2022-08-11

Corporate Governance Code of Practice for Regulated Insurance Entities

The Isle of Man Financial Services Authority issued this Code of Practice to establish mandatory corporate governance standards for regulated insurance entities under the Insurance Act 2008. The document requires entities to implement effective governance systems, including specific board composition rules, clear separation of chairman and chief executive roles, and robust risk management frameworks. It further mandates annual directors' certificates, strict compliance with legal obligations, and the maintenance of adequate internal controls and business continuity arrangements.

Isle of Man Financial Services Authority

Index

SD No.2010/0880

1 INTRODUCTION
1.1 Corporate governance
1.2 These Guidance Notes in operation
2 TITLE AND COMMENCEMENT
3 GOVERNANCE REQUIREMENT AND APPLICATION OF THE CGC
3.1 Application of the CGC
3.2 [Revoked]
3.3 Governance requirement and implementation of the CGC
4 DIRECTORS’ CERTIFICATE ON CORPORATE GOVERNANCE
5 GENERAL GOVERNANCE REQUIREMENTS
5.1 Integrity
5.2 Compliance
5.3 Care, skill and diligence
5.4 Stakeholder interests
5.5 Financial management
5.6 General management
5.7 Asset protection
5.8 Records
5.9 Governance system documentation
5.10 Business continuity
6 BOARD COMPOSITION AND OPERATION
6.1 Appointment and removal of directors
6.2 Board composition
6.3 Objective oversight and judgement
6.4 Chairman and chief executive
6.5 Powers of the board
6.6 Matters reserved to the board
6.7 Frequency of board meetings
6.8 Minutes of board and board committee meetings
7 KEY FUNCTIONS AND RESPONSIBILITIES OF THE BOARD
7.1 Ultimate accountability and responsibility, and delegation
7.2 Identification of responsibilities, authority and accountabilities
7.3 Board committees
7.4 Directors and senior management
7.5 Outsourced providers of significant outsourced functions
7.6 Governance principles
7.7 Standards of conduct
7.8 Strategies, significant policies and business plans
7.9 Remuneration
7.10 Financial reporting system
7.11 Information and communication systems
7.12 Risk management and financial management
7.13 Internal control framework
7.14 Other arrangements
7.15 Culture
7.16 Self assessment
8 KEY RESPONSIBILITIES OF DIRECTORS
9 KEY RESPONSIBILITIES OF SENIOR MANAGEMENT
10 OUTSOURCED SIGNIFICANT FUNCTIONS
11 [Revoked]
12 [Revoked]
13 COMPLIANCE FUNCTION
13.1 Meaning of “compliance function” in the CGC
13.2 General
13.3 Nature and location
13.4 Reporting
14 EXTERNAL AUDIT
14.1 General
14.2 Engagement letter
14.3 Governance communication
15 RISK MANAGEMENT SYSTEM
15.1 General
15.2 System
15.3 Reporting
16 INTERNAL CONTROL FRAMEWORK
16.1 Framework
16.2 Internal controls
17 FRAUD PREVENTION
18 WHISTLE BLOWING
19 [Revoked]
20 INTERACTION WITH THE AUTHORITY
21 INTERPRETATION
22 SCHEDULES
SCHEDULE 1
SCHEDULE 2 DIRECTORS’ CERTIFICATE ON CORPORATE GOVERNANCE
ENDNOTES
TABLE OF ENDNOTE REFERENCES

Statutory Document No. 2010/0880

Insurance Act 2008

CORPORATE GOVERNANCE CODE OF PRACTICE FOR REGULATED INSURANCE ENTITIES [1]

Laid before Tynwald: 16 November 2010
Coming into Operation: 1 October 2010

1 INTRODUCTION

1.1 Corporate governance

Corporate governance is the system by which the persons who are responsible for the regulated entity direct and control its affairs, and the means by which they are held accountable for their performance and actions. Corporate governance encompasses all aspects relating to the regulated entity’s organisation and business including its constitutional structures and rules, its corporate culture and environment, as well as its business and operational strategies, policies, procedures, internal controls, decision making processes and conduct.

As a framework, corporate governance defines roles, responsibilities and accountabilities. It clarifies who possesses the duty and legal power to act on behalf of the regulated entity and under which circumstances. It sets out rules for decision making and requirements for documenting decisions and actions, along with their rationale, and for making adequate and appropriate disclosures to stakeholders. Furthermore, it provides for corrective action for non-compliance and ineffectual oversight and management. Corporate governance therefore addresses the allocation and oversight of power and accountabilities, as well as the avoidance of undue concentration and inappropriate use of power.

There is no standard model of corporate governance and approaches will differ between entities to take account of their individual circumstances and preferences. However, a regulated entity’s corporate governance must recognise and protect the rights of all interested parties, and include active concern with, understanding of and diligent discharge of responsibilities in a sound, prudent and responsible manner. In particular, such governance requires the commitment of the regulated entity’s directors and senior managers, both individually and collectively, and their leadership in promoting a supportive internal culture and environment. [2]

1.2 These Guidance Notes in operation

These Guidance Notes are not intended to be, and should not be interpreted as being, exhaustive. They should be viewed as a component part of a regulated entity’s means of maintaining and demonstrating adequate and effective corporate governance appropriate to its circumstances. These Guidance Notes do not limit, and therefore should be read in conjunction with, other legal and regulatory requirements applicable to the regulated entity. These Guidance Notes should not be used as a substitute for legal advice.

