Corporate Governance Standards for Insurance Companies

1 CORPORATE GOVERNANCE STANDARDS FOR INSURANCE COMPANIES

2 Table of Contents INTRODUCTION Subject Page

1. DEFINITIONS 3
2. CORPORATE GOVERNANCE FRAMEWORK 6
3. OVERSIGHT AND MANAGEMENT RESPONSIBILITIES 10
4. CORPORATE CULTURE, BUSINESS OBJECTIVES AND STRATEGY 11
5. STRUCTURE AND GOVERNANCE OF THE BOARD 12
6. DUTIES OF INDIVIDUAL BOARD MEMBERS 22
7. DUTIES RELATED TO RISK MANAGEMENT AND INTERNAL CONTROLS 23
8. DUTIES RELATED TO COMPENSATION 24
9. FINANCIAL REPORTING AND EXTERNAL AUDIT 26
10. COMMUNICATIONS 28
11. DUTIES OF SENIOR MANAGEMENT 30

3 INTRODUCTION

1. These Standards form part of the Corporate Governance Regulation (Circular No. 24/2022). All Insurance Companies must comply with these Standards, which expand on the Regulation. These Standards are mandatory and enforceable in the same manner as the Regulation.
2. The Standards follow the structure of the Regulation, with each article corresponding to the specific article in the Regulation.
3. DEFINITIONS
4. Affiliate : An entity that, directly or indirectly, controls, is controlled by, or is under common control with another entity. The term control as used herein shall mean the holding, directly or indirectly, of voting rights in another entity, or of the power to direct or cause the direction of the management of another entity.
5. Authorised Manager : The person appointed by the foreign insurance company to manage its branch in the State.
6. Board : The Company’s board of directors.
7. Central Bank : The Central Bank of the United Arab Emirates.
8. Chief Executive Officer : The most senior executive appointed by the Board, and in the case of foreign branches, this refers to the Authorised Manager.
9. Company The insurance company incorporated in the State, and the foreign branch of an insurance company, that is licensed to underwrite primary insurance and reinsurance, including Takaful insurance companies.
10. Compliance with Islamic Shari’ah : Refers to compliance with Shari’ah in accordance with : a. resolutions, fatwas, regulations, and standards issued by the Higher Shari’ah Authority in relation to the Company’s activities and businesses (“HSA’s Resolutions”), and b. resolutions and fatwas issued by the Internal Shari`ah Supervision Committee (“ISSC”) of the Company, in relation to its activities and businesses (“the Committee’s Resolutions”), provided they do not contradict HSA’s Resolutions.
11. Conflict of Interest : A situation of actual or perceived conflict between the duty and private interests of a person, which could improperly influence the performance of his/her duties and responsibilities.
12. Control Functions : Function (whether in the form of a person, unit or department) that has a responsibility in a Company to

4 provide objective assessment, reporting and/or assurance; this includes the risk management, compliance, actuarial, internal audit, and where applicable Shari’ah control and Shari’ah audit functions. 10. Controlling Shareholder : A shareholder who has the ability to directly or indirectly influence or control the appointment of the majority of the Board, or the decisions made by the Board or by the general assembly of the Company, through the ownership of a percentage of the shares or stocks or under an agreement or other arrangement providing for such influence. 11. Corporate Governance : A set of relationships between a Company’s Board, Senior Management, customers and other stakeholders; and a structure through which the objectives of the Company are set, and the means of attaining those objectives and monitoring performance are determined. 12. Duty of Care : The duty to decide and act on an informed and prudent basis with respect to the Company. Often interpreted as requiring a member of the Board to approach the affairs of the Company and policyholders ahead of his/her own interests. 13. Duty of Confidentiality : The duty to observe confidentiality applies to all information of a confidential nature with which a member of the Board is entrusted by the Company or which is brought to his or her attention during or at any time after the carrying out of his/her assignment. 14. Duty of Loyalty : The duty to act in the good faith in the interest of the Company. The duty of loyalty should prevent individual members of the Board from acting in their own interest, or the interest of another individual or group, at the expense of the Company and shareholders. 15. Financial Regulations : Insurance Authority Board of Directors’ Decision number (25) of 2014 Pertinent to Financial Regulations for Insurance Companies and the Insurance Authority Board of Directors’ Decision number (26) of 2014 Pertinent to Financial Regulations for Takaful Insurance Companies. 16. Fit and Proper Process : The evaluation of a Company’s proposed members of the Board, Senior Management and other persons as determined by the Central Bank from time to time, in terms of expertise and integrity. The specific fit and proper criteria are listed in article 5.20.e.1 of the Standards. 17. Government : The UAE Federal Government or one of the governments of the member Emirates of the Union. 18. Group : A group of entities which includes an entity (the ‘first entity’) and: a. any Parent of the first entity;

5 b. any Subsidiary of the first entity or of any Parent of the first entity; c. any Affiliate. 19. Higher Shariah Authority : The Higher Shariah Authority that was established at the Central Bank. 20. Independent Member of the Board : A member of the Board who has no relationship with the Company or Group that could lead to benefit which may affect his/her decisions. He/she must not be under any other undue influence, internal or external, ownership or control, which would impede the Independent Member’s exercise of objective judgment. The Independent Member of the Board forfeits his/her independence in the cases specified in Article 5.7 of the Standards. 21. Material Risk Takers : Staff whose work is deemed to have a significant impact on the overall risk profile of the Company or the Group. 22. Regulations : Any resolution, regulation, circular, rule, standard or notice issued by the Central Bank. 23. Relatives : Father, mother, brother, sister, children, spouse, father￾in-law, mother-in-law and children of the spouse. 24. Related Parties : The Group and its Controlling Shareholders, members of the Board and Senior Management (and their Relatives) and persons with control, joint control or significant influence over the Company (and their Relatives). 25. Related Party Transactions : Include on-balance sheet and off-balance sheet credit exposures and claims as well as dealings such as service contracts, asset purchases and sales, construction contracts, lease agreements, derivative transactions, borrowings, and write-offs. The term transaction incorporates not only transactions that are entered into with Related Parties but also situations in which an unrelated party (with whom a Company has an existing exposure) subsequently becomes a Related Party; disclosures must reflect all Related Party events and transactions for the financial period. 26. Risk Appetite : The aggregate level and types of risk a Company is willing to assume, within its risk capacity, to achieve its strategic objectives and business plan. 27. Risk Governance Framework As part of the overall approach to Corporate Governance, the framework through which the Board and Senior Management establish and make decisions about the Company’s strategy and risk approach; articulate and monitor adherence to the Risk Appetite and risks limits relative to the Company’s strategy; and identify, measure, manage and control risks. 28. Senior Management : The individuals or body responsible for managing the Company on a day-to-day basis in accordance with strategies, policies and procedures set out by the Board, generally including, but not limited to, the Chief

