Regulation on Internal Assessment of Own Risks and Solvency for Insurance Undertakings

1

NATIONAL BANK OF MOLDOVA

D E C I S I O N for the approval of the Regulation on the internal assessment of own risks and solvency of insurance and reinsurance undertakings and the requirements for carrying out tests for the assessment of the ability to maintain financial stability

No 243 of 26.09.2024 (in force as of 04.10.2024)

Official Monitor of the Republic of Moldova No 419-422 Art. 782 of 04.10.2024

---

UE Pursuant to Art.39 paragraph (2), Art.116 paragraph (3) of the Law No 92/2022 on insurance and reinsurance activity (Official Monitor of the Republic of Moldova, 2022, No 129-133, Art.229), the Executive Board of the National Bank of Moldova DECIDES:

1. The Regulation on the internal assessment of own risks and solvency of insurance or reinsurance undertakings and the requirements for carrying out tests for the assessment of the ability to maintain financial stability is hereby approved (attached).
2. The insurance or reinsurance undertaking shall draw up the Policy on the internal assessment of its own risks and solvency within 9 months from the date of entry into force of this Decision.
3. This Decision shall enter into force on the date of its publication in the Official Monitor of the Republic of Moldova. CHAIRMAN OF THE EXECUTIVE BOARD OF THE NATIONAL BANK OF MOLDOVA Anca-Dana DRAGU No 243. Chisinau, September 26, 2024.

Approved by the Decision of the Executive Board of The National Bank of Moldova No 243 of September 26, 2024

REGULATION on the internal assessment of own risks and solvency of insurance and reinsurance undertakings and the requirements for carrying out tests for the assessment of the ability to maintain financial stability This Regulation partially transposes (transposes point 1.1-1.9, point 1.11, point 1.13-1.21, point 1.24-1.29) Guide on own risk and solvency assessment EIOPA-BoS-14/259.

2 Chapter I GENERAL PROVISIONS

1. The Regulation on the internal assessment of own-risk and solvency for insurance or reinsurance undertakings and the requirements for carrying out tests to assess the ability to maintain financial stability (hereinafter - the Regulation) aims to lay down the rules and content of the assessment by insurance and reinsurance undertakings of own risks and solvency, as well as the regulation of quantitative tools, used to assess the ability of insurance or reinsurance undertakings to meet the solvency ratio requirements in the event of possible future events or changes in economic conditions that may have unfavorable effects on the financial situation.
2. The provisions of this Regulation shall apply to the following entities, hereinafter referred to as undertakings: 2.1. undertakings licensed to carry out insurance or reinsurance activity and operating on the territory of the Republic of Moldova, as well as their branches in third countries; 2.2. branches of third-country insurance or reinsurance undertakings with regard to their activities in the Republic of Moldova; 2.3. participating insurance or reinsurance undertakings which are part of a group.
3. The undertaking is obliged to carry out, in accordance with its business strategy, an internal assessment of its own risks and solvency, taking into account its own risk profile, at least once a year and whenever the risk profile is significantly changed. The undertakings shall develop its own procedures for the internal assessment of its own risks and solvency, adapted to its organizational structure and risk management system, taking into account the nature, scale and complexity of the risks inherent in its business. The composite insurance undertaking shall perform separately the internal own risk and solvency assessment for the “general insurance” and the “life insurance” categories.
4. The terms and expressions used in the Regulation shall have the meanings provided in the Law No 92/2022 on insurance or reinsurance activity. Also, for the purposes of the Regulation, the following concepts are used: 4.1. risk appetite – the absolute level of risks and types of risks that the undertaking is willing to take within the limits of its risk capacity according to its business strategy in order to achieve its objectives. 4.2. internal assessment of own risk and solvency (hereinafter - internal evaluation) – the set of strategies, processes and procedures used by the undertaking to identify, assess, monitor, manage and report the short-term and long-term risks that it faces or may face and the determination by the undertaking of the own funds necessary to ensure that its solvency needs are met at all times; 4.3. risk matrix – a tool that identifies and analyzes potential risks that impact the business; 4.4. risk profile – the totality of the risks to which an undertaking is exposed according to the risk appetite assumed by the governing bodies in decision-making and business strategy; 4.5. test for assessing the ability to maintain financial stability (hereinafter test/tests) – a risk management technique used to assess the potential effects of future events or changes in economic and/or financial conditions that could have an impact on the undertaking 's financial position; 4.6. sensitivity analysis - a stress test that measures the potential impact of one or more types of risk affecting own funds, solvency, liquidity on a particular portfolio or the undertaking as a whole; 4.7. scenario-based analysis – an assessment of the resilience of an undertaking or portfolio under a given scenario; 4.8. reverse testing – undertaking-wide simulation which includes the determination of a predefined outcome (e.g. failure to hold sufficient eligible own funds to cover solvency needs) and the identification of scenarios that could lead to such an outcome; 4.9. risk tolerance – the maximum level of risk accepted by the undertaking which corresponds to the risk appetite assumed by undertaking.

