2022-04-01

Codes on Risk Management and Internal Control

The Seychelles Financial Services Authority mandates all licensed insurance companies to establish and maintain robust risk management frameworks and internal control systems. Insurers must implement dedicated control functions with clear independence, Board oversight, and fit-and-proper leadership to systematically identify, assess, monitor, and mitigate operational, financial, and strategic risks. These requirements ensure group-wide and entity-level governance alignment, adequate resource allocation, and continuous reporting to safeguard policyholder interests and maintain financial stability.


FINANCIAL SERVICES AUTHORITY
Bois De Rose Avenue
P.O. Box 991
Victoria, Mahé
Republic of Seychelles
Tel: +248 4380800
Fax: +248 4380888
Website: www.fsaseychelles.sc
Email: enquiries@fsaseychelles.sc

Table of Contents

  1. INTRODUCTION
  2. OBJECTIVES
  3. DEFINITIONS
  4. GENERAL PRINCIPLES
  5. RISK MANAGEMENT FRAMEWORK
  6. RISK MANAGEMENT SYSTEM
  7. INTERNAL CONTROLS SYSTEMS
  8. GENERAL REQUIREMENTS
  9. CONTROL FUNCTIONS
     9.1 Risk Management Function
     9.2 Compliance Function
     9.3 Internal Audit Function
  10. ENFORCEMENT
  11. EFFECTIVE DATE
  12. ENQUIRY

1. INTRODUCTION

Internal control, risk management and internal auditing are integral elements of effective corporate governance within an insurance company. Whilst the board of directors is responsible for decision-making and oversight, executive management is responsible for driving governance and risk practices throughout the company. The internal audit unit, in turn, has a role in evaluating and helping to improve governance processes. Moreover, a functioning risk management system is material to improving policyholder protection and to maintaining a financially stable company.

This code requires insurers to examine whether their current risk management can be improved by setting up appropriate functions and processes. It is expected that insurers will implement and maintain these criteria. This code is therefore issued by the Financial Services Authority (herein referred to as “the Authority”), to be observed by all insurance companies (herein referred to as “insurers”) licensed under the Insurance Act, 2008, in order to provide guidance on risk management and internal control functions.

2. OBJECTIVES

The objective of this code is to ensure that insurers are managed in a sound and prudent manner by having in place systems for identifying, assessing, monitoring and mitigating the risks that affect their ability to meet their obligations to policyholders. These systems, together with the structures, processes and policies supporting them, are referred to in this code as the insurer’s risk management framework.

3. DEFINITIONS

“Authority” means the Financial Services Authority pursuant to the Financial Services Act, 2013.

“Control Function” means a function of an insurer (whether in the form of a person, unit or department) authorised to carry out specific activities relating to matters such as risk management, compliance, actuarial matters and internal audit.

“Risk Appetite” refers to the total level and type of risk exposure that an insurer is willing to undertake to achieve its objectives.

“Risk Management Strategy” includes a clearly defined risk appetite and takes into account the insurer’s overall business strategy and its business activities.

“Risk Management System” means a system designed and operated at all levels of the insurer to allow for the identification, assessment, monitoring, mitigation and reporting of all risks of the insurer in a timely manner. It takes into account the probability, potential impact and time horizon of risks.

“Risk Tolerance” takes into account all relevant and material categories of risk and the relationships between them.

4. GENERAL PRINCIPLES

4.1 The Board is responsible for overseeing that the insurer has in place effective systems and functions to address the key risks it faces. Management shall be required to implement these systems and provide the necessary resources and support for these functions.

4.2 The systems and functions need to be adequate for the nature, scale and complexity of the insurer’s business and risks.

4.3 Having regard to the nature, scale and complexity of the insurer’s business and risks, the insurer shall be required to:
4.3.1 Develop strategies for dealing with specific areas of risk;
4.3.2 Develop policies defining the procedures and other requirements that members of the Board and employees need to follow;
4.3.3 Set out processes for the implementation of the developed strategies and policies; and
4.3.4 Set out controls to ensure that such strategies, policies and processes are in place, are being observed and are attaining their intended objectives.

