Region

Jurisdiction

Regulator

2024-09-26

Regulation on the system of governance of insurance or reinsurance undertakings

The National Bank of Moldova issued Decision No 241/2024 to approve a new regulation establishing comprehensive governance requirements for insurance and reinsurance undertakings. The regulation mandates that undertakings implement effective systems of cooperation, clear organizational structures, and robust risk management policies aligned with their business strategies. It further defines the specific duties of governing bodies, including the board and executive body, while setting minimum standards for specialized committees and key governance functions.

Moldova

National Bank of Moldova

NATIONAL BANK OF MOLDOVA

D E C I S I O N for the approval of the Regulation on the system of governance of insurance or reinsurance undertakings

No 241 of 26.09.2024 (in force as of 31.12.2024)

Official Monitor of the Republic of Moldova No 418 Art. 773 of 03.10.2024

UE Pursuant to Art.34 paragraph (5), Art.35 paragraph (9) letter e), Art.36 paragraph (16), Art.38 paragraph (4), Art.41 paragraph (4), Art.42 paragraph (1), Art.43 paragraph (8) letter a), Art.114 paragraph (3) and Art.116 paragraph (2) letter a) of Law No 92 /2022 on insurance or reinsurance activity (Official Monitor of the Republic of Moldova, 2022, No 129-133, Art.229), with subsequent amendments, the Executive Board of the National Bank of Moldova DECIDES:

The Regulation on the system of governance of insurance or reinsurance undertakings is hereby approved (attached).
This Decision shall enter into force on December 31, 2024. CHAIRMAN OF THE EXECUTIVE BOARD OF THE NATIONAL BANK OF MOLDOVA Anca-Dana DRAGU No 241. Chisinau, September 26, 2024.

Approved by the Decision of the Executive Board of the National Bank of Moldova No 241 of September 26, 2024

REGULATION on the system of governance of insurance or reinsurance undertakings

This Regulation partially transposes (transposes Art.258 - 259 (1) - (3), Art.260 point.1 (a)

(g) and point 1a, Art.266 - 269 point 1, Art.270 - 274 (1), Art.275) Commission Delegated Regulation (EU) 2015/35 of October 10, 2014 supplementing Directive 2009/138/EC of the European Parliament and of the Council on the taking-up and pursuit of the business of Insurance and Reinsurance (Solvency II), published in the Official Journal of the European Community L 012 of January 17, 2015 (CELEX: 32015R0035), as last amended by Commission Delegated Regulation (EU) 2021/1256 of April 21, 2021 amending Delegated Regulation (EU) 2015/35 as regards the integration of sustainability risks in the governance of insurance and reinsurance undertakings.

2 Chapter I GENERAL PROVISIONS

The Regulation on the system of governance of insurance or reinsurance undertakings lays down the general governance requirements, the powers and organization of the governing bodies of the undertaking, minimum requirements for systems, functions, and policies within the system of governance and reporting (hereinafter - the Regulation).
For the purposes of this Regulation, the term "undertaking" shall include the insurance undertaking or a reinsurance undertaking whose head office is situated in the Republic of Moldova, as well as branches of insurance or reinsurance undertakings from a third State. The provisions of the Regulation shall also apply at group level unless otherwise provided.
The terms and expressions used in the Regulation shall have the meanings stipulated in the Law No 92/2022 on insurance or reinsurance activity (hereinafter - Law No 92/2022), as well as in the normative acts of the National Bank of Moldova elaborated for its application.

Chapter II GENERAL REQUIREMENTS OF THE SYSTEM OF GOVERNANCE 4. The undertaking shall adopt appropriate measures concerning the application of a system of governance which ensures fair, efficient, and prudent management based on the principle of business continuity. 5. The undertaking fulfills the following requirements: 5.1. establishes, implements and maintains an effective system of cooperation, internal reporting and communication of information at all levels of the undertaking; 5.2. establishes, implements and maintains effective decision-making procedures and a transparent organizational structure in which the reporting lines are clearly defined, functions and responsibilities are allocated and the nature, scale and complexity of the risks inherent in the undertaking's activities are taken into account; 5.3. ensures that the members of the management body meet the requirements of knowledge, competencies, skills and professional experience in the relevant fields of activity which are necessary for prudent and professional management and supervision of the undertaking, in accordance with the normative acts of the National Bank of Moldova; 5.4. ensures that each member of the management body is of good repute and possesses the qualifications, competencies, skills and professional experience necessary for the performance of the tasks assigned to him/her, in accordance with the normative acts of the National Bank of Moldova; 5.5. ensures the employment of persons who possess the skills, knowledge and experience necessary for the proper fulfillment of the responsibilities assigned to them; 5.6. ensures that all staff are aware of the procedures for the proper fulfillment of their responsibilities; 5.7. ensures that the assignment of several tasks to persons and structural subdivisions of the undertaking (organizationally determined unit within which part of the duties, tasks and competences oriented towards the achievement of the undertaking's predetermined objectives are performed) does not prevent or risk preventing the persons concerned from performing a particular function seriously, honestly and objectively; 5.8. establishes information systems in such a way that they produce complete, reliable, clear, consistent, timely and relevant information on economic activities, commitments made and risks to which the undertaking is exposed; 5.9. keeps an adequate and orderly record of the activity and internal organization of the undertaking; 5.10. ensures the security, integrity and confidentiality of information, taking into account the nature of the information in question;

3 5.11. ensures that clear reporting lines are in place to ensure that information is transmitted promptly to all those who need it, in a way that enables them to recognize the importance of that information to their respective responsibilities; 5.12. ensures the adoption of the general principles of remuneration policy. 6. In the risk management, internal control, internal audit and, where relevant, outsourcing policies, the undertaking clearly sets out the relevant responsibilities, objectives, processes and reporting procedures to be applied, all of which are in line with the undertaking 's business strategy. 7. The undertaking shall establish, implement, and maintain a business continuity policy to ensure, in the event of disruption of its systems and procedures, the preservation of data and core functions and the maintenance of insurance and reinsurance activities or, where this is not possible, the timely recovery of such data and functions and the resumption of insurance or reinsurance activities. 8. The undertaking shall have an organizational structure and an operational structure designed to support the strategic objectives, activities, and operations of the undertaking. Those structures shall be adapted to changes in the strategic objectives, activities, and operations of the undertaking or in the business environment over an appropriate period of time. 9. The undertaking shall establish, implement, and maintain appropriate policies/strategies, rules and procedures to ensure that senior management, key function personnel and employees conduct their business in a prudent and professional manner and continuously meet the requirements of training, professional competence and integrity (good repute) as required by law. 10. The undertaking shall monitor the adequacy and effectiveness of its system of governance, assess it regularly, and take appropriate measures to remedy any shortcomings. 11. In policies addressing the risk management, internal audit, compliance and actuarial functions, the undertaking shall also clearly and understandably establish the position, duties and powers of these functions. 12. In assessing the competence of a person, the undertaking shall evaluate that person's qualifications, knowledge, professional and formal experience in insurance, other financial or other areas of activity, and shall take into account the duties assigned to that person and, where relevant, that person's insurance, financial, accounting, actuarial and risk management skills. 13. In verifying the competence of the members of the management body, the undertaking shall take into account the duties assigned to the different members, aimed at ensuring an appropriate diversity of qualifications, in terms of qualifications, relevant knowledge and experience, with a view to ensuring that the undertaking is managed and supervised in a professional manner. 14. In verifying the integrity (trustworthiness) of a person, the undertaking shall assess that person's honesty and financial soundness on the basis of evidence of character, personal conduct and business conduct, including any criminal, financial or auditing matters that are relevant to the assessment. 15. The undertaking which outsources or proposes to outsource certain functions or activities to a service provider shall establish a written outsourcing policy taking into account the normative act of the National Bank of Moldova on outsourcing of functions and activities related to insurance or reinsurance activity by the undertaking.

