Type and composition of Board and its committees; the number of times they met and attendance records;
g. Incentive and compensation policy including the decision-making process used to determine the Company-wide compensation policy, the most important design characteristics of the compensation system and aggregate quantitative information on compensation;
h. The individual compensation of the members of the Board and key members of Senior Management;
i. Individual board membership in any other companies;
j. Information on the policy as to, and actual figures of, female candidates’ consideration and representation on the Board;
k. Key points concerning its risk exposures and risk management strategies without breaching necessary confidential;
l. Information on the purpose, strategies, structures, and related risks and controls of material and complex or non-transparent activities;
m. Forward looking statements and foreseeable risk factors; and
n. In the case of Takaful Companies, Annual Shari`ah Reports on the compliance with Shari`ah rules and the resolutions of the Higher Shari`ah Authority, or any other disclosures required by the Company or the Higher Sharia Authority.
2. Where useful, Companies may make reference to the information contained in the financial statements’ notes.
3. Qualitative and quantitative disclosure requirements on compensation to be published annually in a Company’s Corporate Governance statement must include the following information for Board members, Senior Management and Material Risk Takers:
a. Description of the main elements of their compensation system and how the system has been developed;
b. Fixed and variable compensation awarded during the financial year;
c. Special Payments: guaranteed bonuses, sign-on awards and severance payments;
d. Deferred compensation;
e. Any sanctions imposed on any Board member by a national or foreign judicial or supervisory authority that is relevant to the matters stated herein.
4. Boards should approve and publicly disclose a statement providing assurance that the Corporate Governance arrangements of their Companies are adequate and efficient.
5. The Company’s communication policies and strategies should cater for providing the Central Bank with any commercially sensitive information in a timely and efficient manner. Such information may include assessments by the Board of the effectiveness of the Company’s governance system, internal audit reports, information on the compensation structures adopted by the Company for the Board, Senior Management, Control Functions and Material Risk Takers.
11. Duties of Senior Management
1. Senior Management is responsible and accountable to the Board for compliance, fair treatment of policyholders, record keeping and for the sound and prudent day-to-day management of the Company in accordance with the Company’s corporate culture, business objectives and strategies for achieving those objectives. The organization, procedures and decision-making of Senior Management must be transparent and provide clarity on the role, authority and responsibility of the various positions within Senior Management.
2. Consistent with the direction given by the Board, Senior Management must implement business strategies, risk management systems, risk culture, processes and controls for managing the risks to which the Company is exposed in alignment with the Risk Appetite. This includes comprehensive and independent risk management, compliance and audit functions as well as an effective overall system of internal controls. Senior Management must recognise and respect the independent duties of the risk management, compliance and internal audit functions, and in the case of a Company offering Islamic financial services, Shari`ah compliance and audit functions, and must not interfere with the exercise of such duties.
3. Senior Management must provide oversight of those they manage, and ensure that the Company’s activities are consistent with the business strategy, Risk Appetite and the policies approved by the Board. Senior Management is responsible for delegating duties to Staff and must establish a management structure that promotes accountability and transparency throughout the Company.
4. Senior Management must provide the Board with comprehensive and timely reports to enable it to effectively discharge its responsibilities, including the oversight of Senior Management. Information that Senior Management must regularly provide to the Board includes, but is not limited to:
a. Performance relative to the Company’s strategy and Risk Appetite;
b. Performance against budget and other financial targets, and the financial condition of the Company;
c. Breaches of Risk Limits or compliance rules categorised by frequency, scope and impact;
d. Internal control failures;
e. Legal or regulatory concerns and remedial actions taken or proposed;
f. Current and developing market conduct issues, including a semi-annual analysis on client complaints and inquiries;
g. Issues raised as a result of the Company’s whistleblowing mechanism;
h. Breaches of Shari`ah rules and principles in the case of a Takaful Company; and
i. Proposed changes in Company strategy.
5. An ex-ante review and approval process must be completed before a member of Senior Management accepts nomination to serve on a board as permitted by the Regulation so as to ensure that the activity will not create a Conflict of Interest. In addition, each member of Senior Management must confirm annually that he/she has sufficient time available to manage the time commitments required for their role in the Company.
6. A Company is prohibited from terminating the services of a member of the Senior Management because of their compliance with the law, decisions, regulations, instructions and circulars issued pursuant thereto.
Risk Management and Internal Controls Regulation for Insurance Companies
The Board of Directors
Having perused Decretal Federal Law No. (14) of 2018 Regarding the Central Bank & Organization of Financial Institutions and Activities as amended;
Federal Law No. (6) of 2007 Concerning the Organization of Insurance Operations, as amended, and its Executive Regulations;
Insurance Authority Board of Directors' Decision No. (25) of 2014 Pertinent to Financial Regulations for Insurance Companies and Insurance Authority Board of Directors' Decision No. (26) of 2014 Pertinent to Financial Regulations for Takaful Insurance Companies;
The Central Bank of the UAE's Board of Directors' Resolution published in the Official Gazette issue No. (740) on 30 November 2022 Regulation Regarding Takaful Insurance; and
Based on the recommendation of the Governor and the approval of the Board of Directors;
Has resolved as follows:
Introduction
The Central Bank seeks to promote the effective and efficient development and functioning of the insurance sector. To this end, Companies are required to have a comprehensive approach to Risk Management and effective Internal Controls, including Board and Senior Management oversight, to ensure their resiliency and enhance overall financial stability.
Risk Management, internal audit, compliance, and actuarial functions constitute key control functions in a Company. The control functions have a responsibility, independent of the management of the Company's business lines, to provide objective assessment, reporting and/or assurance. The control functions (as defined in article 1.11) are an essential foundation for effective corporate governance.
In introducing this Regulation and the accompanying Standards, the Central Bank intends to ensure that Companies' approaches to Risk Management and Internal Controls are in line with leading international standards and industry best practice.
This Regulation and the accompanying Standards establish an overarching prudential framework for Risk Management and Internal Controls. Standards and supervisory expectations for selected specific risks are, or will be, established in other Regulations.
This Regulation and the accompanying Standards are issued pursuant to the powers vested in the Central Bank under the Central Bank Law.
This Regulation and the accompanying Standards supplement Federal Law No. (6) of 2007 Concerning the Organization of Insurance Operations, as amended, and its Executive Regulations, Insurance Authority's Board of Directors' Decision No. (19) of 2020 Concerning the Guidance Manual for Insurance Companies and Related Professions to Submitting the Data, information and Supervisory Reports, Insurance Authority Board of Directors' Resolution No. (11) of 2016 Concerning the Revision of the Pricing Policy Applied by a Company in the Classes of Property and Liability Insurance, Insurance Authority Board of Directors' Decision No. (49) of 2019 Concerning Instructions for Life Insurance and Family Takaful Insurance, Insurance Authority Board of Directors' Decision No. (25) of 2014 Pertinent to Financial Regulations for Insurance Companies, Insurance Authority Board of Directors' Decision No. (26) of 2014 Pertinent to Financial Regulations for Takaful Insurance Companies, and the Central Bank of the UAE's Board of Directors' Resolution published in the Official Gazette issue No. (740) on 30 November 2022 Regulation Regarding Takaful Insurance. Additional requirements may be imposed pursuant to decisions to be issued by the Central Bank in this regard.
Objective
The objective of this Regulation is to establish the Central Bank's minimum requirements for Companies' approach to Risk Management and Internal Controls with a view to:
a. Ensuring the safety and soundness of Companies; and
b. Contributing to the financial stability of the UAE.
Scope of Application
This Regulation and the accompanying Standards apply to all Companies. Companies established in the UAE with Group relationships including Subsidiaries, Affiliates, or international branches, must ensure that the Regulation and Standards are adhered to on a solo and Group-wide basis.
The Central Bank will apply the principle of proportionality in the enforcement of the Regulation and Standards, whereby smaller Companies may demonstrate to the Central Bank that the objectives are met without necessarily addressing all of the specifics cited therein. The Central Bank will decide on the extent to which a Company is expected to meet the requirements.
Article (1): Definitions
1. Actuaries' Regulation: Insurance Authority Board of Directors Decision No. (9) of 2017 Concerning the Regulations on Licensing and Registration of Actuaries and Regulation of their Operations.
2. Affiliate: An entity that, directly or indirectly, controls, is controlled by, or is under common control with another entity. The term control as used herein shall mean the holding, directly or indirectly, of voting rights in another entity, or of the power to direct or cause the direction of the management of another entity
3. Authorized Manager: The person appointed by the foreign insurance company to manage its branch in the State.
4. Board: The Company's board of directors.
5. Central Bank: The Central Bank of the United Arab Emirates.
6. Chief Executive Officer: The most senior executive appointed by the Board, and in the case of foreign branches, this refers to the Authorized Manager.
7. Central Bank Laws: Decretal Federal Law No. (14) of 2018 Regarding the Central Bank & Organization of Financial Institutions and Activities, as amended; and Federal Law No. (6) of 2007 Concerning the Organization of Insurance Operations, as amended and its Executive Regulations.
8. Company: The insurance company incorporated in the State, and the foreign branch of an insurance company, that is licensed to underwrite primary insurance and reinsurance, including Takaful insurance companies.
9. Conflict of Interest: A situation of actual or perceived conflict between the duty and private interests of a person, which could improperly influence the performance of his/her duties and responsibilities.
10. Confidential Data: Account or other data relating to a Company customer, who is or can be identified, either from the Confidential Data, or from the Confidential Data in conjunction with other information that is in, or is likely to come into, the possession of a person or organization that is granted access to the Confidential Data.
11. Control Functions: Function (whether in the form of a person, unit or department) that has a responsibility in a Company to provide objective assessment, reporting and/or assurance; this includes the risk management, compliance, actuarial, internal audit and where applicable Shari'ah control and Shari'ah audit functions.
12. Enterprise Risk Management (ERM): The strategies, policies and processes of identifying, assessing, measuring, monitoring, controlling, reporting and mitigating risks in respect of the Company's enterprise as a whole.
13. Financial Regulations: Insurance Authority Board of Directors' Decision No. (25) of 2014 Pertinent to Financial Regulations for Insurance Companies and the Insurance Authority Board of Directors' Decision No. (26) of 2014 Pertinent to Financial Regulations for Takaful Insurance Companies.
14. Group: A group of entities which includes an entity (the 'first entity') and:
a. any Parent of the first entity;
b. any Subsidiary of the first entity or of any Parent of the first entity;
c. any Affiliate.
15. Internal Controls: A set of processes, polices and activities governing a Company's organizational and operational structure, including reporting and Control Functions.
16. Life Insurance Regulation: Insurance Authority Board of Directors' Decision No. (49) of 2019 Concerning Instructions for Life Insurance and Family Takaful Insurance.
17. Material Business Activity: An activity of the Company that has the potential, if disrupted, to have a significant impact on the Company's business operations or its ability to manage risks effectively.
18. Matter of Significance: A matter, or group of matters, that would have a significant impact on the activities or financial position of the Company. Examples include failure of preserving the assets of the Company and policyholders, failure to comply with Central Bank Laws/the Financial Regulations, major deviations from the Risk Appetite and or other matters that are likely to be of significance to the function of the Central Bank as regulator.
19. Master System of Record: The collection of all data, including Confidential Data, required to conduct all core activities of a Company, including the provision of services to policyholders, managing all risks, and complying with all legal and regulatory requirements.
20. Model: A quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates.
21. Outsourcing: An arrangement between a Company and a service provider, whether the service provider operates within or outside the UAE, for the latter to perform a process, service or activity which would otherwise be performed by the Company itself.