4.4 An insurer shall also have properly authorised functions (whether in the form of a person, unit or department) to carry out specific activities relating to matters such as risk management, compliance, actuarial matters and internal audit. These are referred to as control functions.

4.5 In addition, insurers that are part of a group shall be required to:
4.5.1 Conduct risk management on a group-wide basis as well as on a legal entity basis;
4.5.2 Ensure appropriate governance exists across the group and that risks are being identified, assessed, monitored and managed appropriately on a legal entity basis as well as on a group-wide basis; and
4.5.3 Ensure material information is delivered to all relevant Management and the Board in a timely manner on a group-wide basis as well as on a legal entity or line of business basis.

5. RISK MANAGEMENT FRAMEWORK

5.1 An insurer shall at all times have a risk management framework to manage the risks arising from its business.

5.2 The insurer’s risk management framework shall be required to provide assurance that the insurer’s risks are being prudently managed, having regard to such factors as the size, business mix and complexity of the insurer’s operations.

5.3 An insurer’s risk management framework shall, at a minimum, include:
5.3.1 A written Risk Management Strategy (“RMS”) that complies with this code and is approved by the Board. The RMS describes the key elements of the risk management framework, including the risk appetite, risk tolerance, policies, procedures, management responsibilities and controls; and
5.3.2 Risk management policies and procedures to identify, assess, mitigate, monitor and report all material risks, financial and non-financial, likely to be faced by the insurer, having regard to such factors as the size, business mix and complexity of the insurer’s operations, and a review process to ensure that the risk management framework remains effective.

5.4 The material risks to be covered in the RMS must, as a minimum, include:

5.4.1 Operational risk: this refers to all the risks associated with the operating units of an insurance company, such as the underwriting, claims and investment departments. Each department has its own risks, which must be managed. For example, when writing a high-value life insurance contract, the underwriting department must accept (outright or with exclusions), decline, exclude (accept a risk but exclude certain conditions) or load (accept a risk but charge more for it) the application in accordance with strict internal codes. Cross-checks need to be in place to ensure that internal policies and procedures are duly followed.

5.4.2 Insurance risk: this relates to the types of insurance products the company writes. Some products carry much lower insurance risk than others. For example, products involving many small policies, such as household contents insurance, are much less risky, systemic events excepted, than products which insure single large risks, such as commercial buildings or life insurance policies. Similarly, policies with a short period during which claims can be made (for example, comprehensive car insurance) are much less risky than policies where claims can be made for a number of years after the insured event (for example, professional indemnity insurance). The relative risks are reflected in the varying levels of capital which the insurer needs to hold: the higher the risk, the greater the amount of capital required to support it.

5.4.3 Risks arising out of reinsurance arrangements: the insurer must specifically demonstrate that material and catastrophic risks are appropriately covered by reinsurance treaties and facultative arrangements. This forms part of insurance risk.

5.4.4 Concentration risk: the insurer must take into consideration both geographic risk and product risk, the latter arising when few product types are underwritten by the insurer. This forms part of both strategic and insurance risk.

5.4.5 Market risk: interest rate risk and foreign exchange risk, i.e. the risks resulting directly or indirectly from fluctuations in the level and/or volatility of market prices for assets, liabilities and financial instruments.

5.4.6 Liquidity risk: the insurer must ensure that it can draw on sufficient cash to meet its liabilities as and when they fall due, primarily payments of claims and benefits to policyholders. The company must have processes in place to convert investments and other assets into sufficient cash, as needed, to meet its liabilities.

5.4.7 Credit risk: insurance companies rely on being paid by third parties, including the company’s reinsurers and investment counterparties. Counterparties may be unable to pay their ongoing obligations (for example, interest on a corporate bond or rent from a lessee), or may be unable to meet their obligations at all or on time. Also, an investment may not be convertible into cash despite a legal obligation to that effect (for example, a redeemable preference share), or such conversion to cash may not occur within the contracted time frame.