Chapter III ROLE AND COMPOSITION OF GOVERNING BODIES AND SPECIALIZED COMMITTEES

Section 1 Role and responsibilities of the governing bodies

4 16. The undertaking shall determine the structure and composition of its governing bodies and its system of governance, taking into account the nature, scale and complexity of the inherent risks, in accordance with the undertaking's business strategy and activities. 17. The duties and responsibilities of the governing bodies must be explicitly determined and must be expressly and effectively allocated between the board and the executive body. 18. The meetings of the undertaking's board, as the case may be, of the executive body, and their frequency, must be organized in such a way as to ensure the thorough examination of undertaking problems and a critical debate on the subjects in order to maintain the effectiveness of their activity. 19. The undertaking shall ensure that the minutes of the meetings of the governing bodies include full information on the examination of issues and discussion of topics, including the main theses of the speeches of people on the agenda, with the indication of their name and all proposals/opinions of the members of the governing bodies. 20. The undertaking is obliged to include in the primary internal regulations provisions on the employment and election of members of the executive body and the re-election of existing ones, in such a way as to ensure the functionality of the executive body. 21. The board of the undertaking and the executive body must interact and exchange sufficient information to enable them to adequately fulfill their entrusted duties and responsibilities. 22. The board of the undertaking and the executive body shall communicate with stakeholders on the basis of a communication system that complies at least with the following requirements: 22.1. ensuring fair treatment for shareholders and stakeholders; 22.2. timely communication of information; 22.3. ensuring a transparent communication framework.

Section 2 Responsibilities of the board of the undertaking 23. The structure and composition of the board of the undertaking shall be determined in accordance with the requirements of the law so that it can effectively fulfill its obligations. 24. The board of the undertaking shall adopt and review, at least once a year, the general principles of the remuneration policy in accordance with Article 35 paragraph (9) letter f) of Law No 92/2022. 25. The board of the undertaking is responsible for the prudent and correct management of the undertaking, for the fulfillment of the set objectives, for the adoption of the undertaking's business strategy and is obliged, on the basis of formal and transparent provisions, to carry out the assessment of the undertaking's financial position. 26. The board of the undertaking shall establish relevant criteria for the supervision of the activity of the executive body and the undertaking as a whole. 27. The board of the undertaking shall supervise the activity of the executive body, monitoring its actions to ensure that they are in line with the undertaking's business strategy and policies/strategies, by examining the information provided by the executive body and the compliance, internal audit, risk management and actuarial functions and by meeting regularly with the executive body and the heads of those functions. 28. The board of the undertaking shall be responsible for ensuring that there is an adequate framework for verifying the application of the legislation on reporting to the National Bank of Moldova and an appropriate framework for verifying the information submitted, at its request, on certain actions taken by the undertaking. 29. The board of the undertaking shall review the adequacy, effectiveness and updating of the risk management system for the efficient management of the assets held by the undertaking and the management of the related risks to which the undertaking is exposed.

5 30. The board of the undertaking shall ensure compliance with the requirements related to the outsourcing of functions or activities, both prior their performance and throughout the entire duration of such outsourcing. 31. The board of the undertaking in order to comply with legislation approves primary internal regulations such as: statute, strategies, codes, policies, regulations and other internal regulations for managing the undertaking's activity and the risks to which it is exposed. 32. The board of the undertaking may, depending on the nature, scale and complexity of the risks inherent in the undertaking 's activity, constitute specialized committees which may issue recommendations to the board.

Section 3 Organization of the specialized committees of the undertaking’s board 33. The specialized committees referred to in point 32 shall support the undertaking's board in certain specific areas and contribute to the development and improvement of the governance system of undertaking. 34. The undertaking's board may decide on the number and structure of specialized committees to facilitate its own activities. The existence of committees does not relieve the undertaking's board from fulfilling its duties and responsibilities. 35. The duties, functions and responsibilities of the specialized committees shall be laid down in the primary internal rules of procedure, which shall correspond to the provisions of the Regulation. 36. The chairman of the specialized committee shall be appointed by the undertaking's board from among the elected members of the committee. 37. The undertaking shall ensure that specialized committees: 37.1. have access to all relevant information and data necessary to carry out their tasks and responsibilities; 37.2. receive regular reports and information as necessary, communications and opinions from the functions of the governance system in order to carry out their assigned responsibilities; 37.3. periodically review and decide on the content, format and frequency of risk information to be reported to them; 37.4. ensure appropriate involvement of the governance system functions and other relevant functions in their specific areas of expertise and/or seek advice from external experts as necessary. 38. The specialized committees shall report to the board of the undertaking, at least annually, in the manner laid down in the primary internal regulations, on the activity carried out.

Section 4 Responsibilities of the executive body 39. The undertaking's executive body is responsible for the management and smooth running of the undertaking's activities, including the implementation of policies/strategies and the achievement of objectives. To this end, the executive body is obliged to ensure the proper implementation of the system of governance of the undertaking, to develop and approve, as appropriate, secondary internal regulations such as: instructions, procedures, guidelines, manuals, or other acts to implement the provisions of the primary internal regulations. 40. The executive body cannot take decisions that are contrary to the policies/strategies of the undertaking approved by the board of the undertaking. 41. The executive body must know and understand the organizational structure of the undertaking, the risks it generates to ensure the performance of activities, in accordance with the business strategy of the undertaking, risk appetite and undertaking’s policies/strategies approved by the undertaking’s board.

6 42. The executive body shall provide the board with qualitative and quantitative information in a timely manner, at its request or on its own initiative as a result of the fulfilment of the responsibilities for the implementation of the governance system.

Chapter IV MINIMUM REQUIREMENTS CONCERNING SYSTEMS, FUNCTIONS AND POLICIES WITHIN THE GOVERNANCE SYSTEM

Section 1 Risk management system 43. The undertaking shall establish, implement, and maintain a risk management system comprising the undertaking's primary internal rules and secondary internal rules, distinguishing between general rules applicable to all staff and specific rules applicable to certain categories of staff and which must include, as a minimum, the following: 43.1. a clearly defined risk management policy that is aligned with the undertaking's business strategy. That policy shall state its basic objectives and principles, including the reporting processes and procedures necessary to identify, assess, monitor, manage and report, on an ongoing basis, the risks to which the undertaking is exposed or may be exposed, and their interdependencies, approved risk tolerance limits and the assignment of responsibilities in all the undertaking's activities; 43.2. a clearly defined procedure for the decision-making process; 43.3. written procedures that effectively define and categorize the significant risks to which the undertaking is exposed and the approved tolerance limits for each type of risk. Through those procedures, the undertaking shall apply the undertaking 's risk management system, facilitate control mechanisms taking into account the nature, scope and time horizon of the activity and associated risks; 43.4. procedures and reporting processes which ensure that information about the significant risks facing the undertaking and the effectiveness of the risk management system are actively monitored and reviewed, and that, where necessary, appropriate changes are made to the system. 44. The undertaking shall ensure that senior management and key management personnel take into account the information reported under the risk management system in their decisionmaking process. 45. The undertaking shall include in the risk management system, where appropriate, the performance of tests for the assessment of the ability to maintain financial stability and scenario analysis on all relevant risks faced by the undertaking, in accordance with the normative acts of the National Bank of Moldova on the internal assessment of own risks and solvency by the insurance or reinsurance undertaking and the requirements on the performance of tests for the assessment of the ability to maintain financial stability. 46. The risk management policy will include provisions to ensure the development and approval of a risk management plan, internal risk management procedures, procedures for monitoring the implementation of risk management measures and will include, and at least: 46.1. the risk categories and the methods for their assessment; 46.2. how the undertaking carries out the management of each risk category and possible risk concentrations; 46.3 the linkage of the assessment of solvency needs, as identified in the internal own risk and solvency assessment, with capital requirements and risk tolerance limits; 46.4. the risk tolerance limits within risk categories according to risk appetite; 46.5. the frequency and description of the content of tests to assess the ability to maintain financial stability and the situations that would justify the conduct of other types of tests.

