GFSC Guidance Note on External Audit of and Responsibilities of the Governing Body in Relation to the Public Disclosure Requirement

Version: 1 Publication Date: 31/03/2025 www.gfsc.gi GFSC Guidance Note External audit of, and responsibilities of the administrative, management or supervisory body in relation to, the public disclosure requirement

Gibraltar Financial Services Commission Guidance Note - External audit of, and responsibilities of the 2 governing body in relation to, the public disclosure requirement Table of Contents

1. Introduction..................................................................................................................................... 3 2 Administrative, management or supervisory body’s responsibility for the SFCR........................... 3 3 Level of assurance and scope.......................................................................................................... 3 Information in the group SFCR ........................................................................................................ 4 Information in the group SFCR compiled in accordance with the relevant law.............................. 4 Approvals, waivers and supervisory determinations...................................................................... 4 Other information in the SFCR public disclosure ............................................................................ 4 4 Audit Guidance................................................................................................................................ 5 General ............................................................................................................................................ 5 Audit of the Matching Adjustment (MA)......................................................................................... 5 Framework for considering the MA requirements in the context of the external audit requirements set out in Regulation 56G of the Insurance Companies Regulations....................... 5 Auditor assessment of the MA........................................................................................................ 6 GFSC review of the MA.................................................................................................................... 6 Expectations for auditor communication........................................................................................ 7 Use of actuaries............................................................................................................................... 8 Appendix: Solvency 2 public disclosure........................................................................................................ 9

Gibraltar Financial Services Commission Guidance Note - External audit of, and responsibilities of the 3 governing body in relation to, the public disclosure requirement

1. Introduction 1.1 1.1 This Gibraltar Financial Services Commission (‘GFSC’) Guidance Note is relevant to insurance undertakings1 and reinsurance undertakings2 (collectively referred to as ‘insurers’ or ‘firms’ throughout this Guidance Note). It reminds the administrative, management or supervisory body of its responsibilities in respect of the ongoing appropriateness of the information disclosed, and that it must approve the Solvency and Financial Condition Report (‘SFCR’). It also sets out the level of assurance expected with respect to the external audit of the SFCR and the audit guidance that the GFSC expects auditors to follow in auditing a firm’s SFCR, where this is required by the GFSC under regulation 56G(1) of the Financial Services (Insurance Companies) Regulations 2020 (the ‘Insurance Companies Regulations’). This Guidance Note should be read alongside the Insurance Companies Regulations and the Financial Services Act 2019 (the ‘FSA 2019’). 1.2 By clearly and consistently explaining its expectations of insurers and audit firms in relation to the particular areas addressed, the GFSC seeks to advance its statutory objectives. This Guidance Note is intended to complement existing legislation, policies and guidance and is not intended to conflict with, amend or supersede them. 2 Administrative, management or supervisory body’s responsibility for the SFCR 2.1 Regulation 37(6) of the Insurance Companies Regulations requires that an insurer must have in place a written policy ensuring the ongoing appropriateness of any information disclosed and regulation 56(2) of those regulations requires that the insurer must ensure that its SFCR is subject to approval by its administrative, management or supervisory body. Therefore the GFSC expects the administrative, management or supervisory body to take responsibility for ensuring that the SFCR has been properly prepared in all material respects in accordance with the Insurance Companies Regulations. 2.2 As well as having a written policy in place to ensure the ongoing appropriateness of any information disclosed, the GFSC expects that the administrative, management or supervisory body should be satisfied that: (a) throughout the financial year in question, the insurer has complied in all material respects with all relevant legal requirements; and (b) it is reasonable to believe that, at the date of the publication of the SFCR, the insurer has continued so to comply, and will continue so to comply in future. 2.3 The GFSC expects the administrative, management or supervisory body to acknowledge and evidence in writing its responsibility for the SFCR and make this available to potential readers of the SFCR by signing the SFCR and attaching the written acknowledgment to the SFCR. 3 Level of assurance and scope 3.1 External audit of the SFCR refers to an independent auditor gathering sufficient appropriate evidence to provide an overall reasonable assurance opinion that the public disclosure in scope complies in all material respects with all relevant legal requirements. Reasonable assurance is a high level of assurance described in relevant auditing standards. It is achieved when the auditor has 1 Financial Services (Insurance Companies) Regulations 2020, Regulation 3 2 Ibid.

