Risk Management and Internal Controls Regulation for Insurance Companies
The Board of Directors
Having perused Decretal Federal Law No. (14) of 2018 Regarding the Central Bank & Organization of Financial Institutions and Activities as amended;
Federal Law No. (6) of 2007 Concerning the Organization of Insurance Operations, as amended, and its Executive Regulations;
Insurance Authority Board of Directors' Decision No. (25) of 2014 Pertinent to Financial Regulations for Insurance Companies and Insurance Authority Board of Directors' Decision No. (26) of 2014 Pertinent to Financial Regulations for Takaful Insurance Companies;
The Central Bank of the UAE's Board of Directors' Resolution published in the Official Gazette issue No. (740) on 30 November 2022 Regulation Regarding Takaful Insurance; and
Based on the recommendation of the Governor and the approval of the Board of Directors;
Has resolved as follows:
Introduction
The Central Bank seeks to promote the effective and efficient development and functioning of the insurance sector. To this end, Companies are required to have a comprehensive approach to Risk Management and effective Internal Controls, including Board and Senior Management oversight, to ensure their resiliency and enhance overall financial stability.
Risk Management, internal audit, compliance, and actuarial functions constitute key control functions in a Company. The control functions have a responsibility, independent of the management of the Company's business lines, to provide objective assessment, reporting and/or assurance. The control functions (as defined in article 1.11) are an essential foundation for effective corporate governance.
In introducing this Regulation and the accompanying Standards, the Central Bank intends to ensure that Companies' approaches to Risk Management and Internal Controls are in line with leading international standards and industry best practice.
This Regulation and the accompanying Standards establish an overarching prudential framework for Risk Management and Internal Controls. Standards and supervisory expectations for selected specific risks are, or will be, established in other Regulations.
This Regulation and the accompanying Standards are issued pursuant to the powers vested in the Central Bank under the Central Bank Law.
This Regulation and the accompanying Standards supplement Federal Law No. (6) of 2007 Concerning the Organization of Insurance Operations, as amended, and its Executive Regulations, Insurance Authority's Board of Directors' Decision No. (19) of 2020 Concerning the Guidance Manual for Insurance Companies and Related Professions to Submitting the Data, information and Supervisory Reports, Insurance Authority Board of Directors' Resolution No. (11) of 2016 Concerning the Revision of the Pricing Policy Applied by a Company in the Classes of Property and Liability Insurance, Insurance Authority Board of Directors' Decision No. (49) of 2019 Concerning Instructions for Life Insurance and Family Takaful Insurance, Insurance Authority Board of Directors' Decision No. (25) of 2014 Pertinent to Financial Regulations for Insurance Companies, Insurance Authority Board of Directors' Decision No. (26) of 2014 Pertinent to Financial Regulations for Takaful Insurance Companies, and the Central Bank of the UAE's Board of Directors' Resolution published in the Official Gazette issue No. (740) on 30 November 2022 Regulation Regarding Takaful Insurance. Additional requirements may be imposed pursuant to decisions to be issued by the Central Bank in this regard.
Objective
The objective of this Regulation is to establish the Central Bank's minimum requirements for Companies' approach to Risk Management and Internal Controls with a view to:
a. Ensuring the safety and soundness of Companies; and
b. Contributing to the financial stability of the UAE.
Scope of Application
This Regulation and the accompanying Standards apply to all Companies. Companies established in the UAE with Group relationships including Subsidiaries, Affiliates, or international branches, must ensure that the Regulation and Standards are adhered to on a solo and Group-wide basis.
The Central Bank will apply the principle of proportionality in the enforcement of the Regulation and Standards, whereby smaller Companies may demonstrate to the Central Bank that the objectives are met without necessarily addressing all of the specifics cited therein. The Central Bank will decide on the extent to which a Company is expected to meet the requirements.
Article (1): Definitions
1. Actuaries' Regulation: Insurance Authority Board of Directors Decision No. (9) of 2017 Concerning the Regulations on Licensing and Registration of Actuaries and Regulation of their Operations.
2. Affiliate: An entity that, directly or indirectly, controls, is controlled by, or is under common control with another entity. The term control as used herein shall mean the holding, directly or indirectly, of voting rights in another entity, or of the power to direct or cause the direction of the management of another entity
3. Authorized Manager: The person appointed by the foreign insurance company to manage its branch in the State.
4. Board: The Company's board of directors.
5. Central Bank: The Central Bank of the United Arab Emirates.
6. Chief Executive Officer: The most senior executive appointed by the Board, and in the case of foreign branches, this refers to the Authorized Manager.