7 47. The undertaking shall identify the risk profile, determining the objectives for each risk and ensure systematic monitoring of compliance with the established risk management policy and procedures, as well as reporting, where applicable, to the appropriate body of the breaches found and their remediation. 48. The undertaking has an adequate information sharing system in place to identify, assess, monitor, and document risks on an ongoing basis both at undertaking level and at the level of its structural subdivisions, which includes reporting of risk exposures for decision making on the risks assumed by the undertaking. 49. The undertaking is obliged to prudently analyze new classes/types of insurance, markets or activities and ensure that these, significant changes in the characteristics of existing classes/types of insurance and major risk management initiatives are approved by the authorized body, to have in place internal tools and staff with appropriate experience to understand, manage and monitor the associated risks. 50. In the event of a high level of risk exposure and/or the use of non-compliant risk management methods, the undertaking shall take remedial measures, as appropriate, relating to: 50.1. the improvement of information and risk exposure estimation systems; 50.2. reducing the level of risk; 50.3. the application of other measures or a combination of these measures depending on the actual situation, state and conditions existing in the undertaking.

Section 2 Areas of risk management 51. In order to have an effective risk management system in the risk management policy the undertaking regulates the following areas: 51.1. underwriting risks, building up and placing technical provisions; 51.2. asset-liability management; 51.3. investment risk management; 51.4. market, credit, liquidity and concentration risk management; 51.5. operational risk management; 51.6. reinsurance and other risk mitigation techniques. 52. Risk underwriting, constitution, and placement of technical provisions, including: 52.1. the measures to be taken by the undertaking to assess and manage the risk of loss or adverse change in the value of insurance and reinsurance liabilities resulting from inappropriate premium-setting and reserving assumptions due to internal or external factors, including sustainability risks; 52.2. the sufficiency and quality of the relevant data to be taken into account in the underwriting and reserve calculation processes, as required by Article 69 of Law No 92/2022, as well as the consistency of this data with the sufficiency and quality standards; 52.3. the appropriateness of claims handling procedures, including the extent to which they cover the overall claims cycle; 52.4. the types and characteristics of insurance business, such as the type of insurance risk the undertaking is willing to take; 52.5. the way to ensure the adequacy of the level of premium income to cover estimated damage and expenses; 52.6. the identification of risks arising from insurance obligations, including options and guaranteed surrender values included in products; 52.7. how, in the process of developing a new insurance product and calculating the premium, the undertaking takes into account the investment regulations; 52.8. how, in the process of developing a new insurance product and calculating the premium, the undertaking takes into account reinsurance or other risk minimization techniques.

8 53. The management of assets and liabilities sets out the way they are managed by the undertaking and includes: 53.1. the description of the structural mismatch between assets and liabilities and in particular the mismatch between those assets and liabilities in terms of duration; 53.2. any dependencies between risks in different classes of assets and liabilities; 53.3. any dependency between the risks of different obligations arising out of insurance and reinsurance contracts; 53.4. any off-balance sheet exposure of the undertaking; 53.5. the effect of relevant risk mitigation techniques on asset and liability management; 53.6. the description of the procedure for identifying and assessing various mismatches between assets and liabilities, at least in terms and currency; 53.7. the description of the risk mitigation techniques used and their expected effect on assetliability management; 53.8. description of intentional admitted non-conformities; 53.9. description of the methodology and frequency of tests for assessing the ability to maintain financial stability and the scenario-based analysis to be carried out. 54.1. the measures taken by the undertaking to ensure that the undertaking 's investments comply with the requirements set out in Article 75 of Law No 92/2022; 54.2. the measures taken by the undertaking to ensure that the undertaking 's investments take into account the nature of activity, its approved risk tolerance limits, its solvency position and its long-term risk exposure; 54.3. the internal credit risk assessment of investment counterparties that the undertaking carries out; 54.4. where the undertaking uses derivatives or other financial instruments with similar characteristics or effects, the objectives of their use and the strategy underlying their use, how they facilitate efficient portfolio management or contribute to a particular risk mitigation, as well as the procedures for assessing the risk of such instruments and the risk management principles applicable to them; 54.5. where appropriate, to ensure effective risk management, internal quantitative limits on assets and exposures, including off-balance sheet exposures; 54.6. the measures to be taken by the undertaking to ensure that the risks to which the investment portfolio is exposed are properly identified, assessed, and managed. 55. With regard to investments, the undertaking shall provide at least the following: 55.1. the level of safety, quality, liquidity and profitability that it expects to achieve with respect to the entire portfolio of assets and how it intends to achieve it; 55.2. the quantitative limits on the assets and exposures, including off-balance sheet exposures, set to ensure that the undertaking achieves the expected level of safety, quality, liquidity, profitability and availability for the portfolio; 55.3. the level of availability the undertaking is aiming for in respect of the entire portfolio of assets and how it intends to achieve it; 55.4. consideration of the financial market environment; 55.5. the interdependence between market risk and other risks under adverse scenarios; 55.6. the procedure for assessing and verifying the adequacy of investments; 55.7. procedures for monitoring investment return and reviewing the strategy when necessary; 55.8. the way assets are selected in the best interests of policyholders, insured and reinsured persons, beneficiaries of insurance and injured third parties. 56. The undertaking shall not rely exclusively on information provided by third parties. In particular, the undertaking will develop its own set of key indicators compatible with the undertaking's investment strategy and business strategy.

9 57. When making investment decisions, the undertaking takes into account the risks associated with the investments. 58. Before making investments or investment activities of a non-recurring nature, the undertaking shall assess at least: 58.1. its ability to carry out and manage investments or investment activity; 58.2. the risks specifically related to the investments or investment activity and their impact on the undertaking's risk profile; 58.3. the consistency of the investment or investment activity with the interests of policyholders, insured persons, reinsurers, beneficiaries of insurance and injured third parties, the restrictions on the obligations set by the undertaking and the efficient portfolio management; 58.4. the impact of investment or investment activity on the quality, security, liquidity, profitability and availability of the entire portfolio. 59. The undertaking shall ensure that it has procedures in place requiring that, in the event of significant risk or a change in the risk profile of the undertaking's investments or investment activity, the undertaking's risk management function shall communicate the risk or change in the undertaking's risk profile to the undertaking's board. 60. The undertaking shall regularly assess the security, quality, liquidity and profitability of the entire portfolio taking into account at least the following: 60.1. the constraints related to obligations, including guarantees to contractors/policyholders, as well as the contractual terms and conditions and, where applicable, the reasonable expectations of contractors/policyholders; 60.2. the level and nature of risks which the undertaking is willing to accept; 60.3. the level of diversification of the whole portfolio; 60.4. asset characteristics, including: 60.4.1. credit quality of counterparties; 60.4.2. liquidity; 60.4.3. tangibility; 60.4.4. durability; 60.4.5. the existence and quality of collateral or other assets securing the assets; 60.4.6. the degree of net indebtedness or the strike of charges; 60.4.7. tranches; 60.4.8. events that could change the characteristics of the investments, including guarantees, or affect the value of the assets; 60.4.9. issues relating to the location and availability of assets, including: 60.4.9.1. nontransferability; 60.4.9.2. legal issues in other states; 60.4.9.3. currency measures; 60.4.9.4. risk associated with the depositary. 61. The undertaking shall set the levels of income it seeks to obtain from investments, taking into account the need to earn a consistent return on portfolios of assets in order to meet reasonable obligations towards the insured. 62. Market risk management shall comprise at least: 62.1. procedures for determining acceptable levels for all risks, taking into account the types of investments allowed the quality and quantity acceptable on each type of investment, and for currency risk will be taken into account the currency; 62.2. procedures for identifying, assessing and monitoring risks, and determining the types of instruments and activities allowed for the undertaking to manage its exposures to market risk, including the characteristics and purposes of their use. 62.3. control processes for managing market risk in accordance with the undertaking's internal regulations;