2 TITLE AND COMMENCEMENT

The title of these Guidance Notes is the Corporate Governance Code of Practice for Regulated Insurance Entities (“the CGC”) and they shall come into operation on 1 October 2010.

3 GOVERNANCE REQUIREMENT AND APPLICATION OF THE CGC

3.1 Application of the CGC

The CGC applies to a person registered under Part 6 of the Act as an insurance manager (in these Guidance Notes, a “regulated entity”). [3]

3.2 [Revoked] [4]

3.3 Governance requirement and implementation of the CGC

A regulated entity shall have in place an appropriate and effective system of governance that provides for its sound and prudent management. This includes its board and senior management establishing, implementing and maintaining appropriate and effective measures that meet the CGC’s requirements in a way that is proportionate to the nature, scale and complexity of the regulated entity, its activities and the risks to which it is exposed. [5]

4 DIRECTORS’ CERTIFICATE ON CORPORATE GOVERNANCE

A regulated entity shall, at the same time as its annual accounts are submitted to the Authority, provide to the Authority a completed certificate in the form set out in Schedule 2. This requirement is applicable to annual accounts for financial periods commencing on or after 1 April 2011. [6]

5 GENERAL GOVERNANCE REQUIREMENTS

5.1 Integrity

A regulated entity shall —

(a) act honestly and in a straightforward manner; and
(b) ensure that it makes clear to those with whom it has dealings in the course of its business, or prospective business, its name and regulatory status appearing on the relevant register kept under section 48 of the Act.

5.2 Compliance

A regulated entity has an obligation to identify and comply with its legal and regulatory obligations and shall take all reasonable steps to do so.

5.3 Care, skill and diligence

A regulated entity shall conduct its business with due care, skill and diligence, and with due regard for the potential consequences of its intended actions.

5.4 Stakeholder interests

A regulated entity, in conducting its business, shall have due regard for the rights, interests and information needs of its stakeholders, and shall take account of those factors within its governance arrangements as necessary to ensure that its stakeholders are treated fairly.

5.5 Financial management

A regulated entity shall manage its capital and other financial resources prudently. Accordingly, it shall —
(a) maintain adequate capital and other financial resources to meet its liabilities that might reasonably be expected to arise out of the risks to which it is exposed;
(b) maintain sufficient asset liquidity to meet the cash flows of those liabilities as they fall due; and
(c) undertake periodic forward-looking analysis of its ability to meet its obligations under various adverse economic and business scenarios to ensure that it adequately covers the risks to which it is exposed.

5.6 General management

A regulated entity shall have an appropriate level of management, with adequate and competent staffing and resources, that provides for its sound and prudent management.

5.7 Asset protection

A regulated entity shall take all reasonable steps to safeguard its assets and any other assets in its keeping.

5.8 Records

A regulated entity shall —
(a) keep proper books, accounts and documents (together “records”) appropriate to its business that provide legible, accurate, verifiable, timely, complete and comprehensible information;
(b) maintain those records in a manner that is readily accessible in or from the Isle of Man and available for inspection and investigation by or on behalf of the Authority; and [7]
(c) without limiting any other applicable retention requirement, any such record shall be kept for at least six years from the date it is made or, if later, the date it ceases to be relevant.

5.9 Governance system documentation

A regulated entity shall establish and maintain adequate and appropriate documentation of its significant systems of governance, including its —
(a) governance principles and structures;
(b) strategies, policies, procedures and internal controls; and
(c) decision making processes.

5.10 Business continuity

A regulated entity shall take all reasonable steps to reduce the likelihood, impact and possible duration of disruption to the continuity of its operations and establish, implement and maintain adequate and appropriate arrangements to ensure that it can continue to function effectively and comply with its legal and regulatory obligations (as identified in accordance with paragraph 5.2) in the event of anticipated or unforeseen disruption.

6 BOARD COMPOSITION AND OPERATION

6.1 Appointment and removal of directors

A regulated entity shall establish, implement and maintain a documented and transparent board nomination, election and removal process.

6.2 Board composition

(a) The board of a regulated entity shall include an adequate number of directors with an appropriate overall combined level of knowledge, skills, experience and commitment such that it can properly discharge its duties and responsibilities and carry out its functions in relation to the regulated entity.
(b) The board of a regulated entity shall include at least two directors who are resident in the Isle of Man. [8]

(c) [Revoked] [9]
(d) [Revoked] [10]
(e) [Revoked] [11] [12]

6.3 Objective oversight and judgement

The board of a regulated entity shall be able to exercise an appropriate degree of objective oversight and judgement in the affairs of the regulated entity.

6.4 Chairman and chief executive

Where a regulated entity has appointed a chairman and a chief executive (or equivalent) then, ordinarily, those posts shall not be combined in one individual within the same regulated entity. However, if for any reason the posts of chairman and chief executive (or equivalent) are combined, the board of the regulated entity shall —
(a) establish and maintain adequate and appropriate internal controls to ensure that the management of the regulated entity is held effectively accountable to the board; and
(b) at appropriate intervals, and at least annually, review —
(i) the reasons for combining the posts of chairman and chief executive to ensure they remain valid; and
(ii) the internal controls established under paragraph (a) to ensure they remain adequate, appropriate and effective.