6 Executive Officer, chief financial officer, chief risk officer, and heads of the compliance and internal audit functions. 29. State : The United Arab Emirates. 30. Subsidiary : An entity (the 'first entity') is a subsidiary of another entity (the 'second entity') if the second entity: a. holds a majority of the voting rights in the first entity; b. is a shareholder of the first entity and has the right to appoint or remove a majority of the Board of directors or managers of the first entity; or c. is a shareholder of the first entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the first entity; or d. if the first entity is a subsidiary of another entity which is itself a subsidiary of the second entity. 31. Staff : All the persons working for a Company including the members of Senior Management, except for the members of its Board. 32. Takaful Insurance : A collective contractual arrangement aiming at achieving cooperation among a group of participants against certain risks whereby each participant pays certain contribution amount to form an account called the participants' account through which entitled compensations are paid to the member in respect of whom the risk has realized. The Takaful Insurance company shall manage this account and invest the funds collected therein against certain compensation. 2. CORPORATE GOVERNANCE FRAMEWORK

1. A Company’s organisational structure must be transparent and support the strategic objectives and operations of the Company. The Board and Senior Management must understand the structure and the risks associated with it.
2. The Board must act in the best interests of its various stakeholders while meeting regulatory expectations. Treating customers fairly and policyholder protection must be an integral part of a Company’s governance and corporate culture.
3. Branches of foreign Companies must establish local governance structures, such as a Senior Management committee or equivalent, that fulfill the responsibilities of a Board required by these Standards. Branches must ensure their Control Functions are operating effectively. Branches must establish Control Functions that are robust, report to the local management structures and are accountable to

7 the Group’s heads of Control Functions. The local management structure of the branch must take steps, as necessary, to help the branch meet its own Corporate Governance responsibilities in line with the Regulation and Standards. It is the responsibility of the local governance structures to ensure that local legal and regulatory requirements are implemented and, where appropriate, make adjustments where the Group structures conflicts with a provision of these Standards. 4. Group Structure: a. In order to fulfil its responsibilities, the Board must ensure that:

1. There is a Corporate Governance framework at the Group level, with clearly defined roles and responsibilities, taking into account the complexity and significance of the individual entities;
2. There is an appropriate Group management structure and internal control framework which takes into account the material risks to which the Group and its individual entities are exposed;
3. The Group’s Corporate Governance framework includes adequate policies, processes and controls, and addresses risk management across the entities;
4. The Group’s Corporate Governance framework includes appropriate processes and controls to identify and address potential intragroup Conflicts of Interest, such as those arising from intragroup transactions;
5. There are Board-approved policies and clear strategies for establishing new structures and legal entities, which ensure that they are consistent with the policies and interests of the Group;
6. There are effective systems in place to facilitate the exchange of information and coordination among the various entities, to manage the risks of the individual entities as well as of the Group as a whole, and to ensure effective control of the Group;
7. There are sufficient resources to monitor the compliance of all entities with all applicable legal, regulatory and governance requirements; and
8. There is an effective internal audit function, and in the case of a Company offering Islamic financial services, an effective internal Shari`ah audit function, which ensures audits are being performed on all Group entities and the Group itself. b. While the Board of the Company must conduct strategic, Group-wide risk management and prescribe corporate risk profiles, the Company’s management and Affiliate boards must have appropriate input into their local or regional application and the assessment of local risks. It is the responsibility of the Companies’ boards, or equivalent in the case of foreign branches, to assess the

8 compatibility of the Group policies with local legal and regulatory requirements. c. The Board and Senior Management must take into account the financial, legal, reputational and other risks to the Company from operating through complex or non-transparent structures. Measures to avoid or mitigate these risks include, but are not limited to:

1. Avoiding setting up complex structures that lack economic substance or business purposes;
2. Continually maintaining and reviewing appropriate policies, procedures and processes governing the approval and maintenance of those structures or activities, including fully vetting the purpose, the associated risks and the Company’s ability to manage those risks prior to setting up new structures and initiating associated activities;
3. Having a centralised process for approving the creation of new legal entities and dissolution of dormant entities based on established criteria, including the ability to monitor and fulfil each entity’s regulatory, tax, financial reporting, governance and other requirements;
4. Establishing adequate procedures and processes to identify and manage all material risks arising from these structures, including lack of management transparency, operational risks introduced by interconnected and complex funding structures, intragroup exposures, trapped collateral and counterparty risk, ensuring that structures are only approved if the material risks can be properly identified, assessed and managed; and
5. Ensuring that activities and structures are subject to regular internal and external audit reviews and Shari`ah audit reviews in case of providing Takaful Insurance products.
6. The Board must have a formal written Conflict of Interest policy for its members. The policy must include the following, at a minimum,: a. Duties of the members of the Board to avoid, to the extent possible, activities that could create Conflicts of Interests or the appearance of Conflicts of Interests; b. Examples of how Conflicts of Interest can arise when serving as a member of the Board; c. A process for management of Conflicts of Interests by the Board or an ethics committee, where one exists; d. A Board review and approval process applicable to members of the Board before they engage in specific activities, such as serving on another Board, to ensure that such activities will not create a Conflict of Interest;