7. Central Bank Laws: Decretal Federal Law No. (14) of 2018 Regarding the Central Bank & Organization of Financial Institutions and Activities, as amended; and Federal Law No. (6) of 2007 Concerning the Organization of Insurance Operations, as amended and its Executive Regulations.
8. Company: The insurance company incorporated in the State, and the foreign branch of an insurance company, that is licensed to underwrite primary insurance and reinsurance, including Takaful insurance companies.
9. Conflict of Interest: A situation of actual or perceived conflict between the duty and private interests of a person, which could improperly influence the performance of his/her duties and responsibilities.
10. Confidential Data: Account or other data relating to a Company customer, who is or can be identified, either from the Confidential Data, or from the Confidential Data in conjunction with other information that is in, or is likely to come into, the possession of a person or organization that is granted access to the Confidential Data.
11. Control Functions: Function (whether in the form of a person, unit or department) that has a responsibility in a Company to provide objective assessment, reporting and/or assurance; this includes the risk management, compliance, actuarial, internal audit and where applicable Shari'ah control and Shari'ah audit functions.
12. Enterprise Risk Management (ERM): The strategies, policies and processes of identifying, assessing, measuring, monitoring, controlling, reporting and mitigating risks in respect of the Company's enterprise as a whole.
13. Financial Regulations: Insurance Authority Board of Directors' Decision No. (25) of 2014 Pertinent to Financial Regulations for Insurance Companies and the Insurance Authority Board of Directors' Decision No. (26) of 2014 Pertinent to Financial Regulations for Takaful Insurance Companies.
14. Group: A group of entities which includes an entity (the 'first entity') and:
a. any Parent of the first entity;
b. any Subsidiary of the first entity or of any Parent of the first entity;
c. any Affiliate.
15. Internal Controls: A set of processes, polices and activities governing a Company's organizational and operational structure, including reporting and Control Functions.
16. Life Insurance Regulation: Insurance Authority Board of Directors' Decision No. (49) of 2019 Concerning Instructions for Life Insurance and Family Takaful Insurance.
17. Material Business Activity: An activity of the Company that has the potential, if disrupted, to have a significant impact on the Company's business operations or its ability to manage risks effectively.
18. Matter of Significance: A matter, or group of matters, that would have a significant impact on the activities or financial position of the Company. Examples include failure of preserving the assets of the Company and policyholders, failure to comply with Central Bank Laws/the Financial Regulations, major deviations from the Risk Appetite and or other matters that are likely to be of significance to the function of the Central Bank as regulator.
19. Master System of Record: The collection of all data, including Confidential Data, required to conduct all core activities of a Company, including the provision of services to policyholders, managing all risks, and complying with all legal and regulatory requirements.
20. Model: A quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates.
21. Outsourcing: An arrangement between a Company and a service provider, whether the service provider operates within or outside the UAE, for the latter to perform a process, service or activity which would otherwise be performed by the Company itself.
22. Own Risk and Solvency Assessment (ORSA): an internal process undertaken by a Company/ Group to assess the adequacy of its Risk Management and current and prospective solvency positions under normal and severe stress scenarios. It requires a Company to analyze all reasonably foreseeable and relevant material risks. It covers current and future risks and requires Company-specific judgment about risk management and the adequacy of their capital position that could have an impact on it's ability to meet both its business objectives as well as its policyholder obligations. This encourages management to anticipate potential business challenges, capital needs and to take proactive steps to reduce risks. ORSA is not a one-off exercise. It is a continuously evolving process and must be a component of a Company's Enterprise Risk Management (ERM) framework. Whilst there is not one specific way of conducting an ORSA, the output is expected to be a set of documents that demonstrate the results of management's proactive approach to its own self-assessment.
23. Parent: An entity (the 'first entity') which:
a. holds a majority of the voting rights in another entity (the 'second entity');
b. is a shareholder of the second entity and has the right to appoint or remove a majority of the Board or managers of the second entity; or
c. is a shareholder of the second entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the second entity; or
d. if the second entity is a subsidiary of another entity which is itself a subsidiary of the first entity.
24. Pricing Regulation: Insurance Authority Board of Directors' Resolution No. (11) of 2016 Concerning the Revision of the Pricing Policy Applied by a Company in the Classes of Property and Liability Insurance.