22. Own Risk and Solvency Assessment (ORSA): an internal process undertaken by a Company/ Group to assess the adequacy of its Risk Management and current and prospective solvency positions under normal and severe stress scenarios. It requires a Company to analyze all reasonably foreseeable and relevant material risks. It covers current and future risks and requires Company-specific judgment about risk management and the adequacy of their capital position that could have an impact on it's ability to meet both its business objectives as well as its policyholder obligations. This encourages management to anticipate potential business challenges, capital needs and to take proactive steps to reduce risks. ORSA is not a one-off exercise. It is a continuously evolving process and must be a component of a Company's Enterprise Risk Management (ERM) framework. Whilst there is not one specific way of conducting an ORSA, the output is expected to be a set of documents that demonstrate the results of management's proactive approach to its own self-assessment.
23. Parent: An entity (the 'first entity') which:
a. holds a majority of the voting rights in another entity (the 'second entity');
b. is a shareholder of the second entity and has the right to appoint or remove a majority of the Board or managers of the second entity; or
c. is a shareholder of the second entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the second entity; or
d. if the second entity is a subsidiary of another entity which is itself a subsidiary of the first entity.
24. Pricing Regulation: Insurance Authority Board of Directors' Resolution No. (11) of 2016 Concerning the Revision of the Pricing Policy Applied by a Company in the Classes of Property and Liability Insurance.
25. Regulations: Any resolution, regulation, circular, rule, standard or notice issued by the Central Bank.
26. Risk Appetite: The aggregate level and types of risk a Company is willing to assume, within its risk capacity, to achieve its strategic objectives and business plan
27. Risk Governance System: As part of the overall approach to Corporate Governance, the framework through which the Board and Senior Management establish and make decisions about the Company's strategy and risk approach; articulate and monitor adherence to the Risk Appetite and Risks Limits relative to the Company's strategy; and identify, measure, manage and control risks.
28. Risk Culture: The set of norms, values, attitudes and behaviors of a Company that characterizes the way in which it conducts its activities related to risk awareness, risk taking and risk management and controls.
29. Risk Limits: Quantitative measure based on a Company's Risk Appetite, which gives clear guidance on the level of risk to which the Company is prepared to be exposed and is set and applied in aggregate or individual units such as risk categories or business lines.
30. Risk Profile: Point in time assessment of the Company's gross and, as appropriate, net risk exposures aggregated within and across each relevant risk category based on forward looking assumptions.
31. Risk Management: The process through which risks are managed allowing all risks of a Company to be identified, assessed, monitored, mitigated (as needed) and reported on a timely and comprehensive basis.
32. Senior Management: The individuals or body responsible for managing the Company on a day-to-day basis in accordance with strategies, policies and procedures set out by the Board, generally including, but not limited to, the Chief Executive Officer, chief financial officer, chief risk officer, and heads of the compliance and internal audit functions.
33. Solvency Capital Requirement: Funds that the Company must maintain to cover current and projected operations during the next twelve months, which are measured to ensure that all quantitative risks have been taken into account.
34. Staff: All the persons working for a Company including the members of Senior Management, except for the members of its Board.
35. State: The United Arab Emirates.
36. Stress Testing: A method of assessment that measures the financial impact of stressing one or more factors which could severely affect the Company.
37. Subsidiary: An entity (the 'first entity') is a subsidiary of another entity (the 'second entity') if the second entity:
a. holds a majority of the voting rights in the first entity;
b. is a shareholder of the first entity and has the right to appoint or remove a majority of the Board of directors or managers of the first entity; or
c. is a shareholder of the first entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the first entity; or
d. if the first entity is a subsidiary of another entity which is itself a subsidiary of the second entity.
38. Takaful Insurance: A collective contractual arrangement aiming at achieving cooperation among a group of participants against certain risks whereby each participant pays certain contribution to form an account called the participants' account through which entitled compensations are paid to the member in respect of whom the risk has realized. The Takaful Insurance Company shall manage this account and invest the funds collected therein against certain compensation.
39. Takaful Regulation: The Central Bank of the UAE's Board of Directors' Resolution published in the Official Gazette issue No. (740) on 30 November 2022 Regulation Regarding Takaful Insurance, as amended from time to time.
Article (2): Systems of Risk Management and Internal Controls
1. A Company must have comprehensive and effective systems of Risk Management and Internal Controls that provide a Company-wide and, if applicable, Group-wide view of all material risks to which they are or could be exposed, and their interdependencies. This includes strategies, policies, processes, procedures, and controls to identify, assess, measure, monitor, control, report and mitigate material sources of risk, on a timely basis. A Company's definition and assessment of material risks must take into account its Risk Appetite, Risk Profile, nature, size and the complexity of its business and structure.
2. The Board must be in control of the Company and bears ultimate responsibility for ensuring that there are effective systems of Risk Management and Internal Controls appropriate to the Risk Profile, nature, size and complexity of the Company's business and structure
3. Senior Management is responsible for the implementation of sound policies, effective procedures and robust systems consistent with Board-approved systems of Risk Management and Internal Controls. The Board remains ultimately accountable, notwithstanding specific responsibilities delegated to Senior Management
4. A Company's organisational structure must incorporate a "three lines of defence" approach comprising of :
a. The business lines;
b. The risk, actuarial and compliance functions;
c. Independent internal audit function.
5. The Board must provide oversight of Senior Management. It must hold members of Senior Management accountable for their actions if they are not aligned with the Company's strategy and objectives.
6. Companies who have Group relationships must ensure the following:
a. Companies, for which the Central Bank is the primary regulator, who have significant Group relationships including Subsidiaries, Affiliates, or international branches must develop and maintain processes to coordinate the identification, assessment, measurement, evaluation, monitoring, reporting and control or mitigation of all internal and external sources of material risks across the Group. The process must provide the Board with a solo and Group-wide view of all material risks, including the roles and relationships of other Group entities to one another and to the Company.
b. The methods and procedures applied by Subsidiaries, Affiliates and international branches must support Risk Management on a Group-wide basis. Companies must conduct Group-wide Risk Management and prescribe Group policies and procedures, while Boards and Senior Management of Subsidiaries and Affiliates must have input with respect to the local and regional application of these policies and procedures and the assessment of local and regional risks.
Article (3): Effective Risk Management System
1. A Company's Risk Management system must be designed to operate at all levels to allow for the identification, assessment, monitoring, measuring, controlling, reporting and mitigating of all risks of the Company in a timely manner. It must take into account the probability, potential impact and time horizons of risk. An effective Risk Management system must include the following elements:
a. A documented Risk Management strategy, including a clearly defined Risk Appetite statement that is Board-approved, which mustbe in line with the Company's business activities.
b. Allocation of responsibilities for managing risks.
c. A documented process for the Board's approval for any deviation from the Risk Appetite.
d. Policies containing all material risks that the Company is exposed to and the levels of acceptable Risk Limits. The policies describe the obligations of Staff members in dealing with risk, including risk escalation and risk mitigation tools.
e. Processes and tools including Stress Testing, scenario analysis and Models for identifying, assessing, measuring, monitoring, controlling reporting and mitigating risks, along with contingency plans.
f. Regular reviews of the Risk Management system.
g. An effective Risk Management function.
2. The Risk Management system must cover, at a minimum underwriting, reserving, asset-liability management, investments, liquidity, reinsurance, concentration of risk, operational risk, risk-mitigation techniques and conduct of business. It must also cover the risks to be included in the calculation of the Solvency Capital Requirement as set out in the Financial Regulations as well as the risks which are not, or not fully, included in the calculation thereof.
3. In developing the Risk Management system, the following matters must be taken into consideration:
a. The Risk Profile of the Company must be modified according to circumstances, which requires incorporating new risks and updating the information related to risks that are already identified. The changing expectations of policyholders and other stakeholders must be taken into consideration.
b. Material changes, specifically that affect the Risk Profile, to the Risk Management system must be approved by the Board, documented and made available to internal audit, external audit and the Central Bank.
c. The Risk Management system must incorporate a feedback loop that provides for a process of assessing the effect of changes in risk leading to changes in Risk Management policy, Risk Limits and risk mitigating actions. Within a Group, sufficient coordination between the Parent and its Subsidiaries and Affiliates must be available, as part of their feedback loop
4. Where the Central Bank is not the primary regulator of a Company that is part of a Group and any element of its comprehensive approach to Risk Management is controlled or influenced by another entity in the Group, the Company's Risk Management system must specifically take into account risks arising from the Group relationship and clearly identify:
a. Linkages and any significant differences between the Company's and the Group's Risk Governance System.
b. Whether the Company's Risk Management function is derived wholly or partially from Group Risk Management functions.
c. The process for monitoring by, or reporting to, the Group on Risk Management.
5. As part of its Risk Management system the Company shall conduct its Own Risk and Solvency Assessment (ORSA) which must be conducted by the Risk Management function. That assessment must include at least the following:
a. The overall solvency needs, taking into account the specific risk profile, approved risk tolerance limits and the business strategy of the Company. The Company shall demonstrate the methods used in that assessment.
b. The compliance, on an ongoing basis, with the capital requirements, as set out in the Financial Regulations;
c. The compliance, on an ongoing basis, with the requirements regarding technical provisions, as laid out in the Financial Regulations;
d. The significance with which the risk profile of the Company deviates from the assumptions underlying the Solvency Capital Requirement as laid down in the Financial Regulations. Companies must take an active assessment of whether changes in the standard Model are consistent with their actual exposures;
e. The completion of the ORSA which must be an integral part of the business strategy and business planning process and must be taken into account on an ongoing basis in the strategic decisions of the Company and without any delay following any significant change in the Company's Risk Profile;
f. The reporting to the Central Bank of the results of each ORSA at the same time as it submits the Company's annual business plan in accordance to the timetable published by the Central Bank.
g. The reporting to the Central Bank of any additional requirements concerning (ORSA) which may be imposed pursuant to Regulations/decisions to be issued by the Central Bank in this regard.
Article (4): Effective System of Internal Controls
1. The Internal Controls system must ensure effective operations, adequate control of risks, prudent conduct of business, reliability of financial and non-financial information reported, compliance with Central Bank Laws and other relevant laws, Regulations and supervisory requirements and the Company's internal rules and decisions. It must cover all units and activities and must be regularly assessed, reviewed by the Board or the Board audit committee and updated as necessary. It must include appropriate control structure with control activities defined at every business unit level, as they must own, manage and report risks and must be accountable for establishing and maintaining effective Internal Controls policies and procedures. Control Functions must assess the adequacy of the controls used by the business units. The Internal Controls system must contain, at a minimum, the following components:
a. Segregation of duties and measures to prevent Conflicts of Interest, as follows:
1. Adequate independence and clear separation of duties and reporting lines between the persons who are responsible for certain processes or policies, and those who verify that the processes or policies are being applied.
2. Adequate independence, and clear separation of duties and reporting lines between those who design or operate certain controls and those who check if the controls are effective.
b. Policies and processes:
1. Incorporate adequate controls for all key business processes and policies, including processes for taking major business decisions and approving transactions, critical information technology functionalities, cyber security, access to critical information technology infrastructure by employees and related third parties and important legal and regulatory obligations.
2. Incorporate policies on training on controls, especially for Staff undertaking roles requiring elevated trust or responsibility, or Staff involved in the oversight of high-risk activities.
3. Centralised documented key processes and policies and their corresponding controls.
c. Information and communication:
1. All Staff must be fully aware of the requirements to comply with the Company's Internal Controls system.
2. The necessary information for decision making must be made available to decision makers in a timely manner, including, but not limited to, financial, operational, compliance and market information.
d. Monitoring and review:
1. Processes must be checked on a regular basis by the internal audit function to ensure that controls are effective.
2. The Internal Controls system must be assessed on a regular basis by the internal audit function, to determine its efficiency and effectiveness.
e. Reporting on the Internal Controls system must reference the policy for Internal Controls (such as responsibilities, compliance levels, validation and implementation of remediation plans), the stage of development, the performance of the business units, and deficiencies in application.