9 e. A process to prevent members from holding directorships in other Companies; f. A member of the Board’s duty to promptly disclose any matter that may result, or has already resulted, in a Conflict of Interest; g. A member of the Board’s duty to abstain from voting on any matter where the member of the Board may have a Conflict of Interest (existing or potential) or where the member of the Board’s objectivity or ability to properly fulfil duties to the Company may be otherwise compromised; h. Procedures to ensure that transactions with Related Parties must be undertaken on an arm’s length basis; and i. The way the Board will deal with non-compliance with the Conflict of Interest policy. 6. Transactions with Related Parties must not be undertaken on more favourable terms than corresponding transactions with non-related counterparties. 7. Companies must have policies and processes in place to identify individual exposures to and transactions with Related Parties, as well as the total amount of such exposures; and monitor and report on them through an independent credit review or audit process. Exceptions to policies, processes and limits must be reported to the appropriate level of the Company’s Senior Management and, if necessary, to the Board for timely action, based on the stipulations of the policy. Senior Management must monitor Related Party Transactions on an ongoing basis, and the Board must also provide oversight of these transactions. 8. The Board must ensure that transactions with Related Parties (including intragroup transactions) are reviewed to assess risk and are subject to appropriate restrictions (e.g. by requiring that such transactions be conducted on arm’s length terms) and that corporate or business resources of the Company are not misappropriated or misapplied. 9. Transactions with Related Parties and the write-off of related-party exposures are subject to prior approval by the Company’s Board. Members of the Board with Conflicts of Interest must be excluded from the approval process for granting and managing Related Party Transactions. Companies must report any breaches promptly to the Central Bank. The Central Bank may impose additional capital and/or provisioning requirements to cover any such breaches. 10. Companies must have policies and procedures in place to prevent persons benefiting from a transaction that has an existing or potential Conflict of Interest and/or persons related to such a person, from being part of the process of granting and managing the transaction. 11. Companies must maintain a register of Related Parties and details of every Related Party Transaction.

10 3. OVERSIGHT AND MANAGEMENT RESPONSIBILITIES

1. The Board must provide oversight of Senior Management. It must hold members of Senior Management accountable for their actions and document the consequences if these actions are not aligned with the Board’s expectations. This oversight involves ensuring that Senior Management is adhering to the Company’s values, Risk Appetite and risk culture. Oversight by the Board should include, but is not limited to: a. Monitoring Senior Management’s actions to ensure that they are consistent with the strategic objectives and policies approved by the Board and are aligned with the Company’s Risk Appetite; b. Overseeing implementation of the Company’s governance framework and reviewing it annually to ensure that it remains appropriate in the light of any material changes to the Company’s size, complexity, business strategy, markets and regulatory requirements; c. Overseeing the Company’s adherence to its Risk Appetite and Risk Limits; d. Overseeing the Company’s approach to Board and Staff compensation, including monitoring and reviewing executive compensation and assessing whether it is aligned with the Company’s culture and Risk Appetite; e. Meeting regularly with Senior Management; f. Critically reviewing and challenging explanations and information provided by Senior Management; g. Setting appropriate performance and compensation standards for Senior Management consistent with the long-term strategic objectives and the financial soundness of the Company; h. Assessing whether Senior Management’s collective knowledge and expertise remain appropriate given the nature of the business and the Company’s risk profile; and i. Actively engaging in succession planning for the Chief Executive Officer and ensuring that appropriate succession plans are in place for all Senior Management positions.
2. The Board should review the Company’s policies and procedures on a regular basis to ensure that they are being implemented by those responsible within Senior Management. The Board should obtain reports from Senior Management in this regard, at least annually.

11 3. The responsibilities of the Board in this regard include, but are not limited to: a. Determining the Company’s Risk Appetite, taking into account the competitive and regulatory landscape and the Company’s long-term interests, risk exposures and ability to manage risk effectively; b. Approving and overseeing the implementation of key policies including, but not limited to, liquidity , capital adequacy, technical provisions and solvency margin; c. Overseeing the appointment of the external auditor; d. Approving the annual financial statements and requiring periodic independent review of critical areas of the business and internal controls; e. Approving the selection of and overseeing the performance of Senior Management; f. A Takaful Company must demonstrate full Compliance with Islamic Shari’ah and establish a sound and effective Shariah governance framework with key mechanisms and functionalities to ensure effective and independent Shariah oversight, as per the requirements of the Takaful Regulation and any other requirements set by the Central Bank and the Higher Shari`ah Authority. 4. CORPORATE CULTURE, BUSINESS OBJECTIVES AND STRATEGY

1. The Board is responsible for the implementation of an effective risk management culture and internal control framework across the Company and the Group. In order to promote a sound corporate culture, the Board must establish the “tone from the top” by: a. Setting and adhering to corporate values that create the expectation that all business must be conducted in a legal and ethical manner, and overseeing the adherence to such values by Staff; b. Promoting risk awareness within a strong risk culture, and setting the expectation that all Staff are responsible for ensuring that the Company operates within the established Risk Governance Framework, Risk Appetite and Risk Limits; c. Ensuring that appropriate steps have been taken to communicate throughout the Company the corporate values, professional standards and codes of conduct approved by the Board, together with supporting policies; and ensuring that Staff are aware that appropriate disciplinary or other actions will follow unacceptable behaviours and breaches.
2. The Company’s corporate culture must recognise the critical importance of timely and frank discussion and escalation of problems to higher levels. Staff must be

12 encouraged and must be able to communicate legitimate concerns about illegal, unethical and/or questionable practices confidentially and without the risk of reprisal. 3. The Board must approve and oversee a whistleblowing policy mechanism and ensure that Senior Management appropriately addresses legitimate issues flagged through the whistleblowing mechanism. The Board is responsible for ensuring that Staff who raise concerns are protected from detrimental treatment or reprisals. The Board must oversee and approve how and by whom legitimate matters are investigated and that they are addressed by an objective internal or external body, Senior Management, and/or by the Board itself. 4. A Company must have a written code of conduct for Staff that defines acceptable and unacceptable behaviours. It must explicitly prohibit illegal activity including fraud, breach of sanctions, money-laundering, anti-competitive practices, bribery and corruption, and the violation of consumer rights. It must make clear that Staff are expected to conduct themselves ethically and perform their jobs with skill, due care and diligence. The code of conduct covers, at a minimum: a. The obligation to comply with all Regulations and the Company policies. b. Prevention and management of Conflicts of Interest. c. Guidance on decision-making. d. Reporting mechanisms on any breach of applicable laws and Regulations, and protection for whistle blowers from retaliation. e. Fair treatment of policyholders. f. Information sharing with stakeholders. 5. STRUCTURE AND GOVERNANCE OF THE BOARD