10 62.4. approval procedures and notification processes for exceptions to market risk policies and the rationale for their necessity. 63. The undertaking shall establish market risk limits, approved by the board of the undertaking, which correspond to its absorptive capacity, the size and complexity of its activity and/or the transactions it undertakes, and that reflect all material market risks. 64. The undertaking shall analyze the results of stress tests, have contingency plans in place, where appropriate, and validate or test the systems used to quantify market risk. The approaches used by the undertaking shall be integrated into market risk management and the results shall be taken into account in the undertaking's business strategy. 65. Currency risk shall be managed by the undertaking for all on-balance-sheet and offbalance-sheet assets and liabilities in national and foreign currencies, including those linked to foreign exchange rates. 66. Credit risk management shall take into account the risk appetite and risk profile of the undertaking as well as market and macroeconomic conditions. This includes management procedures for the identification, assessment, monitoring and control of credit risk in a timely manner. 67. The liquidity risk management shall include: 67.1. the measures taken by the undertaking to take account of both short-term and longterm liquidity risks; 67.2. the appropriateness of the composition of the assets in terms of their nature, duration and liquidity to meet the undertaking's obligations as they fall due. 67.3. a plan to deal with changes in expected cash inflows and outflows; 67.4. the procedure for determining the level of the timing mismatch between cash inflows and outflows on assets and liabilities, including estimated cash flows from direct insurance and reinsurance, such as damages, resolutions or redemptions; 67.5. the assessment of the overall liquidity needs in the short and medium term, including an adequate liquidity fund in the event of a liquidity shortfall; 67.6. the assessment of the level and monitoring of liquid assets, including quantification of the potential costs or financial losses arising from a forced transformation of assets into liquid assets; 67.7. identification and cost of alternative funding instruments; 67.8. consideration of the effect of planned new activities on the liquidity situation. 68. Concentration risk management shall include: 68.1. measures taken by the firm to identify relevant sources of concentration risk with a view to keeping risk concentrations within established limits; 68.2. measures to analyze possible contagion risks between concentrated exposures; 69. Operational risk management shall include measures taken by the undertaking to assign clear responsibilities for the identification, recording and regular monitoring of relevant operational risk exposures; 70. The undertaking shall ensure that it has processes in place to identify, analyze and report operational risk events. To this end, the undertaking must develop a process for collecting and monitoring operational risk events. 71. The management referred to in point 69 shall include: 71.1. the internal activities and processes for identifying the operational risks to which it is or might be exposed and determining how to minimize those risks; 71.2. the internal activities and processes for the management of operational risks, including the information system on which they are based; 71.3. the risk tolerance limits in respect of key areas of operational risk. 72. For the purpose of operational risk management, the undertaking shall develop and analyze an appropriate set of operational risk scenarios based, as a minimum, on the following approaches:

11 72.1. failure of a key process, system, or personnel errors; 72.2. occurrence of external events. 73. The reinsurance and other insurance-related risk mitigation techniques shall include: 73.1. the measures taken by the undertaking to ensure the selection of appropriate reinsurance and/or other risk mitigation techniques; 73.2. the measures taken by the undertaking to assess which types of risk mitigation techniques are appropriate based on the nature of the risks assumed and the undertaking's ability to manage and control the risks associated with those techniques; 73.3. the own credit risk assessment of risk mitigation techniques carried out by undertakings; 73.4. the internal activities and processes to identify the appropriate level of risk transfer for the defined risk limits and the most appropriate types of reinsurance contracts given the risk profile; 73.5. the principles for selecting counterparties that minimize risk and the procedures for assessing and monitoring of the credit and their diversification; 73.6. the procedures for assessing the actual risk transfer; 73.7. the liquidity management procedures to manage the time lag between the payment of claims and the recovery of reinsurance amounts. 74. The undertaking shall integrate sustainability risks in the areas referred to in points 52 and 54 and, where appropriate, in the other areas of risk management referred to in this Section. 75. The undertaking shall develop and approve, on an annual basis, a risk management plan covering each type of risk to which the undertaking is exposed, internal risk management procedures and procedures for monitoring the implementation of risk management measures in accordance with this Section.

Section 3 Internal control system 76. The undertaking shall establish and implement its own internal control system, capable of ensuring the efficient management of the undertaking, the fair and prudent conduct of its business, compliance with the provisions of the legislation, as well as the protection of the interests of policyholders, insured persons, reinsureds, beneficiaries of insurance and injured third parties. 77. The objectives of internal control are to establish adequate administrative and accounting procedures, to disclose and report information at all levels, to identify and assess the risks to which the insurance or reinsurance activity is or might be exposed, and to assess and verify compliance with risk management requirements relating to technical provisions, solvency ratio and liquidity ratio requirements, minimum capital requirements and investments. 78. When developing, organizing and implementing the internal control system, the undertaking shall determine the scope and type of internal control procedures to be implemented. 79. The internal control system shall ensure at least the following: 79.1. activities are planned and conducted fairly, prudently and effectively; 79.2. activities are carried out and commitments are fulfilled within the limits of the professional and functional competencies of the members of the governing body and the staff of the undertaking; 79.3. the governing bodies are able to ensure the assessment and verification of fulfillment with risk management requirements relating to technical provisions, solvency ratio requirements, liquidity ratio requirements, minimum capital requirements and investments, the existence of measures to minimize the risk of losses, violations and fraud, errors, as well as measures to identify them; 79.4. the governing bodies are able to ensure the preparation of complete and correct reports in accordance with the regulatory acts and reflect the information truthfully, completely and timely in the undertaking's books.

12 80. The internal control system shall ensure the undertaking's compliance with regulatory and administrative acts, the effectiveness and efficiency of the undertaking's operations in the light of its objectives, and the availability and reliability of financial and non-financial information. 81. The undertaking must have both effective systems and controls to ensure that its estimates for asset and liability valuation purposes are reliable and appropriate to ensure compliance with Article 57 of Law 92/2022, as well as a process to regularly confirm that market prices or valuation model inputs are appropriate and reliable. 82. The undertaking shall establish, apply, maintain and document clearly defined policies and procedures for the valuation process, including the description and definition of the roles and responsibilities of the personnel involved in the valuation, the relevant valuation models and the sources of information to be used. 83. At the request of the National Bank of Moldova, the undertaking shall engage the services of an independent entity to perform a valuation or a value review of significant assets and liabilities. 84. Within the internal control system of the valuation of assets and liabilities the undertaking shall meet the following requirements: 84.1. to allocate sufficient resources, in terms of both quality and quantity, for the development, calibration, approval and review of valuation methods used for solvency purposes; 84.2. to establish internal control processes that include the following elements: 84.2.1. to ensure regular review and verification by an independent entity of the information, data and assumptions used in the valuation method, the results of the valuation method and the appropriateness of the valuation method; 84.2.2. to ensure the supervision by the persons with management positions, both of the internal processes for approving those valuations and the process in place for considering any independent assessment or verification of the value of significant assets or liabilities. 85. The control activities shall be proportionate to the risks arising from the activities and processes under control. 86. The undertaking must have procedures for disclosing information by ensuring its confidentiality and reporting at all levels. 87. Information systems must ensure information security, independently monitored and supported by appropriate contingency plans. 88. In order to establish a solid process of managing the business continuity, the undertaking will analyze its exposure to prolonged business interruptions and will evaluate, quantitatively and qualitatively, their potential impact, by using internal and/or external data and scenario analysis. 89. Based on the analysis provided in point 88, the undertaking must have: 89.1. contingency and business continuity plans to ensure that it reacts appropriately to emergencies and is able to maintain its most important activities if there is a disruption to business processes; 89.2. recovery plans or financing plans in situations of financial distress to enable it to return to normal business procedures within an appropriate period of time. Any residual risk from any business interruption must be within the undertaking's risk tolerance/risk appetite.

