2020-02-06

Guernsey Financial Services Commission Thematic Review on Insurer Cash Management and Control of Funds

The Guernsey Financial Services Commission conducted a thematic review of cash management controls for 12 low-impact licensed insurers to address solvency and liquidity risks. The review found that while all firms maintained signatory lists and payment approval policies, significant gaps existed in documenting bank account opening procedures and maintaining adequate reconciliation records in Guernsey. The Commission emphasized that licensees must ensure internal policies are strictly followed, Board approvals are properly recorded, and all financial books and records are kept locally regardless of group operational structures.


Guernsey Financial Services Commission, Glategny Court, Glategny Esplanade, St Peter Port, Guernsey, GY1 3HQ
© Guernsey Financial Services Commission, 2020

Insurer Cash Management and Control of Funds
Thematic Review
February 2020

Executive Summary

The Guernsey Financial Services Commission (the “Commission”) presents the findings of its Thematic Review of insurer cash management and control of funds (the “Thematic Review”). Given the inherent solvency and liquidity risk of insurance licensees, our objective for selecting this theme was to undertake a formal review to understand the control framework related to cash management. For the thematic review we aimed to cover various sectors of the insurance market, selected from entities licensed under the Insurance Business (Bailiwick of Guernsey) Law, 2002.

Broadly, the thematic review uncovered a number of areas of good practice, for example in maintaining appropriate signatory lists and having adequate policies and procedures in place for the signing and approval of payments. However, we found some instances where more attention needs to be paid to policies and procedures. The Commission reminds General Representatives of their responsibilities under the Insurance Business (Duties of General Representatives) Regulations, 2008 to report to the Commission on compliance with relevant legislation.

This report reflects the findings from the Thematic Review and we hope the content will be useful to all firms. We would encourage all licensees to read the findings of the review and satisfy themselves that their own arrangements reflect good practice.

We would like to thank the licensees who have taken the time to contribute to this review and hosted site visits.

Jeremy Quick
Director, Banking and Insurance Division
February 2020

Contents

  1. Scope
  2. Current responsibilities of Licensed Insurers
  3. Approach
  4. Key findings
     4.1 Signing authorities
     4.2 Payment processes
     4.3 Signing authority levels
     4.4 Banking services
     4.5 Payment instructions
     4.6 Management information
     4.7 Outsourcing
     4.8 Loans to third-parties
     4.9 Reporting to the Commission
     4.10 Additional information

1. Scope

Insurance businesses licensed as insurers by the Commission (“Licensed Insurers”)[1] were selected to be the subject of a Thematic Review. The objective of the Thematic Review was to ascertain the control framework of Licensed Insurers, related to their cash management and control of funds. This was triggered by the following observations:

- During Full Risk Assessments (FRA), weaknesses of insurance licensees’ controls in relation to the opening and closing of bank accounts and processing of payments;
- Issues arising when Insurers outsourced work to third parties and allowed those third parties to have custody of funds (for example third party claims handlers); and
- Issues arising when other entities within the same group, or under the same control, do not correctly segregate the insurer’s funds.

Given the inherent solvency and liquidity risk for Licensed Insurers, the Commission wished to understand what controls were in place to ensure effective cash management. Particular focus was paid to the signing authorities of the Licensed Insurers’ bank accounts, controls over payment systems, management information provided to the Board, outsourcing arrangements and loans to third parties. The Commission also wished to assess whether insurer cash and liquid assets had been correctly reported to the Commission in the most recently submitted annual returns.

The legal and regulatory requirements of firms, as detailed in section 2, are intended to provide the Commission with the information it requires to perform its statutory duties in a proportionate manner.

The Thematic Review was focused on those insurers that undergo largely reactive supervision under the Commission’s risk-based supervisory framework, PRISM. This enabled the Commission to gather information on a segment of its supervised population that, due to its impact profile, experiences less frequent engagement. The population sample was therefore restricted to low impact Licensed Insurers, selected to include a cross section of insurers in solvency Categories 1, 3 and 5. After excluding licensees for purposes of conflicts or other supervisory matters the sample population was 176 from which a sample of 12 Licensed Insurers were selected. Since Insurance Managers[2] have a significant influence on the policies and procedures of the firms they manage, the sample was selected to ensure that the firms chosen were managed by a representative cross section of Insurance Managers.

The Thematic Review examined current policies, procedures and controls and the most recent annual returns that were submitted to the Commission by Licensed Insurers, so that observations and findings were as relevant as possible. These were primarily annual returns for 2018 year-ends, with a small number of returns within the sampled population having a 31 March 2019 or 30 June 2019 year-end.