6.5 Powers of the board

The board of a regulated entity shall have adequate and appropriate powers and resources so it can properly discharge its duties and responsibilities and carry out its functions in relation to the regulated entity. For this purpose the board shall, amongst other things, be able to —
(a) obtain timely, accurate, relevant and sufficiently comprehensive information and analyses relating to the regulated entity, its management and external environment;
(b) delegate its functions as appropriate; and
(c) obtain external expertise where necessary and as appropriate.

6.6 Matters reserved to the board

The board of a regulated entity shall —
(a) establish and maintain a formal, written schedule which clearly sets out those matters that are specifically reserved for the board’s decision in relation to the regulated entity; and

(b) monitor and review at appropriate intervals, and at least annually, the range and focus of the matters specified in that schedule to ensure they remain adequate and appropriate so the board can properly discharge its duties and responsibilities and carry out its functions in relation to the regulated entity.

6.7 Frequency of board meetings

The board of a regulated entity shall meet with sufficient regularity so it can properly discharge its duties and responsibilities and carry out its functions in relation to the regulated entity.

6.8 Minutes of board and board committee meetings

The board of a regulated entity shall ensure that the regulated entity keeps minutes and associated documents of all of its board and board committee meetings. These shall provide an adequate and appropriate record of the corresponding proceedings, including all material considerations, decisions and actions. Those minutes shall —
(a) without undue delay after the meeting to which they relate, be written up and distributed in final draft to all persons entitled to receive a copy; and
(b) within a reasonable timeframe, be accepted by the board (or, if a committee meeting, the committee) and signed as a formal record of the meeting by a duly authorised person. [13]

7 KEY FUNCTIONS AND RESPONSIBILITIES OF THE BOARD

7.1 Ultimate accountability and responsibility, and delegation

(a) The board of a regulated entity is ultimately accountable and responsible for the affairs of the regulated entity. Delegating authority to board committees, management or others does not absolve the board of its duties and responsibilities in relation to the regulated entity.
(b) Where the board of a regulated entity delegates any of its functions in relation to the regulated entity, it shall only do so in a manner that does not —
(i) dilute its ultimate accountability in relation to the regulated entity;
(ii) reduce its ability to discharge properly its duties and responsibilities or carry out its functions in relation to the regulated entity; or

(iii) lead to any person having unfettered powers in relation to the regulated entity.
(c) The board of a regulated entity shall ensure that any authority it has delegated to carry out a function in relation to the regulated entity is properly authorised, communicated and documented.
(d) Notwithstanding any delegation, the board of a regulated entity shall provide sound and prudent oversight in relation to the regulated entity’s affairs. Accordingly it shall —
(i) ensure it receives timely, accurate, relevant and sufficiently comprehensive information and analyses relating to the regulated entity, its management and external environment such that it can properly discharge its duties and responsibilities and carry out its functions in relation to the regulated entity;
(ii) ensure that the regulated entity has taken all reasonable steps to identify and comply with its legal and regulatory obligations in accordance with paragraph 5.2;
(iii) satisfy itself that the strategies and significant policies and procedures it has established in relation to the regulated entity have been properly implemented and are being adhered to; and
(iv) satisfy itself that any authority it has delegated in relation to the regulated entity has been responsibly and prudently exercised, and such authority has not been exceeded.

7.2 Identification of responsibilities, authority and accountabilities

The board of a regulated entity shall —
(a) establish and maintain, and distinguish between, the responsibilities, decision-making, interaction and cooperation of the regulated entity’s —
(i) board;
(ii) where established, board committees;
(iii) where appointed, chairman and chief executive (or equivalent);
(iv) senior management; and
(v) any outsourced provider of a significant function of the regulated entity;
(b) establish and maintain decision-making processes and divisions of responsibility that ensure an appropriate balance of power and authority for the regulated entity, so that —
(i) no person has unfettered powers of decision in relation to the regulated entity; and

(ii) contractual arrangements and other transactions of the regulated entity are only entered into with appropriate authority; and
(c) satisfy itself that the regulated entity is organised and controlled in a way that provides for its sound and prudent management including accountability to the board and proper oversight by the board of its board committees, senior management and any outsourced provider of a significant function of the regulated entity. [14]

7.3 Board committees

The board of a regulated entity shall assess the need for and, where appropriate, establish committees of the board. Where such a committee is established, the board shall —
(a) define adequate and appropriate terms of reference of the committee and these shall set out the committee’s purpose, responsibilities, authority, composition and the means by which the committee is monitored and held accountable to the board;
(b) ensure that the committee is composed of persons with the appropriate combined level of knowledge, skills, experience and commitment for the committee’s role in relation to the regulated entity; and
(c) ensure that the committee’s terms of reference are in writing and are made available to relevant parties, including the regulated entity’s senior management (where appropriate) and external auditor. [15]

7.4 Directors and senior management

The board of a regulated entity shall —
(a) establish the means by which the regulated entity’s senior management is monitored and held accountable to the board; and
(b) subject to paragraph (c) insofar as its powers permit,
(i) approve the selection, appointment, removal and any applicable succession planning of the regulated entity’s directors and senior management; and
(ii) ensure that the regulated entity’s individual directors and senior managers possess the appropriate integrity, competence, experience and qualifications for their respective roles in relation to the regulated entity.
(c) [Revoked] [16]

7.5 Outsourced providers of significant outsourced functions

The board of a regulated entity shall —
(a) ensure that the arrangements for any outsourced significant function of the regulated entity are consistent with paragraph 10; and
(b) approve the selection, appointment, removal and any applicable succession planning of any outsourced provider of a significant function of the regulated entity.