3 Chapter II Internal assessment

Section 1 Organizing the internal assessment process 5. The internal assessment, in addition to the provisions of Art.39 paragraph (5) of No 92/2022 on insurance or reinsurance activity, shall include at least the following: 5.1. determining solvency needs taking into account the specific risk profile, approved risk tolerance limits and the undertaking's business strategy; 5.2. ensuring ongoing compliance with solvency ratio, capital, and technical reserve requirements. 6. For the purposes of Subsection 5.1, the undertaking shall have in place procedures commensurate with the nature, scale and complexity of the risks inherent in its business and which enable it to properly identify and assess, qualitatively and quantitatively, the risks it faces in the short and long term and to which it is or could be exposed as part of its own risk and solvency assessment policy. The undertaking shall demonstrate the methods used in that assessment. 7. The results of the internal assessment and the knowledge gained in this process are taken into account for the undertaking's strategic decisions, as well as for the governance system, short and medium term, business planning, insurance product development. 8. The undertaking takes into account any events that have or may have an impact on own funds such as, but not limited to: 8.1. dividend payments; 8.2. increase in purchase expenses; 8.3. bonuses; 8.4. changes in subordinated debt; 8.5. premium discounts. 9. In order to identify the risk profile, the undertaking shall ensure: 9.1. the creation of the risk matrix as a tool used in the decision-making process by the governing bodies and as a means of measurement applied during the own risk assessment process to describe the level of risk (severity) by considering the likelihood of occurrence of the risk in relation to the severity of the consequences; 9.2. defining risks and allocating them to the subdivisions involved within the undertaking. 10. At the request of the National Bank of Moldova, the undertaking shall demonstrate, by substantiated evidence, the use of the chosen method and its appropriateness to the complexity and nature of the activity of the undertaking in question. 11. The company shall submit to the National Bank of Moldova the report on the supervision of the internal own risk and solvency internal assessment, as well as the test results and corrective action plans, in electronic form, within two weeks of the completion of the internal assessment. 12. The internal assessment within a group shall be carried out using standardized group￾wide processes, taking into account group-specific risks, including those that may be less relevant at individual level than at group level.

Section 2 The role of governing bodies in internal assessment 13. The governing bodies of the undertaking are responsible for organizing and carrying out the internal assessment process, as well as for incorporating the results of the assessment into approved decisions and business strategy. 14. The governing bodies, within the limits of the powers set out in the Policy on the internal assessment of their own risks and solvency, are responsible for and actively participate in the internal assessment process, including, but not limited to: 14.1. coordinating the assessment process and testing results;

4 14.2. ensuring that internal assessment reflects the undertaking's business strategy; 14.3. taking into account risk appetite and risk tolerance; 14.4. critical review of the risk analysis underlying the internal assessment; 14.5. test model and scenario analysis; 14.6. approval of the methods for conducting internal assessment. 15. The undertaking shall communicate to the staff involved at least the results and conclusions on the internal evaluation as soon as the procedure and results have been approved by the governing bodies.