25. Regulations: Any resolution, regulation, circular, rule, standard or notice issued by the Central Bank.
26. Risk Appetite: The aggregate level and types of risk a Company is willing to assume, within its risk capacity, to achieve its strategic objectives and business plan
27. Risk Governance System: As part of the overall approach to Corporate Governance, the framework through which the Board and Senior Management establish and make decisions about the Company's strategy and risk approach; articulate and monitor adherence to the Risk Appetite and Risks Limits relative to the Company's strategy; and identify, measure, manage and control risks.
28. Risk Culture: The set of norms, values, attitudes and behaviors of a Company that characterizes the way in which it conducts its activities related to risk awareness, risk taking and risk management and controls.
29. Risk Limits: Quantitative measure based on a Company's Risk Appetite, which gives clear guidance on the level of risk to which the Company is prepared to be exposed and is set and applied in aggregate or individual units such as risk categories or business lines.
30. Risk Profile: Point in time assessment of the Company's gross and, as appropriate, net risk exposures aggregated within and across each relevant risk category based on forward looking assumptions.
31. Risk Management: The process through which risks are managed allowing all risks of a Company to be identified, assessed, monitored, mitigated (as needed) and reported on a timely and comprehensive basis.
32. Senior Management: The individuals or body responsible for managing the Company on a day-to-day basis in accordance with strategies, policies and procedures set out by the Board, generally including, but not limited to, the Chief Executive Officer, chief financial officer, chief risk officer, and heads of the compliance and internal audit functions.
33. Solvency Capital Requirement: Funds that the Company must maintain to cover current and projected operations during the next twelve months, which are measured to ensure that all quantitative risks have been taken into account.
34. Staff: All the persons working for a Company including the members of Senior Management, except for the members of its Board.
35. State: The United Arab Emirates.
36. Stress Testing: A method of assessment that measures the financial impact of stressing one or more factors which could severely affect the Company.
37. Subsidiary: An entity (the 'first entity') is a subsidiary of another entity (the 'second entity') if the second entity:
a. holds a majority of the voting rights in the first entity;
b. is a shareholder of the first entity and has the right to appoint or remove a majority of the Board of directors or managers of the first entity; or
c. is a shareholder of the first entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the first entity; or
d. if the first entity is a subsidiary of another entity which is itself a subsidiary of the second entity.
38. Takaful Insurance: A collective contractual arrangement aiming at achieving cooperation among a group of participants against certain risks whereby each participant pays certain contribution to form an account called the participants' account through which entitled compensations are paid to the member in respect of whom the risk has realized. The Takaful Insurance Company shall manage this account and invest the funds collected therein against certain compensation.
39. Takaful Regulation: The Central Bank of the UAE's Board of Directors' Resolution published in the Official Gazette issue No. (740) on 30 November 2022 Regulation Regarding Takaful Insurance, as amended from time to time.
Article (2): Systems of Risk Management and Internal Controls
1. A Company must have comprehensive and effective systems of Risk Management and Internal Controls that provide a Company-wide and, if applicable, Group-wide view of all material risks to which they are or could be exposed, and their interdependencies. This includes strategies, policies, processes, procedures, and controls to identify, assess, measure, monitor, control, report and mitigate material sources of risk, on a timely basis. A Company's definition and assessment of material risks must take into account its Risk Appetite, Risk Profile, nature, size and the complexity of its business and structure.
2. The Board must be in control of the Company and bears ultimate responsibility for ensuring that there are effective systems of Risk Management and Internal Controls appropriate to the Risk Profile, nature, size and complexity of the Company's business and structure
3. Senior Management is responsible for the implementation of sound policies, effective procedures and robust systems consistent with Board-approved systems of Risk Management and Internal Controls. The Board remains ultimately accountable, notwithstanding specific responsibilities delegated to Senior Management
4. A Company's organisational structure must incorporate a "three lines of defence" approach comprising of :
a. The business lines;
b. The risk, actuarial and compliance functions;
c. Independent internal audit function.
5. The Board must provide oversight of Senior Management. It must hold members of Senior Management accountable for their actions if they are not aligned with the Company's strategy and objectives.
6. Companies who have Group relationships must ensure the following:
a. Companies, for which the Central Bank is the primary regulator, who have significant Group relationships including Subsidiaries, Affiliates, or international branches must develop and maintain processes to coordinate the identification, assessment, measurement, evaluation, monitoring, reporting and control or mitigation of all internal and external sources of material risks across the Group. The process must provide the Board with a solo and Group-wide view of all material risks, including the roles and relationships of other Group entities to one another and to the Company.
b. The methods and procedures applied by Subsidiaries, Affiliates and international branches must support Risk Management on a Group-wide basis. Companies must conduct Group-wide Risk Management and prescribe Group policies and procedures, while Boards and Senior Management of Subsidiaries and Affiliates must have input with respect to the local and regional application of these policies and procedures and the assessment of local and regional risks.