2. The Board must understand the control environment and direct Senior Management to ensure that for each business process and policy, there is an appropriate control. The Board must ensure the allocation of responsibilities for the design, documentation and operation of Internal Controls.
3. a. For branches of foreign Companies, a senior management committee or equivalent must be in place that consists of local functionaries. These internal Control Functions should report directly to their entity-level counterpart and/or to the board and/or relevant committees.
b. Local functionaries stated in the aforementioned paragraph (a) may not undertake more than one Control Function.
Article (5): Control Functions
1. A Company must have effective Control Functions with the necessary independence, authority and resources covering Risk Management, internal audit, compliance and actuarial. The effectiveness of the Control Functions must be assessed periodically by the Board.
2. The existence of a control function does not relieve the Board and Senior Management of their responsibilities.
3. Control functions must be well resourced, with qualified staff who must receive regular training relevant to their roles.
4. Control Functions must an have appropriate level of authority. The head of the control function must not participate in operational business responsibilities, such as underwriting, investment, reinsurance, sales or accounting.
5. The head of each control function must have access to the Board or the Board risk and/or audit committees and must submit periodic reports on the matters determined by the Board. The head of each control function must be able to meet regularly with the chair of any relevant Board committee without the presence of management.
6. Duties of the Board related to Control Functions include:
a. The Board must approve and document the authority and responsibilities of Control Functions, which must be reviewed periodically based on the recommendation of each Control Function.
b. The Board or the relevant Board committee must approve the appointment, dismissal, compensation, performance and any disciplinary action taken against the heads of Control Functions.
c. The Company must not dismiss the heads of Control Functions without first obtaining the no-objection of the Central Bank.
7. Compensation of employees in the Control Functions must be determined independently of the performance of the Company.
8. Control Functions must avoid Conflicts of Interest. Where any conflicts remain and cannot be resolved with Senior Management, these must be brought to the attention of the Board for resolution.
Article (6): Risk Management Function
1. The Risk Management system must address the following:
a. A Company must have an effective Risk Management function to identify, assess, measure monitor, control, report and mitigate its key risks in a timely manner and to promote and sustain a sound Risk Culture.
b. The Risk Management function is responsible for assisting the Board, Board committees and Senior Management with developing and maintaining the Risk Governance System.
c. A Company must have an adequately resourced Risk Management function headed by a Chief Risk Officer (CRO) or equivalent. The function must be independent of the management and decision-making of the Company's risk-taking functions.
2. The Risk Management function must have direct access to the Board and/or the Board risk committee and must provide them with reports on the following matters, at a minimum:
a. Assessment of risk positions, exposures and the steps being taken to manage them;
b. Assessment of changes in the Company's Risk Profile relative to Risk Appetite, including the ORSA;
c. Assessment of pre-defined Risk Limits;
d. Risk Management issues resulting from strategic affairs such as corporate strategy, mergers, acquisitions, major projects and investments;
e. Assessment of risk events and the identification of appropriate remedial actions and the assessment of results after implementation.
3. In developing the Risk Management system the following must be considered:
a. The head of the Risk Management function, the CRO or equivalent, must be of sufficient seniority and stature within the Company, to credibly challenge the heads of business lines and functions. The head of the Risk Management function must have the authority and obligation to inform the Board romptly of any circumstance that may have a material effect on the Risk Management system of the Company.
b. Outsourced activities must remain fully in scope of the Company's Risk Management responsibilities.
Article (7): Risk Measurement & Use of Models
1. A Company must have systems, including information technology capabilities, which are commensurate with the Risk Profile, nature, size and complexity of its business and structure, in order to identify, measure and monitor risk.
2. The Board must have sufficient expertise to understand and oversee the risk measurement systems, including any use of Models.
3. Where a Company uses Models to measure components of risk, it must have appropriate internal processes for the development and approval of use of such Models and must perform regular and independent validation and testing of the Models. The Board remains ultimately accountable whether the approval for use of such Models is provided by the Board or through authority delegated to management.
Article (8): Stress Testing of Material Risks
1. A Company must implement a forward-looking Stress Testing programme as part of its comprehensive approach to Risk Management. Extreme, but plausible, adverse scenarios for a range of material risks must be included in the Stress-Testing programme, commensurate with the size of the Company's risk exposures. The results of the Stress Testing programme must be reflected on an ongoing basis in the Company's risk management, in order to help the Company in maintaining an awareness of the impact of the stresses on its financial position, including contingency planning and the Company's internal assessment of its capital and liquidity.
2. A Company's internal process for assessing capital and liquidity requirements must take into account the nature and level of risks taken by the Company. In addition to the specific risks identified by the Central Bank in the Financial Regulations, a Company must consider all other material risks.
Article (9): Compliance Function
1. A Company must have an effective compliance function in order to fulfil its legal and regulatory obligations and to promote and sustain a compliance culture. The compliance function must establish and maintain appropriate mechanisms and activities to identify, assess, report on and address key legal and regulatory obligations, conduct training on key legal and regulatory obligations, facilitate confidential reporting and conduct assessments on matters related to compliance.
2. The Board is ultimately responsible for creating a corporate culture that is based on honesty, integrity and a commitment to comply with all relevant legislation, regulations and Internal Controls. Such commitment must be reflected in the code of conduct of the Company.
3. A Company must have a Board-approved compliance policy that is communicated to all members of Staff specifying the purpose, standing, and authority of the compliance function within the Company, and if applicable the Group.
4. The compliance function must have access to and provide written reports to the Board and Senior Management on matters related to compliance risks, including but not limited to:
a. Assessment of the key compliance risks the Company faces and the steps being taken to ddress them;
b. Assessment of how the various parts of the Company such as divisions, major business units, and products are performing against compliance standards and goals;
c. Any compliance issues involving management or persons in positions of major responsibility within the Company, and the status of any associated investigations or other actions being taken; and
d. Material compliance violations or concerns involving any other person or unit of the Company and the status of any associated investigations or other actions being taken.
5. The Head of the compliance function must have primary reporting obligations to the Chief Executive Officer and must have direct access to the Board and/or Board audit and/or risk committee. The head of the compliance function must have access to the Chair of the Board to report any delay on rectifying any material noncompliance issues.
6. The Staff within the compliance function must be adequate, competent and collectively have the appropriate experience to ensure that compliance risk within the Company is managed effectively.
7. Outsourced activities must remain fully in scope of the Company's compliance responsibilities.
8. The compliance function must prepare and regularly update a compliance risk programme that sets out its planned activities. The activities of the compliance function must be subject to periodic and independent review by the internal audit function.
Article (10): Actuarial Function
a. A Company must have an effective and independent actuarial function capable of evaluating and providing advice regarding, at a minimum, technical provisions, premium and pricing adequacy, solvency, capital adequacy and reinsurance, so as to contribute to the effective implementation of the risk management system to satisfy all of the actuarial requirements pursuant to the following, as amended from time to time:
1. Federal Law No. (6) of 2007 Concerning On the Organization of Insurance Operations, as amended and its Executive Regulations;
2. The Financial Regulations;
3. The Actuaries' Regulation;
4. The Pricing Regulation;
5. The Takaful Regulation;
6. The Life Insurance Regulation; and
7. Any other regulation or requirement issued by the Central Bank.
b. The Company's actuarial function must have primary reporting obligations to the Chief Executive Officer and a right of access to the Board or the Board audit committee and/or Board risk committee.
Article (11): Internal Audit Function
1. A Company must have an effective internal audit function that provides the Board/Board audit committee and Senior Management with independent evaluation and assurance of the adequacy and effectiveness of the Internal Controls system, Risk Management, compliance and other elements of the corporate governance framework.
2. Internal audit must also use general and specific audits, reviews and testing, in respect of:
a. Preserving the assets of the Company and policyholders, preventing fraud and misappropriation of assets, and assessing the effectiveness of the controls in place in this regard;
b. Assessing the reliability and efficiency of the accounting, financial, risk and compliance reporting information and the effectiveness of the controls in place; and
c. Other matters requested by the Board.
3. The internal audit function must be independent from management or any other Control Functions, and report directly to the Board or the Board audit committee, and must be able to meet with them without the presence of Senior Management, as needed.
4. The internal audit function must be independent of the audited activities and have sufficient standing and authority within the Company, thereby enabling the internal audit function to carry out its responsibilities and main activities as specified in the accompanying Standards, in an independent manner.
5. The Board must ensure that the internal audit function has the authority to:
a. Communicate with all members of Staff and obtain all records, files or data of the Company, and if applicable Group and Affiliates, whenever relevant to the performance of its duties.
b. Initiate a review of any area consistent with its mission; and
c. Require management's response to any audit report, and details on the remedial action taken.
6. The internal audit function must cover within its scope of work, all material areas of risk, including underwriting, reserving, asset-liability management, investments, liquidity, reinsurance, concentration of risk, operational risk, risk-mitigation techniques and conduct of business, intra-group transaction(if any), compensation and timeliness of reporting. The Internal audit function must have full access to and communication with any member of Staff, as well as full access to records, files or data of the Company, and if applicable, the Group and Affiliates, whenever relevant to the performance of its duties.
7. The Internal Controls within a Company must address the following:
a. Outsourced activities must remain fully in scope of the Company's internal audit responsibilities.
b. The internal audit function must regularly review and report to the Board, or the Board audit committee, on compliance with and the ffectiveness of the Company's outsourcing policies and procedures.
8. Any findings and recommendations of the internal audit function must be reported to the Board and/or audit committee, which shall review what actions are to be taken with respect to each of the internal audit findings and recommendations and must ensure that those actions are carried out.
9. The Staff within the internal audit function must be adequate, competent and collectively have the appropriate experience to understand and evaluate all of the business activities, support and Control Functions of the Company, and if applicable, the Group.
10. The head of internal audit must ensure that the function complies with the Institute of Internal Auditors' (IIA) international Standards for the Professional Practice of Internal Auditing.
11. Companies must have an internal audit charter approved by the Board audit committee, that articulates the purpose, standing and authority of the internal audit function within the Company, and if applicable, the Group.
12. Senior Management must inform the internal audit function, on a timely basis, of any changes to the Company's, or if applicable, the Group's, Risk Governance System.
13. Senior Management must ensure that timely and appropriate actions are taken on all internal audit findings and recommendations.
Article (12): Outsourcing
1. The Risk Governance System must address the following matters:
a. Companies' Risk Governance Systems must include policies and procedures for the assessment of any proposed Outsourcing and the identification, assessment measurement, monitoring, controlling, reporting and mitigating of any risks associated with existing and proposed Outsourcing arrangements.
b. The Risk Governance System must provide an entity-wide or, if applicable, Group-wide view of the risks associated with Outsourcing, including any services the Company provides to, or receives from, other Group members.
c. Companies must maintain a comprehensive and updated register of all Outsourcing arrangements, including all material and non-material Outsourcing arrangements, on an entity and group-wide basis.
2. When a Company is Outsourcing, it must ensure that the following measures are in place, at a minimum:
a. Any outsourced Material Business Activity or function must be subject to oversight, accountability, review and assessment in the equivalent manner that non-outsourced activities or functions are. Outsourcing must not adversely affect the Company's ability to manage its risks.
b. A Company is fully responsible for the risks arising from any process or activity they outsource.
c. A Company must have a process for determining the materiality of outsourced activities. The process of identifying Material Business Activity must consider the potential of the outsourced activity to adversely affect the Company's operations and its ability to manage risks, if disrupted or performed poorly.
d. Companies must obtain the 'no objection' of the Central Bank prior to outsourcing any Material Business Activity.