Section 4 Organization of functions within the governance system

Subsection 1 General provisions on functions 90. This section shall apply to the risk management function, the compliance function, the internal audit function and the actuarial function (hereinafter - functions). 91. The undertaking shall incorporate the functions and their hierarchical order in the organizational structure in such a way as to ensure that each function avoids any influence that

13 might compromise the ability of the person occupying that function to perform his or her duties objectively, honestly and independently. Each function shall operate under the ultimate responsibility of the board of the undertaking, be subordinate to it and, where appropriate, cooperate with the other functions in the performance of their tasks. 92. Persons performing a function shall have the right to communicate on their own initiative with any employee of the undertaking and shall have the necessary authority, resources and expertise, as well as free access to all relevant information necessary for the fulfillment of their responsibilities. 93. The risk management, compliance and actuarial functions should be audited by the internal audit function. 94. The risk management function and the compliance function may be combined, but the internal audit function cannot be combined with another function within the governance system. 95. If the undertaking is a branch of an undertaking in a third country, the functions shall comply with the principles laid down by the undertaking in the country of origin, provided that the requirements laid down by national law are complied with. 96. The functions must have access to sufficient financial and human resources to fulfill their role. They must have a sufficient number of qualified staff and receive training, where appropriate. 97. The functions must have appropriate information systems and support in place, with access to the internal and external information needed to fulfill their responsibilities. They must have access to all necessary information on all lines of risk-bearing activities, in particular those that may generate significant risks to the undertaking. 98. The functions must be independent. For this, the following criteria must be respected: 98.1. the staff of the functions do not perform operational tasks that fall within the scope of the activities that the functions are intended to monitor and/or control; 98.2. they are organizationally separate from the activities they are charged with monitoring and/or controlling; 98.3. without prejudice to the overall responsibility of the members of the management body for the undertaking, the head of the function should not be subordinate to a person who is responsible for the administration of the activities that the function monitors and controls within the governance system; 98.4. the remuneration of the staff exercising functions should not be correlated to the performance of the activities that the function monitors and/or controls and should not thereby compromise their objectivity. 99. The heads of function must be appointed by the board and cannot be dismissed without the prior approval of the board of the undertaking. 100. The board of the undertaking must give the heads of function the authority and status necessary to fulfill their responsibilities and ensure their independence from the business lines and structural subdivisions they control. To this end, the heads of the function are directly accountable to the board of the undertaking. 101. The heads of function must report promptly and directly to the board of the undertaking any problem that affects or could affect the undertaking's activity. 102. The performance of the functions of the governance system should be assessed by the board of the undertaking. 103. The undertaking must have documented processes in place for assigning the position of a head of a function or for withdrawing their responsibilities. 104. The risk management function and the compliance function should be involved in the approval of classes/types of insurance or significant changes to them, existing processes and systems. Their contribution must include a full and objective assessment of the risks arising from the new classes/types of insurance, under a variety of scenarios, any potential shortcomings in risk management and internal control policy, and the undertaking's ability to manage any new risk effectively. The risk management function must have a clear vision and perspective on the

14 introduction of new classes/types of insurance or significant changes thereof, existing processes and systems, and the ability to seek approval of changes to these classes/types at the governing body level.

Subsection 2 Risk management function 105. The undertaking must have a risk management function, whose independence in activity will be ensured by reporting directly to the undertaking's board. 106. The risk management function must be appropriate in relation to the nature, scale and complexity of the business carried on by the undertaking and consider the nature, scale and complexity of the various risks to which the undertaking is exposed. 107. The risk management function shall have the right of access to the information and processes deemed necessary to achieve the objectives and shall not be involved in the conduct or record keeping of the undertaking's transactions and/or operations. 108. The board of the undertaking ensures that the risk management function is actively involved at an early stage in the development of the undertaking's business strategy and ensures that the it has effective risk management processes in place. 109. The risk management function must provide the board of the undertaking with all relevant risk information to enable the board to determine the undertaking's risk appetite. The risk management function shall assess the soundness and sustainability of the risk management policy and risk appetite. 110. The risk management function will be responsible for at least the following: 110.1. identifying the risks to which the undertaking is exposed, measuring, evaluating and monitoring those risks and the undertaking's actual exposure to those risks; 110.2. determining the capital and liquidity position in the context of the risks to which the undertaking is exposed; 110.3. monitoring and assessing the consequences of accepting certain risks, mitigating their impact and corresponding the level of risks to the level of risk tolerance; 110.4. reporting to the board and issuing relevant recommendations. 111. The risk management function has the following tasks: 111.1. assisting the governing bodies and other key functions in the risk management activity; 111.2. monitoring the risk management system; 111.3. monitoring the overall risk profile of the undertaking as a whole; 111.4. providing detailed reports on risk exposures and advising governing bodies on risk management issues; 112. The role of the risk management function in identifying, quantifying, assessing, managing, mitigating, monitoring and reporting risks consists of the following: 112.1. to ensure that all risks have been properly identified, assessed, quantified, monitored, managed and reported by the relevant structural subdivisions of the undertaking; 112.2. to ensure that risk identification and assessment are not based solely on quantitative information or risk type results, but also take into account qualitative approaches, and keep the governing bodies informed of the assumptions used and possible shortcomings for each risk type and of the risk analysis; 112.3. to ensure that more favorable terms than those generally available to other persons are avoided in transactions with affiliated persons and that the risks they pose to the undertaking are properly identified and assessed; 112.4. to regularly monitor the undertaking's actual risk profile and examine it against strategic objectives and risk appetite; 112.5. to analyze trends and identify new or emerging risks and to analyze the escalation of risks arising from changing circumstances;

15 112.6. to periodically review actual risk results against previous estimates to assess and improve the accuracy and effectiveness of the risk management process; 112.7. to assess insurance risk mitigation techniques. 112.8. to ensure that tests are carried out to assess the ability to maintain financial stability and that appropriate scenarios are applied, taking into account the necessary management actions. 112.9. to ensure the effective triggering and performance of a run of the own risk and solvency assessment process is facilitated on a periodic, annual or more frequent basis as a result of an event triggering the own risk and solvency assessment process. 113. The risk management function shall coordinate the internal assessment of the undertaking's own risks and solvency, the risk management function shall coordinate the evaluation and reporting process, which shall ensure that both the information about the significant risks faced by the undertaking and the effectiveness of the risk management system are actively monitored and analyzed and that, where necessary, appropriate changes are made to the system. 114. The risk management function will work continuously with the undertaking's board and the board's specialized committees to make decisions regarding the undertaking's exposure to risk. The risk management function shall report as necessary to the undertaking 's board on the significant risks to which the undertaking is exposed and the techniques to mitigate them. 115. The risk management function will independently assess breaches of risk appetite or limits, including ascertaining the cause and carrying out a legal and economic analysis of the real cost of excluding, reducing or hedging the exposure in relation to the potential cost of maintaining it, informing the structural subdivisions concerned and the board of the undertaking, and recommending possible remedies. The risk management function shall report directly to the board of the undertaking when a breach is material, without prejudice to the fact that the risk management function reports to other/informs other specialized functions and committees. 116. Prior to deciding on significant changes, the risk management function shall engage in assessing the impact of such changes on the overall risk of the undertaking, assess how the identified risks may affect its ability to manage its risk profile, liquidity and own funds under normal and adverse conditions, and report its findings directly to the board of the undertaking. 117. The undertaking must employ staff in the risk management function who have sufficient experience and knowledge, including knowledge of the market, products, risk management techniques and procedures, and have access to regular training. 118. The head of the risk management function shall report to the board of the undertaking on developments that are contrary to the risk tolerance set out in the undertaking's policies/strategies and shall communicate this to the executive body and, where appropriate, to the audit committee. 119. The head of the risk management function shall have the necessary ability to supervise the undertaking's risk management activities. 120. The head of the risk management function must have the ability to analyze and manage risks in a clear and understandable manner on key risk-related topics.

Subsection 3 Compliance function 121. The undertaking must have a distinct compliance function whose independence in its activities is ensured by reporting directly to the undertaking's board. 122. The compliance function shall establish a policy and a compliance plan within the undertaking. The compliance policy shall define the responsibilities, powers and reporting obligations of the compliance function. The compliance plan shall set out the planned activities of the compliance function taking into account the relevant areas of the undertaking's activities and their exposure to compliance risk. 123. The compliance function will review the adequacy of the measures taken by the undertaking to prevent non-compliance.