1. A Company’s Board must be comprised of individuals with a balance of skills, diversity and expertise, who collectively possess qualifications commensurate with the size, complexity and risk profile of the Company. In assessing its collective suitability, the factors a Board should take into account include, but are not limited to: a. Whether members of the Board have a range of knowledge and experience in relevant areas and varied backgrounds to promote diversity of views; b. Relevant individual areas of competence which may include, but are not limited to, capital markets, financial analysis, financial stability, financial reporting, information technology, strategic planning, risk management, compensation, regulation, Corporate Governance, management, accounting, underwriting, actuarial, reinsurance, investment, audit and Shari`ah rules and principles in the case of a Takaful Company;

13 c. Whether the Board collectively has a good understanding of local, regional and global economic and market forces and of the legal and regulatory environments applicable to the Company’s operations; and d. Whether individual members of the Board can contribute to effective communication, collaboration and critical debate at the meetings of the Board and its committees. 2. The Board must have well-defined powers, including the ability to obtain timely information from Senior Management and key persons in Control Functions, in order to manage the Company. 3. The Board must have documented procedures for its own internal governance which must be periodically reviewed and assessed for their effectiveness. These may be included in organisational rules or by-laws, and should set out how the Board will carry out its roles and responsibilities, the nomination process, selection and removal of Board members, a specified term of office and succession planning. 4. The Board must be adequately funded and have access to resources, staff and facilities in order to carry out its responsibilities effectively. The Board must have documented procedures to access external, independent experts including procedures related to their appointment and dismissal. 5. Where the Board makes any delegations, it should ensure that: a. The delegation does not hinder the Board from discharging its roles and responsibilities effectively. b. The scope of delegation is well defined in terms of the powers, accountabilities and procedures related to the delegation. c. There is no undue concentration of powers, giving anyone inappropriate levels of power capable of affecting the Company. d. It has the ability to monitor and obtain reports on whether the delegated tasks are properly carried out. e. It retains the ability to withdraw the delegation if it is not properly discharged, and to have contingency plans in this regard. 6. Members of the Board, individually and collectively, must be and continue to remain qualified for their positions. Members of the Board must understand their oversight and Corporate Governance role and be able to exercise sound, objective judgement about the affairs of the Company. Members of the Board must not have any Conflict of Interest that may impede their ability to perform duties independently and objectively, or be subject to any undue influence from:

14 a. Other persons/business; b. Previous or current positions held; or c. Personal, professional or other economic relationships with other members of the Board or Senior Management, or d. Other entities within the Group. 7. A member of the Board shall lose his/her independence in the following cases: a. If his/her tenure as an Independent Member of the Board in the same Company exceeds twelve (12) consecutive years from the date of his or her appointment. This provision applies equally to persons appointed by a Government shareholder; b. If he/she, or any of his/her Relatives, has worked as Staff of the Company, or its Subsidiaries during the past two (2) years; c. If he/she has worked for, or is a partner, in a company that performs consulting works for the Company or its Group or he/she has acted in such capacity during the past two (2) years; d. If he/she has had any personal services contracts with the Company or its Group during the past two (2) years; e. If he/she has been affiliated with any non-profit organisation that receives significant funding from the Company or its Group; f. If he/she, or any of his/her Relatives, has been a partner or employee of the Company’s auditor during the past two (2) years; g. If he/she, or any of his/her Relatives, has or had a direct or indirect interest in the contracts and projects of the Company or its Subsidiaries during the past two (2) years, and the total of such transactions exceeds the lower of 5% of the Company’s paid capital or of the amount of five million Dirhams or its equivalent amount in a foreign currency, unless such relationship is part of the nature of the Company’s business and involves no preferential terms; and h. If he/she and/or any of his/her Relatives (individually or collectively) own directly or indirectly 10% or more of the Company’s capital or is a representative of a shareholder who owns directly or indirectly more than 10% of the Company’s capital. The provisions in items b to h above do not apply to members of the Board appointed by a Government shareholder.

15 8. All nominated members of the Board must have sufficient competence, knowledge and experience to effectively carry out their duties and be subject to the Fit and Proper Process. 9. An ex-ante review and approval process must be completed before a member of the Board accepts nomination to serve on another board as permitted by the Corporate Governance Regulation and these Standards, so as to ensure that the activity will not create a Conflict of Interest. In addition, each member of the Board must confirm annually that he/she has sufficient time available to manage the time commitments required from the role on the Board. 10. The chair of the Board must provide leadership to the Board and is responsible for its overall effectiveness. The chair must ensure that Board decisions are taken on a sound and well-informed basis, encourage and promote critical discussion, and ensure that dissenting views can be freely expressed during the decision-making process. The chair must: a. Ensure that the Board acts efficiently, fulfils its responsibilities and discusses all issues on a timely basis; b. Approve the agenda of each Board meeting, ensuring that the content, organisation, quality of documentation and time allocated to each topic allows for sufficient discussion and decision making; c. Encourage all Members of the Board to fully and efficiently participate in Board meetings in order to ensure that the Board acts in the best interests of the Company; d. Adopt suitable procedures to ensure efficient communication with the shareholders, and the communication of their views to the Board; and e. Facilitate the effective participation of Independent Members of the Board and the development of constructive relations between individual Board members. A Takaful Company must safeguard an effective independent oversight of Compliance with Islamic Shari’ah within the organisational framework. 11. The majority of the members of the Board must be present at each Board and its committees’ meetings to establish a quorum. Attendance at meetings must be by physical presence or via audio or audio-videoconferencing subject to appropriate safeguards to preserve confidentiality and accuracy of deliberations. 12. The Board’s and its committees’ resolutions must be approved by the majority of votes. In the case of parity, the Chair shall have a casting vote. 13. There must be effective communication and coordination between the audit committee and the risk committee to facilitate the exchange of information and effective coverage of all risks, including emerging risks, and any needed adjustments to the Company’s Risk Governance Framework. The risk committee