[1] Licensed under The Insurance Business (Bailiwick of Guernsey) Law, 2002, as amended.
[2] Licensed under The Insurance Managers and Insurance Intermediaries (Bailiwick of Guernsey) Law, 2002, as amended.

2. Current Responsibilities of Licensed Insurers

These may be summarised as follows:

- All financial institutions should ensure that they maintain adequate financial resources to meet their future business commitments and to withstand the risks to which their businesses are subject.[3]
- All financial institutions should deal with the Commission in an open and co-operative manner and should keep the Commission promptly informed of anything concerning the financial institution which might reasonably be expected to be disclosed.[4]
- Schedule 7 of the Insurance Business (Bailiwick of Guernsey) Law, 2002, as amended, contains the Minimum Criteria for Licensing, which requires business to be carried on with prudence, integrity and professional skill. It sets out that the licensee shall not be regarded as conducting business in a prudent manner unless it maintains adequate liquidity and adequate systems of control.[5]
- Appendix 3 to the Finance Sector Code of Corporate Governance requires that the insurer operates within effective systems of control, with oversight by the Board, including controls over outsourced functions.[6]
- The Commission issued the Guidance Note for Licensed Insurers on Outsourcing in July 2018, which outlines further considerations where material activities or functions are outsourced by Licensed Insurers.

The above requirements apply to all Guernsey incorporated Licensed Insurers, including entities in run-off. Branch operations must comply with the relevant provisions of the Insurance Business (Bailiwick of Guernsey) Law, 2002, and the Minimum Criteria for Licensing.

For the avoidance of doubt, this Thematic did not consider compliance with relevant AML/CFT requirements to which Licensed Insurers are subject. Licensed Insurers should take these requirements into account when considering their banking processes and procedures.[7]

[3] See Principle 8 of the Principles of Conduct of Finance Business.
[4] See Principle 10 of the Principles of Conduct of Finance Business.
[5] See Sections 6(2)(b) and 6(2)(d) of Schedule 7 to The Insurance Business (Bailiwick of Guernsey) Law, 2002, as amended.
[6] See Principles A:10 and A:16 of Appendix 3 to the Finance Sector Code of Corporate Governance.
[7] Criminal Justice (Proceeds of Crime)(Bailiwick of Guernsey) Law, 1999, as amended.

3. Approach

The Thematic Review consisted of two stages:

- A Thematic Questionnaire (the “Questionnaire”) was sent to 12 Licensed Insurers (the “Thematic Sample”), managed across 7 Insurance Managers, which were identified as insurers with a low impact rating. Questionnaire responses were completed by the Thematic Sample (“Respondents”), who provided appropriate documentation to support their responses.
- Site visits were conducted for the Thematic Sample, where the implementation of the processes and controls identified in the Questionnaire responses was tested by selecting and reviewing one example of it being performed.

The Questionnaire sought responses in a number of areas relating to the processes performed and controls in place surrounding cash management procedures. These responses are considered in section 4 of this report.

The assessment was a desk-based review of the Questionnaire responses submitted using the Commission’s online portal and information gathered during the site visits. This approach enabled the Commission to identify a spread of good practice, relevant to Licensed Insurers in general, and to consider specific areas where improvements are required. This included where there was divergence among Licensed Insurers as to how cash management process and controls were managed.

The following pages consider how firms are discharging their responsibilities. Areas of good practice have been highlighted by way of examples. These examples should not be taken as guidance and are in no way prescriptive as they may not be appropriate for every Licensed Insurer, but rather considered proportionately in light of the nature, scale and complexity of that Licensed Insurer’s business.

Please note that all data contained within this report is based on Questionnaire and information request responses received unless otherwise stated. Respondents to the Questionnaire were either given free-form answer boxes or were able to select multiple options in answering a question.

4. Key Findings

In this section, we examine the responses to the Questionnaire regarding insurer cash management processes. Questions are framed within quotation marks below and areas of good practice, or areas which require improvement, are noted throughout.

4.1 Signing Authorities

4.1.1 Maintaining signing authorities

POINT OF NOTE: In two of the instances where the signatory list was only reviewed annually, this was due to low activity levels of the Licensed Insurer. The Board had decided that annual Board meetings were sufficient to consider the level of insurer activity. The Insurance Managers in this case noted that they were considering increasing this to two meetings a year. Whilst the Commission does not prescribe the number or frequency of Board meetings to be held it expects the Board to set a policy appropriate to the nature, scale and complexity of the insurer. One of the Respondents has a member of the Executive Committee designated by the Board to appoint and remove signatories as and when required. For all other Respondents Board approval was required to update the signatory list.