16 124. The role of the compliance function is to advise the governing bodies on the compliance of the business with the principles and legislation governing the insurance or reinsurance business, with internal regulations, by providing information related to changes in this area, identifying and assessing the risk of compliance of the undertaking's operations with the relevant regulations and other commitments, as well as notifying the governing bodies of this fact and assessing the impact that changes in the regulatory framework may have on the insurance or reinsurance business. 125. The compliance function has no powers in the direct conduct of insurance or reinsurance business. 126. The head of the compliance function shall report, at least annually, to the board of the undertaking on the identification and risk assessment of the compliance of the undertaking's operations with the relevant regulations and other commitments, and the assessment of the impact that changes in the regulatory framework may have on the insurance or reinsurance business. 127. The responsibilities of the compliance function must be carried out on the basis of a plan that comprises at least: 127.1. implementing and reviewing specific policies/strategies and procedures; 127.2. assessing compliance risk, testing and informing undertaking staff on compliance issues; 127.3. verification of the compliance of new classes/types of insurance and new procedures with the regulatory framework and its amendments included in the adopted normative acts, the provisions of which will become applicable at a later stage; 127.4. the development and application of compliance risk assessment methodologies using performance indicators, which will be developed by processing, aggregating or filtering data indicating potential compliance issues. 128. Compliance staff have the following rights: 128.1. to communicate with any employee of the undertaking and have access to any records, information or documents necessary to enable him/her to fulfill his/her responsibilities; 128.2. to conduct investigations into possible breaches of the compliance policy and to disclose the findings without hindrance to the undertaking's board; 128.3. to propose recommendations in order to correct non-compliance situations. 129. If, in the course of investigations, irregularities or breaches of the compliance policy are found, the head of the compliance function shall immediately report to the undertaking's board and inform the executive body. 130. The compliance function staff must have the necessary qualifications, relevant experience, personal and professional qualities and professional experience to perform these specific activities. They must also have a good knowledge of the law and professional and ethical standards.

Subsection 4 Internal audit function 131. The head of the internal audit function may not be a person affiliated with the undertaking, except for affiliation determined by the head of the internal audit function. 132. The undertaking is responsible for ensuring that the internal audit function does not perform other operational functions and is not improperly influenced by other functions. 133. When carrying out an audit and reporting audit results, the undertaking shall take steps to ensure that the internal audit function is not influenced by the governing bodies, which could affect its independence and impartiality. 134. The internal audit function is responsible for the following tasks: 134.1. establishing, implementing and maintaining an internal audit plan setting out the audit activities to be undertaken in the coming years, taking into account all the undertaking's activities and its system of governance; 134.2. adopting a risk-based approach in setting priorities;

17 134.3. informing the board of the undertaking about the internal audit plan; 134.4. formulating recommendations based on the results of the activity carried out in accordance with sbp.134.1. and submitting a written report on its findings and recommendations to the undertaking’s board at least once a year; 134.5. verifying compliance with the decisions taken by the board of the undertaking on the basis of the recommendations referred to in sbp. 134.4. When necessary, the internal audit function may perform audit missions not included in the internal audit plan. 135. The undertaking shall ensure that the internal audit plan: 135.1. is based on methodical risk analysis, taking into account all activities and the entire governance system, as well as the expected evolution of activities; 135.2. includes significant activities to be reviewed within a reasonable period of time. 136. The internal audit function shall have the following tasks in relation to ensuring the systematic assessment of the risks related to the business of insurance or reinsurance undertakings: 136.1. to ensure that business strategy and impact on risk profile and risk tolerance have been taken into account in business planning; 136.2. to assess the extent to which capital management incorporates risks identified or likely to arise; 136.3. to verify that the risk tolerance/risk appetite limit has been reviewed and approved by the board at least once a year; 136.4. in the assessment of significant risks and repeatedly identified risks that would damage the undertaking's reputation or business, confirm the adequacy of the processes for identifying and assessing significant risks (credit, operational, market, liquidity, concentration, underwriting and other risks that may arise in the course of the undertaking's business); 136.5. related to the modeling capacity to verify that the models used for the purpose of the internal assessment of own risks and solvency by the undertaking and the requirements on the conduct of tests for the assessment of the ability to maintain financial stability have been validated and tested for relevant output results; 136.6. related to risk assessment, verify that the undertaking's internal assessment of its own risks and solvency and the requirements on the conduct of tests to assess the ability to maintain financial stability has a full coverage of the risk exposure and the measures necessary to manage those risks; 136.7. related to the reporting, to verify whether the internal report is approved on the basis of a sound documentation that would demonstrate the subjects covered. 137. The undertaking shall establish the internal audit function taking into account at least the following principles: 137.1. the internal audit function carries out its work on the basis of the regulation on internal audit, approved by the board of the undertaking, which includes information on the organization, rights and responsibilities, cooperation with other structural subdivisions of the undertaking, etc. The regulation must be made known to all the undertaking's staff; 137.2. in the operational activity, the internal audit function is guided by the internal audit manual which includes instructions on the conduct of the audit by areas of activity, with priority being given to structural subdivisions subject to a high level of risk. Each internal audit engagement shall be performed on the basis of a risk-centered plan. The conduct of the internal audit engagement outside the internal audit plan shall be justified; 137.3. the structure and number of staff of the internal audit function shall be determined by the board of the undertaking. The undertaking shall ensure that sufficient staff are employed to accomplish the aims and objectives of internal audit and to deal with related matters. 138. In order to fulfill the responsibilities in accordance with Art.41 paragraph (1) of Law No 92/2022, the internal audit function shall: 138.1. develop, on the basis of the risk-based approach, implement and review at least annually the internal audit plan, approved by the board of the undertaking, which shall include an

18 assessment of the systems used by the undertaking to identify, estimate, monitor and control the risks to which it is exposed; 138.2. assess the quality and verify compliance with the undertaking's policies/strategies and procedures in all the undertaking's activities and structural subdivisions, including risk management, to analyze risk scenarios and control mechanisms if they are sufficient and appropriate to the activity carried out; 138.3. draw up a report containing findings and recommendations following the audit in order to eliminate and prevent the recurrence of the violations and shortcomings detected, as well as to optimize and develop the activity, and to submit it to the undertaking's board, the audit committee and the persons whose activity was covered by the audit mission; 138.4. oversee the implementation of audit findings and recommendations; 138.5. inform the undertaking's board and the audit committee in due time, in accordance with the undertaking's internal rules, about: 138.5.1. the shortcomings in internal regulations or in the functioning of structural subdivisions and/or cases of violation by staff of the provisions of legislation, internal regulations, which could affect the activity of the undertaking; 138.5.2. the measures taken by the heads of the structural subdivisions subject to controls on the liquidation of the infringements committed and their results; 138.5.3. the aggregated results of the internal audit activity including an analysis of the degree of achievement of the annual internal audit plan, the opinion on the undertaking's exposure to significant risks and the effectiveness of the undertaking's internal control mechanism with a reporting frequency of at least annually; 138.6. to assess the efficiency of the processes underlying the outsourcing of the undertaking's functions and activities and determine the risks that may affect the undertaking's business operations and compliance with the law. In this respect, the undertaking's audit plan should include missions to verify the outsourcing, including the adequacy of data protection measures, controls, risk management and measures taken to ensure business continuity. 139. In order to carry out the activity in accordance with Art.41 paragraph (3) of the Law No 92/2022 the internal audit function has the following rights: 139.1. initiative on communication with any employee of the undertaking; 139.2. to examine the activities of structural subdivisions of the undertaking, branches of the undertaking; 139.3. to have access, within the limits of functional competence, to information and to the data communication system, records, files and internal information, including information intended for the undertaking's governing bodies; 139.4. to have access to the minutes and other material of a similar nature of all governing and advisory bodies which are relevant to the performance of their duties; 139.5. to propose to the undertaking's board to hire external consultants to understand a particular area subject to audit; 139.6. to have other necessary resources, including human and technical resources. 140. The undertaking shall keep records of the activity in order to allow the evaluation of the efficiency of the internal audit function and the documentation of the audit actions so that the audit actions performed and the findings resulting from them can be reconstructed. 141. The undertaking shall ensure that the internal audit function includes in the report to the undertaking's board the estimated time frame for the implementation of previous audit recommendations, including the remediation of any nonconformities found. 142. The current way of reporting by the internal audit, as set out in the undertaking's internal audit regulation, must include reporting to the undertaking's board, the audit committee and informing the persons, whose activity was covered in the audit engagement, within a reasonable time after the completion of the audit, about the findings and recommendations of the internal audit function.