Section 3 Internal assessment documents 16. The undertaking shall have at least the following internal assessment documents: 16.1. Policy on the internal assessment of own risks and solvency (hereinafter - Policy); 16.2. Evidence of each internal own risk and solvency assessment; 16.3. Internal report on the results of the internal own risk and solvency assessment (hereinafter - Internal report); 16.4. Supervisory report on the internal assessment of own risks and solvency (hereinafter – Supervisory report). 17. The policy is approved by the undertaking's board and reviewed as necessary, but at least annually. 18. The policy shall include at least the following: 18.1. a description of the processes and procedures put in place in accordance with point 6 for carrying out prospective own risk assessment; 18.2. the analysis of the link between risk profile, approved risk tolerance limits and solvency needs; 18.3. the methods used, including information on: 18.3.1. the manner and frequency with which tests, sensitivity analyses, reverse tests or other relevant tests are performed; 18.3.2. standards for the quality of data used; 18.3.3. the frequency of the assessment and the justification of its appropriateness, taking into account in particular the risk profile of the company and the volatility of its solvency needs in relation to the capital requirement; 18.3.4. the planned timeframe of the prospective own-risk assessment and the circumstances that determine the need for such an assessment outside the usual timeframe; 18.4. the structure of the internal assessment report; 18.5. the powers and competences of each management body in the internal assessment process and of each function involved in it; 18.6. actions to be taken if solvency and capital requirements are found. 19. The company must document each internal assessment and its results. The documents related to the internal assessment shall include the information, the results of the internal assessment process, with an indication of the source and how the company reached those results, as well as the reports, minutes of the governing bodies, minutes of the specialized committees, which are related to the internal assessment reports, as well as test results. 20. The internal report comprises: 20.1. a description of the risks to which the company is exposed, including any changes during the reporting period; 20.2. the qualitative and quantitative results of the internal own-risk and solvency assessment and the conclusions drawn therefrom; 20.3. methods and scenarios used in the internal assessment; 20.4. information on the solvency needs of the undertaking, and a comparison between the solvency needs concerned, the capital requirements and its own funds;

5 20.5. qualitative information on the extent to which certain quantifiable risks of the company are not reflected in the calculation of the capital requirement and, if significant deviations have been identified, a quantification in this respect; 20.6. a description of how the assets have been invested in accordance with the “prudent person” principle (the rule that companies invest only in assets whose risks can be adequately identified, measured, managed, monitored, controlled and reported and which are taken into account, including in the assessment of capital and solvency needs), so as to address the risks referred to in point 21; 20.7. forecasted profit value; 20.8. the results of the tests and a description of how they affect own funds and solvency before and after the decisions taken by the governing bodies; 20.9. potential contingency actions/plans where solvency needs are identified and available capital is expected to be insufficient to support future business plans or under stressed conditions; 20.10. any other relevant information on the undertaking's risk profile. 21. The internal report includes qualitative and quantitative information on the undertaking's risk profile presented for the following risk categories: 21.1. underwriting risk; 21.2. market risk; 21.3. credit risk; 21.4. liquidity risk; 21.5. operational risk; 21.6. concentration risk; 21.7. other significant risks that may have an impact on the undertaking. 22. For the purposes of subpoint 21.7, risks will not be limited to quantifiable risks, but may also include, but are not limited to, reputational, legislative, political, technological change, climate, sustainability, strategic and group risks. 23. The supervision report shall contain at least the following information: 23.1. qualitative and quantitative results of the internal assessment and the conclusions drawn by the undertaking from those results; 23.2. methods and main scenarios used in the internal assessment; 23.3. information on the undertaking's solvency needs and a comparison between the respective solvency needs, capital requirements and undertaking own funds; 23.4. qualitative information on the extent to which certain quantifiable risks of the company are not reflected in the calculation of the capital requirement and, if significant deviations have been identified, a quantification in this respect; 23.5. actions/emergency plans if solvency needs are found, as well as available capital is expected to be insufficient to support future business plans or under stress.