7.6 Governance principles

The board of a regulated entity shall —
(a) establish and maintain specific corporate governance principles in respect of the regulated entity that are adequate and appropriate to the nature, scale and complexity of the regulated entity, its activities and the risks to which it is exposed; and
(b) ensure that the strategies, significant policies and other systems of governance established by the board in relation to the regulated entity have due regard for, and are consistent with, those principles.

7.7 Standards of conduct

The board of a regulated entity shall establish and maintain policies defining standards of business conduct for its directors, senior managers, employees, and any outsourced providers of a significant function of the regulated entity, that address in an adequate and appropriate manner —
(a) conflicts of duty or interest in relation to the regulated entity;
(b) matters in relation to the regulated entity involving private transactions, self-dealing, preferential treatment of favoured internal and external parties, covering trading losses and any other practices of a potentially non-arm’s length nature; and
(c) the fair treatment of, and information sharing with, the regulated entity’s stakeholders.

7.8 Strategies, significant policies and business plans

The board of a regulated entity shall —
(a) establish and maintain adequate and appropriate strategies and significant policies in relation to the regulated entity for all of its significant business decision areas;
(b) establish and maintain the means of pursuing those strategies and adhering to those policies;

(c) review and approve the significant business plans of the regulated entity;
(d) evaluate at appropriate intervals, and at least annually, the regulated entity’s performance against those business plans in light of those strategies and policies; and
(e) review the strategies and significant policies of the regulated entity at appropriate intervals, and at least annually, and adapt them as necessary to ensure they remain adequate, appropriate and effective in relation to the regulated entity and its external environment.

7.9 Remuneration

The board of a regulated entity shall establish and maintain a remuneration policy for its directors, senior managers and employees as well as any outsourced provider of a significant function of the regulated entity. That policy, together with any relevant internal controls, shall ensure that corresponding remuneration is consistent with the effective risk management of the regulated entity such that imprudent or improper behaviour is not encouraged.

7.10 Financial reporting system

The board of a regulated entity shall establish and maintain a system for the regulated entity’s financial reporting that ensures the integrity, reliability and transparency of that reporting both for public, where applicable, and regulatory purposes.

7.11 Information and communication systems

The board of a regulated entity shall establish and maintain information and other communication systems in relation to the regulated entity which —
(a) are reliable;
(b) ensure the prompt and effective transfer of information between —
(i) all levels of management within the regulated entity;
(ii) the regulated entity and any outsourced provider of a significant function of the regulated entity; and
(iii) the regulated entity and its stakeholders; and
(c) are secure such that the regulated entity’s information is safeguarded.

7.12 Risk management and financial management

The board of a regulated entity shall —

(a) establish and maintain a risk management system for the regulated entity that is consistent with paragraph 15;
(b) allocate responsibility for, and ensure it receives, risk management reports in accordance with paragraph 15.3;
(c) establish and maintain the risk strategies and significant risk policies and procedures of the regulated entity; [17]
(d) review at appropriate intervals, and at least annually, the regulated entity’s risk profile; and
(e) coordinate the risk management and financial management of the regulated entity to ensure that the capital and other financial resources of the regulated entity are managed in accordance with paragraph 5.5.

7.13 Internal control framework

The board of a regulated entity shall, as part of the regulated entity’s risk management system —
(a) establish and maintain an internal control framework for the regulated entity that is consistent with paragraph 16;
(b) allocate responsibility for, and ensure it receives, reports in accordance with paragraph 13.4; [18]
(c) ensure timely action is taken, where necessary, to correct any identified —
(i) weaknesses or deficiencies in the regulated entity’s internal controls, procedures or other systems of governance;
(ii) material instances of non-compliance with the regulated entity’s internal policies or procedures; and
(iii) non-compliance with the regulated entity’s legal or regulatory obligations; and
(d) review at appropriate intervals, and at least annually, the regulated entity’s material —
(i) internal controls;
(ii) procedures; and
(iii) other systems of governance,
to ensure they remain adequate, appropriate and effective (and, for the avoidance of doubt, in undertaking such a review the board may place reasonable reliance upon any internal audit or compliance function work it has delegated). [19]

7.14 Other arrangements

The board of a regulated entity shall ensure that the regulated entity has in place arrangements for —

Code of Practice 8 Corporate Governance Code of Practice for Regulated Insurance Entities Page 16 SD No.2010/0880 c (a) fraud prevention in accordance with paragraph 17; (b) whistle blowing in accordance with paragraph 18; and (c) [Revoked]20 (d) interaction with the Authority in accordance with paragraph 20.21 7.15 Culture The board of a regulated entity shall promote a culture throughout the regulated entity that supports the — (a) corporate governance principles established by the board in relation to the regulated entity; (b) ongoing and effective risk management and financial management, and compliance, of the regulated entity; and (c) fair treatment of the regulated entity’s stakeholders. 7.16 Self assessment The board of a regulated entity shall at appropriate intervals, and at least annually, evaluate its own composition (as referred to in paragraph 6.2(a)) and performance, and implement remedial measures as necessary to address any identified inadequacies in its ability or performance in discharging its duties and responsibilities or carrying out its functions in relation to the regulated entity. 
8 KEY RESPONSIBILITIES OF DIRECTORS