Article (3): Effective Risk Management System
1. A Company's Risk Management system must be designed to operate at all levels to allow for the identification, assessment, monitoring, measuring, controlling, reporting and mitigating of all risks of the Company in a timely manner. It must take into account the probability, potential impact and time horizons of risk. An effective Risk Management system must include the following elements:
a. A documented Risk Management strategy, including a clearly defined Risk Appetite statement that is Board-approved, which mustbe in line with the Company's business activities.
b. Allocation of responsibilities for managing risks.
c. A documented process for the Board's approval for any deviation from the Risk Appetite.
d. Policies containing all material risks that the Company is exposed to and the levels of acceptable Risk Limits. The policies describe the obligations of Staff members in dealing with risk, including risk escalation and risk mitigation tools.
e. Processes and tools including Stress Testing, scenario analysis and Models for identifying, assessing, measuring, monitoring, controlling reporting and mitigating risks, along with contingency plans.
f. Regular reviews of the Risk Management system.
g. An effective Risk Management function.
2. The Risk Management system must cover, at a minimum underwriting, reserving, asset-liability management, investments, liquidity, reinsurance, concentration of risk, operational risk, risk-mitigation techniques and conduct of business. It must also cover the risks to be included in the calculation of the Solvency Capital Requirement as set out in the Financial Regulations as well as the risks which are not, or not fully, included in the calculation thereof.
3. In developing the Risk Management system, the following matters must be taken into consideration:
a. The Risk Profile of the Company must be modified according to circumstances, which requires incorporating new risks and updating the information related to risks that are already identified. The changing expectations of policyholders and other stakeholders must be taken into consideration.
b. Material changes, specifically that affect the Risk Profile, to the Risk Management system must be approved by the Board, documented and made available to internal audit, external audit and the Central Bank.
c. The Risk Management system must incorporate a feedback loop that provides for a process of assessing the effect of changes in risk leading to changes in Risk Management policy, Risk Limits and risk mitigating actions. Within a Group, sufficient coordination between the Parent and its Subsidiaries and Affiliates must be available, as part of their feedback loop
4. Where the Central Bank is not the primary regulator of a Company that is part of a Group and any element of its comprehensive approach to Risk Management is controlled or influenced by another entity in the Group, the Company's Risk Management system must specifically take into account risks arising from the Group relationship and clearly identify:
a. Linkages and any significant differences between the Company's and the Group's Risk Governance System.
b. Whether the Company's Risk Management function is derived wholly or partially from Group Risk Management functions.
c. The process for monitoring by, or reporting to, the Group on Risk Management.
5. As part of its Risk Management system the Company shall conduct its Own Risk and Solvency Assessment (ORSA) which must be conducted by the Risk Management function. That assessment must include at least the following:
a. The overall solvency needs, taking into account the specific risk profile, approved risk tolerance limits and the business strategy of the Company. The Company shall demonstrate the methods used in that assessment.
b. The compliance, on an ongoing basis, with the capital requirements, as set out in the Financial Regulations;
c. The compliance, on an ongoing basis, with the requirements regarding technical provisions, as laid out in the Financial Regulations;
d. The significance with which the risk profile of the Company deviates from the assumptions underlying the Solvency Capital Requirement as laid down in the Financial Regulations. Companies must take an active assessment of whether changes in the standard Model are consistent with their actual exposures;
e. The completion of the ORSA which must be an integral part of the business strategy and business planning process and must be taken into account on an ongoing basis in the strategic decisions of the Company and without any delay following any significant change in the Company's Risk Profile;
f. The reporting to the Central Bank of the results of each ORSA at the same time as it submits the Company's annual business plan in accordance to the timetable published by the Central Bank.
g. The reporting to the Central Bank of any additional requirements concerning (ORSA) which may be imposed pursuant to Regulations/decisions to be issued by the Central Bank in this regard.
Article (4): Effective System of Internal Controls
1. The Internal Controls system must ensure effective operations, adequate control of risks, prudent conduct of business, reliability of financial and non-financial information reported, compliance with Central Bank Laws and other relevant laws, Regulations and supervisory requirements and the Company's internal rules and decisions. It must cover all units and activities and must be regularly assessed, reviewed by the Board or the Board audit committee and updated as necessary. It must include appropriate control structure with control activities defined at every business unit level, as they must own, manage and report risks and must be accountable for establishing and maintaining effective Internal Controls policies and procedures. Control Functions must assess the adequacy of the controls used by the business units. The Internal Controls system must contain, at a minimum, the following components:
a. Segregation of duties and measures to prevent Conflicts of Interest, as follows:
1. Adequate independence and clear separation of duties and reporting lines between the persons who are responsible for certain processes or policies, and those who verify that the processes or policies are being applied.