Section 4 Continuous compliance with the capital requirement and technical reserves 24. The undertaking must consider whether it is in continuous compliance with the capital requirements and, as part of the internal assessment, must consider at least the following: 24.1. the nature and quality of own funds throughout the planning period of the undertaking's activity; 24.2. the categories of own funds and how this may change during the planning period of the undertaking’s activity as a result of redemption, repayment or maturity, where applicable; 24.3 the risks to which the company is or might be exposed, taking into account possible future changes in its risk profile as a result of its business strategy or the economic and financial environment. 25. The undertaking shall ensure that the actuarial function of the undertaking at least:

6 25.1. provides information on the ongoing compliance of the undertaking with the requirements for the calculation of technical provisions; 25.2. identifies potential risks arising from the uncertainties associated with the calculation in question. 26. The undertaking shall assess whether its risk profile deviates from the assumptions underlying the calculation of capital requirements and whether such deviations are significant. The undertaking, as a first step, carries out a qualitative analysis and if it finds that the deviation is not significant, it may not resort to a quantitative analysis, which is mandatory if the deviation is significant.

CHAPTER III THE TESTS

Section 1 General Provisions 27. The undertaking shall use testing as a means of assessing the ability to maintain financial stability in any situation of the undertaking. Testing shall be used in combination with other risk management and control tools. 28. The test results must be used by the governing bodies of the company to understand and evaluate, as a minimum: 28.1. the significant risks to the undertaking's business/risk profile, ensuring that the management process is appropriately aligned with them; 28.2. whether the undertaking's capital and its allocation provide sufficient coverage for possible adverse events. 29. The undertaking identifies specific risk factors whose changes may adversely affect the undertaking 's activity and which will be used for testing. 30. The undertaking may conduct a general performance test that assesses all of the undertaking's main risks, as well as assess the scenarios associated with certain separate classes of business. Section 2 Test methods and items 31. The testing methods are chosen by the undertaking, taking into account the nature, scale and complexity of its business and the risks to which it is exposed. 32. For sensitivity analyses, the classes of business, types of insurance or risks must be selected in such a way as to ensure adequate coverage of the undertaking's business and the individual risks to which it is exposed. 33. The scenario-based analysis includes an assessment of simultaneous changes in several risk factors and reflects events that, from the undertaking's perspective, are likely to occur in the future. The scenario-based analysis can be based on past events that have had a significant impact on the market or the undertaking as a historical scenario or on expected events that may occur in the future as a hypothetical scenario. 34. As part of the scenario-based analysis, the undertaking must provide a detailed description of the scenario, covering all risk factors and their influence on the undertaking in the future. Historical scenarios need to be based on exceptional but plausible events over a given period, using, where possible, data recorded over an entire economic cycle. 35. The reverse testing must be based on a qualitative assessment, allowing the development of a scenario covering significant risks. 36. The undertaking may use other testing methods, provided that their use must be reasoned, transparent, documented and objective. At the request of the National Bank of Moldova, the undertaking shall demonstrate the selected testing methodology and its relevance to the situation and risks to which the company is exposed.

7 37. The main elements of the testing process include, but are not limited to: 37.1. scenario identification: the undertaking must identify scenarios, related to the specifics of its business, that could affect financial stability, which may include natural disasters, financial market collapses, significant increases in claims, pandemics; 37.2. financial impact assessment: the undertaking assesses the financial impact of the scenarios on its own funds, capital requirement, and other prudential indicators, as appropriate; 37.3. portfolio testing: testing involves the assessment of the insurance portfolio to determine how different types of policies and classes of business might be affected by these tests; 37.4. in the risk management plans the undertaking takes into account the results of the tests in order to identify risk mitigation techniques, by adjusting the insurance portfolio, increasing capital, reducing risk exposure, adopting more restrictive policies in terms of underwriting new policies based on the test results, other measures appropriate to the situation, which need to be justified.