A director of a regulated entity shall —
  (a) act on a well informed basis, in good faith, with due care, skill and diligence, with integrity and in the best interests of the regulated entity;
  (b) have due regard for the interests of the regulated entity’s stakeholders in his decision making;
  (c) identify and either avoid or promptly disclose to the board of the regulated entity any conflicts of duty or interest he has or may have in relation to the regulated entity;
  (d) be free from any undue influence in exercising his judgement in respect of the regulated entity;
  (e) ensure he has the appropriate integrity, competence, experience, qualifications and commitment so he can properly discharge his duties and responsibilities and carry out his functions in relation to the regulated entity; and
  (f) properly discharge his duties and responsibilities and carry out his functions in relation to the regulated entity.

9 KEY RESPONSIBILITIES OF SENIOR MANAGEMENT

The senior management of a regulated entity shall —
  (a) establish, implement and maintain internal controls and procedures to ensure the sound and prudent management of the regulated entity within —
    (i) the strategies and policies of the regulated entity established by its board; and
    (ii) the regulated entity’s legal and regulatory obligations as identified in accordance with paragraph 5.2;
  (b) manage the day to day operations of the regulated entity, ensuring those operations are carried out in accordance with the regulated entity’s —
    (i) strategies, policies and procedures established by its board; and
    (ii) legal and regulatory obligations as identified in accordance with paragraph 5.2;
  (c) promote a culture throughout the regulated entity that supports the —
    (i) regulated entity’s corporate governance principles established by its board;
    (ii) ongoing and effective risk management and financial management, and compliance, of the regulated entity; and
    (iii) fair treatment of the regulated entity’s stakeholders;
  (d) individually identify and either avoid or promptly disclose to the board of the regulated entity any conflicts of duty or interest he has or may have in relation to the regulated entity;
  (e) provide to the regulated entity’s board such risk management reports as the board may specify in relation to the requirements of paragraph 15.3;
  (f) provide the regulated entity’s board with timely, accurate, relevant, and sufficiently comprehensive information to enable the board to review —
    (i) the regulated entity’s performance and the performance of its senior management;
    (ii) the regulated entity’s business strategy and policies established by the board in relation to the regulated entity; and
    (iii) such other matters in relation to the regulated entity as the board may specify; and
  (g) provide the regulated entity’s board with recommendations, as appropriate, for its review and approval on the strategy, significant policies and business plans that govern the operation of the regulated entity. [22]

10 OUTSOURCED SIGNIFICANT FUNCTIONS

Where a significant function of a regulated entity has been outsourced, the regulated entity shall ensure that —
  (a) where the outsourced provider is required to have any regulatory consents in order to carry out the outsourced function, those consents have been obtained and remain in force;
  (b) the outsourced provider has the appropriate integrity, competence, experience and qualifications to carry out the outsourced function;
  (c) the outsourced provider has the capacity to carry out the outsourced function taking into account the size and timing of corresponding workloads;
  (d) its use of the outsourced provider is consistent with the —
    (i) ongoing and effective risk management and financial management, and compliance, of the regulated entity;
    (ii) standard of control that would apply if the outsourced function was carried out internally by the regulated entity;
    (iii) fair treatment of the regulated entity’s stakeholders (as applicable);
    (iv) effective operation of the external audit of the regulated entity; and
    (v) ongoing, open, honest and timely communication with the Authority in relation to the activities of the regulated entity; and [23]
  (e) a written agreement is in place with the outsourced provider, where the board of the regulated entity understands and authorises the terms and conditions of that agreement, and that agreement —
    (i) is binding on both parties;
    (ii) sets out clearly the rights, expectations and obligations of both parties;
    (iii) provides for the termination and orderly winding up of the outsourced arrangement; and
    (iv) includes the means by which the outsourced provider is monitored and held accountable to the regulated entity in relation to the outsourced function.

11 [Revoked] [24]

12 [Revoked] [25]

13 COMPLIANCE FUNCTION

13.1 Meaning of “compliance function” in the CGC

The compliance function of a regulated entity is the means applied by the regulated entity to —
  (a) identify and understand the regulated entity’s legal and regulatory obligations in accordance with paragraph 5.2; and
  (b) establish, implement and maintain compliance strategies, policies, procedures and training,
in order to ensure that the regulated entity complies with its legal and regulatory obligations as identified in accordance with paragraph 5.2.

13.2 General

A regulated entity shall have an ongoing and effective compliance function that is adequate and appropriate to the nature, scale and complexity of the regulated entity, its activities and the risks to which it is exposed. This includes the compliance function having adequate and appropriate expertise, resources and authority to carry out its activities effectively.