5.4.8 Contagion and related party risks: when an insurance company is a member of a large group of companies or a conglomerate, it is exposed to some of the risks of the group as a whole. In addition, under stress the owners of the group may divert capital and resources, including management, from the insurance company to other companies of the group. Such diversion may weaken the ability of the insurance company to meet its claims or to develop a long-term competitive strategy.

5.4.9 Legal and regulatory risks: these risks arise from the conduct of the insurer. Legal risks can arise from operating procedures (for example, the denial of a claim can result in legal action), and non-compliance with regulatory directives can result in administrative sanctions. This risk category includes reputational risk; and

5.4.10 Strategic risks: these risks arise out of the insurer’s business plan. Any strategic initiative carries risks, which must be identified and quantified. Corporate strategies can involve low risk levels (for example, remaining in the same market or distributing the existing product range) or they can involve elements of high risk (for example, purchasing a competitor or distributing a new and riskier product range).

6. RISK MANAGEMENT SYSTEM

6.1 The insurer shall be required to design and operate a risk management system to identify, assess, mitigate, monitor and report on foreseeable material risks in a timely manner.

6.2 When designing an effective risk management system, an insurer shall at a minimum consider the following elements:
6.2.1 A clearly defined and well documented risk management strategy which takes into account the insurer’s overall business strategy (as approved by the Board) and its business activities, including any business activities which have been outsourced;

6.2.2 Relevant objectives, key principles and proper allocation of responsibilities for dealing with risk across the business areas and organisational units of the insurer, including branches;
6.2.3 A clearly defined risk appetite approved by the Board in consultation with Management;
6.2.4 A written process defining the Board approval required for any deviations from the risk management strategy or the risk appetite, and for settling any major interpretation issues that may arise;
6.2.5 Appropriate written policies that include a definition and categorisation of the foreseeable relevant material risks (by type) to which the insurer is exposed, and the levels of acceptable risk limits for each type of risk;
6.2.6 Suitable processes and tools (including, where appropriate, models) for identifying, assessing, monitoring, managing and reporting on risks. Such processes should also cover areas such as contingency planning, business continuity and crisis management;
6.2.7 Regular reviews of the risk management system to help ensure that necessary modifications and improvements are identified and made in a timely manner;
6.2.8 Proper attention to other matters set out in regulations and codes pertaining to solvency; and
6.2.9 An effective risk management function.

6.3 The risk management system of an insurer shall be incorporated at both the enterprise-wide and the individual business unit levels.

6.4 The risk management system shall be integrated into the culture of the insurer and into the various business units of the insurer.

6.5 The insurer’s risk policies shall be written in a way that helps employees understand their risk responsibilities and explains the relationship of the risk management system to the insurer’s overall governance framework and its corporate culture.

6.6 The insurer shall be required to communicate regularly internally and to conduct training on risk policies.

6.7 The insurer’s risk escalation process needs to allow for reporting on risk issues within and outside established reporting cycles for matters of particular urgency.

6.8 The Board shall be required to review and approve the risks posed by new significant activities and products of the insurer that may increase an existing risk or create a new type of exposure.

6.9 The Board and Management shall be required to modify the risk management system in light of new internal and/or external circumstances.

6.10 The insurer shall be required to document material changes in the risk management system, subject to approval by the Board. The reasons for the changes should be documented and made available to internal audit, external audit and the Authority for their respective assessments of the risk management system.

7. INTERNAL CONTROLS SYSTEMS

7.1 The internal controls system of an insurer shall be required to provide assurance, from a control perspective, that the business is being operated consistently within the strategy and risk appetite set by the Board; agreed business objectives; policies and processes; and applicable laws and regulations.