Section 3 Organization of tests 38. The internal assessment includes a sufficient number of tests derived from the business strategy and significant risks identified during the internal assessment process. 39. The frequency of testing shall be determined by the board of the undertaking, but not less frequently than once a year. The tests may also be carried out unplanned, by decision of the executive body, for specific purposes. Following the results of the tests carried out, the board of the undertaking shall determine the deadline and the way to remedy the deficiencies found. 40. The undertaking is required to have documented policies and procedures related to testing, including at a minimum: 40.1. the types of testing and the main purpose of each component of the testing program; 40.2. the frequency of tests and the criteria by which they are applied; 40.3. relevant information and information sources; 40.4. the methodological details of the organization and conduct of each type of test, including the role of the personnel involved and the stages; 40.5. the scenarios applied and how to remedy the deficiencies found, based on the purpose, type, and result of the tests. 41. For each stage of the tests, the undertaking must document the scenarios and fundamentals of the exercise. These will include the reasoning and judgments underlying the chosen scenarios and the sensitivity of the results to the type and severity of the scenarios. An assessment of such scenarios must be carried out by the undertaking on a regular basis or as internal and external conditions change. 42. The undertaking shall ensure, at least once a year, a verification that the risk profile scenarios, the selected methodology and the environment in which it operates remain valid over time. In this respect, the undertaking shall verify the relevance of the following elements: 42.1. the scope of exposures to which the tests are applied; 42.2. appropriateness of assumptions; 42.3. adequacy of the information management system; 42.4. integration into the undertaking governance process, including clarity of reporting lines; 42.5. the policy for approving the testing process, including changes; 42.6. the relevance, accuracy and integrity of the data incorporated in the testing process; 42.7. the timeliness of the methodology and its appropriateness to the risks faced by undertaking; 42.8. the quality of the formalization of the testing process. 43. The undertaking must use truthful, accurate, current and representative data to carry out the tests.

8 44. The undertaking shall determine all the risks that may be subject to testing by carrying out analyses of the nature and portfolios of the undertaking and the environment in which it operates. Based on the identified risks, the undertaking determines the risk factors to be used for testing. The testing program shall contain at least the following: 44.1. analysis of areas of activity, risk types and separate components of portfolios and classes of activity; 44.2. interdependence between risks; 44.3. a flexible mechanism that allows a variety of tests to be modeled on any possible business domain, type of risk or event; 44.4. data reflecting the activities of the undertaking in order to get a complex picture of its resilience to potential scenarios that could occur. 45. The undertaking must justify the choice of risk factors for testing and the results should be used to determine the undertaking's risk tolerance and set limits on exposures in order to substantiate strategic options for short and long-term business planning. 46. The board of the undertaking has ultimate responsibility for the institutional testing framework, and the executive body approves the way of designing the analyses and tests based on the determined scenarios, participates in the review and identification of potential crisis scenarios, and contributes to the implementation of risk mitigation strategies. 47. Both the board of the company and the executive body shall consider the results of the tests and the implications of the test results for the undertaking's risk appetite and limits, financial and own funds planning, contingency planning and remedial actions. The test results should be used in the company's portfolio management process, approval processes for new insurance products, and to support any other decision-making processes at the company. 48. The company must include the testing process as part of risk management and have clear reporting and communication lines in a comprehensive format. The process for reporting test results involves, at least, the following: 48.1. the test results must be reported to the governing bodies in time for appropriate action to be taken and with appropriate frequency; 48.2. the reports on test results should provide the governing bodies with an overview of the risks to which the undertaking is or might be exposed; 48.3. the reports on test results should draw attention to potential risks, present the main assumptions of the scenarios and provide recommendations for remedial measures or actions. 49. The governing bodies of the undertaking, in accordance with their competence, depending on the level of risk exposure determined by the tests, and depending on the objectives and risk tolerance set, shall apply some of the following measures, but not limited to: 49.1. the use of risk mitigation techniques; 49.2. the reduction in the exposures held by the undertaking in certain insurance classes, geographic regions and a review of the degree of diversification, provided that these exposures are sufficiently sensitive to possible adverse events; 49.3. the review of the financing plan; 49.4. the implementation of the way of remedying the identified deficiencies. 50. Decisions on measures taken under point 49 by the competent management body shall be reasoned and formalized. 51. Testing procedures should be reviewed periodically, based on the needs of the undertaking. 52. When reviewing test procedures, the undertaking must take into account at least the following: 52.1. the adequacy of the IT system to prepare, conduct and finalize the testing process; 52.2. whether the testing process has been integrated into the undertaking's risk management system;

9 52.3. whether the testing process is properly documented and the persons responsible have knowledge of the procedures for carrying out the tests. 53. Information on the tests results is presented to the governing bodies immediately after completion and is used to take appropriate decisions.