16 must, without prejudice to the tasks of the compensation committee, examine whether incentives provided by the remuneration system take into consideration risk, capital, liquidity and the likelihood and timing of earnings. 14. The Board must ensure that new members of the Board participate in an appropriate induction programme that must include an introduction to the strategy, structure, codes of conduct, main policies and material businesses of the Company. In addition, the induction programme must include an overview of the regulatory environment applicable to the Company, including the requirements of all relevant laws and Regulations. 15. The Board must dedicate sufficient time, budget and other resources to an ongoing training and development programme for its members and draw on external expertise, as needed. The Board must review annually its programme for ensuring that its members acquire, maintain and enhance knowledge and skills relevant to their responsibilities. 16. The Board, or the Board nomination committee, must carry out, at least annually, an assessment of the Board as a whole, its committees, and individual members. The Board must also ensure that an independent assessment is carried by an external third party at least once every five (5) years. 17. Annual assessments of the Board must include, but are not limited to: a. Reviewing the structure, size and composition of the Board as a whole and its committees; b. Reviewing the effectiveness of Board governance procedures, determining where improvements are needed and making any necessary changes; and c. Assessing the ongoing suitability of each member of the Board, taking into account the fit and proper criteria and his/her performance on the Board. 18. Factors to be considered in the assessment of the Board as a whole include, but are not limited to: a. Has the Board set clear performance objectives, and how well has it performed against these objectives? b. Has the Board been effective in the strategy development process? c. What has been the Board’s contribution to ensuring effective risk management? d. Is the membership of the Board appropriate with the right mix of skills and knowledge?

17 e. Is the organisational structure and interaction between the Board and Senior Management working effectively? f. How well has the Board responded to problems and challenges? g. Is the Board dealing with the right issues? h. Is the relationship between the Board and its committees working effectively? i. Is the Board taking the necessary steps to stay up to date with regulatory and market developments? j. Is the Board taking the necessary steps to acquire timely information of the right depth and quality? k. Are Board meetings of the right frequency and length to enable proper consideration of issues? l. Is the content of the agenda appropriate for the size, nature and complexity of the Company? m. Are Board procedures adequate for effective performance? 19. Factors to be considered in the assessment of the performance of individual members of the Board include, but are not limited to: a. Does the member of the Board continue to meet the requirements of the Fit and Proper Process, and in the case of Independent Members of the Board, independence? b. Has the member of the Board actively contributed to the work of the Board, and if applicable, Board committees? c. If newly appointed, has the member of the Board participated in the Board’s induction programme? d. Has the member of the Board participated in ongoing training on relevant issues? e. Is the member of the Board taking the necessary steps to stay up to date with regulatory and market developments? f. Has the member missed meetings of the Board without an excuse acceptable by the Board?

18 20. COMMITTEES: a. The Board elects the audit committee and sets its mandate and responsibilities, including, but not limited to:

1. Assessing the adequacy of Senior Management, and the extent of their application of the Board’s directions.
2. Assessing and following up on the efficiency of the internal controls, through: a. Holding regular meetings with persons who are primarily responsible for internal controls over financial reporting, including but not limited to the heads of internal audit, risk management and accounting functions. b. Mitigating key financial reporting risks through discussing controls with Senior Management, including fraud risks. c. Understanding how Senior Management plans to assess internal controls and what role internal audit and other Related Parties will play. d. Understanding the external auditors' scope and plan to test the controls. e. Conducting regular meetings with Senior Management, internal and external audit to discuss findings and relevant action plans.
3. Assessing the extent of compliance with relevant laws and Regulations.
4. Nominating external auditors to be selected by the general assembly; terminating their services, when required; and determining their fees.
5. Effectively overseeing and supporting the internal audit function, that incudes, but is not limited to: a. Understanding internal audit resources. b. Being involved in hiring the head of internal audit, evaluating his/her performance, and verifying the sufficiency of his/her compensation. c. Reviewing the internal audit's charter annually, and approving any changes to the charter. d. Approving the annual internal audit plan and reviewing the recommendations issued by the internal auditor.

19 6. Approving the appointment and dismissal of the head of internal audit. 7. Following up on the recommendations made by internal and external audit and the Central Bank. 8. Overseeing the integrity and accuracy of the financial statements and related disclosures, that includes: a. Taking an active role in overseeing annual and interim financial statements and related disclosures. b. Assessing whether the significant accounting policies the company uses are reasonable and appropriate. This includes discussions with the chief financial officer and external auditors about the impact on the results and financial disclosures of any new accounting development. c. Assessing and making submissions to the Board regarding the suitability of the Company’s accounting policies. This includes discussions with the chief finance officer or equivalent and the external auditors about the impact on the results and financial disclosures of any changes to accounting standards and policies. d. Reporting to the Board, any limitations in the reliability of accounting and financial processes, including management information systems. 9. Meeting with internal and external auditors and appointed actuaries at least twice a year, without the presence of representatives from Senior Management. 10. Enabling Staff to report in confidentiality, any violation concerning the financial statements or internal controls, and producing a report to the Board in this regard. 11. To report to shareholders by preparing a report to be included in the annual financial statements describing how the committee carried out its functions, confirming the independent nature of the audit, and commenting on the financial statements, accounting practices and internal financial control measures of the Company. 12. Ensuring integrated reporting to the Central Bank (integrating financial and sustainability reporting, to the extent that it is relevant). At a minimum, the audit committee should provide the following information in the integrated report: a. A summary of the role of the audit committee; b. A statement on whether or not the audit committee has adopted a formal terms of reference that has been approved by the Board, and

20 if so, whether the committee satisfied its responsibilities for the year in compliance with its terms of reference; c. The names and qualifications of all members of the audit committee during the period under review, and the period for which they served on the committee; d. The number of audit committee meetings held during the period under review and members’ attendance at these meetings; e. A statement on whether or not the audit committee considered and recommended the internal audit charter for approval by the Board; f. A description of the working relationship with the chief audit executive; g. Information about any other responsibilities assigned to the audit committee by the Board; h. A statement on whether the audit committee complied with its legal, regulatory and/or other responsibilities; and i. A statement on whether or not the audit committee has reviewed the integrated report and submitted the report to the Board with a recommendation for approval. b.The Board elects a risk management committee and sets its mandate and responsibilities including, but not limited to:

1. Proposing the Company's risk management policies, risk tolerance and Risk Appetite to the Board for approval, and to follow up on their implementation and update them on an annual basis. The committee should ensure that risk assessments are performed regularly, monitor the whole risk management process, and receive assurance from internal and external assurance providers regarding the effectiveness of the risk management process.
2. Assessing and making submissions to the Board regarding the Company’s risk management through: a. Satisfying itself with regard to the expertise, resources and experience of the risk management function; b. Meetings with individuals who are primarily responsible for the design, implementation and effectiveness of risk management, as well as continual risk monitoring; and c. Meeting regularly with management to discuss the controls in place to: assume and accept risk, avoid risk, control risk, transfer risk, watch and monitor risk, amongst other things.

