Regulation for Electronic Insurance Operations

Decision No. 80/2023 On the Issuance of the Regulation for Electronic Insurance Operations ;Pursuant to the Insurance Companies Law promulgated by Oman Sultani Decree No. 12/1979 ;The Takaful Insurance Law promulgated by Oman Sultani Decree No. 11/2016 The Implementing Regulation of Insurance Companies Law issued by Oman Ministerial Decision ;No. 5/1980 ;Oman Decision No. 19/2017 on the Issuance of the Regulation of Insurance Brokerage Activities ;The Regulation for Insurance Products Marketing issued by Oman Decision No. 69/2017 and The Implementing Regulation of the Takaful Insurance Law issued by Oman Capital Market ;Authority Decision No. 103/2019 ;Based on the approval of the Board of Directors of the Capital Market Authority ;and The approval of the Ministry of Finance ,and The public interest requirements :Hereby issues the following Decision Article 1 The provisions of the Regulation for Electronic Insurance Operations attached hereto shall come .into force Article 2 Those who are addressed by the provisions of the attached Regulation shall adjust their situations in accordance with its provisions within (120) one hundred and twenty days from the .date of its entry into force Article 3 This Decision shall be published in the Official Gazette, and it shall come into force as of the day .following the date of its publication .Issued on: 05/03/1445 H Corresponding to: 21/09/2023 Abdullah bin Salem bin Abdullah Al Salmi CEO of the Capital Market Authority

The Regulation for Electronic Insurance Operations Chapter 1 Definitions and General Provisions Article 1 For the purposes of the provisions of this Regulation, the following terms and expressions shall :have the meanings assigned to each, unless the context requires otherwise .Authority: The Capital Market Authority -1 Companies; The company licensed to practice insurance activity in accordance with the -2 provisions of the Insurance Companies Law and the Takaful Insurance Law referred to here .above .Broker: The juristic person licensed to carry out insurance brokerage activity -3 .Policy: Insurance policies approved by the Authority -4 Electronic Insurance Operations: Insurance activities carried out by the Company or the -5 .Broker through the Internet or electronic or smart systems Approval: The authorisation issued by the Authority to the Company or the Broker to -6 .provide Electronic Insurance Operations Platform: The application or electronic portal designated for providing Electronic -7 .Insurance Operations Third Party The entity with which the Company or the Broker enters into a contract to -8 .manage the Platform, wholly or partially Article 2 .The provisions of this Regulation apply to all Electronic Insurance Operations Chapter 2 Requirements and Procedures for Approval Article 3 The Company or the Broker may not provide Electronic Insurance Operations except after .obtaining the Approval of the Authority Article 4 The Company shall create a Platform to provide Electronic Insurance Operations, which includes marketing and selling insurance Policies, collecting insurance premiums, receiving claims, .processing complaints, and other Electronic Insurance Operations .The Broker may create a Platform to provide the services it is licensed to provide electronically Article 5 An Approval is subject to the submission of an application to the Authority on the form prepared therefor, the payment of the fee prescribed to study the application in accordance with

the Table attached to this Regulation, and the completion of the following documents and :requirements A specific business plan for Electronic Insurance Operations, approved by the board of -1 directors or the regional management of the Company, and by the Broker’s association of :partners, which shall contain in particular the following .a- Types of operations that will be provided through the Platform b- An analysis of the size of Electronic Insurance Operations expected during (3) the first .three years c- An analysis of the risks associated with Electronic Insurance Operations, and the precautionary measures and procedures necessary to reduce them, such as the risks of negative selection, money laundering and terrorist financing crimes, strategic risks, illegal .entry into the Platform, and any other risks determined by the Authority .Proof of the existence of a specialised human cadre to manage the Platform -2 A statement of the mechanism for responding to Customer inquiries received through the -3 .Platform A user guide explaining the manner to complete Electronic Insurance Operations through the -4 .Platform .A plan to market the Platform through various media -5 An emergency plan that includes the measures that shall be taken in case of failure of one or -6 more procedures of the Platform’s automated system. This plan shall include corrective measures to ensure work continuity, the submission of reports necessary therefor, and a .mechanism for saving and backing up all data received through the Platform Controls for maintaining the security and confidentiality of information, security measures -7 and procedures to prevent any electronic hacking, and protecting information exchanged with .Platform users .Technologies used to protect financial payment transactions through the Platform -8 .A copy of the contract concluded between the Company/ Broker and a Third Party, if any -9 Article 6 The Authority shall study the application for Approval and verify that all prescribed documents and requirements are completed. The Authority may request clarification about Electronic Insurance Operations and subject them to testing and evaluation. The application shall be considered cancelled if the applicant does not complete all the required documents and .requirements within thirty (30) days from the date of their request Article 7 The Authority shall issue the Approval within a period not exceeding (30) thirty days from the date the application completes all documents and requirements, and after payment of the prescribed fee in accordance with the Table attached to this Regulation. The lapse of this period without deciding on the application shall be considered a decision of rejection. The concerned party may file a grievance with the Grievances Committee stipulated in the aforementioned Insurance Companies Law within sixty (60) days from the date of expiry of the period of thirty (30) days stipulated in the preceding paragraph, or from the date of being notified of the rejection decision. The grievance shall be decided upon within (30) thirty days from the date of its filing, and the expiry of such period without a response shall be considered a rejection of the .grievance