Section 4 Basic test requirements 54. When determining the frequency of the tests, the undertaking shall take into account, at least, the following: 54.1. objectives and purpose of the testing program; 54.2. significant changes in the environment in which the company operates or in its risk profile; 54.3. availability of internal data necessary to perform the tests. 55. The National Bank of Moldova shall have the right to require the undertaking to perform tests at a frequency other than the one established in item 54. 56. As part of the tests, the undertaking should also assess factors in the external environment that are outside the undertaking's control but which may have an impact on its financial stability. 57. If a company decides to use historical data for scenario-based analysis as part of the testing process, it should assess market developments as a result of the events in question, new products, risk mitigation techniques. 58. In testing, the undertaking establishes a testing period, in determining which the company takes into account the planned period of activity, as well as the possibilities over time of changing the tested situations. 59. The tests must be based on exceptional but admissible events. The tests may be simulated on scenarios that have not previously occurred and are intended to assess the applicability of the models to possible changes in the economic and financial environment. When choosing the tests, the undertaking must consider at least the following: 59.1. the tests must be performed at different degrees of severity and probability of occurrence; 59.2. the tests must be dynamic and include the simultaneous occurrence of multiple events across society. Development of a portfolio of hypothetical scenarios, including a scenario based on relevant historical developments of risk parameters; 59.3. in the case of historical scenarios, the tests shall be based on exceptional but plausible scenarios over a given period, using, where possible, data recorded over an entire economic cycle; 59.4. the undertaking needs to understand how severely its own funds can be affected by future profitability or lack of it and how it copes with a crisis situation such as the one being tested. 60. The performance of tests on the activities of an undertaking must include at least the following material risks, but not limited to: 60.1. concentration risk; 60.2. underwriting risk; 60.3. market risk; 60.4. operational risk; 60.5. credit risk; 60.6. liquidity risk; 60.7. other risks. 61. The sensitivity or scenario test must identify assumptions about how risk factors are likely to evolve and model a range of possible scenarios of varying degrees of severity. 62. The undertaking shall ensure that the change in the selected risk factors is sufficiently large in absolute and/or relative terms. 63. The scenario test must also anticipate exceptional shocks, but the scenario must be realistic, i.e. likely to materialize.

10 64. As part of the testing process, the undertaking considers the identification of the most severe scenario associated with a crisis or shock, the effects of which could affect the undertaking's financial stability. 65. In the testing process, the undertaking takes into account the following aspects, but not limited to: 65.1. related to underwriting risk: 65.1.1. price adequacy and uncertainties related to the pricing of new insurance products; 65.1.2. rapid growth or decrease of the insurance portfolio; 65.1.3. catastrophic events and latent damage; 65.1.4. possible exhaustion of the limits set in the reinsurance program; 65.1.5. scale and frequency of major damage claims; 65.1.6. outcome of legal claims; 65.1.7. influence of inflation; 65.1.8. adequacy of technical reserves; 65.1.9. changes in mortality, longevity and morbidity indicators; 65.1.10. changes in trends in the resolution of insurance contracts; 65.1.11. changes in the behavior of policyholders leading to a greater tendency to request complaints or disputes with an insurance undertaking; 65.1.12. other social, economic, legal or technological changes. 65.2. related to market risk: 65.2.1. a severe economic or market downturn; 65.2.2. the extent of incompatibilities between assets and liabilities; 65.2.3. reinvestment risk; 65.2.4. change in the interest rate curve. 65.3. related to operational risk: 65.3.1. the legal environment in which the undertaking operates and changes thereto; 65.3.2. information technology used in the activities of an undertaking; 65.3.3. internal structural changes, internal undertaking processes and procedures; 65.3.4. human factor; 65.3.5. the risk that contract terms are treated more broadly than expected; 65.3.6. risks associated with dependence on particular sales channels; 65.3.7. risks associated with purchasing services from third parties; 65.3.8. cyber risks; 65.3.9. climate risks; 65.3.10. sustainability risk; 65.3.11. risks related to the lack or omission of control procedures.