3. The Board and Senior Management are ultimately responsible for any outsourced functions or activities. The Board must assess the ability of the Company's Risk Management and Internal Controls to manage the outsourced risks effectively in respect of business continuity.
4. Outsourced activity must be governed by written contracts that state the parties' rights and obligations. The Board and Senior Management must consider when outsourcing an activity, the effects of the Company's Risk Profile, the service provider's expertise, knowledge, governance, Risk Management, Internal Controls, financial viability along with the succession issues upon the ending of the contractual relationship with the service provider.
5. A Company is responsible for compliance with Central Bank Laws and Regulations and all other relevant laws and regulations applicable to their outsourced activities.
6. The compliance function must regularly review and report to Senior Management, or to the Board as necessary, on the compliance of Outsourcing service providers with the laws, regulations and policies applicable to the Company.
7. When Outsourcing outside the State:
a. The Master System of Record, which includes all Confidential Data, must be ontinuously maintained and stored within the State.
b. As an exception to paragraph (12.7.a) above and subject to Central Bank approval, branches of foreign Companies may comply with this requirement by retaining a copy of the Master System of Record, updated on at least a daily basis, within the State.
c. A Company's customers' Confidential Data must not be shared outside the State without Central Bank approval and obtaining prior written consent from the customer. Companies must also obtain written acknowledgement from their customers that their Confidential Data may be accessed as part of legal proceedings or pursuant to an order of a court of competent jurisdiction outside the State in such circumstances.
d. A Company must not enter into Outsourcing agreements that involve sharing Confidential Data with a service provider domiciled in a jurisdiction that cannot provide the same level of safeguarding of Confidential Data that would apply if the data was kept in the tate. This applies to all jurisdictions applicable to all parties to the agreement.
e. Companies are not permitted to enter into Outsourcing agreements that propose the storage of data in any jurisdiction where Company secrecy, or other laws, restrict or limit access to data necessary for supervisory and regulatory purposes.
Article (13): Countering Fraud in Insurance
1. In order to reduce fraud risks, a Company must undertake the following, at a minimum:
a. A Company must have effective measures to deter, prevent, detect, report and remedy internal and external fraud.
b. The Board and Senior Management are ultimately responsible for fraud Risk Management.
c. A Company's fraud Risk Management system must cover strategy, organizational structure, policies and procedures. The fraud management strategy must be regularly reviewed by the Board and Senior Management to ensure that it continues to be effective.
d. A Company must identify, assess, measure, monitor, control, report and mitigate fraud risk and create appropriate fraud Risk Management policies and procedures in its processes across the Company.
2. A Company must require high standards for integrity in its Board and Staff as part of its business values and organizational culture. These standards must be communicated throughout the Company.
3. The Board must approve the fraud Risk Management strategy and ensure that there are adequate resources, support and expertise for the effective implementation of such strategy. Any deviation from the fraud Risk Management strategy must require the Board's approval.
4. Additional requirements concerning countering fraud in insurance may be imposed pursuant to Regulations or decisions, which may be issued by the Central Bank in this regard.
Article (14): Duty To Report To The Central Bank
1. The heads of Risk Management, compliance, actuarial and/or internal audit must promptly report to the Central Bank any violations of the Central Bank Laws, any of the Regulations and/or instructions issued by the Central Bank and any Matters of Significance. Heads of Risk Management, compliance, actuarial and internal audit making such reports in good faith shall not be considered to have breached any of their obligations.
2. Companies must promptly notify the Central Bank in case of resignation of their heads of Risk Management, compliance or internal audit and the reasons thereto.
3. Companies must also promptly notify the Central Bank when they become aware of a significant deviation from their Board-approved Risk Management and/or compliance and actuarial policies, and internal control charters.
Article (15): Takaful Insurance
A Company offering Takaful Insurance must ensure compliance with Shari'ah provisions pursuant to the Financial and Takaful Regulations, in addition to the requirements of this Regulation.
Article (16): Enforcement
1. Violation of any provision of this Regulation and the accompanying Standards may be subject to supervisory action and sanctions as deemed appropriate by the Central Bank.
2. Without prejudice to the provisions of the Central Bank Law, supervisory action and sanctions by the Central Bank may include withdrawing, replacing or restricting the powers of Senior Management or members of the Board, providing for the interim management of the Company, or barring individuals from the UAE insurance sector.
Article (17): Interpretation of the Regulation
The Regulatory Development Division of the Central Bank shall be the reference for interpretation of the provisions of this Regulation.
Article (18): Publication And Application
1. This Regulation shall be published in the Official Gazette in both Arabic and English and shall come into effect one month from the date of publication.
2. On the effective date of this Regulation, any Company which is not compliant with the Regulation must, within ninety (90) days, provide the Central Bank with a detailed plan for coming into compliance with the requirements herein. The Central Bank will decide on the adequacy of the proposed plan.
Risk Management and Internal Controls Standards for Insurance Companies
Introduction
1. These Standards form part of the Risk Management and Internal Controls Regulation for Insurance Companies (Circular No. 25/2022 dated 30 December 2022). All Companies must comply with these Standards which expand on the Regulation. These Standards are mandatory and enforceable in the same manner as the Regulation.
2. A Company’s Board is in ultimate control of the Company and therefore responsible for ensuring that a comprehensive approach to the systems of Risk Management and Internal Controls is implemented. There is no one-size-fits-all or single best solution. Accordingly, each Company could meet the minimum requirements of the Regulation and Standards in a different way and thus may adopt an organisational framework appropriate to the Risk Profile, nature, size and complexity of its business and structure. The onus is on the Board to demonstrate that it has implemented a comprehensive approach to systems of Risk Management and Internal Controls. Companies are encouraged to adopt leading practices that exceed the minimum requirements of the Regulation and Standards.
3. The Standards follow the structure of the Regulation, with each article corresponding to the specific article in the Regulation.
Article (1): Definitions
1. Affiliate: An entity that, directly or indirectly, is controlled by, or is under common control with another entity. The term control as used herein shall mean the holding, directly or indirectly, of voting rights in another entity, or of the power to direct or cause the direction of the management of another entity.
2. Authorized Manager: The person appointed by the foreign insurance company to manage its branch in the State.
3. Board: The Company’s board of directors.
4. Central Bank: The Central Bank of the United Arab Emirates.
5. Chief Executive Officer: The most senior executive appointed by the Board, and in the case of foreign branches, this refers the Authorized Manager.
6. Central Bank Laws: Decretal Federal Law No. (14) of 2018 Regarding the Central Bank & Organization of Financial Institutions and Activities, as amended and Federal Law No. (6) of 2007 Concerning the Organization of Insurance Operations, as amended and its Executive Regulations.
7. Company: The insurance company incorporated in the State, or a foreign branch of an insurance Company, that is licensed to underwrite primary insurance and reinsurance, including Takaful insurance companies.
8. Conflict of Interest: A situation of actual or perceived conflict between the duty and private interests of a person, which could improperly influence the performance of his/her duties and responsibilities.
9. Confidential Data: Account or other data relating to a Company customer, who is or can be identified, either from the Confidential Data, or from the Confidential Data in conjunction with other information that is in, or is likely to come into, the possession of a person or organization that is granted access to the Confidential Data.
10. Control Function: Function (whether in the form of a person, unit or department) that has a responsibility in a Company to provide objective assessment, reporting and/or assurance; this includes the risk management, compliance, actuarial, internal audit and where applicable Shari’ah control and Shari’ah audit functions.
11. Controlling Shareholder: A shareholder who has the ability to directly or indirectly influence or control the appointment of the majority of the Board, or the decisions made by the Board or by the general assembly of the Company, through the ownership of a percentage of the shares or stocks or under an agreement or other arrangement providing for such influence.
12. Enterprise Risk Management (ERM): The strategies, policies and processes of identifying, assessing, measuring, monitoring, controlling, reporting and mitigating risks in respect of the Company’s enterprise as a whole.
13. Financial Regulations: Insurance Authority Board of Directors’ Decision No. (25) of 2014 Pertinent to Financial Regulations for Insurance Companies and the Insurance Authority Board of Directors’ Decision No. (26) of 2014 Pertinent to Financial Regulations for Takaful Insurance Companies.
14. Group: A group of entities which includes an entity (the ‘first entity’) and:a. any Parent of the first entity;
b. any Subsidiary of the first entity or of any Parent of the first entity;
c. any Affiliate.
15. Internal Controls: A set of processes, polices and activities governing a Company’s organisational and operational structure, including reporting and control functions.
16. Insurance Related Professions: Any person licensed to practice any of the activates of an insurance agent, actuary, insurance broker, surveyor and loss adjuster, insurance consultant or any other insurance-related profession that the Central Bank decides to regulate.
17. Model: A quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates.
18. Outsourcing: An arrangement between a Company and a service provider, whether the service provider operates within or outside the UAE, for the latter to perform a process, service or activity which would otherwise be performed by the Company itself.
19. Own Risk and Solvency Assessment (ORSA): an internal process undertaken by a Company/ Group to assess the adequacy of its Risk Management and current and prospective solvency positions under normal and severe stress scenarios. It requires a Company to analyze all reasonably foreseeable and relevant material risks. It covers current and future risks and requires Company-specific judgment about risk management and the adequacy of their capital position that could have an impact on it’s ability to meet both its business objectives as well as its policyholder obligations. This encourages management to anticipate potential business challenges, capital needs and to take proactive steps to reduce risks. ORSA is not a one-off exercise; it is a continuously evolving process and must be a component of a Company’s Enterprise Risk Management (ERM) framework. Whilst there is not one specific way of conducting an ORSA, the output is expected to be a set of documents that demonstrate the results of management's proactive approach to its own self-assessment.
20. Parent: An entity (the 'first entity') which:
a. holds a majority of the voting rights in another entity (the 'second entity');
b. is a shareholder of the second entity and has the right to appoint or remove a majority of the Board of directors or managers of the second entity; or
c. is a shareholder of the second entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the second entity; or
d. if the second entity is a Subsidiary of another entity which is itself a Subsidiary of the first entity.
21. Regulations: Any resolution, regulation, circular, rule, standard or notice issued by the Central Bank.
22. Risk Appetite: The aggregate level and types of risk a Company is willing to assume, within its risk capacity, to achieve its strategic objectives and business plan.
23. Risk Culture: The set of norms, values, attitudes and behaviors of a Company that characterizes the way in which it conducts its activities related to risk awareness, risk taking and risk management and controls.
24. Risk Governance System: As part of the overall approach to Corporate Governance, the framework through which the Board and Senior Management establish and make decisions about the Company’s strategy and risk approach; articulate and monitor adherence to the Risk Appetite and Risks Limits relative to the Company’s strategy; and identify, measure, manage, and control risks.
25. Risk Limits: Quantitative measure based on a Company’s Risk Appetite which gives clear guidance on the level of risk to which the Company is prepared to be exposed and is set and applied in aggregate or individual units such as risk categories or business lines.
26. Risk Profile: Point in time assessment of the Company’s gross and, as appropriate, net risk exposures aggregated within and across each relevant risk category based on forward looking assumptions.
27. Risk Management: The process through which risks are managed allowing all risks of a Company to be identified, assessed, monitored, mitigated (as needed) and reported on a timely and comprehensive basis.
28. Senior Management: The individuals or body responsible for managing the Company on a day-to-day basis in accordance with strategies, policies and procedures set out by the Board, generally including, but not limited to, the Chief Executive Officer, chief financial officer, chief risk officer, and heads of the compliance and internal audit functions.
29. Staff: All the persons working for a Company including the members of Senior Management, except for the members of its Board.