13.3 Nature and location

Without limiting paragraph 13.1 or 13.2, the compliance function of a regulated entity —
  (a) may be carried out internally by the regulated entity or by a suitable external party or a combination of both;
  (b) shall be ultimately controlled in or from the Isle of Man; and
  (c) subject to paragraph (d), shall be substantially carried out in or from the Isle of Man; or
  (d) where operational functions of the regulated entity are carried out outside of the Isle of Man, the regulated entity’s corresponding compliance function may be carried out by parties that are either located in the Isle of Man or located outside of the Isle of Man.
For the avoidance of doubt, this paragraph does not restrict a regulated entity from obtaining advice from outside of the Isle of Man as appropriate to its activities.

13.4 Reporting

The compliance function of a regulated entity shall report at appropriate intervals, and at least annually, to the regulated entity’s board on compliance matters in accordance with its role in relation to the regulated entity.

14 EXTERNAL AUDIT

14.1 General

A regulated entity shall —
  (a) take all reasonable steps to ensure it affords its external auditor all of the rights and entitlements applicable to the position of external auditor; and
  (b) permit and not deter its external auditor from providing to the Authority such information and confirmations as the Authority requests for the purposes of carrying out the functions of the Authority. [26]

14.2 Engagement letter

Prior to commencement of its audit, a regulated entity shall obtain from its external auditor a letter of engagement which —
  (a) contains an undertaking of the external auditor to provide to the regulated entity, and upon request to the Authority, the governance communications referred to in paragraph 14.3; [27]
  (b) defines clearly the extent of the rights and duties of the external auditor; and
  (c) is signed and accepted in writing by both parties.

14.3 Governance communication

A regulated entity shall at the same time as its annual accounts are submitted to the Authority —
  (a) provide to the Authority a copy of the communication, in relation to those accounts, made by its external auditor to those charged with the regulated entity’s governance pursuant to International Standard on Auditing 260 (“ISA 260”) or International Standard on Auditing (UK and Ireland) 260 (“ISA (UK and Ireland) 260”), or equivalent; [28]
  (b) inform the Authority whether the regulated entity has implemented or is in the process of implementing the recommendations, or has addressed or is in the process of addressing the weaknesses, identified (if any) in that communication, or, if not, provide its reasons for not doing so; and [29]
  (c) where the regulated entity receives no ISA 260 or ISA (UK and Ireland) 260 communication, or equivalent, provide the Authority with a copy of its external auditor’s confirmation that no such communication has been or is anticipated to be issued. [30]

A regulated entity shall, without undue delay, provide to the Authority a copy of any other formal communication it receives from its external auditor that identifies any material weakness relating to the regulated entity’s internal controls, procedures or other systems of governance. [31]

15 RISK MANAGEMENT SYSTEM

15.1 General

A regulated entity shall —
  (a) establish, implement and maintain an effective risk management system that is adequate and appropriate to the nature, scale and complexity of the regulated entity, its activities and the risks to which it is exposed, and is —
    (i) consistent with paragraph 15.2; and
    (ii) able to report in accordance with paragraph 15.3;
  (b) maintain a thorough understanding of its risk profile, including the types, characteristics, interdependencies, sources and potential impact of those risks on an individual and aggregate basis; and
  (c) integrate its risk management system into its decision making processes so that decisions can be taken with due regard for the risks involved.

15.2 System

The risk management system of a regulated entity shall —
  (a) be ongoing and comprehensive including strategies, policies, and procedures that promptly and effectively —
    (i) identify, assess and measure;
    (ii) monitor and control; and
    (iii) where appropriate, mitigate;
  all reasonably foreseeable, material risks to which the regulated entity is exposed; [32]
  (b) encompass all relevant and material risks on an individual and aggregate basis to which the regulated entity is exposed; and [33]

  (c) ensure that the operations and risk exposures of the regulated entity are within the risk strategies and significant risk policies and procedures of the regulated entity as referred to in paragraph 7.12(c). [34]

15.3 Reporting

The board of a regulated entity shall ensure it receives at appropriate intervals, and at least annually, risk management reports and all other relevant information that will enable it to adequately and effectively —
  (a) oversee the regulated entity’s risk management system;
  (b) review its risk profile; and
  (c) assess the adequacy of its capital and other financial resources in accordance with paragraphs 5.5(a) and 5.5(b).

16 INTERNAL CONTROL FRAMEWORK

16.1 Framework

The internal control framework of a regulated entity is part of its risk management system and includes its —
  (a) [Revoked] [35]
  (b) compliance function as referred to in paragraph 13; and
  (c) internal controls as referred to in paragraph 16.2.
A regulated entity’s internal control framework shall also have due regard for the findings and recommendations communicated to the regulated entity by its external auditor. [36]

16.2 Internal controls

A regulated entity shall establish, implement and maintain effective internal controls including —
  (a) arrangements for delegating authority and segregation of duties; and
  (b) other checks and balances,
that are adequate and appropriate to the nature, scale and complexity of the regulated entity, its activities and the risks to which it is exposed to ensure that the regulated entity and other persons (as applicable) adhere to the —
  (i) regulated entity’s strategies, policies and procedures established by its board;
  (ii) requirements of the CGC; and

  (iii) regulated entity’s other legal and regulatory obligations as identified in accordance with paragraph 5.2.
For the avoidance of doubt, this paragraph does not limit any other requirement in relation to internal controls or procedures included elsewhere within the CGC. [37]

17 FRAUD PREVENTION

A regulated entity shall ensure that high standards of integrity apply to all aspects of its business, and shall —
  (a) establish, implement and maintain adequate and appropriate internal controls and procedures to deter, detect, record and as required promptly report any fraud it becomes aware of to the appropriate authorities;
  (b) assign operational responsibility for the regulated entity’s fraud prevention and reporting to suitably senior officers or employees of the regulated entity;
  (c) take adequate and appropriate measures to prevent fraud, including providing counter-fraud training to its directors, senior managers and employees; and [38]
  (d) ensure that the internal controls and procedures, as referred to in paragraph (a), form an integral part of the regulated entity’s risk management system.