“Do you maintain a current list of signing authorities for your bank account mandates? Please describe the processes in place, or provide supporting policies and procedures, to update and maintain signing authorities.”

- All 12 Respondents (100%) maintain a signatory list and policies for updating and maintaining signing authorities.
- 3 of the 12 Respondents (25%) review the banking mandate annually, whereas the other 9 respondents (75%) review the signatory list more than once a year.
- 2 of the 12 Respondents (17%) did not have the names of the individuals on the signatory list recorded in the Board minutes or Board packs.
- 1 of the 12 Respondents (8%) no longer holds physical Board meetings due to the insurer being in run off.

4.1.1 Maintaining signing authorities (continued)

AREA FOR IMPROVEMENT: We noted one instance where the frequency of review and approval of the signing authorities did not comply with the insurer’s own internal policies, which required the signatory list to be approved at every Board meeting. The insurer’s signatory list was only reviewed annually or at trigger events, where necessary. We would expect internal policies to be followed accordingly. Where the names of the individuals on the signatory list were not recorded in the Board minutes or Board packs, reference was made to a pre-approved list of signatories. The Board should ensure that it is provided with sufficient, appropriate information, and the Board’s review and approval of the signing authorities should be documented.

4.1.2 Contingency arrangements for signing controls

POINT OF NOTE: Two Respondents managed by one Insurance Manager were considering implementing a central signatory list which would be supplemented by additional signing authorities for individual entities, where required. This list would have the same signatories for all entities managed by the Insurance Manager so as to increase the number of available signatories. A similar process was already in place at another Insurance Manager. The Board and the Insurance Manager should consider the risk that payments may be authorised by individuals who are unfamiliar with the specific entity and its regular operations.

“Are there contingency arrangements for signing controls in case of staff absences?”

- All 12 Respondents (100%) had contingency arrangements to ensure sufficient signatory coverage.
- No Respondents (0%) had an instance where there were not enough signatories to send out a payment on time.

4.2 Payment Processes

4.2.1 Payment systems

POINT OF NOTE: The Respondents who used electronic banking systems had positive feedback about the systems. The majority of Respondents who did not yet have electronic banking systems cited the administration involved with setting up electronic banking as a key driver to not using such systems. Several Insurance Managers noted their concern for the additional security and administration required to maintain multiple key fobs across the entities they manage for each banking system. Continued reliance upon hard copy payment systems may prove difficult as banks increasingly move towards electronic systems and Boards should plan ahead for this eventuality. Regardless of the system used the Commission’s concern is with the procedures and controls around that system.

4.2.2 Initiating payments

POINT OF NOTE: All Respondents follow a similar process of receiving the instruction and checking for legitimacy before the administrators or treasury departments initiate the payment process. For all Respondents, except one, the payment process is initiated by the Insurance Manager. During our site visits we did not identify any instances where the process for initiating payments differed from the stated procedures.

“Please describe your payment systems. For example: do you process electronic payments through your own system/SWIFT account? Or does the bank process payments on your behalf?”

- 9 of the 12 Respondents (75%) did not use electronic banking systems.
- 3 of the 12 Respondents (25%) did use electronic banking systems.

“Do you maintain documented policies, procedures and controls in place for initiating payments? If yes, please describe these controls or provide supporting policies and procedures with regard to initiating payments.”

- All 12 Respondents (100%) have documented policies and procedures in place for initiating payments.

4.2.3 Approving payments

GOOD PRACTICE: We noted several instances of good practice where electronic payment systems prevented the individual who had permission to input a payment on the system from being able to approve or release the payment on the system. Two Respondents had an internal payments system that prevented an individual from both entering and reviewing or approving payments. In all other instances there was a policy stipulating that the role for creating the payment request be segregated from review and approval duties.

POINT OF NOTE: All Respondents follow similar controls surrounding approving and releasing a payment. Respondents had a minimum of four eyes checks. During our site visits we did not identify any instances where the process for approving payments differed from the stated procedures.

“Do you have controls regarding the approval of payments? If yes, please describe these controls or provide supporting policies and procedures with regard to approving payments.”

- All 12 Respondents (100%) have documented controls in place for approving payments.

4.2.4 Payment process training

GOOD PRACTICE: One Insurance Manager, which managed two of the Respondents, held regular meetings for the administration team dealing with various clients to discuss processes. The purpose of these meetings was to help ensure that processes were correctly followed for all client entities, and any updates to processes were effectively communicated and understood throughout the licensee.