30. State: The United Arab Emirates.
31. Stress Testing: A method of assessment that measures the financial impact of stressing one or more factors which could severely affect the Company.
32. Subsidiary: An entity (the 'first entity') is a subsidiary of another entity (the 'second entity') if the second entity:a. holds a majority of the voting rights in the first entity;
b. is a shareholder of the first entity and has the right to appoint or remove a majority of the Board of directors or managers of the first entity; or
c. is a shareholder of the first entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the first entity; or
d. if the first entity is a subsidiary of another entity which is itself a subsidiary of the second entity.
33. Takaful Insurance: A collective contractual arrangement aiming at achieving cooperation among a group of participants against certain risks whereby each participant pays certain contribution fees to form an account called the participants' account through which entitled compensations are paid to the member in respect of whom the risk has realized. The Takaful Insurance Company shall manage this account and invest the funds collected therein against certain remuneration.
2. Systems of Risk Management and Internal Controls
1. A Company must establish, implement and maintain systems of Risk Management and Internal Controls that enable it to identify, assess, measure, monitor, control, mitigate and report on risk. Systems of Risk Management and Internal Controls will vary with the specific circumstances of the Company, particularly the Risk Profile, nature, scale and complexity of its business and structure.
2. The Board is responsible for the implementation of an effective Risk Culture and Internal Controls across the Company and its Subsidiaries, Affiliates and international branches, where applicable. The Board approved systems of Risk Management and Internal Controls must incorporate a "three lines of defense" approach which includes the business lines being the first line, Control Functions of Risk Management, compliance and actuarial, being the second line and an independent and effective internal audit function as the third line.
a. Business line management - must take the responsibility of identification and control of risks. The business line management must : 1. Manage and identify risks arising from the activities of the business line;
2. Ensure that activities are within the Company's Risk Appetite, Risk Management policies and limits;
3. Design, implement and maintain effective system of Internal Controls; and
4. Monitor and report on business line risks.
b. Risk Management, actuarial and compliance functions- must take responsibility for setting standards and challenging business lines. The following must be adhered to: 1. The Risk Management function must establish Company-wide, or if applicable, Group-wide risk and control strategies and policies, provide oversight and independent challenge of business lines' accountabilities, develop and communicate risk and control procedures, and monitor and report on compliance with Risk Appetite, policies and Risk Limits.
2. The Compliance function must assess Company-wide adherence to requirements, develop and communicate compliance policies and procedures, measure, monitor and report on compliance with Central Bank laws and other relevant laws, corporate governance and Internal Controls rules, Regulations and policies to which the Company is subject.
3. The actuarial function must provide advice on technical provisions, premium and pricing activities, capital adequacy, reinsurance and compliance with related statutory and regulatory requirements, at a minimum.
c. Internal audit function has the duty of providing independent assurance. The function is responsible to the following matters, at a minimum: 1. Independently assess the effectiveness and efficiency of the Internal Controls, Risk Management and governance systems and processes.
2. Independently assess the effectiveness of business line management in fulfilling their mandates and managing risks.
3. The Risk Management and Internal Controls systems must be comprised of the following at a minimum: a. Strategies setting out the approach of the Company to dealing with specific areas of risk and regulatory obligations in accordance with the Company's nature, Risk Profile, scale and complexity.
b. Policies defining the procedures and other requirements that members of the Board and Staff need to follow in order to ensure consistency in approach.
c. Process for the implementation of the Company's strategies and policies in order to ensure completeness in approach.
d. Controls to ensure that strategies, policies and processes are in fact in place, are being observed and are attaining their intended objectives in order to ensure adequacy and appropriateness in approach.
3. Effective Risk Management System
1. The Risk Management system must address the following:
a. Identification:
1. All reasonably foreseeable and relevant material risks are taken into consideration.
2. New activities and products must be subject to risk review and must be approved by the Board, including strategic affairs, such as corporate strategy, mergers, acquisitions, major projects and investments.
b. Assessment:
1. Qualitative and quantitative assessments of all reasonably foreseeable and relevant material risks and risk interdependencies for risk and capital management.
2. Quantification of risk and risk interdependencies using appropriate tools under a sufficiently wide range of techniques for risk and capital management.
3. As necessary, include the results of Stress Testing to assess the resilience of the Company's total balance sheet against severe but plausible stresses including considerations of macroeconomic stresses.
c. Monitoring:
Early warning indicators that enable the appropriate response to all identified material risks. This shall reflect the relationship between the Company's Risk Appetite, Risk Limits, regulatory capital requirements, economic capital and the processes and methods for monitoring risk. A Company must have its own view on how much capital it needs over and above the regulatory capital to fulfill its wider economic needs and manage risks.
d. Mitigation:
1. Strategies and tools are in place to mitigate material risks.
2. The Company must reduce or control material risks to within Risk Appetite and Risk Limits, or transfer to/share with a third party.
3. If a Company cannot mitigate or control the risk, then it must cease or change the activity.
e. Reporting:
1. Risks and assessments must be reported to the Board using qualitative and quantitative indicators, including ORSA along with effective action plans, at least annually.
2. The Board is ultimately responsible for risk oversight. The Risk Management policy covers the frequency of reporting. Any deviation from Risk Appetite is subject to Board review and approval.
f. Risk Management policies:
1. Must enable Staff to understand their risk responsibilities.
2. Must explain the relationship between the Risk Management system and how it addresses risks according to the insurer's Risk Appetite and Risk Limits, and the overall corporate governance framework.
3. Must outline how relevant material risks are managed.
4. On-going communication and training on risk policies must be conducted.
2. Groups must adopt a strong and consistent Risk Management and compliance culture across the Group and at the entity levels. Coordination between the Group and the Company is required to ensure the overall effectiveness of Risk Management and Internal Controls.
3. The Risk Appetite statement is a written articulation of the aggregate level and types of risk that a Company is willing to accept or avoid in order to achieve its business objectives. At a minimum, it must include the following:
a. For each material risk, the maximum level of risk that the Company is willing to operate within, expressed as a limit in terms of:
1. Quantitative measures expressed relative to earnings, capital, liquidity and other relevant measures as appropriate.
2. Qualitative statements or limits, as appropriate, particularly for reputation, compliance and legal risks.
b. Delineation of any categories of risk that the Company is not prepared to assume.
c. The process for ensuring that the Risk Limits are set at an appropriate level for each risk, considering both the probability of loss and the magnitude of loss in the event that each material risk is realised.
d. The process for monitoring compliance with each Risk Limit and for taking appropriate action in the event that they are breached.
e. The timing and process for review of the Risk Appetite and Risk Limits.
f. Quantitative Risk Limits and metrics must include, but not be limited to:
1. Capital targets beyond regulatory requirements, such as economic capital or capital-at-risk;
2. Various liquidity ratios and survival horizons;
3. Earnings volatility;
4. Value at risk;
5. Risk concentrations by internal or external rating;
6. Expected loss, expense, commission and/or combined ratios;
7. Economic value added; and
8. Stressed targets of capital, liquidity and earnings.
9. Underwriting risk, including growth and renewal rates of business, risk retention, balance between lines of business, premium rate adequacy versus technical rates, and claim settlement.
10. Credit risk, including credit quality of reinsurers, credit quality of investment assets and receivable delay management.
11. Investment risk, including asset allocations to achieve adequate diversification and target investment returns. This must be linked to the asset-liability management (ALM) policy and investment policy which specifies the nature, role and extent of ALM activities and their relationship with product development, pricing and investment management.
12. Operational risk, including consideration of risks arising from people, systems, processes as well as cyber security.
4. The Risk Management system must include risk policies that cover at least the following areas:
a. Credit risk;
b. Balance sheet and market risk (including investment, asset-liability management, liquidity and derivatives risks);
c. Reserving risk;
d. Insurance risk (including underwriting, product design, pricing and claims settlement risks);
e. Reinsurance risk;
f. Operational risk (including business continuity, outsourcing, fraud, technology, legal and project management risks);
g. Concentration risk; and
h. Group risk.
4. Effective System of Internal Controls
1. The Board or the Board audit committee must review, at least annually, the effectiveness of the Company's Internal Controls system and processes, by means of:
a. Periodic discussions with Senior Management about the effectiveness of the Internal Controls system.
b. A timely review of evaluations of Internal Controls conducted by Senior Management, internal auditors, the Risk Management function and external auditors.
c. Periodic follow up to ensure that Senior Management has promptly complied with the recommendations and concerns on control weaknesses expressed by Risk Management, internal auditors and external auditors and the Central Bank.
d. A periodic review of the appropriateness of the internal controls, commensurate to the Company's strategy and Risk Limits.
2. The Company's Internal Controls system must, at a minimum, address:
a. Organisational structure: definitions of duties and responsibilities including clear delegations of authority, such as decision-making policies and processes and procedures, separation of critical functions, including, but not limited to, Risk Management, actuarial, accounting, audit and compliance.
b. Accounting and financial reporting policies and processes.
c. Checks and balances (or "four eyes" principle): segregation of duties, cross checking, dual control of assets and double signatures.
d. Safeguarding assets and investment: physical control and computer access, measures of prevention and early detection and reporting of misuse, such as fraud, embezzlement, unauthorised trading and computer intrusion.
5. Control Functions
1. The authority and responsibilities of each control function must be set out in writing and made part of the Company's governance documentation.
2. Staff who perform Control Functions must be suitable for their role and meet any applicable professional qualifications and standards. Higher expectations must be placed on the head of each control function.
3. The head of each control functions must regularly review the adequacy of the function's resources and request adjustments from Senior Management/ Board as necessary.
4. Each control function must have the authority to communicate on its own initiative with any employee and to have unrestricted access to information in any business unit that it needs to carry out its responsibilities. The control functions must have the right to conduct investigations of possible breaches and to request assistance from specialists from within or outside of the Company.
6. Risk Management Function
1. The Risk Management function must have responsibility for the following, at a minimum:
a. Providing risk analysis and performance risk reviews to the Board and Senior Management;
b. Identifying individual and aggregated risks (actual, emerging and potential) that the Company faces;
c. Identifying, assessing, monitoring, mitigating, controlling and reporting risks, including the Company's capacity to absorb risk with due regard to the nature, probability, duration, correlation and potential severity of risks;
d. Gaining and maintain an aggregated view of the Risk Profile of the Company on an entity and/or Group-wide basis;
e. Assessing the impact of the compensation arrangements and incentives;
f. Evaluating the internal and external risk environment on an on-going basis in order to identify and assess potential risks as early as possible. This may include looking at risks from different perspectives, such as by geographic region or by line of business;
g. Establishing a process for conducting forward-looking assessments of the Risk Profile on a regular basis;
h. Providing periodical reports to the Board, Senior Management and other Control Functions on the Risk Profiles, risk exposures and the necessary mitigation actions; and
i. Reporting material changes affecting the Risk Management system to the Board along with recommendations to improve the system.
2. The CRO, or equivalent, must:
a. Not have a decision-making role in the Company's risk-taking functions, including underwriting or other equivalent function.
b. Have no revenue-generating responsibilities.
c. Have no compensation based on the performance of any of the Company's risk-taking functions.
d. Not be the Chief Executive Officer of the Company, or the head of underwriting or reinsurance, or the head of the compliance or internal audit functions.
e. Have a direct reporting line to the Board and/or risk committee and appropriate reporting lines to Senior Management.
f. Have unfettered access directly to the Board's risk committee, including the ability to meet without other Senior Management present.
3. The Board must ensure that the Risk Management function is properly staffed, resourced and carries out its responsibilities independently and effectively. This includes unrestrained access to all information needed for the Risk Management function to fulfill its duties.