18 WHISTLE BLOWING

A regulated entity shall establish, implement and maintain an adequate and appropriate policy and procedures to encourage the reporting of any improper or unlawful behaviour, which shall —
  (a) define the scope of improper or unlawful behaviour covered by the policy, including —
    (i) failure to comply with the regulated entity’s legal and regulatory obligations;
    (ii) financial malpractice or fraud;
    (iii) criminal activity;
    (iv) improper conduct or unethical behaviour; and
    (v) attempts to conceal any malpractice or fraud; [39]
  (b) set out a reporting structure to enable the regulated entity’s directors, senior managers and employees to raise concerns outside of the normal management reporting structure;
  (c) state how, and ensure that, matters so reported are considered objectively and that appropriate and timely actions are taken;
  (d) adequately and appropriately protect the whistleblower from any negative repercussions arising from reporting in good faith their concerns, including ensuring confidentiality; and [40]
  (e) be communicated effectively to all relevant persons to whom it applies.

19 [Revoked] [41]

20 INTERACTION WITH THE AUTHORITY [42]

A regulated entity shall —
  (a) maintain open, honest and timely communications with the Authority, including communicating with the Authority as required and meeting with the Authority when requested; [43]
  (b) maintain open, honest and timely communications with any other regulatory body to which it is accountable; and
  (c) establish, implement and maintain adequate and appropriate internal controls to ensure the accuracy and timeliness of any information it provides to the Authority and any other regulatory body to which the regulated entity is accountable. [44]

21 INTERPRETATION

In the CGC —

“the Act” means the Insurance Act 2008;

“actuary” [Revoked] [45]

“annual accounts”, in relation to a regulated entity, mean the audited annual accounts required to be produced to the Authority under section 27A(3) of the Act and regulation 6 of the Insurance Regulations 2021; [46]

“asset-liability management” [Revoked] [47]

“board”, in relation to a regulated entity, means the board of directors of the regulated entity or, where the regulated entity has no board of directors, its equivalent governing body;

“business plans”, in relation to a regulated entity, mean the detailed activity plans and financial projections of the material operations of the regulated entity;

“the CGC” means these Guidance Notes, titled the Corporate Governance Code of Practice for Regulated Insurance Entities;

“class 2 business” [Revoked] [48]

“compliance function” has the meaning as given in paragraph 13.1;

“constitutional documents”, in relation to a regulated entity, mean its memorandum and articles of association, or their equivalent, and any other formal document of the regulated entity that establishes the existence of the regulated entity or regulates its structure, control or members;

“derivative” [Revoked] [49]

“dormant” [Revoked] [50]

“front office” [Revoked] [51]

“group”, in relation to a regulated entity, means —
  (a) the regulated entity,
  (b) any other legal person which is —
    (i) its subsidiary;
    (ii) its holding company; or
    (iii) a subsidiary of that holding company;

“holding company” has the meaning given in section 220 of the Companies Act 2006; [52]

“independent non-executive director” [Revoked] [53]

“insurance provisions” [Revoked] [54]

“insurer” [Revoked] [55]

“internal audit function” [Revoked] [56]

“member policyholder” [Revoked] [57]

“outsourced function”, in relation to a regulated entity, refers to a function of the regulated entity that is carried out by a person external to the regulated entity;

“outsourced provider”, in relation to a regulated entity, refers to a person external to the regulated entity (whether within or external to the regulated entity’s group) that carries out an outsourced function of the regulated entity;

“participating policyholder” [Revoked] [58]

“policyholder” [Revoked] [59]

“regulated entity” means a person to whom the CGC applies in accordance with paragraph 3.1;

“risk profile”, in relation to a regulated entity, means the particular range and significance of risks to which the regulated entity is exposed;

“risk tolerance limits” [Revoked] [60]

“senior management”, in relation to a regulated entity, means any person whose appointment is required to be notified to the Authority under the Act, excluding its —
  (a) non-executive directors;
  (b) external auditor; and
  (c) controllers where such a controller is not a person whose appointment is required to be notified to the Authority under the Act other than as a controller; [61] [62]

“senior manager”, in relation to a regulated entity, means a member of its senior management;

“shareholders” [Revoked] [63]

“stakeholders” in relation to a regulated entity, means any person with a direct or indirect interest or involvement (a stake) in the regulated entity because that person can affect or be affected by the regulated entity’s actions, strategies, policies or procedures (a regulated entity’s stakeholders include the insurers it manages and may prospectively manage, its shareholders and other investors, creditors, employees, the general public, the Isle of Man Government and the Authority); and [64]

“subsidiary” has the meaning given in section 220 of the Companies Act 2006. [65]

22 SCHEDULES

The Schedules listed below form part of the CGC’s binding guidance.