7.2 The Board shall be required to review and approve measures regarding internal controls.

7.3 The Board shall be required to ensure that there is clear allocation of responsibilities within the insurer, with appropriate segregation, including in respect of the design, documentation, operation, monitoring and testing of internal controls.

7.4 The Board shall be required to determine which function or functions report to it or to any existing Board Committees in respect of the internal controls system.

7.5 Reporting on the internal controls system shall be required to cover matters such as:
7.5.1 The strategy in respect of internal controls;
7.5.2 The stage of development of the internal controls system, including the scope that it covers, testing activity, and the performance against annual or periodic internal controls system goals being pursued;
7.5.3 Information on resources (personnel, budget, etc.) being applied in respect of the internal controls system, including an analysis of the appropriateness of those resources in light of the nature, scale and complexity of the insurer’s business, risks and obligations;
7.5.4 An assessment of how the various organisational units or major business areas of the insurer are performing against internal control standards and goals; and
7.5.5 Control deficiencies, weaknesses and failures that have arisen or that have been identified, and the responses thereto.

7.6 When designing an effective internal control system, an insurer shall at a minimum consider the following:
7.6.1 Appropriate controls to provide assurance over the accuracy and completeness of the insurer’s books, records and accounts, and over financial consolidation and reporting, including the reports made to the Authority;

7.6.2 Appropriate controls for other key business processes and policies, including for major business decisions and transactions (including intra-group transactions), critical IT functionalities, access to databases and IT systems by employees, and important legal and regulatory obligations;
7.6.3 Appropriate segregation of duties where necessary, and controls to ensure such segregation is observed;
7.6.4 A system of clearly defined management responsibilities and accountabilities, including documentation for approvals, setting of limits and authorisations;
7.6.5 A centralised written inventory of insurer-wide key processes and policies, and of the controls in place in respect of such processes and policies;
7.6.6 Training in respect of controls, particularly for employees in positions of high trust or responsibility or involved in high-risk activities;
7.6.7 Processes for regularly checking that the totality of all controls forms a coherent system and that this system works as intended; and
7.6.8 Periodic testing and assessments (carried out by objective parties such as an internal or external auditor) to determine the adequacy, completeness and effectiveness of the internal controls system and its utility to the Board and Management for controlling the operations of the insurer.

8. GENERAL REQUIREMENTS

8.1 A control function should be headed by a person of appropriate seniority and expertise, and the appointment, performance assessment, remuneration, disciplining and dismissal of that person should be done with the approval of, or after consultation with, the Board.

8.2 Insurers should position each control function and its associated reporting lines within the insurer’s organisational structure in a manner that enables such function to operate and carry out its responsibilities effectively.

8.3 The control functions (other than internal audit) should be subject to periodic internal or external review by the insurer’s internal auditor or an objective external reviewer. The internal audit function should be subject to periodic review by an objective external reviewer.

8.4 Subject to approval of the Authority, an insurer may combine certain control functions, or outsource a control function in whole or in part, where appropriate in light of the nature, scale and complexity of the insurer’s business, risks, and legal and regulatory obligations.

8.5 Each control function should have the authority and independence necessary to be effective in fulfilling its duties and attaining its goals.

8.6 The Board should set or approve the authority and responsibilities of each control function and determine the frequency and depth of reporting to it or to its Board Committees.

8.7 The authority and responsibilities of each control function should be set out in writing and made part of, or referred to in, the governance documentation of the insurer. The head of each control function should periodically review such document and submit suggestions for any changes to Management and the Board for approval.

8.8 Notwithstanding the possibility for insurers to combine certain control functions, a control function’s independence from Management and from other functions should be sufficient to allow its staff to:
8.8.1 Serve as a further component of the insurer’s checks and balances;
8.8.2 Provide an objective perspective on strategies, issues and potential violations related to their areas of responsibility; and
8.8.3 Implement or oversee the implementation of corrective measures where necessary.

8.9 Each control function should avoid conflicts of interest. Where any conflicts remain and cannot be resolved with Management, these should be brought to the attention of the Board for resolution.