2. Adequate independence, and clear separation of duties and reporting lines between those who design or operate certain controls and those who check if the controls are effective.
b. Policies and processes:
1. Incorporate adequate controls for all key business processes and policies, including processes for taking major business decisions and approving transactions, critical information technology functionalities, cyber security, access to critical information technology infrastructure by employees and related third parties and important legal and regulatory obligations.
2. Incorporate policies on training on controls, especially for Staff undertaking roles requiring elevated trust or responsibility, or Staff involved in the oversight of high-risk activities.
3. Centralised documented key processes and policies and their corresponding controls.
c. Information and communication:
1. All Staff must be fully aware of the requirements to comply with the Company's Internal Controls system.
2. The necessary information for decision making must be made available to decision makers in a timely manner, including, but not limited to, financial, operational, compliance and market information.
d. Monitoring and review:
1. Processes must be checked on a regular basis by the internal audit function to ensure that controls are effective.
2. The Internal Controls system must be assessed on a regular basis by the internal audit function, to determine its efficiency and effectiveness.
e. Reporting on the Internal Controls system must reference the policy for Internal Controls (such as responsibilities, compliance levels, validation and implementation of remediation plans), the stage of development, the performance of the business units, and deficiencies in application.
2. The Board must understand the control environment and direct Senior Management to ensure that for each business process and policy, there is an appropriate control. The Board must ensure the allocation of responsibilities for the design, documentation and operation of Internal Controls.
3. a. For branches of foreign Companies, a senior management committee or equivalent must be in place that consists of local functionaries. These internal Control Functions should report directly to their entity-level counterpart and/or to the board and/or relevant committees.
b. Local functionaries stated in the aforementioned paragraph (a) may not undertake more than one Control Function.
Article (5): Control Functions
1. A Company must have effective Control Functions with the necessary independence, authority and resources covering Risk Management, internal audit, compliance and actuarial. The effectiveness of the Control Functions must be assessed periodically by the Board.
2. The existence of a control function does not relieve the Board and Senior Management of their responsibilities.
3. Control functions must be well resourced, with qualified staff who must receive regular training relevant to their roles.
4. Control Functions must an have appropriate level of authority. The head of the control function must not participate in operational business responsibilities, such as underwriting, investment, reinsurance, sales or accounting.
5. The head of each control function must have access to the Board or the Board risk and/or audit committees and must submit periodic reports on the matters determined by the Board. The head of each control function must be able to meet regularly with the chair of any relevant Board committee without the presence of management.
6. Duties of the Board related to Control Functions include:
a. The Board must approve and document the authority and responsibilities of Control Functions, which must be reviewed periodically based on the recommendation of each Control Function.
b. The Board or the relevant Board committee must approve the appointment, dismissal, compensation, performance and any disciplinary action taken against the heads of Control Functions.
c. The Company must not dismiss the heads of Control Functions without first obtaining the no-objection of the Central Bank.
7. Compensation of employees in the Control Functions must be determined independently of the performance of the Company.
8. Control Functions must avoid Conflicts of Interest. Where any conflicts remain and cannot be resolved with Senior Management, these must be brought to the attention of the Board for resolution.
Article (6): Risk Management Function
1. The Risk Management system must address the following:
a. A Company must have an effective Risk Management function to identify, assess, measure monitor, control, report and mitigate its key risks in a timely manner and to promote and sustain a sound Risk Culture.
b. The Risk Management function is responsible for assisting the Board, Board committees and Senior Management with developing and maintaining the Risk Governance System.
c. A Company must have an adequately resourced Risk Management function headed by a Chief Risk Officer (CRO) or equivalent. The function must be independent of the management and decision-making of the Company's risk-taking functions.
2. The Risk Management function must have direct access to the Board and/or the Board risk committee and must provide them with reports on the following matters, at a minimum:
a. Assessment of risk positions, exposures and the steps being taken to manage them;
b. Assessment of changes in the Company's Risk Profile relative to Risk Appetite, including the ORSA;
c. Assessment of pre-defined Risk Limits;
d. Risk Management issues resulting from strategic affairs such as corporate strategy, mergers, acquisitions, major projects and investments;
e. Assessment of risk events and the identification of appropriate remedial actions and the assessment of results after implementation.