21 3. Proposing the Company's reinsurance strategy and ensuring appropriate oversight and consistent implementation of reinsurance programmes. The committee should consider the Company’s business objectives, levels of capital and business lines, with particular reference to the following: a. Risk Appetite; b. Large exposures and frequency of perils; c. Level of diversification; and d. The ability of reinsurers to fulfill their obligations. 4. Assessing the extent to which the Company applies the provisions contained in the Financial Regulations, and submitting reports to the Company’s Board in this regard. 5. Without prejudice to the tasks of the compensation committee, proposing a compensation policy for management that is aligned to the business strategy and risk levels. 6. Ensuring detailed job descriptions for the roles, duties, and responsibilities of each Board member, and that controls for measuring their performance are in place. c. The Board elects from among its members an investment committee, and sets its mandate and responsibilities including, but not limited to:

1. Preparing and reviewing the investment policy, reviewing its performance, implementation and managing its risks, on an annual basis.
2. Reviewing the performance of the Company's assets annually.
3. Submitting quarterly reports to the Board on the performance of the Company's investment portfolio.
4. Establishing the necessary controls to prevent investments in related companies, unless it is proven that this is in the interest of the Company; maintain relevant information, documents, restrictions and studies in this regard. d. The Board elects from among its members a compensation committee, and sets its mandate and responsibilities including, but not limited to:
5. Providing the Board with the design and oversight of the Company’s compensation system.

22 6. DUTIES OF INDIVIDUAL BOARD MEMBERS

1. Members of the Board are fully responsible for the overall interests of the Company. This applies to members of the Board representing or appointed by an individual shareholder or group of shareholders. The Duty of Loyalty precludes individual members of the Board acting in their own interest, or the interest of
2. Periodically reviewing the compensation policies and determining if they are appropriate to each Board member and the Staff.
3. Preparing a policy for granting allowances and incentives to Senior Management.
4. Reviewing the performance of Senior Management. e. The Board elects from among its members a nomination committee, and sets its mandate and responsibilities, including, but not limited to:
5. Identifying, assessing fitness and propriety of candidates for the Board and Senior Management. Fit and proper criteria must ensure that selected candidates: a. Possess the necessary knowledge, skills, and experience; b. Have a record of integrity and good repute; c. Have sufficient time to fully discharge their responsibilities; d. Provide for collective suitability and added value to the Board/ Senior Management; e. Do not have any Conflict of Interest; and f. Have a record of financial soundness. Before providing the non-objection for nominations, appointments or renewals, the Central Bank will conduct additional interviews and/or background checks to ensure that the candidates are fit and proper, including assessing their ability to manage the time commitments required for their role in the Company, and confirm the accuracy and completeness of the information and documentation provided by the Company.
6. Establishing a policy to require at least 20% of candidates for consideration for the Board to be female. Information on the policy and actual numbers of female candidates’ consideration and representation on the Board must be disclosed in the Company’s annual Corporate Governance statement.

23 another individual or group, at the expense of the Company, its policyholders or shareholders. Policyholders’ interests must take precedence over shareholders’ interests. 2. Members of the Board must exercise their Duty of Care, Duty of Confidentiality and Duty of Loyalty to the Company when carrying out their activities, which include, but are not limited to: a. Actively engaging in the affairs of the Company to ensure strategy and policies are implemented as designed as well as acting in a timely manner to protect the long-term interests of the Company; b. Overseeing the development of and approving the Company’s business objectives and strategy, and monitoring their implementation; c. Playing a lead role in establishing the Company’s corporate culture and values. 7. DUTIES RELATED TO RISK MANAGEMENT AND INTERNAL CONTROLS

1. The Board approved Risk Governance Framework must incorporate a “three lines of defense” approach including Senior Management of the business lines, the functions of risk management, actuarial and compliance, and an independent and effective internal audit function. In the case of a Takaful Company, independent and effective internal Shari`ah Control and internal audit functions must be in place.
2. The Risk Governance Framework may vary with the specific circumstances of the Company, particularly its risk profile, size, business mix and complexity. Companies must incorporate the minimum requirements specified in the Central Bank Regulations and Standards on risk management and internal controls.
3. The internal controls framework must contain the following elements, at a minimum: a. Empowering Senior Management according to the organisational structure, commensurate to the nature of the Company, which clearly defines lines of communication and responsibilities for each unit in the Company. b. Segregation of duties, along with separation between managing risks and supervising the management of such risks. c. Written procedures accredited by the Board for applying and reviewing information technology strategies, in a manner that guarantees the provision of information to decision makers in a timely manner, along with a crisis management strategy.
4. A Company shall set up a documented internal control system approved by its Board in line with the Company’s business and volume, and it shall be supported by information systems that ensure the accuracy of such information. This system shall be reviewed periodically by the internal audit, external audit and actuarial auditors to ensure its compliance with the legal framework in force and to assess its effectiveness and adequacy.