7. Risk Measurement and the Use of Models
1. A Company must use measurement methodologies commensurate with the Risk Profile, nature, size and complexity of the business and the structure of the Company, including, but not limited to, scenario analysis and Stress Testing. Common metrics must be employed on a Company (or Group)-wide basis to foster a Company (or Group)-wide approach and effective identification and monitoring of risks across the Company (or Group).
2. Risk measurement and modelling techniques must be used in addition to qualitative risk analysis and monitoring. The comprehensive approach to risk management must include policies and procedures for the development and internal approval for the use of Models or other risk measurement methodologies. Where the Models, or data for the Models, are supplied by a third party, there must be a process for the validation of the Model and data relative to the specific circumstances of the Company.
3. A Company must perform regular validation and testing of Models. This must include evaluation of the conceptual soundness, ongoing monitoring including process verification and benchmarking and outcomes analysis, including back-testing. Stress Testing and scenario analysis must be used to take into account the risk of Model error and uncertainties associated with valuations and concentration risks.
4. Model-based approaches must be supplemented by other measures. These include qualitative assessment of the logic, judgement and types of information used in Models, as well as assessment of policies, procedures, Risk Limits and exposures, especially with respect to difficult to quantify risks such as operational, compliance and reputational.
8. Stress Testing of Material Risks
1. A Company must have a forward looking Stress Testing programme that addresses inter alia, underwriting, reserving, asset-liability management, investments, liquidity, reinsurance, concentration of risk, operational risk, risk-mitigation techniques and conduct of business , taking into account, that based on the Risk Profile of the Company, capital may be required in excess of the minimum capital requirements. The Stress Testing programme must also include any risks that are material for the Company given the nature of the business. These may include, but are not limited to, Credit risk, balance sheet and market risks, reserving; pricing, claims, reinsurance, operational, concentration and Group risks.
2. A Company's Stress-Testing programme must be undertaken on a regular basis to facilitate the tracking of trends over time and developments in key risk factors and exposure amounts, in addition to ad hoc Stress Tests, when needed. The programme must cover at a minimum a range of scenarios based on reasonable and plausible assumptions regarding dependencies and correlations. Senior Management and, as applicable, the Board or Board risk committee must review and approve the scenarios.
3. Stress Test programme results must be periodically reviewed by the Board or the Board risk committee. Results must be incorporated into reviews of the Risk Appetite, capital and liquidity planning processes. The Risk management function is responsible for recommending any action required, for example adjustments of Risk Limits or contingency arrangements, based on Stress Test results. The results of Stress Tests and scenario analysis must be communicated to the relevant business line management and functional heads within the Company to assist them in understanding and mitigating the risks inherent in their activities. Stress test programme results must factor into the Company's contingency planning, particularly liquidity Risk Management and contingency funding.
9. Compliance Function
1. Compliance Staff must have a sound understanding of the Central Bank laws and other relevant laws, Regulations, rules and standards, relevant to the Company's business and keep abreast with their development and any amendments thereof. The professional skills of compliance Staff must be maintained through regular and systematic education and training, including courses on real cases relating to money laundering, financing of terrorism and proliferation financing.
2. The compliance function must have access to any member of Staff and all records and data of the Company, and if applicable, the Company's Affiliates and Subsidiaries, which are required to comply with the Central Bank's requirements.
3. A consistent approach to compliance across the Group may be achieved through the establishment of a Group compliance function accountable to the Board of the Controlling Shareholder, or through compliance functions established in each entity (or branch) and accountable to those entities' Boards and also reporting to the Group's head of compliance.
4. The compliance function must be assigned responsibility for the following, at a minimum:
a. Establishing a compliance policy and a compliance plan. The compliance policy must define the responsibilities, competencies and reporting duties of the compliance function. The compliance plan must set out the planned activities of the compliance function which take into account all relevant areas of the activities of the Company and exposure to compliance risk.
b. Assessing the adequacy of the measures adopted by the Company to prevent non-compliance with Central Bank Laws and Regulations.
c. Maintaining a corporate culture that is based on responsible conduct and compliance with internal and external obligations.
d. Identifying, assessing, monitoring, mitigating, reporting on, and addressing regulatory obligations and the risks associated therewith.
e. Conducting on-going training on regulatory obligations for Staff responsible for high risk activities.
f. Enabling confidential reporting by Staff regarding any breach of legal or regulatory obligations or internal policies.
g. Addressing any instances of non-compliance and ensuring that disciplinary action is taken, along with the required reporting to the Central Bank.
10. Actuarial Function
An effective actuarial function must be well resourced and properly authorised and staffed as it plays a major role in the Company's overall system of Risk Management and Internal Controls. The actuarial function conducts all the actuarial undertakings per Article (10) of the Regulation, which must include, among other undertakings, the following:1. Applying methodologies and procedures to assess the sufficiency of the Company's liabilities, including policy provisions and aggregate claim liabilities, as well as determination or reserves for financial risks and to ensure that their calculation is consistent with the requirements set out in the Financial Regulations. This must also include assessing the uncertainty associated with the estimates made in the calculation of the Company's liabilities;
2. Asset liability management with regards to the adequacy and the sufficiency of assets and future revenues to cover the Company's obligations to policyholders and capital requirements, as well as other obligations or activities;
3. Reviewing the Company's investment policies and completing the valuation of assets;
4. The solvency position of the Company, including a calculation of minimum capital required for regulatory purposes and liability and loss provisions;
5. Advising on the Company's prospective solvency position by conducting capital adequacy assessments and Stress Tests under various scenarios, and measuring their relative impact on assets and/or liabilities, and actual and future capital levels;
6. Developing risk assessment and management policies and controls relevant to actuarial matters or the financial condition of the Company;
7. Ensuring the fair treatment of policyholders with regard to distribution of profits awarded to them, when their policies contain elements of bonus/dividend.
8. Ensuring the adequacy and soundness of underwriting policies, which must at least include conclusions on the following matters:
a. Sufficiency of the premiums to be earned to cover future claims and expenses, taking into consideration the underlying risks (including underwriting risks), and the impact of options and guarantees included in insurance and reinsurance contracts;
b. The effect of inflation, legal risk, change in the composition of the Company's portfolio, and of systems which adjust the premiums policy-holders pay upwards or downwards depending on their claims history (bonus-malus systems) or similar systems, implemented in specific homogeneous risk groups; and
c. The progressive tendency of a portfolio of insurance contracts to attract or retain insured persons with a higher risk profile (anti-selection).
9. The development, pricing and assessment of the adequacy of reinsurance arrangements must include analysis of the following matters:
a. The Company's risk profile and underwriting policy;
b. Reinsurance providers, taking into account their credit standing;
c. The expected cover under stress scenarios in relation to the underwriting policy; and
d. The calculation of the amounts recoverable from reinsurance contracts and special purpose vehicles, if any.
10. Product development and design, including the terms and conditions of insurance contracts and pricing, along with estimation of the capital required to underwrite the product;
11. Ensuring the sufficiency, accuracy and quality of data, the methods and the assumptions used in the calculation of technical provisions and ensure that any limitations of data used to calculate technical provisions are properly dealt with;
12. Comparing best estimates against experience, review the quality of past best estimates and use the insights gained from this assessment to improve the quality of current calculations. The comparison of best estimates against experience shall include comparisons between observed values and the estimates underlying the calculation of the best estimate, in order to draw conclusions on the appropriateness, accuracy and completeness of the data and assumptions used as well as on the methodologies applied in their calculation.
13. Reporting to the Board and Senior Management on the calculation of the Company's insurance liabilities which must include at least a reasoned analysis on the reliability and adequacy of their calculation and on the sources and the degree of uncertainty of the estimates. That reasoned analysis shall be supported by a sensitivity analysis that includes an investigation of the sensitivity to each of the major risks underlying the obligations which are covered in the Company's liabilities. The actuarial function shall clearly state and explain any concerns it may have concerning the adequacy of Company's liabilities.
14. The actuarial function must produce a written report to be submitted to the Board, at least annually. This report must document all of the tasks that have been undertaken by the actuarial function and a summary of their results, and must clearly identify any deficiencies and give recommendations as to how such deficiencies must be remedied.
15. Any other actuarial or financial matters determined by the Board.
11. Internal Audit Function
The internal audit function must be responsible for the following matters, at a minimum:
1. Establishing, implementing and maintaining an audit plan, setting out the audit work to be undertaken in the upcoming years, taking into account all activities and the Company's complete system of governance. The plan must be developed taking a risk-based approach in deciding its priorities and the audit plan must be presented to the Board for approval. Where necessary, the internal audit function may carry out audits which are not included in the audit plan.
2. Disclosing any adverse matters affecting the function's independence.
3. Disclosing any material findings, and the extent of management's compliance with agreed upon corrective measures.
4. Conducting risk-based audits to assess the Company's alignment with the Company's Risk Culture, Risk Appetite, Risk Profile and Risk Limits.
5. Assessing the Company's processes, policies and the documentation thereof on an entity and Group-wide basis and on an individual Subsidiary and business unit basis.
6. Assessing the employees' and business units' compliance with applicable Central Bank Laws, Regulations and internal controls.
7. Assessing the reliability of management information systems and processes.
8. Evaluating the methods of safeguarding Company and policyholder assets and, as appropriate, verifying the existence of such assets and the required level of segregation in respect of Company and policyholder assets;
9. Monitoring and evaluating the effectiveness of the Company's other Control Functions, particularly the Risk Management, actuarial and compliance functions.
10. Coordinating with the external auditors and, to the extent requested by the Board and consistent with applicable law, evaluating the quality of performance of the external auditors.
11. Issuing recommendations based on the result of work carried out in accordance with the audit plan and submit a written report on the findings and recommendations to the Board on at least an annual basis;
12. Verifying compliance of Senior Management with the decisions taken by the Board on the basis of those recommendations referred to in the internal audit report.
12. Outsourcing
1. The Risk Governance System must, at a minimum, provide for the following with respect to Outsourcing:
a. A Board-approved policy that sets out how the materiality of a proposed Outsourcing arrangement is assessed and requiring any material Outsourcing arrangements to be approved by the Board, or the risk/audit committee of the Board;
b. Policies and procedures to ensure that potential Conflicts of Interest are identified, managed and appropriately mitigated, or avoided;
c. Policies and procedures that clearly identify and assign to the Company's departments, committees, Internal Controls functions, and other individuals, the roles and responsibilities with regard to Outsourcing and determine in which cases and at which stage, they must be involved;
d. Policies and procedures to ensure that all material risks related to Outsourcing are identified, assessed, measured, monitored, controlled, mitigated, and reported to the Board in a timely and comprehensive manner;
e. Ensure that any outsourced critical business functions are covered in their disaster recovery and business continuity plans, that Outsourcing service providers are fully prepared to implement them and that Outsourcing service providers have their own disaster recovery and business continuity plans to resolve disruptions at their end.
2. All outsourced activity must be governed by written contracts that state the parties' rights and obligations. The Board and Senior Management must consider the effects on the Company's Risk Profile, and assess the service provider's expertise, knowledge, governance, Risk Management, Internal Controls, and financial viability along with the succession issues upon the ending of the contractual relationship with the service provider. The Company must conduct the following: a. Perform a detailed examination to ensure that the potential service provider has the ability, the capacity and any authorisation required by law to deliver the required functions or activities satisfactorily, taking into account the Company's objectives and needs;
b. Ensure The service provider has adopted all means to ensure that no explicit or potential Conflict of Interests jeopardise the fulfilment of the deliverables of the outsourcing Company;
c. Execute a written contract with the service provider which clearly defines the respective rights and obligations of the Company and the service provider;
d. Ensure that the general terms and conditions of the outsourcing contract are clearly explained to the Company's Board and authorised by them;
e. Ensure that the outsourcing agreement does not entail the breaching of any law in particular with regard to rules on data protection; and
f. Ensure that the service provider is subject to the same provisions on the safety and confidentiality of information relating to the Company or to its policyholders or beneficiaries that are applicable to the Company.
