2017-01-01
The Financial Services Commission of Mauritius requires licensed insurers to implement minimum standards for marketing, selling, and issuing insurance policies in digital format. Insurers must ensure online transactions feature authenticated electronic signatures, secure data confidentiality, clear product disclosures, and robust audit trails for record retention. Non-compliance exposes insurers to regulatory sanctions as the guidelines take effect on 1 July 2017.
GUIDELINES FOR ISSUE OF INSURANCE POLICY DOCUMENTS IN DIGITAL FORMAT

Issued under section 7(1)(a) of the Financial Services Act 2007 & section 130 of the Insurance Act 2005

[30 March 2017]
Contents

CHAPTER 1 – INTRODUCTION
1.1 OBJECTIVE
1.2 SCOPE
1.3 APPLICATION OF GUIDELINES
1.4 EFFECTIVE DATE
CHAPTER 2 – DEFINITIONS
CHAPTER 3 – MINIMUM STANDARDS RELATING TO ISSUE OF INSURANCE POLICY DOCUMENTS IN DIGITAL FORMAT
3.1 ADVERTISING AND MARKETING OF INSURANCE ON THE INTERNET
3.2 SALE OF INSURANCE ON THE INTERNET
3.3 IDENTIFICATION OF A REGULATED ENTITY
3.4 AUTHENTICATION OF DIGITAL POLICIES
3.5 CONFIDENTIALITY OF INFORMATION
3.6 RETENTION OF ELECTRONIC RECORDS
CHAPTER 1 – INTRODUCTION

1.1 Objective

The objective of the Guidelines for Issue of Insurance Policy Documents in Digital Format (the “Guidelines”) is to lay down a common set of standards for the guidance of Insurers regarding the issue of insurance policy documents in digital format.

In effect, the Guidelines aim to ensure that the marketing and sale of insurance products through the Internet does not compromise the authenticity, validity and integrity of the insurance policy.

The Guidelines are further intended to ensure that Insurers conduct their business in a way that promotes the best interests of consumers and the integrity of the financial services industry in the context of electronic marketing and sale of insurance.

The Board of Insurers must adopt internal policies and must establish internal procedures to ensure compliance with the Guidelines. Furthermore, Insurers should incorporate in their internal control system, appropriate measures to verify compliance with the procedures, policies and controls set by its Board.

1.2 Scope

The Guidelines are designed to serve as a statement of “minima criteria” and to describe the practices expected by Insurers. They are not intended to replace or override any provisions under the law. The Guidelines should be read in conjunction with the provisions of the Insurance Act 2005, any regulations made thereunder and any other rules, guidelines, circulars and notices that the Commission may issue from time to time as well as other applicable laws.

The Commission expects Insurers to have regards to the Guidelines so as to ensure sound conduct and fair treatment to the consumers of the insurance sector and public in general.
Given that the Guidelines provide “minima criteria”, Insurers must consider what additional measures to adopt in line with its business model in order to foster best practices.

Non-compliance with the Guidelines will expose the insurer to regulatory actions which may include a direction to ensure compliance with Guidelines issued under section 7(1)(b) of the Financial Services Act 2007 and sanctions under section 7(1)(c) of the Financial Services Act 2007.

The Guidelines may be subject to review and may be amended by the Commission from time to time.

1.3 Application of Guidelines

These Guidelines shall apply to all insurers licensed under the Insurance Act 2005.

1.4 Effective date

The Guidelines shall come into effect on 01 July 2017.
CHAPTER 2 – DEFINITIONS

In these Guidelines –

“Advertising Guidelines” means the Guidelines for Advertising and Marketing of Financial Products issued by the Commission in October 2014.

“consumer” means a person who enters or wishes to enter into a contract of insurance;

“digital format” means in electronic form;

“digital signature” has the same meaning as in Electronic Transactions Act 2000;

“electronic signature” has the same meaning as in Electronic Transactions Act 2000;

“insurance intermediaries” includes insurance agent, insurance broker and insurance salesperson as defined in the Insurance Act 2005;

“insurer” has the same meaning as in the Insurance Act 2005;

“premium” has the same meaning as in the Insurance Act 2005;
CHAPTER 3 – MINIMUM STANDARDS RELATING TO ISSUE OF INSURANCE POLICY DOCUMENTS IN DIGITAL FORMAT

The minimum standards that insurers should observe are as follows:

3.1 Advertising and marketing of insurance on the Internet

Advertisement of insurance products on the Internet should provide consumers with clear, adequate and necessary information about the products. Consumers should be given access to a suitable level of advice, taking into account, among others, the complexity of the product. The consumer should be given the opportunity at any time to speak with an insurance intermediary for explanations.

Advertising on the Internet must comply with the Advertising Guidelines.

Consumers must have access to a sufficient amount of information about the product, including but not limited to:
- main characteristics of the product;
- options and coverage provided by the product;
- exclusions and limitations associated with the product;
- the type of consumer for whom the product is intended;
- a copy of the policy wording;
- the total premium and other charges that the consumer will have to pay;
- the basis for the calculation of the amount, so that the consumer can verify it;
- any time limit for the validity of the information provided; and
- the consumer’s right to cancel, if applicable, as well as the duration of the cancellation period and procedures for exercising that right.