3. In developing the Risk Management system the following must be considered:
a. The head of the Risk Management function, the CRO or equivalent, must be of sufficient seniority and stature within the Company, to credibly challenge the heads of business lines and functions. The head of the Risk Management function must have the authority and obligation to inform the Board romptly of any circumstance that may have a material effect on the Risk Management system of the Company.
b. Outsourced activities must remain fully in scope of the Company's Risk Management responsibilities.
Article (7): Risk Measurement & Use of Models
1. A Company must have systems, including information technology capabilities, which are commensurate with the Risk Profile, nature, size and complexity of its business and structure, in order to identify, measure and monitor risk.
2. The Board must have sufficient expertise to understand and oversee the risk measurement systems, including any use of Models.
3. Where a Company uses Models to measure components of risk, it must have appropriate internal processes for the development and approval of use of such Models and must perform regular and independent validation and testing of the Models. The Board remains ultimately accountable whether the approval for use of such Models is provided by the Board or through authority delegated to management.
Article (8): Stress Testing of Material Risks
1. A Company must implement a forward-looking Stress Testing programme as part of its comprehensive approach to Risk Management. Extreme, but plausible, adverse scenarios for a range of material risks must be included in the Stress-Testing programme, commensurate with the size of the Company's risk exposures. The results of the Stress Testing programme must be reflected on an ongoing basis in the Company's risk management, in order to help the Company in maintaining an awareness of the impact of the stresses on its financial position, including contingency planning and the Company's internal assessment of its capital and liquidity.
2. A Company's internal process for assessing capital and liquidity requirements must take into account the nature and level of risks taken by the Company. In addition to the specific risks identified by the Central Bank in the Financial Regulations, a Company must consider all other material risks.
Article (9): Compliance Function
1. A Company must have an effective compliance function in order to fulfil its legal and regulatory obligations and to promote and sustain a compliance culture. The compliance function must establish and maintain appropriate mechanisms and activities to identify, assess, report on and address key legal and regulatory obligations, conduct training on key legal and regulatory obligations, facilitate confidential reporting and conduct assessments on matters related to compliance.
2. The Board is ultimately responsible for creating a corporate culture that is based on honesty, integrity and a commitment to comply with all relevant legislation, regulations and Internal Controls. Such commitment must be reflected in the code of conduct of the Company.
3. A Company must have a Board-approved compliance policy that is communicated to all members of Staff specifying the purpose, standing, and authority of the compliance function within the Company, and if applicable the Group.
4. The compliance function must have access to and provide written reports to the Board and Senior Management on matters related to compliance risks, including but not limited to:
a. Assessment of the key compliance risks the Company faces and the steps being taken to ddress them;
b. Assessment of how the various parts of the Company such as divisions, major business units, and products are performing against compliance standards and goals;
c. Any compliance issues involving management or persons in positions of major responsibility within the Company, and the status of any associated investigations or other actions being taken; and
d. Material compliance violations or concerns involving any other person or unit of the Company and the status of any associated investigations or other actions being taken.
5. The Head of the compliance function must have primary reporting obligations to the Chief Executive Officer and must have direct access to the Board and/or Board audit and/or risk committee. The head of the compliance function must have access to the Chair of the Board to report any delay on rectifying any material noncompliance issues.
6. The Staff within the compliance function must be adequate, competent and collectively have the appropriate experience to ensure that compliance risk within the Company is managed effectively.
7. Outsourced activities must remain fully in scope of the Company's compliance responsibilities.
8. The compliance function must prepare and regularly update a compliance risk programme that sets out its planned activities. The activities of the compliance function must be subject to periodic and independent review by the internal audit function.
Article (10): Actuarial Function
a. A Company must have an effective and independent actuarial function capable of evaluating and providing advice regarding, at a minimum, technical provisions, premium and pricing adequacy, solvency, capital adequacy and reinsurance, so as to contribute to the effective implementation of the risk management system to satisfy all of the actuarial requirements pursuant to the following, as amended from time to time:
1. Federal Law No. (6) of 2007 Concerning On the Organization of Insurance Operations, as amended and its Executive Regulations;
2. The Financial Regulations;
3. The Actuaries' Regulation;
4. The Pricing Regulation;
5. The Takaful Regulation;
6. The Life Insurance Regulation; and
7. Any other regulation or requirement issued by the Central Bank.
b. The Company's actuarial function must have primary reporting obligations to the Chief Executive Officer and a right of access to the Board or the Board audit committee and/or Board risk committee.