3. A Company must have an outsourcing register that contains key information for each Outsourcing arrangement, and includes at a minimum: a. Key non-risk related data, such as the details of the Outsourcing service provider, start and end date of the arrangement, and a brief description of the services being provided.
b. Whether the Outsourcing arrangement involves any Confidential Data; and
c. Whether the Outsourcing arrangement is considered Material Business Activity.
4. a. Companies must ensure compliance with all the applicable State legislation and regulations in managing and processing data, when using Outsourcing services.
b. Companies must ensure that they retain ownership of all data provided to an Outsourcing service provider, and that their customers retain ownership of their data, including but not limited to, Confidential Data, and can effectively exercise their rights and duties in this regard.
c. Where the Outsourcing service provider subcontracts elements of the service which involve Confidential Data, Companies must ensure that the subcontractor fully complies with the applicable requirements as established by law and under this and other applicable regulations.
d. Companies must ensure their data is secured from unauthorised access, including unauthorised access and/or use by the Outsourcing service provider or its Staff.
5. a. Outsourcing agreements must ensure that the Company has unfettered access to all of its data for the duration of the contract, including upon termination of the contract.
b. Outsourcing agreements must include appropriate provisions to protect a Company's data, including non-disclosure agreements and provisions related to the destruction of the data and/or transfer to the Company upon termination of the agreement.
c. Outsourcing agreements must specifically establish standards for data protection, including any nationally recognised information assurance and/or data protection and confidentiality of information requirements in the State.
d. Outsourcing agreements must specifically establish that the Outsourcing service provider, or any of its subcontractors must not provide any other party with access to Confidential Data without first obtaining the specific authorisation of the Company, or the customer, as the case may be.
e. Outsourcing agreements must specify to what extent subcontracting is allowed and under what conditions.
f. Outsourcing agreements must include an explicit provision giving the Central Bank, and any agent appointed by the Central Bank, access to the Outsourcing service provider. This provision must include the right to conduct on-site visits at the Outsourcing service provider, if deemed necessary by the Central Bank and require the Outsourcing service provider to provide the Central Bank, or its appointed agent, any data or information required for supervisory purposes.
g. Outsourcing agreements must include an obligation for the Outsourcing service provider to notify the Company without undue delay of any breach of the Company's data and in particular, breaches of Confidential Data.
6. When Outsourcing outside of the State:
a. Any Outsourcing agreement with a party located outside of the State, must stipulate that the Company and the customer retain ownership of the data at all times, and that the Central Bank can access the Company's data upon request.
b. A Company must explicitly consider the possibility that changes in economic, political, social, legal or regulatory conditions may affect the ability of a service provider outside of the State to fulfil the terms of the agreement. This risk must be managed by a careful selection of service providers and jurisdictions, adequate contractual and practical arrangements, and appropriate business continuity planning.
c. A Company must explicitly consider any other relevant risks arising when the service provider is located outside of the State. These must include, but are not limited to: 1. Higher levels of operational risk due to poor infrastructure in another jurisdiction;
2. Legal risk due to differing laws and possible shortcomings in the legal system in the countries where the service is provided; and
3. Reputational risk due to the breach of the service agreement by the service provider.
d. A Company must ensure compliance with all relevant personal data protection legislation and regulations prior to entering into an Outsourcing agreement with an Outsourcing service provider or third party outside of the State.
e. A Company must establish policies, processes and procedures regarding controls and monitoring activities specifically addressing the business relationship of the Company with an Outsourcing service provider, which includes the sharing of Confidential Data outside of the State.
f. For each of its business relationships a Company holds with an Outsourcing service provider, which includes the sharing of Confidential Data outside of the State, the Company must define concrete security requirements and must ensure that its Staff are sufficiently trained in respect of these requirements.
g. Companies must ensure that third parties implement and maintain the appropriate level of information security and service delivery.
h. With regard to Outsourcing service providers located outside of the State, the Central Bank may exercise its powers through collaboration with the relevant authorities of any relevant jurisdiction.
7. Prior to Outsourcing any material activity, including to any related party, Companies must obtain a prior notice of non-objection from the Central Bank. When requesting the non-objection, Companies must provide the Central Bank with the following at a minimum:
a. A brief explanation of the business activity to be outsourced;
b. A summary of the materiality assessment;
c. A summary of the risk assessment;
d. A summary of the due diligence performed and its outcome;
e. A confirmation of the agreement of the internal audit function and the compliance function;
f. An overview of any closely related outsourcing agreements;
g. Confirmation of compliance with the requirements of the Risk Management and Internal Controls Regulation for Insurance Companies and these Standards.
h. Evidence of the approval of the proposed Outsourcing by the Board or Board committee.
The Central Bank will either grant the non-objection, request further information, or decline the request. Companies are encouraged to discuss their material Outsourcing plans early and coordinate with the Central Bank to avoid the non-objection process delaying the Outsourcing.
8. Although all requests for non-objection will be considered on their individual merits, the Central Bank, will in general, not permit the Outsourcing of core insurance activities, and key management and Control Functions, including but not limited to Senior Management oversight and internal audit. The Central Bank may determine adding further requirements in this regard, from time to time.
13. Countering Fraud in Insurance
1. A Company must have policies, procedures and controls to minimise the risk of internal and external fraud in the following areas, at a minimum: a. Product development;
b. Onboarding clients;
c. Hiring and dismissal Staff;
d. Outsourcing;
e. Claims' management and settlements; and
f. Dealing with practitioners of Insurance Related Professions.
2. Insurance fraud categories include: a. Internal fraud, which is committed by a Board member, Senior Manager or other member of Staff on his/her own or in collusion with others who are either internal or external to the Company.
b. Insurance Related Professions' fraud, which is committed by practitioners against the Company, policyholders or beneficiaries.
c. Policyholder fraud, which is committed against the Company in the purchase and/or execution of an insurance product by one or more persons by obtaining wrongful coverage or payment.
3. Preventive policies, procedures and controls to manage internal fraud must include:
a. Creating a culture based on integrity;
b. Developing and maintaining policy and guidelines on ethical behavior;
c. Adequate supervision of Staff;
d. Performing pre-employment and in-employment screening of permanent or temporary Staff;
e. Documented job descriptions;
f. Periodical job rotation and mandatory vacations for Staff in fraud sensitive positions;
g. Observing the "four eyes" principle.
h. Segregation of duties;
i. Having procedural safeguards over the use, handling and availability of cash;
j. Establishing a transparent policy in dealing with internal fraud by Board members and Staff, including a policy on reporting to the relevant law enforcement agency;
k. Establishing a clear dismissal policy for internal fraud cases in order to deter potential perpetrators.
4. Preventive policies, procedures and controls to manage policyholder fraud must include:
a. Customer due diligence prior to inception.
b. Requesting additional supporting documents to verify the policyholder's sources of wealth.
c. In terms of claims settlement, procedures must include:
1. Using professional judgement based on experience;
2. Identifying red flag lists;
3. Conducting peer reviews;
4. Reviewing internal and/or external databases or other sources;
5. Using information technology tools, such as voice stress analysis, data mining, neural networks and tools to verify the authenticity of documents; and
6. Interviewing claimants.
5. Preventive policies, procedures and controls to manage Insurance Related Professions' fraud must include:
a. Having in place a documented policy and procedure for the appointment of new practitioners of Insurance Related Professions.
b. Having an application form and terms of business agreement that have to be completed and signed by the practitioners of Insurance Related Professions.
c. Ensuring the application form requires applicants to disclose relevant facts about themselves, including qualifications, experience, and qualifying body.
d. Verifying the financial soundness of the applicant and checking references.
e. Having an effective sanction policy in case of non-compliance by the practitioners of Insurance Related Professions.
6. A Company must collect information in respect of insurance fraud from the market and to provide same to the Board and Staff. Such information must be used to evaluate the effectiveness of policies, procedures and controls, and to make changes were necessary.
7. A Company must establish and maintain an independent audit function to test fraud, fraud risk management, procedures and controls.
8. A Company must encourage Staff to report all irregularities and must have a whistle blowing policy in place for this purpose.
9. A Company's fraud management strategy must be aligned with the Risk Profile of the Company. In determining the Risk Profile, the following factors must be taken into consideration: 1. size of the Company;
2. organisational structure;
3. products and services offered;
4. payment methods used for premiums and claims;
5. types of policyholder; and
6. market conditions.
10. A Company must retain records of all reported cases of fraud along with the findings, and must establish standards relating to the turnaround time for the assessment of fraud, documentation of analysis and keeping records of fraud incidents.
11. A Company must have effective reporting systems to the Board in terms of frequency of incidents, along with recommendations to address the issues.
12. A Company must report any suspected or confirmed fraud cases to the proper law enforcement authorities immediately and notify the Central Bank of such reporting.
13. A Company must provide the Board and Staff with guidance on fraud indicators and training on preventing, detecting, reporting and remedying fraud. Such training must be commensurate with the position that the person holds within the Company.
Decision No. (50) of 2019 Concerning Enhancing the Shari’a Controller’s Role in Takaful Insurance Companies Operating in the State
Effective from 17/4/2019Director General of the Insurance Authority,
Having pursued:
- The Federal Law No. (6) of 2007, concerning the Establishment of the Insurance Authority and the Organization of Insurance Operations and the amendments thereof;
- Insurance Authority Board of Directors Resolution No. (2) of 2009 concerning the issuance of the Executive Regulation of Federal Law No. (6) of 2007 pertinent to the Establishment of the Insurance Authority and Organization of its Operations;
- And, Takaful Insurance Regulations issued by The Insurance Authority’s Board of Directors Resolution No (4) of 2010 Concerning the Takaful Insurance Regulations,
Has Decided:
Conditions that must be met in Shari’a Controller
Article (1)
To approve the employment of a Shari’a Controller at Takaful insurance companies, following conditions must be met:
- To be a natural person.
- The Shari’a Controller shall be appointed in the company by its Board of Directors, and based on the recommendation of the Shari'a Supervisory Committee in the Company.
- To practice the Shari’a Controller duties on full-time basis, and it is not permissible to combine between the job of a Shari’a Controller and any other job in the Company.
- To be a Muslim with full legal capacity, and has a sound reputation and good conduct and to be knowledgeable in the Arabic language.
- Has never been dismissed from service for disciplinary reasons.
- Submit a certificate confirming that he has not been sentenced in a felony or misdemeanor that violates honor or honesty and public morals, and to submit a declaration that he has not been declared bankrupt unless he is rehabilitated.
- The following qualifications and experience are required:
- Must be a holder of a university qualification in Shari’a and a degree in either law, insurance, business or economics.
- Must have passed training courses in Shari’a or any legal, insurance, business or financial training courses.
- To be knowledgeable in the jurisprudence of Islamic financial transactions.
- To have practical experience for a period of not less than three years in the field of insurance or have worked in the field of Shari’a Control and other related activities. The experience shall be for one year for UAE Nationals.
- To be a natural person.
Duties and Functions of the Shari’a Controller
Article (2)
The Shari’a Controller shall conduct and ensure the following:
- Review Insurance contracts and transactions to confirm that they comply with the provisions of the Islamic Shari’a Principles and the Fatwa(s) issued to newly originated transactions.
- Takaful insurance operations in the company are carried out in accordance with the provisions of Islamic Shari’a Principles.
- The Company carries out its business either in accordance with the basis of WAKALA or WAKALA and MUDARABA together.
- The Participants' accounts and the accounts of shareholders are separated.