Insurers should ensure that online marketing provides consumers with the same level and quality of information and disclosure as applicable for traditional marketing channels such as insurance intermediaries.
3.2 Sale of insurance on the Internet

Consumers must be reminded of the implications of the statements they make when entering into insurance contracts and their duties to make necessary disclosures in good faith at appropriate time intervals and when required by insurers. The importance of giving precise information and the consequences of making improper disclosure or of breaching the duty of good faith should be clearly explained to consumers.

The process of online purchase of insurance should allow customers to review the information and statements they give in application forms to enable the discovery of any errors or inconsistencies which could affect them negatively. Consumers who complete an application form online without assistance should be given the opportunity to validate their answers before final submission. Furthermore, before concluding an insurance contract, a summary of the information provided by the consumer in the application form should be shown.

Insurers should give customers the opportunity to choose between receiving their insurance policy documents in paper-based form, in digital format, or both which should be properly recorded.

Where a consumer has opted to receive his insurance policy documents in digital format, the insurer should ascertain that the documents have been delivered to the consumer, for example through the use of acknowledgment of receipt by the consumer.

3.3 Identification of a Regulated Entity

Consumers should be provided with full information on the insurer they are contracting with and which is undertaking their liability. It is important for consumers to be able to verify that they are dealing with a licensed insurer. Insurers should accordingly have the following verifiable information on their websites:
- legal name
- business address
- contact information
- how to access the complaint process

It is also important that the insurer provide on its website a statement that it is licensed with the Commission.

3.4 Authentication of Digital Policies

Contracts of insurance that are made over the Internet should include a form of signature, from all parties, to authenticate the document, i.e. to identify the parties to the electronic contract and the electronic signature of the consumer certifying that the information and details submitted are true and correct, records the consumer’s intention to purchase the insurance product, and which serve as a statement that the consumer has read and submitted information in good faith.

An electronic signature aims at preserving the trustworthiness of the document and should be in a form to ensure that they have the same legal effect as a written signature. The electronic signature is unique to the signer, its authenticity can be verified, and the data in the document has not been altered.

Insurers should put in place appropriate measures to address security concerns over the authentication of electronic documents, including but not limited to:
- ensuring that information transmitted electronically is not altered in the transmission process by third parties or accidentally altered during the transmission process;
- preventing misappropriation of personal and credit card information transferred from the consumer to the insurer or any authorised third party;
- demonstrating that unauthorised persons or programs are prevented from altering records; and
- ensuring that the electronic signature is and remains valid and verifiable.
3.5 Confidentiality of Information

To initiate an insurance transaction, a consumer is often asked to disclose personal information. When divulging personal information, the consumer expects that the information remains confidential, unless he either waives his right to confidentiality of the information or expressly agrees to the latter’s disclosure.

Insurers are therefore required to provide clearly understood opt-in mechanisms for consumers to consent that their personal information be used for purposes not directly related to the purchase of insurance, which purposes should as far as possible be clearly defined.

Furthermore, where insurers are willing to accept payment of premium via credit card and where consumers have to disclose their credit card information over the Internet, the insurers are required to establish a secure credit card environment in which confidentiality of the credit card information is ensured. Separate and express consent is required for use of such information for purposes not directly related to the purchase of insurance.

Using the Internet to carry out insurance transactions has the potential to put the consumers’ personal information at risk through leaking of personal information, identity theft, fraud and misappropriation, or money laundering. Insurers should therefore set up and maintain appropriate mechanisms to address security concerns relating to confidentiality of information, including but not limited to:
- privacy and confidentiality of personal information transmitted between a consumer and an insurer;
- alteration of information provided by the consumer by a third party with access to the information;
- tampering by unauthorised individuals of insurers’ websites which may affect the accuracy of information which consumers receive regarding insurance sales over the Internet; and
- financial transaction safeguards when making credit card purchases over the Internet, including secure payment gateways.
In addition, insurers should at all times ensure that they comply with the Data Protection Act 2004.
3.6 Retention of Electronic Records

Electronic records should be preserved in a way that satisfies all legal requirements governing the retention of records, including but not limited to the Insurance Act 2005 and the Electronic Transactions Act 2000.

A rigorous audit trail should be kept logging the time of creation of a document, by whom it was created, when it is sent and received and when and by whom changes to the document are made. The integrity of electronic records should be capable to be proven so that a Court of law can be satisfied that the electronic record produced as evidence is unaltered from the original document, and that there was correct operation of hardware and software.

Insurers should also have regard to the durability of storage media and readability of records. As technology changes, it may be impossible to access documents stored on an outdated storage device. Accordingly, good maintenance procedures are required to ensure that both the hardware and software by which electronic records are stored do not become superseded.

The three key strategies for ensuring electronic records remain readable in the future are technology preservation, migration and emulation, during which process the insurer should have regard to the following:
- there should be minimal loss of functionality of the electronic record;
- the authenticity and integrity of the electronic record should continue to be guaranteed;
- important information such as formatting and structural components should be preserved in any migration process; and
- if a digital signature is used, the digital signature may have become degraded or obsolete and there may be a need for the digital signature also to be migrated.

Insurers should at all times have business continuity arrangements in place to avoid business disruptions and ensure availability of their platform.
FSC House, 54 Cybercity, Ebène, Republic of Mauritius Tel: (230) 403 7000 Fax: (230) 467 7172 E-mail: fscmauritius@intnet.mu, Website: www.fscmauritius.org