Article (11): Internal Audit Function
1. A Company must have an effective internal audit function that provides the Board/Board audit committee and Senior Management with independent evaluation and assurance of the adequacy and effectiveness of the Internal Controls system, Risk Management, compliance and other elements of the corporate governance framework.
2. Internal audit must also use general and specific audits, reviews and testing, in respect of:
a. Preserving the assets of the Company and policyholders, preventing fraud and misappropriation of assets, and assessing the effectiveness of the controls in place in this regard;
b. Assessing the reliability and efficiency of the accounting, financial, risk and compliance reporting information and the effectiveness of the controls in place; and
c. Other matters requested by the Board.
3. The internal audit function must be independent from management or any other Control Functions, and report directly to the Board or the Board audit committee, and must be able to meet with them without the presence of Senior Management, as needed.
4. The internal audit function must be independent of the audited activities and have sufficient standing and authority within the Company, thereby enabling the internal audit function to carry out its responsibilities and main activities as specified in the accompanying Standards, in an independent manner.
5. The Board must ensure that the internal audit function has the authority to:
a. Communicate with all members of Staff and obtain all records, files or data of the Company, and if applicable Group and Affiliates, whenever relevant to the performance of its duties.
b. Initiate a review of any area consistent with its mission; and
c. Require management's response to any audit report, and details on the remedial action taken.
6. The internal audit function must cover within its scope of work, all material areas of risk, including underwriting, reserving, asset-liability management, investments, liquidity, reinsurance, concentration of risk, operational risk, risk-mitigation techniques and conduct of business, intra-group transaction(if any), compensation and timeliness of reporting. The Internal audit function must have full access to and communication with any member of Staff, as well as full access to records, files or data of the Company, and if applicable, the Group and Affiliates, whenever relevant to the performance of its duties.
7. The Internal Controls within a Company must address the following:
a. Outsourced activities must remain fully in scope of the Company's internal audit responsibilities.
b. The internal audit function must regularly review and report to the Board, or the Board audit committee, on compliance with and the ffectiveness of the Company's outsourcing policies and procedures.
8. Any findings and recommendations of the internal audit function must be reported to the Board and/or audit committee, which shall review what actions are to be taken with respect to each of the internal audit findings and recommendations and must ensure that those actions are carried out.
9. The Staff within the internal audit function must be adequate, competent and collectively have the appropriate experience to understand and evaluate all of the business activities, support and Control Functions of the Company, and if applicable, the Group.
10. The head of internal audit must ensure that the function complies with the Institute of Internal Auditors' (IIA) international Standards for the Professional Practice of Internal Auditing.
11. Companies must have an internal audit charter approved by the Board audit committee, that articulates the purpose, standing and authority of the internal audit function within the Company, and if applicable, the Group.
12. Senior Management must inform the internal audit function, on a timely basis, of any changes to the Company's, or if applicable, the Group's, Risk Governance System.
13. Senior Management must ensure that timely and appropriate actions are taken on all internal audit findings and recommendations.
Article (12): Outsourcing
1. The Risk Governance System must address the following matters:
a. Companies' Risk Governance Systems must include policies and procedures for the assessment of any proposed Outsourcing and the identification, assessment measurement, monitoring, controlling, reporting and mitigating of any risks associated with existing and proposed Outsourcing arrangements.
b. The Risk Governance System must provide an entity-wide or, if applicable, Group-wide view of the risks associated with Outsourcing, including any services the Company provides to, or receives from, other Group members.
c. Companies must maintain a comprehensive and updated register of all Outsourcing arrangements, including all material and non-material Outsourcing arrangements, on an entity and group-wide basis.
2. When a Company is Outsourcing, it must ensure that the following measures are in place, at a minimum:
a. Any outsourced Material Business Activity or function must be subject to oversight, accountability, review and assessment in the equivalent manner that non-outsourced activities or functions are. Outsourcing must not adversely affect the Company's ability to manage its risks.
b. A Company is fully responsible for the risks arising from any process or activity they outsource.
c. A Company must have a process for determining the materiality of outsourced activities. The process of identifying Material Business Activity must consider the potential of the outsourced activity to adversely affect the Company's operations and its ability to manage risks, if disrupted or performed poorly.
d. Companies must obtain the 'no objection' of the Central Bank prior to outsourcing any Material Business Activity.
3. The Board and Senior Management are ultimately responsible for any outsourced functions or activities. The Board must assess the ability of the Company's Risk Management and Internal Controls to manage the outsourced risks effectively in respect of business continuity.