Gibraltar Financial Services Commission Guidance Note - External audit of, and responsibilities of the 4 governing body in relation to, the public disclosure requirement obtained sufficient appropriate audit evidence to reduce audit risk (that is the risk that the auditor expresses an inappropriate opinion when the SFCR is materially misstated) to an acceptably low level. Regulation 56G(3) of the Insurance Companies Regulations describes the relevant elements of the public disclosure in scope in the ‘Valuation for solvency purposes’ and ‘Capital management’ sections of the SFCR subject to the two exemptions. First, the Solvency Capital Requirement (SCR) and information that derives from it, is exempt if calculated using an approved full or partial internal model (regulation 56G(4) and (5) of the Insurance Companies Regulations). Secondly, where the information in the SFCR is required to be produced in accordance with the relevant law, as referred to in regulation 56G(7) of the Insurance Companies Regulations. Information in the group SFCR 3.2 Whenever a SFCR is disclosed, whether at the solo or, where relevant, at the group and sub group level, information in relation to undertakings included in the SFCR (including undertakings established in Gibraltar and those established in a third country) will be within scope for any external audit required by the GFSC under regulation 56G(1) of the Insurance Companies Regulations (except where the information in the group SFCR has been compiled in accordance with sectoral requirements). Information in the group SFCR compiled in accordance with the relevant law 3.3 Where information for the group SFCR is compiled in accordance with the relevant law (as referred to in regulation 56G(7) of the Insurance Companies Regulations), and the GFSC requires an external audit of the relevant elements of the SFCR under regulation 56G(1) of the Insurance Companies Regulations, the group auditor should undertake an assessment of whether that information has been properly extracted in accordance with the relevant law, from information provided to the insurer by other undertakings of the insurance group and from the insurer’s own records. An external audit of sectoral information is not required. Approvals, waivers and supervisory determinations 3.4 The auditor is not expected to express an opinion on the validity of an approval, waiver or other supervisory determination. Instead, approvals, waivers and supervisory determinations provided by the competent authority should be considered as part of the framework against which the audit opinion is being given. For the purposes of transitional measures on technical provisions, Pillar 1 and 2 assets, liabilities and capital calculated in accordance with the previous regime, should be treated as part of the framework against which the audit opinion is being given. Other information in the SFCR public disclosure 3.5 Regulation 56G(6)(c) of the Insurance Companies Regulations requires that the auditor read and consider all information disclosed by the firm in its SFCR that is not subject to the reasonable assurance opinion as a relevant element of the SFCR (other information) to identify material inconsistencies with the relevant elements of the SFCR and any knowledge obtained during the course of the audit of the SFCR engagement, and (where applicable) audit of the financial

Gibraltar Financial Services Commission Guidance Note - External audit of, and responsibilities of the 5 governing body in relation to, the public disclosure requirement statements. When complying with this rule, the GFSC expects the auditor to follow ‘International Standard on Auditing 720 (Revised) The Auditor’s Responsibilities Relating to Other Information’3 . 4 Audit Guidance General 4.1 The GFSC regards compliance with International Standards on Auditing (‘ISAs’) as the primary means by which auditors will be able to demonstrate that they have complied with the provisions relevant to auditors under the Insurance Companies Regulations. 4.2 Auditing standards and guidance will be updated from time to time. The GFSC may update this Guidance Note accordingly as appropriate. Audit of the Matching Adjustment (MA) 4.3 The scale of the matching adjustment (i.e. the extent to which the MA impacts on technical provisions) is within scope of audit where an external audit of the relevant elements of the SFCR is required under regulation 56G(1) of the Insurance Companies Regulations.4 This reflects the fact that the impact of the MA falls within the ‘relevant elements’ that external auditors of the SFCR are required to form a view on.5

4.4 However, the interaction of the requirements relating to the external audit of the SFCR under regulation 56G of the Insurance Companies Regulations and the requirements relating to firms’ use of the matching adjustment (MA) may be complex. This reflects the nature of the MA, the role of the GFSC in supervising its use, and the interaction of these with audit requirements. Framework for considering the MA requirements in the context of the external audit requirements set out in Regulation 56G of the Insurance Companies Regulations 4.5 In the context of Regulation 56G of the Insurance Companies Regulations, the main requirements relating to the MA can usefully be separated between the related but distinct: • conditions of eligibility (as specified by regulation 68 of the Insurance Companies Regulations ; • the calculation of the MA (specified by regulations 69, 69A and 69C of the Insurance Companies Regulations); and • the way that the MA is applied (specified by regulations 68(1) and 68D(1) to (5) of the Insurance Companies Regulations). 3 https://www.iaasb.org/publications/international-standard-auditing-isa-720-revised-auditor-s-responsibilities￾relating-other-7 4 The requirements relating to the external audit of ‘relevant Solvency and Financial Condition Reports’ are set out in this regulation. 5 For example, the quantification of the impact of a change to zero of the MA on that undertaking’s financial position is specified as a relevant element of the SFCR (Regulations 56G(3)(a) and 52(3)(a) and (b) of the Insurance Companies Regulations).

