2022-12-30
The Central Bank of the UAE issued this regulation to establish minimum requirements for insurance companies' risk management and internal control frameworks, aiming to ensure company safety and contribute to national financial stability. The document mandates comprehensive governance structures, including independent control functions such as risk management, compliance, actuarial, and internal audit, while applying a principle of proportionality for enforcement. It defines key terms and scopes of application, requiring adherence to international standards and specific operational protocols like ORSA, stress testing, and outsourcing management.
RISK MANAGEMENT AND INTERNAL CONTROLS REGULATION FOR INSURANCE COMPANIES
CONTENTS
Introduction
Objective
Scope of Application
Article (1) Definitions
Article (2) Systems of Risk Management and Internal Controls
Article (3) Effective Risk Management System
Article (4) Effective Internal Controls System
Article (5) Control Functions
Article (6) Risk Management Function
Article (7) Risk Measurement & Models Use
Article (8) Stress Testing for Material Risks
Article (9) Compliance Function
Article (10) Actuarial Function
Article (11) Internal Audit Function
Article (12) Outsourcing
Article (13) Countering Insurance Fraud
Article (14) Duty to Report to the Central Bank
Article (15) Takaful Insurance
Article (16) Enforcement
Article (17) Interpretation of Regulation
Article (18) Publication and Application
Circular No: 2022/25 Date: 30/12/2022 To: All Insurance Companies Subject: Risk Management and Internal Controls Regulation and Standards for Insurance Companies
===================================================================
The Board of Directors, having perused Decretal Federal Law No. (14) of 2018 Regarding the Central Bank & Organization of Financial Institutions and Activities as amended; Federal Law No. (6) of 2007 Concerning the Organization of Insurance Operations, as amended, and its Executive Regulations; Insurance Authority Board of Directors’ Decision No. (49) of 2019 Concerning Instructions for Life Insurance and Family Takaful Insurance; Insurance Authority Board of Directors’ Decision No. (25) of 2014 Pertinent to Financial Regulations for Insurance Companies and Insurance Authority Board of Directors’ Decision No. (26) of 2014 Pertinent to Financial Regulations for Takaful Insurance Companies; Insurance Authority Board of Directors’ Resolution No. (11) of 2016 Concerning the Revision of the Pricing Policy Applied by a Company in the Classes of Property and Liability Insurance; Insurance Authority Board of Directors’ Decision No. (9) of 2017 Concerning the Regulations on Licensing and Registration of Actuaries and Regulation of their Operations; Insurance Authority’s Board of Directors’ Decision No. (19) of 2020 Concerning the Guidance Manual for Insurance Companies and Related Professions to Submitting the Data, information and Supervisory Reports; and The Central Bank of the UAE’s Board of Directors’ Resolution published in the Official Gazette issue No. (740) on 30 November 2022 Regulation Regarding Takaful Insurance; and based on the recommendation of the Governor and approval of the Board of Directors;
Has resolved as follows:
Introduction
The Central Bank seeks to promote the effective and efficient development and functioning of the insurance sector. To this end, Companies are required to have a comprehensive approach to Risk Management and effective Internal Controls, including Board and Senior Management oversight, to ensure their resiliency and enhance overall financial stability.
Risk Management, internal audit, compliance, and actuarial functions constitute key control functions in a Company. The control functions have a responsibility, independent of the management of the Company's business lines, to provide objective assessment, reporting and/or assurance. The control functions (as defined in article 1.11) are an essential foundation for effective corporate governance.
In introducing this Regulation and the accompanying Standards, the Central Bank intends to ensure that Companies' approaches to Risk Management and Internal Controls are in line with leading international standards and industry best practice.
This Regulation and the accompanying Standards establish an overarching prudential framework for Risk Management and Internal Controls. Standards and supervisory expectations for selected specific risks are, or will be, established in other Regulations.
This Regulation and the accompanying Standards are issued pursuant to the powers vested in the Central Bank under the Central Bank Law.
This Regulation and the accompanying Standards supplement Federal Law No. (6) of 2007 Concerning the Organization of Insurance Operations, as amended, and its Executive Regulations, Insurance Authority’s Board of Directors’ Decision No. (19) of 2020 Concerning the Guidance Manual for Insurance Companies and Related Professions to Submitting the Data, information and Supervisory Reports, Insurance Authority Board of Directors’ Resolution No. (11) of 2016 Concerning the Revision of the Pricing Policy Applied by a Company in the Classes of Property and Liability Insurance, Insurance Authority Board of Directors’ Decision No. (49) of 2019 Concerning Instructions for Life Insurance and Family Takaful Insurance, Insurance Authority Board of Directors’ Decision No. (25) of 2014 Pertinent to Financial Regulations for Insurance Companies, Insurance Authority Board of Directors’ Decision No. (26) of 2014 Pertinent to Financial Regulations for Takaful Insurance Companies, and the Central Bank of the UAE’s Board of Directors’ Resolution published in the Official Gazette issue No. (740) on 30 November 2022 Regulation Regarding Takaful Insurance.
Additional requirements may be imposed pursuant to decisions to be issued by the Central Bank in this regard.
Objective
The objective of this Regulation is to establish the Central Bank’s minimum requirements for Companies' approach to Risk Management and Internal Controls with a view to:
a. Ensuring the safety and soundness of Companies; and
b. Contributing to the financial stability of the UAE.