19 143. The regulation referred to in point 142 must provide for the obligation of the internal audit function to report quarterly to the undertaking's board and the audit committee on the results of the internal audit activity.

Subsection 5 Actuarial function 144. The undertaking shall ensure that it has an effective and permanent actuarial function in order to fulfill the duties and responsibilities provided for in Article 42 of the Law No 92/2022, Regulation and other normative acts issued by the National Bank of Moldova. 145. To coordinate the calculation of technical provisions, the actuarial function shall perform the following tasks: 145.1. application of methodologies and procedures for analyzing the sufficiency of technical provisions and for ensuring that they are calculated in accordance with the requirements of Art.65-66 of the Law No 92/2022 and the normative acts of the National Bank of Moldova; 145.2. assessment of the uncertainty associated with the estimates used in the calculation of technical provisions; 145.3. ensuring that all data limitations used in the calculation of technical provisions are treated appropriately; 145.4. ensuring that in certain circumstances, where the undertaking does not have sufficient data of adequate quality to apply a reliable actuarial method to the portfolio of insurance and reinsurance liabilities or amounts recoverable from contracts, the approximations best suited to the calculation are used; 145.5. ensuring the definition of similar risks related to obligations arising from insurance or reinsurance contracts in order to properly assess the risks covered by those contracts; 145.6. ensuring that relevant information provided by the financial markets and generally available data on underwriting risks is taken into account and incorporated in the assessment of technical provisions; 145.7. annual comparison and justification of any significant differences in the calculation of technical provisions; 145.8. ensuring proper assessment of the options and guarantees included in the insurance and reinsurance contracts. 146. The actuarial function shall verify, on the basis of the available data, that the methodologies and assumptions used in the calculation of technical provisions are appropriate to the specific lines of business of the undertaking and the way in which the business is managed. 147. The actuarial function, within the coordination mandate of the calculation of technical provisions, shall also coordinate the assessment of the sufficiency and quality of the data and the validation of the relevant data used in the valuation process. The actuarial function shall verify that the IT systems used in the calculation of technical provisions sufficiently support the actuarial and statistical procedures. 148. The actuarial function shall be responsible for identifying inconsistencies with regulatory requirements in the calculation of technical provisions and shall propose appropriate corrections and, where necessary, make recommendations on internal procedures to improve data quality. 149. The undertaking shall ensure that the actuarial function explains the material effects of changes made on data, methodologies or assumptions between the data for the valuation of the technical provisions. 150. The actuarial function carries out the comparison of best estimates with the previous experience, in the part related to technical provisions, according to the Law No 92/2022 and the normative acts of the National Bank of Moldova. 151. The undertaking shall ensure that the actuarial function reports to the undertaking's board any significant deviations as a result of comparing best estimates with past experience. The

20 report shall analyze the causes of the deviations and, where appropriate, propose changes to the assumptions and valuation model with a view to optimizing the calculation of technical provisions. 152. The information communicated to the board of the undertaking on the calculation of technical provisions shall include at least a reasoned analysis of the reliability and appropriateness of the calculation of provisions, the sources of the estimate of technical provisions and the degree of uncertainty of that estimate. The reasoned analysis shall be accompanied by a sensitivity analysis which shall include an examination of the sensitivity of technical provisions to each of the major risks underlying the obligations covered by technical provisions. The actuarial function shall clearly specify and explain any concerns about the adequacy of technical provisions. 153. With regard to the overall underwriting policy, the opinion of the actuarial function within the meaning of Article 42 paragraph (5) letter g) of Law No 92/2022 includes at least the conclusions regarding: 153.1. the sufficiency of the premiums to be earned to cover future claims and expenses, taking into account in particular the risks covered (including underwriting risks) and the impact of options and guarantees included in insurance and reinsurance contracts on the sufficiency of premiums; 153.2. the effect produced by inflation, legal risk, changes in the composition of the undertaking's portfolio and systems for adjusting the premiums that contractors/insureds overpay or underpay, depending on claims history (bonus-malus systems) or similar systems introduced in certain types/products of insurance; 153.3. the progressive tendency of a portfolio of insurance contracts to attract or retain policyholders with a higher risk profile (anti-selection). 154. As regards the adequacy of reinsurance contracts, the opinion to be expressed by the actuarial function in accordance with Article 42 paragraph (5) letter h) of Law No 92/2022 shall include an analysis of the adequacy of the following: 154.1. the risk profile of the undertaking and its overall underwriting policy; 154.2. reinsurers, taking into account their creditworthiness; 154.3. expected coverage in crisis scenarios in relation to the overall underwriting policy; 154.4. the calculation of amounts recoverable under reinsurance contracts. 155. The undertaking shall ensure that the actuarial function, when giving an opinion on the overall underwriting policy and reinsurance program, takes into account the interdependence between them and the technical provisions. 156. In the process of implementing the risk management system, in particular with regard to the process of assessing own risks and solvency, the actuarial function performs the following tasks: 156.1. to select and apply actuarial and statistical methods to generate and analyze data; 156.2. to ensure the appropriateness of the methodologies and underlying models used, as well as the assumptions used in the calculation of technical provisions; 156.3. to contribute to the effective implementation of the risk management system, in particular with regard to risk modeling underpinning the internal solvency assessment; 156.4. to expresses its opinion on the overall underwriting policy. 157. The actuarial function shall draw up at least once a year the annual actuarial report of the undertaking and submit it to the board of the undertaking in accordance with the normative acts of the National Bank of Moldova regulating the actuarial report. 158. In order to perform the duties and responsibilities of the actuarial function set out in Article 42 of Law No 92/2022, the actuary has the following rights and obligations: 158.1. Rights: 158.1.1. making any statement/opinion, providing consulting especially in the areas directly related to the duties and responsibilities of the actuary;

21 158.1.2. requesting any document and/or information, including explanations from senior management and other employees of the undertaking, necessary for the fulfillment of its duties and responsibilities and for the issuance of conclusions/opinions; 158.1.3. participating in the meetings organized within the undertaking concerning the actuarial function, with the presentation of qualified opinions, especially in the areas directly related to the duties and responsibilities of the actuary provided in Law No 92/2022; 158.1.4. participating as a member of the external audit team, drawn in as an independent expert, in accordance with the regulatory acts, in order to examine the insurance or reinsurance activity in the light of actuarial responsibilities. 158.2. Obligations: 158.2.1. assessment of the adequacy of technical provisions and the quality of the data used in their calculation, including through comparative analysis of the best estimates with previous experience, the value of own funds and the Minimum Capital Requirement (MCR), the solvency ratio, the liquidity ratio, the sufficiency of the assets eligible to cover technical reserves and the MCR; 158.2.2. coordination of the development and validation of the technical bases for the calculation of insurance premiums and technical provisions, including the certification of the sufficiency of insurance premiums and charges related to insurance products; 158.2.3. elaboration, confirmation and presentation of the annual actuarial report, opinions, conclusions and actuarial statements drawn up in accordance with the normative acts of the National Bank of Moldova; 158.2.4. confirmation by signature of the specialized reports and documents of the undertaking, submitted to the supervisory authority or other interested parties, which contain conclusions, estimates and calculations made. In this case, the head of the actuarial function shall be liable, in accordance with the law, only for the part relating to its own conclusions, estimates and calculations; 158.2.5. information in any form to the governing bodies of the undertaking of any problem or risk in respect of which the actuary considers that action is necessary in order to avoid breaches of legislation or any situation which may prejudice the interests of the insured; 158.2.6. ensuring the sufficiency of the data and information necessary for actuarial valuations/calculations of the undertaking's assets and liabilities; 158.2.7. provision of actuarial services in insurance or reinsurance in such a way as to ensure that the interests of policyholders, reinsurers, beneficiaries of insurance, injured third parties and other persons whose rights may be affected; 158.2.8. keeping acquired information confidential; 158.2.9. compliance with individual administrative and normative acts of the National Bank of Moldova; 158.2.10. notifying the National Bank of Moldova of the impossibility to exercise its obligations in case the undertaking does not provide complete information, provides false information or in other reasoned situations.