Gibraltar Financial Services Commission Guidance Note - External audit of, and responsibilities of the 6 governing body in relation to, the public disclosure requirement 4.6 The GFSC takes into account the firm’s description of its process to calculate the MA during the MA application process. It does not approve the firm’s calculation methodology as part of that process. The GFSC supervises firms’ use of the MA and the scale of MA benefit claimed on an ongoing basis, in a way that is consistent with the GFSC’s published approach to insurance regulation6 . As part of supervisory work, the GFSC may decide to review a firm’s MA calculation in order to ensure that this is done to an appropriate standard and complies with relevant requirements. The GFSC may apply closer scrutiny and, where appropriate, would consider use of its relevant supervisory powers under section 70 of the FSA 2019 where it has concerns about the compliance of a firm’s MA calculation with the legislative requirements (e.g. regulations 69, 69A and 69C of the Insurance Companies Regulations). Auditor assessment of the MA 4.7 In forming the opinion referred to in regulation 56G(1) and (6) of the Insurance Companies Regulations, auditors are not required to assess whether a firm meets the eligibility conditions for use of the MA. As noted in paragraph 3.4, auditors are not expected to express an opinion on the validity of an approval, waiver or other supervisory determination. 4.8 However, to provide the audit opinion that may be required in relation to the SFCR under regulation 56G(1) of the Insurance Companies Regulations, to the extent it is material to their opinion, auditors are expected to consider the scale of the MA claimed by the firm. This reflects the fact that the impact of the MA on technical provisions falls within the relevant elements that are within the required scope of audit as set out by regulation 56G(3)(b) of the Insurance Companies Regulations. The MA calculation depends in part on the application of the MA calculation requirements (set out including in regulations 69, 69A and 69C of the Insurance Companies Regulations). However, the scale of the MA could also be affected if the assets and liabilities used to calculate the MA were not within scope of an MA permission. 4.9 Any additions made to the fundamental spread to ensure that it covers all risks retained, other than those arising from the uncertainty regarding the timing and amount of cash flows from assets with highly predictable cash flows, remain at the discretion of firms, and hence the GFSC does not expect these to be covered by an external audit. The GFSC also considers that neither the attestation report nor the underlying evidence are within the scope of an external audit, as the attestation is directed to the GFSC. 4.10 The GFSC is not prescriptive about the audit work necessary to support the auditor's opinion on the SFCR, or the approach that it should take in forming its view. The GFSC notes that the audit approach taken is likely to vary based on circumstances, materiality, risk and other factors. GFSC review of the MA 4.11 The MA calculation does not form part of the eligibility conditions under which the GFSC would be obliged (if the conditions were met) to grant permission in accordance with regulation 68(2) of the Insurance Companies Regulations. As the calculation methodology is not part of the eligibility conditions, the GFSC’s permission does not cover the firm’s calculation of the MA.7 Therefore, 6 https://www.fsc.gi/publications/2019/05/Approach%20to%20Insurance%20Regulation.pdf 7 This includes the calculation methodologies, processes, and judgements that are used to determine the scale of the MA. Examples of methodologies, processes, and judgements relevant for calculating the MA include the

Gibraltar Financial Services Commission Guidance Note - External audit of, and responsibilities of the 7 governing body in relation to, the public disclosure requirement auditors should not treat these factors as being part of the framework that they audit against. Instead, auditors are expected to form their own view on the calculation of the MA, as part of their work to give an opinion as to whether the relevant elements of the SFCR are prepared in all material respects in accordance with the relevant requirements.8