8.10 Each control function should have the authority to communicate on its own initiative with any employee and to have unrestricted access to such information as it needs to carry out its responsibilities.

8.11 The head of each control function shall be required to attend all meetings of the Board Committee to which the head of the control function reports.

8.12 Persons who perform control functions should possess the necessary experience, skills and knowledge required for the specific position they exercise and meet any applicable professional qualifications. Higher expectations apply to the head of each control function.

8.13 To ensure that persons who perform control functions remain up to date on the developments and techniques related to their areas of responsibility, they should receive regular training relevant to their field and areas of responsibility.

8.14 Insurers shall be required to seek approval from the Authority for the appointment of the head of each control function.

9. CONTROL FUNCTIONS

9.1 Risk Management Function

9.1.1 Insurers shall be required to have a robust risk management function that is well positioned, resourced, and properly authorised and staffed. The head of the risk management control function must be subject to a fit and proper assessment and approval by the Authority.

9.1.2 The risk management function shall be required to have access to and report to the Board, typically on matters such as:
9.1.2.1 Assessment of risk positions and risk exposures and the steps being taken to manage them;
9.1.2.2 Assessment of changes in the insurer’s risk profile;
9.1.2.3 Where appropriate, an assessment of pre-defined risk limits;
9.1.2.4 Where appropriate, risk management matters in relation to strategic affairs such as corporate strategy, mergers and acquisitions, and major projects and investments; and
9.1.2.5 An assessment of risk events and the identification of appropriate remedial actions.

9.1.3 The head of the risk management function should have the authority and obligation to inform the Board promptly of any circumstance that may have a material effect on the risk management system of the insurer and is detrimental to the insurer or its policyholders. The Chairman of the Board will be required to report any such occurrence to the Authority.

9.1.4 The risk management function should establish, implement and maintain appropriate mechanisms and activities to:
9.1.4.1 Assist the Board and Management in carrying out their respective responsibilities, including by providing specialist analyses and performing risk reviews;
9.1.4.2 Identify the risks the insurer faces;
9.1.4.3 Assess, aggregate, monitor and help manage and otherwise address identified risks effectively; this includes assessing the insurer’s capacity to absorb risk with due regard to the nature, probability, duration, correlation and potential severity of risks;

9.1.4.4 Gain and maintain an aggregated view of the risk profile of the insurer at a legal entity and at a group-wide level;
9.1.4.5 Evaluate the internal and external risk environment on an ongoing basis in order to identify and assess potential risks as early as possible;
9.1.4.6 Consider risks arising from remuneration arrangements and incentive structures;
9.1.4.7 Conduct regular stress testing and scenario analyses;
9.1.4.8 Regularly report to Management, Key Persons in Control Functions and the Board on the insurer’s risk profile, with details of the risk exposures facing the insurer and related mitigation actions as appropriate;
9.1.4.9 Document and report material changes affecting the insurer’s risk management system to the Board, to help ensure that the framework is maintained, reviewed and improved; and
9.1.4.10 Conduct regular assessments of the risk management function and the risk management system, and implement or monitor the implementation of any needed improvements.

9.2 Compliance Function

9.2.1 Insurers shall be required to have an effective compliance function capable of assisting the insurer to meet its legal and regulatory obligations and to promote and sustain a corporate culture of compliance and integrity. The head of the compliance control function must be subject to a fit and proper assessment and approval by the Authority.

9.2.2 The Board shall ensure that the insurer complies with all applicable laws, regulations, supervisory decisions and internal policies, and conducts its business ethically and responsibly.

9.2.3 The insurer shall have in place a robust compliance function that is well positioned, resourced, and properly authorised and staffed.