Chapter 3 Obligations of the Company and the Broker Article 8 The Company and the Broker shall enable the Customer to view the entire Policy through the :Platform, and in particular, the following data .Terms and conditions of the Policy -1 .Limits and benefits of insurance coverage and the exceptions contained therein -2 .Mechanism for calculating the insurance premium -3 Article 9 Before selling or issuing the Policy through the Platform, the Company and the Broker shall verify the authenticity of the Policy, the identity of Customers and the documents submitted by them and establish the necessary procedures therefor. Further, the Company and the Broker shall maintain registers of Customer Policies and identities obtained through the Platform for a period of at least ten (10) years from the date of obtaining them, and establish the necessary measures :to protect them, in particular the following .Setting security requirements on procedures for accessing the Customer’s register -1 Verifying the accuracy of Customer-related data, such as phone number and email, by -2 .sending the verification (activation) link Article 10 :When selling insurance Policies through the Platform, the Company and the Broker shall Provide an electronic leaflet that includes the terms, benefits and exclusions of insurance -1 .coverage, and a mechanism for responding to Customer inquiries in this regard Provide the Customer with a copy of the Policy and its annexes, and a payment receipt upon -2 its issuance via e-mail or any other method that enables the Customer to receive the Policy, .provided that it includes the serial number Provide the Customer with access to his electronic register, which shall include a complete -3 copy of the concluded Policy, the insurance premium, and the executory status of claims or any .other claim related to this Policy Provide the Customer - upon his request - with a paper copy of the Policy signed and stamped -4 .by the Company or the Broker, as the case may be Explain all available insurance services and coverage, the additional benefits of each insurance -5 .product, and their prices Ensure that the electronic insurance application form is consistent with the final format -6 .approved by the Authority Article 11 The Company and the Broker shall provide a division for after-sales services through the :Platform to carry out the following tasks Responding to any amendment requested by the Customer in the Policy or the Customer’s -1 .request to obtain any information about the current status of his Policy

.Informing the Customer of the procedures followed to cancel the Policy through the Platform -2 Informing the Customer, no less than (1) month before the expiry of the Policy term while -3 determining the insurance premium, so as to enable him to renew the Policy or obtain insurance coverage from another company Article 12 The Company shall, through the Platform, provide all the information necessary for the Customer or the injured person to submit their claims and download a copy of the claim documents. The company - after accepting the claim - shall provide the claimant with a reference number. The Company may, before paying the value of the claim, request to obtain the original .claim documents from the claimant to verify their alignment and authenticity Article 13 The Company and the Broker shall provide all the information necessary for the Customer or the injured person to submit complaints and follow up on their status through the Platform, :provided that this information includes - as a minimum - the following .The complaint’s form -1 Contact details of the department responsible for receiving complaints and inquiring about -2 .(them (e-mail, phone number, fax number, postal address A general description of the procedures for dealing with complaints, including the estimated -3 .time for processing them Article 14 The Company and the Broker shall provide an immediate response mechanism to respond to .inquiries before, during, and after the sales process Article 15 The Company and the Broker shall save data and backup copies, and provide a register of the electronically issued Policies, in accordance with the instructions issued by the Authority or the .competent authorities Article 16 The Company and the Broker shall conclude a contract with a specialised company to conduct an audit on the Platform at least once every (2) two years in accordance with the terms specified by .the Authority The Authority may also impose on the Company and the Broker to conduct an audit on the Platform annually, and in all cases a copy of the audit report shall be submitted to the .Authority Article 17 The Company and the Broker shall obtain the Authority’s approval to amend the data or documents submitted in the application for Approval or related to the management of the Platform or outsourcing operations related to the Third Party and pay the prescribed fee in .accordance with the Table attached to this Regulation Article 18 The Company and the Broker shall provide all necessary information and disclose the same clearly to Customers who wish to obtain any of its insurance services through the Platform, and