Scope of Application
This Regulation and the accompanying Standards apply to all Companies. Companies established in the UAE with Group relationships including Subsidiaries, Affiliates, or international branches, must ensure that the Regulation and Standards are adhered to on a solo and Group-wide basis.
The Central Bank will apply the principle of proportionality in the enforcement of the Regulation and Standards, whereby smaller Companies may demonstrate to the Central Bank that the objectives are met without necessarily addressing all of the specifics cited therein. The Central Bank will decide on the extent to which a Company is expected to meet the requirements.
Article (1): Definitions
Actuaries’ Regulation: Insurance Authority Board of Directors Decision No. (9) of 2017 Concerning the Regulations on Licensing and Registration of Actuaries and Regulation of their Operations.
Affiliate: An entity that, directly or indirectly, controls, is controlled by, or is under common control with another entity. The term control as used herein shall mean the holding, directly or indirectly, of voting rights in another entity, or of the power to direct or cause the direction of the management of another entity.
Authorized Manager: The person appointed by the foreign insurance company to manage its branch in the State.
Board: The Company’s board of directors.
Central Bank: The Central Bank of the United Arab Emirates.
Chief Executive Officer: The most senior executive appointed by the Board, and in the case of foreign branches, this refers to the Authorized Manager.
Central Bank Laws: Decretal Federal Law No. (14) of 2018 Regarding the Central Bank & Organization of Financial Institutions and Activities, as amended; and Federal Law No. (6) of 2007 Concerning the Organization of Insurance Operations, as amended and its Executive Regulations.
Company: The insurance company incorporated in the State, and the foreign branch of an insurance company, that is licensed to underwrite primary insurance and reinsurance, including Takaful insurance companies.
Conflict of Interest: A situation of actual or perceived conflict between the duty and private interests of a person, which could improperly influence the performance of his/her duties and responsibilities.
Confidential Data: Account or other data relating to a Company customer, who is or can be identified, either from the Confidential Data, or from the Confidential Data in conjunction with other information that is in, or is likely to come into, the possession of a person or organization that is granted access to the Confidential Data.
Control Functions: Function (whether in the form of a person, unit or department) that has a responsibility in a Company to provide objective assessment, reporting and/or assurance; this includes the risk management, compliance, actuarial, internal audit and where applicable Shari’ah control and Shari’ah audit functions.
Enterprise Risk Management (ERM): The strategies, policies and processes of identifying, assessing, measuring, monitoring, controlling, reporting and mitigating risks in respect of the Company’s enterprise as a whole.
Financial Regulations: Insurance Authority Board of Directors’ Decision No. (25) of 2014 Pertinent to Financial Regulations for Insurance Companies and the Insurance Authority Board of Directors’ Decision No. (26) of 2014 Pertinent to Financial Regulations for Takaful Insurance Companies.
Group: A group of entities which includes an entity (the ‘first entity’) and:
a. any Parent of the first entity;
b. any Subsidiary of the first entity or of any Parent of the first entity;
c. any Affiliate.
Internal Controls: A set of processes, policies and activities governing a Company’s organizational and operational structure, including reporting and Control Functions.
Life Insurance Regulation: Insurance Authority Board of Directors’ Decision No. (49) of 2019 Concerning Instructions for Life Insurance and Family Takaful Insurance.
Material Business Activity: An activity of the Company that has the potential, if disrupted, to have a significant impact on the Company’s business operations or its ability to manage risks effectively.
Matter of Significance: A matter, or group of matters, that would have a significant impact on the activities or financial position of the Company. Examples include failure to preserve the assets of the Company and policyholders, failure to comply with Central Bank Laws/the Financial Regulations, major deviations from the Risk Appetite and/or other matters that are likely to be of significance to the function of the Central Bank as regulator.
Master System of Record: The collection of all data, including Confidential Data, required to conduct all core activities of a Company, including the provision of services to policyholders, managing all risks, and complying with all legal and regulatory requirements.
Model: A quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates.
Outsourcing: An arrangement between a Company and a service provider, whether the service provider operates within or outside the UAE, for the latter to perform a process, service or activity which would otherwise be performed by the Company itself.
Own Risk and Solvency Assessment (ORSA): An internal process undertaken by a Company/Group to assess the adequacy of its Risk Management and its current and prospective solvency positions under normal and severe stress scenarios. It requires a Company to analyze all reasonably foreseeable and relevant material risks. It covers current and future risks and requires Company-specific judgment about risk management and the adequacy of the capital position that could have an impact on its ability to meet both its business objectives and its policyholder obligations. This encourages management to anticipate potential business challenges and capital needs and to take proactive steps to reduce risks. ORSA is not a one-off exercise. It is a continuously evolving process and must be a component of a Company’s Enterprise Risk Management (ERM) framework. Whilst there is no single prescribed way of conducting an ORSA, the output is expected to be a set of documents that demonstrate the results of management's proactive approach to its own self-assessment.
Parent: An entity (the 'first entity') which:
a. holds a majority of the voting rights in another entity (the 'second entity');
b. is a shareholder of the second entity and has the right to appoint or remove a majority of the Board or managers of the second entity; or
c. is a shareholder of the second entity and controls alone, pursuant to an agreement with other shareholders, a majority of voting rights in the second entity;