9.2.4 The compliance function should have access to and report to the Board on matters such as:
9.2.4.1 An assessment of the key compliance risks the insurer faces and the steps being taken to address them;

9.2.4.2 An assessment of how the various parts of the insurer (e.g. divisions, major business units, product areas) are performing against compliance standards and goals;
9.2.4.3 Any compliance issues involving management or persons in positions of major responsibility within the insurer, and the status of any associated investigations or other actions being taken;
9.2.4.4 Material compliance violations or concerns involving any other person or unit of the insurer, and the status of any associated investigations or other actions being taken; and
9.2.4.5 Material fines or other disciplinary actions taken by any regulator or supervisor in respect of the insurer or any employee.

9.2.5 The head of the compliance function should have the authority and obligation to promptly inform the Chair of the Board directly in the event of any major non-compliance by a member of management, or a material non-compliance by the insurer with an external obligation, if in either case he or she believes that Management or other persons in authority at the insurer are not taking the necessary corrective actions and a delay would be detrimental to the insurer or its policyholders. The Chairman of the Board will be required to report any such occurrence to the Authority.

9.2.6 The compliance function should establish, implement and maintain appropriate mechanisms and activities to:
9.2.6.1 Promote and sustain an ethical corporate culture that values responsible conduct and compliance with internal and external obligations;
9.2.6.2 Identify, assess, report on and address key legal and regulatory obligations, including obligations to the Authority, and the risks associated therewith;
9.2.6.3 Ensure the insurer monitors, and has appropriate policies, processes and controls in respect of, key areas of legal, regulatory and ethical obligation;
9.2.6.4 Hold regular training on key legal and regulatory obligations, particularly for employees in positions of high responsibility or who are involved in high-risk activities;
9.2.6.5 Facilitate the confidential reporting by employees of concerns, shortcomings or potential or actual violations in respect of the insurer’s internal policies, legal or regulatory obligations, or ethical considerations;
9.2.6.6 Address compliance shortcomings and violations, including ensuring that adequate disciplinary actions are taken where appropriate and that any necessary reporting to the Authority or other authorities is made; and

9.2.6.7 Conduct regular assessments of the compliance function and the compliance systems, and implement or monitor needed improvements.

9.3 Internal Audit Function

9.3.1 The insurer shall be required to have an effective internal audit function capable of providing the Board with independent assurance in respect of the insurer’s governance, including its risk management and internal controls. The head of the internal audit control function must be subject to a fit and proper assessment and approval by the Authority.

9.3.2 The internal audit function should provide independent assurance to the Board through general and specific audits, reviews, testing and other techniques in respect of matters such as:
9.3.2.1 The overall means by which the insurer preserves its assets and those of policyholders, and seeks to prevent fraud, misappropriation or misapplication of such assets;
9.3.2.2 The reliability, integrity and completeness of the accounting, financial reporting and management information and IT systems;
9.3.2.3 The design and operational effectiveness of the insurer’s individual controls in respect of the above matters, as well as of the internal controls system as a whole;
9.3.2.4 Other matters as may be requested by the Board, Management or the Authority; and
9.3.2.5 Other matters which the internal audit function determines should be reviewed to fulfil its mission, in accordance with its terms of reference or other documents setting out its authority and responsibilities.

9.3.3 The internal audit function shall be required to be independent from management and shall not be involved operationally in the business.

9.3.4 The Board shall grant suitable authority to the internal audit function, including the authority to:
9.3.4.1 Access and review any records or information of the insurer which the internal audit function deems necessary to carry out an audit or other review;
9.3.4.2 Undertake, on the internal audit function’s own initiative, a review of any area or any function consistent with its mission;

9.3.4.3 Require an appropriate management response to an internal audit report, including the development of a suitable remediation, mitigation or other follow-up plan as needed; and
9.3.4.4 Decline to carry out an audit or review, or to take on any other responsibilities requested by management, if the internal audit function believes this is inconsistent with its mission or with the strategy and audit plan approved by the Board. In any such case, the internal audit function should inform the Board and seek its guidance.