24 5. The internal auditor shall assess the effectiveness and adequacy of the internal controls system and the company’s operations, to make sure that the Company operates in compliance with the legal framework and within the strategic objectives of the Company. A report in this regard along with the relevant recommendations must be submitted to the audit committee. 6. Governance requirements for risk management and internal controls are contained in separate Regulations issued by the Central Bank. 8. DUTIES RELATED TO COMPENSATION

1. The compensation committee is responsible for the overall oversight of management’s implementation of the compensation system for the entire Company. In addition, the compensation committee must regularly monitor and review outcomes to assess whether the Company-wide compensation system is creating the desired incentives for managing risk, capital and liquidity. It must have clear terms of reference, be properly constituted to exercise competent and independent judgement on the Company’s compensation policies and practices and work closely with the Company’s risk committee in the evaluation of incentives created by the compensation system. The committee must review the compensation plans, processes and outcomes, at least annually. An independent assessment of the compensation system by an external third party must be conducted at least once every five (5) years.
2. The Board must have oversight of the compensation system for the whole Company, not just for Senior Management. The compensation structure must be in line with the strategy, Risk Appetite, objectives, values and long-term interests of the Company. Incentives embedded within compensation structures should not incentivise Staff to take excessive risk.
3. Issues that the compensation committee of the Board must consider in overseeing the operation of Company-wide compensation policies include, but are not limited to: a. the ratio and balance between the fixed (basic salary and any routine employment allowances that are predetermined and not linked to performance) and variable components of compensation; b. the nature of the duties and functions performed by the relevant Staff and their seniority within the Company; c. the assessment criteria against which performance-based components of compensation are to be awarded; and d. the integrity and objectivity of the process of performance assessment against the set criteria.
4. The annual fixed amount paid to the members of the Board should be comprised of payment for their service on the Board and for their participation on Board

25 committees, with greater weighting applied to members chairing committees. The payment may also include the value of other non-monetary benefits, e.g. insurance and healthcare. The agreement with each member of the Board must specify all the details of his/her compensation. 5. Negative financial performance or net loss reported by a Company in a financial year should generally lead to a contraction of the Board’s total compensation and Senior Management bonus. The Central Bank may impose additional reductions to the Board’s total compensation where the negative financial performance was due to non-compliance with laws or Regulations, omission or error by the Board. In addition, a net loss reported by a Company in a financial year is expected to lead to a contraction of the Staff bonus pool. 6. Staff in the Control Functions of risk management, compliance and internal audit and in the case of Takaful Companies, Shari`ah control and Shari’ah audit, must be compensated in a way that makes their incentives independent of the lines of business whose risk taking they monitor and control. Instead, their performance measures and performance incentives must be based on achievement of their own objectives so as not to compromise their independence. This also applies to the compliance function staff embedded in independent support or control units. 7. If Staff in the Control Functions receive variable compensation, their total compensation must be made up of a higher proportion of fixed relative to variable compensation. 8. Companies must identify, both on a solo basis and at the Group level, the Staff who have the potential to take or commit the Company to significant risk, including reputational and other forms (Material Risk Takers), and consider the extent to which the structure of their compensation is effectively risk aligned. The identification must be performed by means of an annual assessment and based primarily on control and influence over risk; i.e. Staff who receive incentive compensation and have an ability, either alone or as a member of a group of Staff, to take or influence risk that is significant to the Company. These may include, but are not limited to: a. Senior Management and key Staff (including but not limited to the Chief Executive Officer and other members of Senior Management who are responsible for oversight of the Company’s key business lines and, if applicable, the Control Functions). b. Staff whose duties involve the assumption of risk or the taking on of exposures on behalf of the Company (including but not limited to proprietary traders, dealers, and loan officers). c. Staff who engage in the design, sales and management of insurance products. d. Staff who are incentivised to meet certain quotas or targets by payment of variable remuneration (including, but not limited to, those in marketing, sales and distribution functions).

26 e. Staff in the Control Functions. 9. For Senior Management and Material Risk Takers: a. a proportion of compensation must be variable and paid on the basis of individual, business-unit and Company-wide measures that adequately measure performance; b. a substantial portion of the variable compensation must be payable under deferral arrangements over at least three (3) years. These proportions should increase significantly along with the level of seniority and/or responsibility. For Senior Management and the most highly paid staff, the percentage of variable compensation that is deferred should be substantially higher than other Staff; c. a portion of variable compensation may be awarded in shares or equivalent ownership interests or share-linked or equivalent non-cash instruments in the case of non-listed Companies, as long as these instruments create incentives aligned with long-term value creation and the time horizons of risk. Awards in shares or share-linked instruments must be subject to an appropriate share retention policy; and d. The remaining portion of the deferred compensation can be paid as cash compensation vesting gradually. In the event of negative financial performance or net loss of the Company and/or the relevant line of business in any year during the vesting period, any unvested portions should be clawed back, subject to the realised performance of the Company and the business line. 10. Contractual payments related to the termination of employment should be examined to ensure there is a clear basis for concluding that they are aligned with long-term value creation and prudent risk-taking; any such payments must be related to performance achieved over time and designed in a way that does not reward failure. 11. Where the Company makes any severance payments, such payments must be subject to appropriate governance, limits and controls, and should relate to performance over time. Severance payment must not reward failure or potential failure of the Company. 12. Companies are encouraged to follow best international practices in sound compensation, Including the guidance provided by the Financial Stability Board in its issued Principles and Standards on Sound Compensation Practices as updated from time to time. 9. FINANCIAL REPORTING AND EXTERNAL AUDIT

1. Governance requirements for financial reporting and external audit must be adhered to as stipulated in the Financial Regulations, Insurance Authority’s Board

27 of Directors’ Decision No. (19) of 2020 Concerning the Guidance Manual for Insurance Companies and Related Professions to Submitting the Data, information and any separate Regulations issued by the Central Bank in this regard. 2. The Board is responsible for overseeing the necessary controls to ensure the soundness and accuracy of the financial reports, including: a. Overseeing the financial statements, financial reporting and disclosure process. b. Assessing the effectiveness of the accounting policies and practices. c. Overseeing the internal audit process (reviews by internal audit of the Company’s financial reporting controls) and reviewing the internal auditor’s plans and material findings. d. Significant findings and observations regarding the weakness in the financial reporting process are promptly rectified. This should be supported by a formal process for reviewing and monitoring the implementation of recommendations by the external auditor. e. Reporting to the Central Bank on significant issues regarding the financial reporting process, and the remedial action taken in this regard. 3. The Board is responsible for ensuring the sound governance and oversight of the external audit process, including: a. Approving, recommending, appointing, reappointing, dismissing and determining the compensation of the external auditor. b. Ensuring the independence of the external auditor through robust processes to ensure that the appointed external auditor has the necessary knowledge, skills, expertise, integrity and resources to conduct the audit and meet any additional regulatory requirements. c. Assessing the effectiveness of the external audit. d. Investigating circumstances of resignation or removal of the external auditor, and reporting the same to the Central Bank. 4. The Board must ensure an effective relationship with the external auditor, through: a. Setting clear and adequate terms of engagement of the external auditor, along with a defined scope of work and resources required to conduct the audit. For this purpose the Board must ensure that the terms of engagement of the external auditor are clear and appropriate to the scope of the audit and resources required to conduct the audit and specify the level of audit fees to be paid. b. An undertaking by the external auditor that the audit is going to be conducted according to the applicable legislation and international standards.