22.2 Schedule 2 — Directors’ Certificate on Corporate Governance [66]

MADE 1 OCTOBER 2010

SCHEDULE 1 [67]

SCHEDULE 2

Paragraph 4 and 22.2

DIRECTORS’ CERTIFICATE ON CORPORATE GOVERNANCE [68]

To the Authority

…………………………………………………………………………………………………….. (State the name of the regulated entity for which this certificate is given (herein the “regulated entity”))

We certify that:

To the best of our knowledge and belief, throughout the financial period ended (INSERT BALANCE SHEET DATE OF ACCOMPANYING ANNUAL ACCOUNTS), except as specified in the attached report, the regulated entity complied with the requirements of the CGC.

Signed for and on behalf of the board of directors of the regulated entity on (INSERT DATE) by a duly authorised person or persons:

………………………………………………………………………… (State name and position held within the regulated entity)

The report referred to above shall include —

  1. reference to any instances where the regulated entity has been unable to comply with the requirements of the CGC;
  2. the reasons why the regulated entity has been unable to so comply; and
  3. actions proposed or taken, including relevant timeframes, to address any matters referred to in paragraph 1.


ENDNOTES

Table of Endnote References

[1] The format of this legislation has been changed as provided for under section 75 of, and paragraph 2 of Schedule 1 to, the Legislation Act 2015. The changes have been approved by the Attorney General after consultation with the Clerk of Tynwald as required by section 76 of the Legislation Act 2015.
[2] Para 1.1 amended by SD2021/0277.
[3] Para 3.1 substituted by SD2021/0277.
[4] Para 3.2 revoked by SD2021/0277.
[5] Para 3.3 amended by SD2021/0277.
[6] Para 4 amended by SD2015/0317.
[7] Subpara (b) amended by SD2015/0317.
[8] Subpara (b) substituted by SD2021/0277.
[9] Subpara (c) revoked by SD2021/0277.
[10] Subpara (d) revoked by SD2021/0277.
[11] Subpara (e) revoked by SD2021/0277.
[12] Para 6.2 amended by SD2021/0277.
[13] Para 6.8 amended by SD2021/0277.
[14] Subpara (c) amended by SD2021/0277.
[15] Subpara (c) amended by SD2021/0277.
[16] Subpara (c) revoked by SD2021/0277.
[17] Subpara (c) substituted by SD2021/0277.
[18] Subpara (b) substituted by SD2021/0277.
[19] Subpara (d) amended by SD2021/0277.
[20] Subpara (c) revoked by SD2021/0277.
[21] Subpara (d) amended by SD2015/0317.
[22] Subpara (g) amended by SD2021/0277.
[23] Para (v) amended by SD2015/0317.
[24] Para 11 revoked by SD2021/0277.
[25] Para 12 revoked by SD2021/0277.
[26] Subpara (b) amended by SD2015/0317.
[27] Subpara (a) amended by SD2015/0317.
[28] Subpara (a) amended by SD2015/0317.
[29] Subpara (b) amended by SD2015/0317.
[30] Subpara (c) amended by SD2015/0317.
[31] Para 14.3 amended by SD2015/0317.
[32] Subpara (a) amended by SD2021/0277.
[33] Subpara (b) substituted by SD2021/0277.
[34] Subpara (c) substituted by SD2021/0277.
[35] Subpara (a) revoked by SD2021/0277.
[36] Para 16.1 amended by SD2021/0277.
[37] Para 16.2 amended by SD2021/0277.
[38] Subpara (c) amended by SD2021/0277.
[39] Subpara (a) amended by SD2021/0277.
[40] Subpara (d) amended by SD2021/0277.
[41] Para 19 revoked by SD2021/0277.
[42] Para 20 heading amended by SD2015/0317.
[43] Subpara (a) amended by SD2015/0317.
[44] Subpara (c) amended by SD2015/0317.
[45] Definition of “actuary” revoked by SD2021/0277.
[46] Definition of “annual accounts” substituted by SD2021/0277.
[47] Definition of “asset-liability management” revoked by SD2021/0277.
[48] Definition of “class 2 business” revoked by SD2021/0277.
[49] Definition of “derivative” revoked by SD2021/0277.
[50] Definition of “dormant” revoked by SD2021/0277.
[51] Definition of “front-office” revoked by SD2021/0277.
[52] Definition of “holding company” substituted by SD2021/0277.
[53] Definition of “independent non-executive director” revoked by SD2021/0277.
[54] Definition of “insurance provisions” revoked by SD2021/0277.
[55] Definition of “insurer” revoked by SD2021/0277.
[56] Definition of “internal audit function” revoked by SD2021/0277.
[57] Definition of “member policyholder” revoked by SD2021/0277.
[58] Definition of “participating policyholder” revoked by SD2021/0277.
[59] Definition of “policyholder” revoked by SD2021/0277.
[60] Definition of “risk tolerance limits” revoked by SD2021/0277.
[61] Subpara (c) amended by SD2015/0317.
[62] Definition of “senior management” amended by SD2015/0317.
[63] Definition of “shareholders” revoked by SD2021/0277.
[64] Definition of “stakeholders” substituted by SD2021/0277. [Editorial note: original definition was “stakeholder”.]
[65] Definition of “subsidiary” substituted by SD2021/0277.
[66] Para 22 amended by SD2021/0277.
[67] Sch 1 revoked by SD2021/0277.
[68] Amended by SD2015/0317.