9.3.5 The head of the internal audit function shall report to the Board or to the Audit Committee.

9.3.6 In its reporting, the internal audit function should cover matters such as:
9.3.6.1 The function’s annual or other periodic audit plan, detailing the proposed areas of audit focus;
9.3.6.2 Any factors that may be adversely affecting the internal audit function’s independence, objectivity or effectiveness;
9.3.6.3 Material findings from audits or reviews conducted; and
9.3.6.4 The extent of management’s compliance with agreed corrective or risk-mitigating measures in response to identified control deficiencies, weaknesses or failures, compliance violations or other lapses.

9.3.7 In addition to periodic reporting, the head of internal audit shall be authorised to communicate directly, and meet periodically, with the head of the Audit Committee or the Chair of the Board without the presence of management.

9.3.8 The audit function should carry out such activities as are needed to fulfil its responsibilities. These activities include, among others:
9.3.8.1 Establishing, implementing and maintaining a risk-based audit plan to examine and evaluate general or specific areas, including on a preventive basis;
9.3.8.2 Reviewing and evaluating the adequacy and effectiveness of the insurer’s policies and processes and the documentation and controls in respect of these, on a legal entity and group-wide basis and on an individual subsidiary, business unit, business area, department or other organisational unit basis;
9.3.8.3 Reviewing levels of compliance by employees and organisational units with established policies, processes and controls, including those involving reporting;

9.3.8.4 Evaluating the reliability and integrity of information and the means used to identify, measure, classify and report such information;
9.3.8.5 Ensuring that the identified risks and the agreed actions to address them are accurate and current;
9.3.8.6 Evaluating the means of safeguarding insurer and policyholder assets and, as appropriate, verifying the existence of such assets and the required level of segregation in respect of insurer and policyholder assets;
9.3.8.7 Monitoring and evaluating governance processes;
9.3.8.8 Monitoring and evaluating the effectiveness of the organisation’s control functions;
9.3.8.9 Coordinating with the external auditors and actuaries and, to the extent requested by the Board and consistent with applicable law, evaluating the quality of performance of the external auditors and actuaries; and
9.3.8.10 Conducting regular assessments of the internal audit function and audit systems and incorporating needed improvements.

9.3.9 In carrying out the above tasks, the internal audit function should ensure all material areas of risk and obligation of the insurer are subject to appropriate audit or review over a reasonable period of time. Among these areas are those dealing with:
9.3.9.1 Market, underwriting, credit, liquidity, operational and reputational risk;
9.3.9.2 Accounting and financial policies and whether the associated records are complete and accurate;
9.3.9.3 The extent of compliance by the insurer with applicable laws, regulations, rules and directives from all relevant jurisdictions;
9.3.9.4 Intra-group transactions, including intra-group risk transfer and internal pricing;
9.3.9.5 Adherence by the insurer to the insurer’s remuneration policy;
9.3.9.6 The reliability and timeliness of escalation processes and reporting systems, including whether there are confidential means for employees to report concerns or violations and whether these are properly communicated, offer the reporting employee adequate protection from retaliation, and result in appropriate follow-up; and
9.3.9.7 The extent to which any non-compliance with internal policies or external legal or regulatory obligations is documented and appropriate corrective or disciplinary measures are taken, including in respect of individual employees involved.
9.3.9.8 Subject to applicable laws on record retention, the internal audit function should keep records of all areas and issues reviewed so as to provide evidence of these activities over time.

10. ENFORCEMENT

The Authority shall enforce compliance with this code by exercising its powers against any person who contravenes this code, or by taking any other measure prescribed in the relevant law.

11. EFFECTIVE DATE

The effective date of this code is October 01st, 2018.

12. ENQUIRY

Enquiries on any aspect of this code shall be referred to:
The Director of Insurance and Pension Supervision Section
Financial Services Authority
P.O. Box 991, Victoria, Mahé
SEYCHELLES
Telephone: +248 4 380 800
Facsimile: +248 4 380 888
E-mail: insuranceservices@fsaseychelles.sc