4.12 Where the GFSC has carried out work to review the MA calculation (including the methodologies, processes, or judgements that contribute to the MA), an auditor of the SFCR would still be expected to incorporate its own views on this calculation into its audit opinion. Similarly, the GFSC does not expect auditors to assume that an absence of GFSC challenge (e.g. in relation to the MA calculated) overrides a need for auditors to form their own views in the SFCR audit opinion. Expectations for auditor communication 4.13 If through the course of their work, an auditor becomes aware that the firm may not be compliant with MA requirements (whether or not those requirements are within the scope of the auditor’s opinion on the relevant elements of the SFCR), then the GFSC would expect the auditor to inform the firm in the first instance.9 Auditors may also choose to remind the firm of the requirement in regulation 68D(4) of the Insurance Companies Regulations to inform the GFSC if it is not able to comply with the conditions specified and to take the necessary measures to restore compliance as soon as possible. 4.14 If a firm materially changes its approach to calculating the MA, then the GFSC would usually expect this to be discussed by the firm with its main supervisory contact. 10 However, if the auditor is aware that the GFSC has not been informed of such a change then the auditor would be expected to pass this information on to the GFSC. 4.15 The expectations for auditor communication in paragraphs 4.13 and 4.14 above relate to information that auditors become aware of in the course of their work and are not intended to require additional audit procedures. These expectations are subject to other communication requirements that may be relevant, including the auditor’s statutory duty to report and do not override or alter existing expectations or communications requirements. These paragraphs should therefore be read in conjunction with existing communication requirements. approach used by a firm to estimate internal credit ratings and the mapping of these ratings to credit quality steps. Other relevant methodologies may include the firm's approach to aggregating data as well as other judgements and processes used to calculate the matching adjustment in line with Solvency II requirements. 8 For example, the GFSC would expect that auditors form their own view about whether assets and liabilities are in scope of the MA permission that is provided. If assets or liabilities were included in the MA calculation that are not within the scope of the permission then the MA benefit would be miscalculated. 9 For the purposes of paragraph 4.13, MA requirements refers to the eligibility conditions set out in regulation 68 of the Insurance Companies Regulations as well as the requirements stated in regulations 68D to 69E of those regulations. The term MA requirements for this purpose does not include GFSC guidance or expectations introduced through correspondence between the firm and its supervisory team. However, these other aspects may be covered by the existing expectation that the overriding consideration should be to disclose information that in the judgement of the lead audit partner would assist the GFSC in carrying out its functions. 10 At a minimum this would include changes that would be expected to have a material impact on the calculation of the MA at the time of change or in the future. In the context of the SFCR, information shall be considered as material if its omission or misstatement could influence the decision-making or the judgement of the users of that document, including a supervisory authority.

Gibraltar Financial Services Commission Guidance Note - External audit of, and responsibilities of the 8 governing body in relation to, the public disclosure requirement Use of actuaries 4.16 ISAs specify that the auditor shall determine whether, to obtain sufficient appropriate audit evidence, he or she should use the work of an auditor’s expert, and should evaluate the expert’s competence, capabilities and objectivity. As a minimum, for firms that write life insurance business, the GFSC expects that auditors, in undertaking the external audit, will obtain and pay due regard to the work of a suitably qualified actuary who is independent of the firm.

Gibraltar Financial Services Commission Guidance Note - External audit of, and responsibilities of the 9 governing body in relation to, the public disclosure requirement Appendix: Solvency 2 public disclosure The table below lists the elements of the SFCR and highlights which are considered to be part of the ‘relevant elements of the SFCR’ and which should be treated as ‘other information’ [in accordance with ISA 720 (revised). Gibraltar legislation reference Subject matter Assurance Regulation 56A of the ICR Business and performance Other information Regulation 56B of the ICR System of governance Other information Regulation 56C of the ICR Risk profile Other information Regulation 56D of the ICR Valuation for solvency purposes Relevant element* Regulation 56E(1)-(2) & (3) to (6) of the ICR Capital management Relevant element* Article 57A of the ISR TS Group solvency and financial Relevant element* Valuation and capital management sections Templates IR.02.01.02 Balance Sheet Relevant element* IR.05.03.02 Revenue Account (Life) Other information IR.05.04.02 Income and expenditure by line of business (Non-life) Other information IR.05.02.01 Premiums, claims and expenses by country Other information IR.12.01.02 Life and Health SLT Technical Provisions Relevant element* IR.17.01.02 Non-Life Technical Provisions Relevant element* IR.19.01.21 Non-life insurance claims Other information IR.22.01.21 Impact of long term guarantees and transitional measures Relevant element* IR.22.01.22 Impact of long term guarantees and transitional measures Relevant element* IR.23.01.01 Own funds Relevant element* IR.23.01.04 Own funds Relevant element* IR.25.04.21 Solvency Capital Requirement

• for all undertakings Relevant element* IR.25.04.22 Solvency Capital Requirement – for groups - all undertakings Relevant element* IR.28.01.01 Minimum Capital Requirement - Only life or only non-life insurance or reinsurance activity Relevant element* IR.28.02.01 Minimum Capital Requirement - Both life and non-life insurance activity Relevant element* IR.32.01.22 Undertakings in the scope of the group Relevant element*

Gibraltar Financial Services Commission Guidance Note - External audit of, and responsibilities of the 10 governing body in relation to, the public disclosure requirement *SCR calculated using an internal model is out of scope Note: • The Financial Services (Insurance Supervisory Reporting) (Technical Standards) Regulations 2025 are referred to as “ISR TS”; and • The Financial Services (Insurance Companies) Regulations 2020 are referred to as “ICR”.

Published by: Gibraltar Financial Services Commission PO Box 940 Suite 3, Ground Floor Atlantic Suites Europort Avenue Gibraltar www.gfsc.gi © 2025 Gibraltar Financial Services Commission