.verify the validity, accuracy, and clarity of that information Chapter 4 Platform Management, Outsourcing and Hosting Operations Article 19 The Company and the Broker shall set up a specialised department to manage all operational :aspects of the Platform, by performing the following tasks .Continuously updating information about the insurance activities and services provided -1 Monitoring the quality of performance of Electronic Insurance Operations in line with best -2 .practices .Continuously supervising and verifying data received and issued from the Platform -3 .Providing technical support to Platform users -4 Dealing with suspicious or questionable transactions in coordination with the relevant -5 .authorities .Carrying out periodic maintenance of the Platform -6 Article 20 When using the Platform by Customers, the Company and the Broker shall adhere to the :following .Making the Platform available around the clock -1 Placing links to access the Platform (quick links) on all its identifiers and electronic -2 .channels Establishing a fixed-term notice whenever the Platform is in a state of maintenance. In all -3 cases, the period of stopping the Platform for maintenance purposes shall not exceed (24) .twenty-four hours In the event that the Platform is stopped for a longer period, the Authority shall be forthwith .notified thereof, and the period required to put back the platform to work shall be mentioned Article 21 The Company and the Broker may assign any work related to Platform management to a Third :Party, in accordance with the following conditions .The Third Party shall have a headquarters in the Sultanate of Oman -1 The Third Party shall be licensed by the relevant authorities -2 A proof to the effect that the Third Party has a specialised staff the to carry out the operations -3 .stipulated in Article (19) of this Regulation shall be produced The ownership of the Platform shall belong to the Company and the Broker, as the case may -4 .be .The Authority’s approval shall be obtained -5

Article 22 The Company and the Broker may - after the Authority’s Approval - and in a manner that does not conflict with the laws, regulations, and instructions issued by the competent authorities, contract with an application or website to host the Platform link, provided that all data related thereto is displayed, such as the name of the Company or Broker, address, license data, types of .insurance products provided, and contact details in all channels Chapter 5 Security, Confidentiality and Privacy of Information Article 23 The Company and the Broker shall provide the Authority with a policy and procedures for information security and safety after their approval by the board of directors or the regional .management of the Company, and by the Broker’s association of partners Article 24 The Company and the Broker shall take all necessary measures to maintain the confidentiality of the information they obtained through the Platform, and not disclose the same to any other .party except after obtaining written approval from the Authority Article 25 The Company and the Broker shall ensure the security and integrity of the information provided :through the Platform at all times, especially the following information .Information provided to Customers -1 Information collected and stored by the Company, Broker, or the contracting Third Party, -2 whether it is an Internet connection service provider, host, or platform manager, with a commitment to protecting Customers’ personal information from loss, unauthorised access, modification, or disclosure, and take all additional security measures and procedures to .protect the information exchanged with visitors to the Platform from theft or misuse Article 26 The Company and the Broker shall provide the latest technologies and programs to ensure the protection and safety of financial payments made through the Platform, and they shall use .payment systems approved by the Central Bank of Oman Article 27 The Company and the Broker shall display a notice on the Platform stating that there are appropriate procedures regarding the security, confidentiality and privacy of data and .information Chapter 6 Administrative Penalties Article 28 In the event of a violation of the provisions of this Regulation, the Authority may impose any of :the following penalties Warning notice, while imposing on the violator to correct the violation within thirty (30) -1 .days

(An administrative fine of (OMR 2000 -2 .Suspension of the Platform for a duration that does not exceed (30) months -3 .Cancellation of the Approval -4 Fees Fee in Omani rials Service Type .No (50) Studyingthe application forapproval 1 two hundred (200) Issuingthe approval 2 twenty (20) Amending data 3