Section 5 General principles of remuneration policy 159. The remuneration policy referred to in sbp.5.12, established and applied by the undertaking, takes into account the following: 159.1. the remuneration policy and remuneration practices are established, implemented and maintained in line with the undertaking's business strategy and risk management policy, the undertaking's risk profile, its objectives, its risk management practices and the long-term interests and performance of the undertaking as a whole; 159.2. the remuneration policy promotes fair and effective risk management and does not encourage risk-taking beyond the undertaking's risk tolerance limits;

22 159.3. the remuneration policy applies to the undertaking as a whole and contains specific measures that take into account the duties and performance of senior management and key management; 159.4. clear, transparent and effective governance of remuneration is ensured, including oversight of remuneration policy; 159.5. the remuneration policy is designed to take account of the internal organization of the undertaking and the nature, scale and complexity of the risks inherent in the business; 159.6. the remuneration policy is made known to all employees of the undertaking. 160. The specific measures referred to in sbp.159.3 shall take into account the following: 160.1. where remuneration systems include both fixed and variable components, they shall be balanced in such a way that the fixed or guaranteed component represents a sufficiently high proportion of the total remuneration in order to avoid a situation where employees would be overly dependent on the variable components and to allow the undertaking to apply a fully flexible premium policy, including the possibility of not paying any variable component; 160.2. where variable remuneration is linked to performance, the total amount of variable remuneration shall be based on a combination of the assessment of the performance of the individual and the business unit concerned and the overall result of the undertaking or group to which the undertaking belongs; 160.3. the payment of a substantial part of the variable remuneration component, irrespective of the form in which it is to be paid, contains a flexible, deferred component which takes into account the nature and duration of the undertaking's business: the deferral period shall be no less than three years and the period shall be properly aligned with the nature of the business, its risks and the activities of the employees concerned; 160.4. Both financial and non-financial criteria are taken into account when assessing a person's performance; 160.5. the performance measurement, as the basis for variable remuneration, shall include a downward adjustment of current and future risk exposure, taking into account the risk profile of the undertaking and the cost of capital; 160.6. payments granted upon termination of the contract are related to the performance over the entire period of employment and may be designed in such a way that failures are not rewarded; 160.7. persons covered by the remuneration policy undertake not to use any personal hedging or insurance strategies relating to remuneration or liability that would undermine the effects of risk alignment, which are embedded in their remuneration contract. 161. The variable part of the remuneration of the persons exercising the functions referred to in Section 4 shall be independent of the performance of the structural subdivisions controlled by those persons. The remuneration of the heads of function shall be determined by the board of the undertaking. 162. The undertaking's remuneration policy shall be established on the basis of a reasoned analysis and well-defined indicators of the individual performance of the remunerated person, linked to the collective performance and on the basis of a judicious allocation of the undertaking's expenses, where possible, and with a view to avoiding incentives that encourage excessive risktaking or in accordance with the principles set out in the undertaking's internal rules, as the case may be. 163. The level of remuneration shall be closely aligned with the responsibilities and commitments of the duties. The remuneration policy shall include information on how it considers the integration of sustainability risks into the risk management system.

23 Chapter V REPORTING PROVISIONS 164. The undertaking shall prepare and submit to the National Bank of Moldova annually, by March 1 of the current year, the information provided for in Article 34 paragraphs (1) to (4) of the Law No 92/2022 in the form of a report, which shall include: 164.1. an inventory of the main deficiencies identified within each function and the measures taken to remedy them; 164.2. a description of significant changes in functions during the reporting period; 164.3. a description of the conditions of application of the control procedures related to the new classes/types of insurance; 164.4. conducting internal control within the undertaking's structural subdivisions; 164.5. information on the audit activity carried out during the reporting period, showing the findings and recommendations of the internal audit and the degree of implementation of the recommendations by the undertaking's executive body; 164.6. the undertaking's level of compliance with the prudential requirements set by the regulatory framework. 165. The report referred to in point 164 shall be signed by the Chairman of the Board of the undertaking and shall be submitted in Romanian, in electronic format. 166. The undertaking shall notify the National Bank of Moldova within up to 5 working days of any significant changes in its activity, structure and general situation, including breaches of regulatory requirements. 167. The undertaking shall inform the National Bank of Moldova of any situations that may adversely affect the activity of the management body within up to 5 working days. 168. Without prejudice to the provisions of point 164, the undertaking shall notify the National Bank of Moldova about the cases of detected illegalities, no later than the next working day from the date of detection, if they may affect the safety and reputation of the undertaking. The information shall include a description of the illegality found, the amount of damages incurred by the undertaking as a result of the illegality. Where the amount of the loss has not been accurately determined, the undertaking will provide an estimate of it at the time of reporting. 169. The undertaking shall submit to the National Bank of Moldova its internal regulations, drawn up in Romanian, except for the secondary internal regulations in the field of information and communication technology, in electronic format, within 10 working days from the date of approval by the authorized management body, through the WEB portal of the Information System of the National Bank of Moldova on licensing, authorization and notification, in accordance with the Guide on the use of the WEB portal of the Information System of the National Bank of Moldova on licensing, authorization and notification for the purpose of transmission by undertakings / branches of the undertaking of third countries of internal regulations, as well as their electronic storage. 170. If the undertaking's internal regulations have been subject to amendments, they shall be submitted to the National Bank of Moldova with the incorporated amendments within 10 working days from the date of their approval. 171. The internal regulations approved by the date of registration on the WEB portal of the Information System of the National Bank of Moldova of the undertaking / branch of the undertaking from other states, shall be submitted to the National Bank of Moldova in electronic format through the WEB portal of the Information System of the National Bank of Moldova on licensing, authorization and notification within 30 days from the date of registration. 172. In accordance with point 169, the undertaking shall submit to the National Bank of Moldova the information prepared in Romanian, as follows: 172.1. quarterly, within 20 working days of the end of each quarter, the following documents drawn up during that quarter:

24 172.1.1. minutes of the meetings of the board of the undertaking and of the collegial executive body / management of the undertaking's branch in a third state; 172.1.2. orders, decisions, resolutions or any decision-making acts adopted by the singlemember executive body, which have a significant impact on the financial and accounting aspects, compliance, risk management, internal policies and regulations or involve major changes to the business strategy and the structure and activity of the undertaking; 172.1.3. minutes of the meetings of the specialized committees of the undertaking’s board. 172.1.4. reports prepared by the internal audit function, the actuarial function, the risk management function and the compliance function submitted to the undertaking's board and/or the executive body/management of the undertaking's branch in a third country. 172.2. annually, within 10 working days from the date of approval by the undertaking board/the management of the undertaking branch in a third country, the undertaking internal audit plan/the branch of the undertaking in a third country for the management year. 172.3. within 15 working days from the closing date of the general meeting of shareholders of the undertaking, the minutes of the general meeting of shareholders (without annexes); 172.4. within 20 working days from the date of closure of the general meeting of shareholders of the undertaking in a third country, the extract from the minutes of the general meeting of shareholders which includes matters relating to the activity of the branch of the undertaking in a third country. 173. Failure to comply with the provisions of the Regulation shall be sanctioned by the National Bank of Moldova in accordance with the Law No 92/2022.