28 c. Ensuring that the external auditor complies with internationally acceptable ethical and professional standards. d. Ensuring that there are adequate policies to ensure the independence of the external auditor, including restrictions and conditions for the provision of non￾audit services which are subject to approval by the Board, periodic rotation of members of the audit team and/or audit firm and the provision of safeguards to eliminate or reduce to an acceptable level identified threats to the independence of the external auditor. e. Ensuring that there is unrestricted access to information or persons to conduct the audit. 5. The Board must have effective communication with the external auditor, including scope and timing of the audit to understand the nature of risk. The Board should hold regular meetings with the external auditor without the presence of Senior Management, and all internal audit weaknesses must be identified and communicated. 6. The Company must provide the Central Bank with the external auditor’s report. 7. The external auditor must promptly report to the Central Bank without the prior consent of the Company on all matters that are likely to be of material significance, such as breaches of applicable legislation, fraud or the suspicion of fraud. 10. COMMUNICATIONS

1. Disclosures in the annual Corporate Governance statement must include, but not be limited to, information on the following: a. Material information on the Company’s objectives, organisational and governance structures and policies; b. Major share ownership and voting rights; c. Related Party Transactions; d. The recruitment approach for the selection of members of the Board and for ensuring an appropriate diversity of skills, backgrounds and viewpoints; e. Education and experience of members of the Board and key members of Senior Management; f. Type and composition of Board and its committees; the number of times they met and attendance records; g. Incentive and compensation policy including the decision-making process used to determine the Company-wide compensation policy, the most important

29 design characteristics of the compensation system and aggregate quantitative information on compensation; h. The individual compensation of the members of the Board and key members of Senior Management; i. Individual board membership in any other companies; j. Information on the policy as to, and actual figures of, female candidates’ consideration and representation on the Board; k. Key points concerning its risk exposures and risk management strategies without breaching necessary confidential; l. Information on the purpose, strategies, structures, and related risks and controls of material and complex or non-transparent activities; m. Forward looking statements and foreseeable risk factors; and n. In the case of Takaful Companies, Annual Shariah Reports on the compliance with Shariah rules and the resolutions of the Higher Shari`ah Authority, or any other disclosures required by the Company or the Higher Sharia Authority. 2. Where useful, Companies may make reference to the information contained in the financial statements’ notes. 3. Qualitative and quantitative disclosure requirements on compensation to be published annually in a Company’s Corporate Governance statement must include the following information for Board members, Senior Management and Material Risk Takers: a. Description of the main elements of their compensation system and how the system has been developed; b. Fixed and variable compensation awarded during the financial year; c. Special Payments: guaranteed bonuses, sign-on awards and severance payments; d. Deferred compensation; e. Any sanctions imposed on any Board member by a national or foreign judicial or supervisory authority that is relevant to the matters stated herein. 4. Boards should approve and publicly disclose a statement providing assurance that the Corporate Governance arrangements of their Companies are adequate and efficient.

30 5. The Company’s communication policies and strategies should cater for providing the Central Bank with any commercially sensitive information in a timely and efficient manner. Such information may include assessments by the Board of the effectiveness of the Company’s governance system, internal audit reports, information on the compensation structures adopted by the Company for the Board, Senior Management, Control Functions and Material Risk Takers. 11. DUTIES OF SENIOR MANAGEMENT

1. Senior Management is responsible and accountable to the Board for compliance, fair treatment of policyholders, record keeping and for the sound and prudent day￾to-day management of the Company in accordance with the Company’s corporate culture, business objectives and strategies for achieving those objectives. The organization, procedures and decision-making of Senior Management must be transparent and provide clarity on the role, authority and responsibility of the various positions within Senior Management.
2. Consistent with the direction given by the Board, Senior Management must implement business strategies, risk management systems, risk culture, processes and controls for managing the risks to which the Company is exposed in alignment with the Risk Appetite. This includes comprehensive and independent risk management, compliance and audit functions as well as an effective overall system of internal controls. Senior Management must recognise and respect the independent duties of the risk management, compliance and internal audit functions, and in the case of a Company offering Islamic financial services, Shari`ah compliance and audit functions, and must not interfere with the exercise of such duties.
3. Senior Management must provide oversight of those they manage, and ensure that the Company’s activities are consistent with the business strategy, Risk Appetite and the policies approved by the Board. Senior Management is responsible for delegating duties to Staff and must establish a management structure that promotes accountability and transparency throughout the Company.
4. Senior Management must provide the Board with comprehensive and timely reports to enable it to effectively discharge its responsibilities, including the oversight of Senior Management. Information that Senior Management must regularly provide to the Board includes, but is not limited to: a. Performance relative to the Company’s strategy and Risk Appetite; b. Performance against budget and other financial targets, and the financial condition of the Company; c. Breaches of Risk Limits or compliance rules categorised by frequency, scope and impact; d. Internal control failures;

31 e. Legal or regulatory concerns and remedial actions taken or proposed; f. Current and developing market conduct issues, including a semi-annual analysis on client complaints and inquiries; g. Issues raised as a result of the Company’s whistleblowing mechanism; h. Breaches of Shari`ah rules and principles in the case of a Takaful Company; and i. Proposed changes in Company strategy. 5. An ex-ante review and approval process must be completed before a member of Senior Management accepts nomination to serve on a board as permitted by the Regulation so as to ensure that the activity will not create a Conflict of Interest. In addition, each member of Senior Management must confirm annually that he/she has sufficient time available to manage the time commitments required for their role in the Company. 6. A Company is prohibited from terminating the services of a member of the Senior Management because of their compliance with the law, decisions, regulations, instructions and circulars issued pursuant thereto.