4. Outsourced activity must be governed by written contracts that state the parties' rights and obligations. The Board and Senior Management must consider when outsourcing an activity, the effects of the Company's Risk Profile, the service provider's expertise, knowledge, governance, Risk Management, Internal Controls, financial viability along with the succession issues upon the ending of the contractual relationship with the service provider.
5. A Company is responsible for compliance with Central Bank Laws and Regulations and all other relevant laws and regulations applicable to their outsourced activities.
6. The compliance function must regularly review and report to Senior Management, or to the Board as necessary, on the compliance of Outsourcing service providers with the laws, regulations and policies applicable to the Company.
7. When Outsourcing outside the State:
a. The Master System of Record, which includes all Confidential Data, must be ontinuously maintained and stored within the State.
b. As an exception to paragraph (12.7.a) above and subject to Central Bank approval, branches of foreign Companies may comply with this requirement by retaining a copy of the Master System of Record, updated on at least a daily basis, within the State.
c. A Company's customers' Confidential Data must not be shared outside the State without Central Bank approval and obtaining prior written consent from the customer. Companies must also obtain written acknowledgement from their customers that their Confidential Data may be accessed as part of legal proceedings or pursuant to an order of a court of competent jurisdiction outside the State in such circumstances.
d. A Company must not enter into Outsourcing agreements that involve sharing Confidential Data with a service provider domiciled in a jurisdiction that cannot provide the same level of safeguarding of Confidential Data that would apply if the data was kept in the tate. This applies to all jurisdictions applicable to all parties to the agreement.
e. Companies are not permitted to enter into Outsourcing agreements that propose the storage of data in any jurisdiction where Company secrecy, or other laws, restrict or limit access to data necessary for supervisory and regulatory purposes.
Article (13): Countering Fraud in Insurance
1. In order to reduce fraud risks, a Company must undertake the following, at a minimum:
a. A Company must have effective measures to deter, prevent, detect, report and remedy internal and external fraud.
b. The Board and Senior Management are ultimately responsible for fraud Risk Management.
c. A Company's fraud Risk Management system must cover strategy, organizational structure, policies and procedures. The fraud management strategy must be regularly reviewed by the Board and Senior Management to ensure that it continues to be effective.
d. A Company must identify, assess, measure, monitor, control, report and mitigate fraud risk and create appropriate fraud Risk Management policies and procedures in its processes across the Company.
2. A Company must require high standards for integrity in its Board and Staff as part of its business values and organizational culture. These standards must be communicated throughout the Company.
3. The Board must approve the fraud Risk Management strategy and ensure that there are adequate resources, support and expertise for the effective implementation of such strategy. Any deviation from the fraud Risk Management strategy must require the Board's approval.
4. Additional requirements concerning countering fraud in insurance may be imposed pursuant to Regulations or decisions, which may be issued by the Central Bank in this regard.
Article (14): Duty To Report To The Central Bank
1. The heads of Risk Management, compliance, actuarial and/or internal audit must promptly report to the Central Bank any violations of the Central Bank Laws, any of the Regulations and/or instructions issued by the Central Bank and any Matters of Significance. Heads of Risk Management, compliance, actuarial and internal audit making such reports in good faith shall not be considered to have breached any of their obligations.
2. Companies must promptly notify the Central Bank in case of resignation of their heads of Risk Management, compliance or internal audit and the reasons thereto.
3. Companies must also promptly notify the Central Bank when they become aware of a significant deviation from their Board-approved Risk Management and/or compliance and actuarial policies, and internal control charters.
Article (15): Takaful Insurance
A Company offering Takaful Insurance must ensure compliance with Shari'ah provisions pursuant to the Financial and Takaful Regulations, in addition to the requirements of this Regulation.
Article (16): Enforcement
1. Violation of any provision of this Regulation and the accompanying Standards may be subject to supervisory action and sanctions as deemed appropriate by the Central Bank.
2. Without prejudice to the provisions of the Central Bank Law, supervisory action and sanctions by the Central Bank may include withdrawing, replacing or restricting the powers of Senior Management or members of the Board, providing for the interim management of the Company, or barring individuals from the UAE insurance sector.
Article (17): Interpretation of the Regulation
The Regulatory Development Division of the Central Bank shall be the reference for interpretation of the provisions of this Regulation.
Article (18): Publication And Application
1. This Regulation shall be published in the Official Gazette in both Arabic and English and shall come into effect one month from the date of publication.
2. On the effective date of this Regulation, any Company which is not compliant with the Regulation must, within ninety (90) days, provide the Central Bank with a detailed plan for coming into compliance with the requirements herein. The Central Bank will decide on the adequacy of the proposed plan.