- Covering the realized deficit in participants' account is followed up through interest-free loan “QARD HASSAN”
- The existence of a documented and approved mechanism for the distribution of surplus to the participants in the Company’s Takaful insurance operations.
- The company has prepared the membership document, attached to the insurance policy and its clauses are reviewed.
- There are no charges imposed on the participants' accounts in the general insurance more than the percentage of the WAKALA remuneration prescribed in the Financial Regulations for Takaful Insurance companies.
- The company is providing the Insurance Authority with a copy of the report of the Shari'a Supervisory Committee.
- The company has implemented the recommendations contained in the reports of the Shari'a Supervisory Committee.
- The External Auditor's report is prepared to review the extent of compliance with the Anti Money Laundering and Terrorist Financing Instructions and other relevant decisions.
- The Actuary has carried out his role in terms of reviewing the actuarial aspects in the family Takaful insurance.
- The Zakat Fund is established in the company in accordance with the provisions of the Regulations.
- The nature of clients and properties to be insured, to what extent they are compliant with Islamic Shari'a provisions, and whether the approval of the Shari'a Supervisory Committee is acquired.
- To prepare periodic reports and submit them to the Shari'a Supervisory Committee and the Board of Directors on the extent to which the company's operations are compliant with the Shari'a Supervisory Committee’s decisions and opinions.
- To attend the Shari'a Supervisory Committee’s meetings and to present their report in the general assembly of the company.
- Any other matters affecting the Company's compliance with the Islamic Shari’a provisions and the related legislation.
- Issues requiring clarification, interpretation or Fatwa are collected in order to be introduced to the Shari'a Supervisory Committee at its periodic meetings to take the necessary action to issue Fatwa concerning them.
- Violations and deficiencies are clarified for Takaful insurance operations and General Manager of the Company was informed for correction.
- Any other duties assigned to him are carried out.
Regularization
Article (3)
Takaful insurance companies shall regularize the positions of Shari’a Controllers in accordance with the provisions of the decision herein within six months from the date of issuance.
Board of Directors’ Decision No. (15) of 2019 On the Instructions Concerning the Rules of Ownership Ratios in the Capital of Insurance Companies
Effective from 17/4/2019The Chairman of the Insurance Authority,
Having pursued,
- Federal Law No. (4) of 2000 Concerning the Emirates Securities and Commodities Authority and Market, and the amendments thereof;
- The Federal Law No. (6) of 2007 Concerning the Establishment of the Insurance Authority and Organization of its Operations, and the amendments thereof;
- - Federal Law No. (4) of 2012 on the Regulation of Competition;
- Federal Law No. (2) of 2015 Concerning Commercial Companies and its amending laws;
- Cabinet Resolution No. (42) of 2009 Concerning Insurance Company Minimum Capital Regulations and the amendments thereof;
- The Insurance Authority Board of Directors Decision No. (2) of 2009 Concerning the. Issuance of the Executive Regulations of the Law No. (6) of 2007 Concerning the Establishment of the Insurance Authority and Organization of its Operations;
- Insurance Authority Board Resolution No. (13) of 2015 on the Instructions Concerning Anti-Money Laundry and Combating Terrorism Financing in Insurance Activities;
-And, based on the recommendation of the Director General of the Insurance Authority and the approval of the Board of Directors,
Has decided,
Definitions
Article (1)
1. The following words and phrases shall have the meanings ascribed thereto hereunder unless the context indicates otherwise:
State: The United Arab Emirates
Law: Federal Law No. (6) of 2007 Concerning the Establishment of the Insurance Authority and Organization of its Operations and the amendments thereof.
Authority/IA: The Insurance Authority established by virtue of the provisions of the Law.
Board: The Board of Directors.
Chairman: The Chairman of the Board.
Director General: The Director General of the Insurance Authority.
Company: The insurance company incorporated in the State, and the foreign insurance company licensed to carry out insurance activities in the State, either through a branch or an Insurance Agent, including Takaful insurance companies.
Person: Any natural or legal person.
Strategic Partner: A partner whose contribution in the company provide Technical, operational or marketing support to the company for its benefit.
Control: The Insurance company shall be in controlling position in the following cases:
(a) A single person or with the Related Parties possesses 10% or more of the capital or financial instruments (such as convertible bonds to shares) or voting rights in the company.
(b) Any agreement or position leading to the empowerment to appoint and disqualify most of the Board of Directors members, managers and executive committees in the company.
Related Parties: Shall mean the following:
1- The persons who are linked with an agreement or arrangement for the purpose of controlling a company.
2- The Natural person and his minor children.
3- The legal person, in addition to any of the Board of Directors members, or companies to which he contributes at least 30% of its capital, or sister, subsidiary or associated companies, unless they prove that there is no agreement or arrangement between them for the purpose of control.
4- Relatives such as father, mother, brother, sister, children, spouse, spouse's father, spouse's mother and spouse's children, unless they prove that there is no agreement or arrangement between them for the purpose of control.
Rules of Ownership Ratios in the Capital of Insurance Companies: Controls and conditions that are necessary for the entry of persons as shareholders in insurance companies.
Electronic Systems: Electronic and smart or any other services adopted by the Insurance Authority.
2. Exception to what was provided above, the words and phrases contained in this Instructions shall have the meanings given to them pursuant to the provisions of the Law and its Executive Regulations.
Scope of Applicability
Article (2)
1- The provisions of these Instructions shall apply to any changes may occur to the Ownership Ratios Rules after their entry into force and shall not apply to any changes in Ownership Ratios of existing shareholders.
2- Without prejudice to the provisions of legislations and companies’ articles of association with respect to the minimum ownership limit of a UAE Nationals in the capital of insurance companies, and taking into consideration the provisions of Federal Law No. (2) of 2015 Concerning Commercial Companies, and mergers and acquisitions rules of public joint stock and the Strategic Partner requirements issued by Securities and Commodities Authority, the provisions of these instructions shall apply to the controlling operations of insurance companies.
Requisites for the Shareholders Wishing to Control
Article (3)
- Natural persons wishing to control shall comply with the following:
- Providing information, documents and data with respect to their address, nationality, jobs, previous experience in the field of insurance and related professions inside and outside the State, the share of each of them and their financial solvency.
- Submitting a statement indicating if there is a relationship with the company to be controlled or not.
- Submitting a statement of his membership in one or more boards of directors of a financial institution or his ownership of more than 20% of the issued and paid up capital for any financial institution or more inside or outside the State.
- Submitting a certificate showing that he has never been convicted on a felony or misdemeanour prejudicial to honour, trustworthiness or public morals, and submitting a declaration that he has not been declared bankrupt unless he has been rehabilitated.
- Submitting a declaration on his financial resources of the applicant and an undertaking of his ability to provide more capital and other support forms to the insurance company when needed
- The legal person wishing to control shall commit to providing the following:
- Complete information regarding his addresses, nationality, legal form, branches, field of work and geographical scope of his activity.
- Names and nationalities of those who are responsible for managing the legal person;
- Two audited balance sheets for the last two financial years at least;
- Providing an undertaking or a letter of guarantee in an admissible form, stating that he is committed to providing financial support to the company he is wishing to control;
- Full information about the main owners, the nature of their work, their experience and shares in the insurance or reinsurance companies or related professions inside and outside the country;
- Providing the consent of the main regulatory authority to which the legal person is subject concerning the ratio or for his entry as a controlling person, as the case may be, with respect to the company that he is requesting to control if he is subject to a regulatory authority.
- Natural persons wishing to control shall comply with the following:
Strategic Partner Requisites
Article (4)
The Following Requisites should be fulfilled in the Strategic Partner:
- His activity is similar or supplementary to the activity of the issuing company and leads to a real benefit thereof;
- has issued at least two audited balance sheets for at least two financial years. This shall not apply to the Federal Government or the Local Government in the State;
- A Strategic Partner may be a foreign person provided that his entry as a Strategic Partner in the company's capital shall not affect the UAE Nationals’ ownership ratios or the company's articles of association;
- The Strategic Partner shall conclude a contract with the company, indicating the mechanisms of his contribution, disassociation, and the company's development plan.
5- The availability of minimum required capital as well as the ability to provide more capital or any other form of support to the insurance company, if needed.
6- Documents and data referred to in paragraph (2) of the previous Article shall be made available.
Requesting Clarifications
Article (5)
In the light of the application of these Instructions, the Authority may request any clarifications, information, data or additional procedures from the companies or the person who submits the controlling application, including any requirements pertaining to applying instructions concerning Anti-Money Laundering and Terrorist Financing in Insurance Activities, and all other relevant legislation applicable in the State.
Approving the Application for Controlling
Article (6)
1- A person, whether individually or with the Related Parties may not increase his ownership more than 10% or double this Ratio of the issued and paid up share capital of the company or any Ratio leading to the control over the company without obtaining the approval of the Authority.
2- Subject to the Ratio mentioned in the previous clause, if any person wishes to increase his ownership more than 5% and not exceeding 10% of the issued and paid up capital, he shall notify the Insurance Authority within fifteen days from the date of ownership.
3- Exception from the provisions of this Article, with regards to obtaining prior consent in the event of increasing the person’s ownership ratios more than the ratios referred to herein or any ratio that leads to controlling the company, is by inheritance or bequest.
Submitting an Application to Control
Article (7)
The application to approve the ownership of more than 10% of the issued and paid up capital shall be submitted to the Insurance Authority at least 60 days prior to the date of the control in accordance with the electronic systems prepared for this purpose or other means adopted by the Insurance Authority.
Decision on the Control Application
Effective from 17/4/2019Article (8)
The Insurance Authority shall take its decision on the application within thirty days from the date of submitting the application, fully completed with all required data and information, and shall notify the applicant of the acceptance or rejection in accordance with the electronic systems prepared for this purpose or other means adopted by the Insurance Authority. In case the decision was to reject the application, then the reason for such decisions must be provided. If the decision was to approve, then the decision shall specify the period of validity of such approval or the Insurance Authority shall restrict its approval with any conditions it deems appropriate for the public interest.
Article (9)
The Authority may reject the request for control if the conditions referred to in Articles (3), (4) and (5) of the Instructions herein are not met or if the request for control may cause unjustifiable harm to the policy holders, the company or the insurance sector or in case of a potential conflict of interest when controlling the company or breach of the objectives to protect and promote competition and anti-monopoly practices or in accordance with the criteria determined by the Insurance Authority.
Grievance
Article (10)
A grievance against the Decision to reject the application for control may be filed before the Authority within (Twenty) working days from the date of notification of such Decision in accordance with the electronic systems prepared for this purpose or other means adopted by the Authority. the grievance shall be submitted to the Board, which will decide on the application at its first meeting from the day following the submission of the complete application. The decision of the Board on such grievance shall be final.
Company Obligations
Article (11)
The company shall comply with the following:
- Notify the Authority of any potential controlling operation and provide all information about the persons wishing to control as soon as such information is available.
- Notify the Authority in case the ownership of the shareholders has decreased from the levels of control specified in the Instructions herein.
- Provide the Authority with the information and data it has with regard to the controlling persons or any other person who practices control directly or indirectly in the preceding financial year within one month of the end of the financial year in accordance with the electronic systems prepared for this purpose or other means adopted by the Authority.
- The branches of foreign companies shall inform the Authority in case changes made to the control of the parent company as soon as they occur, and shall provide the Authority with the approval of the regulatory body to which the parent company is subject.
Penalties
Article (12)
Penalties stipulated in the relevant legislation, shall be applied to the acts violating the provisions of the Instructions herein.
Article (13)
The Director General shall issue decisions and circulars as required for the implementation of these Instructions.
Article (14)
These Instructions shall be published in the Official Gazette and shall come into force from the following day of its publication.