4.2.5 Bank reconciliations

GOOD PRACTICE: One Insurance Manager that managed two of the Respondents had a checklist included in quarterly management accounts to confirm that all bank reconciliations had been performed during the quarter.

“Are staff trained on the electronic payments process? If yes, please describe the training provided. (i.e. type / frequency).”

- All 12 Respondents (100%) have at least on the job informal training.
- 3 of the 12 Respondents (25%) use an electronic payment process. All of these Respondents provide formal new joiner training.
- Of those that do not have an electronic payment process:
  - 4 of the 9 Respondents (44%) have formal new joiner training; and
  - 5 of the 9 Respondents (56%) only provide on the job training.

“Do you conduct reconciliations on the accounts that you hold? If yes, please describe your reconciliation process (i.e. frequency, individuals involved, etc.) or provide supporting policies and procedures with regard to account reconciliations.”

- 8 of the 12 Respondents (67%) conducted monthly reconciliations.
- 2 of the 12 Respondents (17%) conducted quarterly reconciliations.
- 1 of the 12 Respondents (8%) conducted a reconciliation every six months.
- 1 of the 12 Respondents (8%) did not conduct bank reconciliations in Guernsey.

4.2.5 Bank reconciliations (continued)

POINT OF NOTE: The Board should consider whether a gap of more than three months between bank reconciliations increases the risk of fraud or other misuse of bank accounts, especially if the frequency of transaction is such that the bank account is not otherwise monitored during that period. During the site visits it was noted that one of the Respondents, which identified that it performs monthly bank reconciliations, did not have documentation to evidence a bank reconciliation had been performed for one month during the year under review.

AREA FOR IMPROVEMENT: One of the Respondents did not conduct bank reconciliations in Guernsey, as it did not have access to the bank statements. The Group operations function carries out bank reconciliations and does daily balances tracking; this could not be verified during the local site visit. Licensed Insurers must ensure that adequate books and records are maintained in Guernsey, irrespective of group operational requirements. The General Representative of a Licensed Insurer shall ensure that adequate books and records of the Licensed Insurer’s business are maintained in Guernsey.[8]

[8] Refer to Regulation 1(e) of the Insurance Business (Duties of General Representatives) Regulations, 2008.

4.3 Signing authority levels

4.3.1 Signing authorities

GOOD PRACTICE: One Respondent noted that complex and non-standard transactions would require an additional level of approval before payment; in this instance, it had opted to escalate to the Board.

AREA FOR IMPROVEMENT: One Respondent’s policies included a requirement for all payments over a certain threshold to be documented and provided to the Board for their approval. This had not occurred in recent payments. When raised with the Respondent they noted that the intention for this policy was that it would only apply to non-standard payments. The Respondent plans to minute this issue at future Board meetings and to update the narrative in the policy to clarify that only those non-standard payments over a specific threshold need to be reported to the Board. We would expect internal policies to be followed accordingly and updated where necessary.

“When assigning signing authorities, do you consider the level of authority required? (i.e. management, director, shareholder sign off required). If yes, please describe, or provide supporting documentation with regard to, the varying limits to the power and authority of the signatories. (i.e. value or type of transactions).”

- All 12 Respondents (100%) considered the level of authorisation required for signing authorities, such as the use of different “A” and “B” signatories across different levels of seniority for different sized payments.

4.4 Banking Services

4.4.1 Opening and closing bank accounts

GOOD PRACTICE: The two Respondents that had formal, documented policies for both opening and closing bank accounts also required that, before proceeding with the opening or closing procedures, the administrator was provided with an extract of the Board meeting minute evidencing approval. This was included with the account opening or closing forms to evidence appropriate level of approvals.

POINT OF NOTE: All Insurance Managers noted the increasing requirements set by banks for opening bank accounts in Guernsey, leading to an onerous process. Due to these delays, one Respondent commented that they prefer to leave dormant bank accounts open. Whilst this is understandable, it does increase the risk of misuse of those accounts.

AREA FOR IMPROVEMENT: For the Respondents where there are no formal processes in place, 9 of the 10 Respondents clarified that in practice any bank account opening or closing would require Board approval, however we would expect policies and procedures to be appropriately documented. One of the Respondents did not have formal policies for opening or closing bank accounts, although they understood accounts could only be opened or closed by authorised signatories to whom the Board had delegated the authority in lieu of Board approval. One Respondent noted that on a recent occasion the Group operations function had opened a bank account without the Board’s explicit authorisation. This is unacceptable and could lead to funds being diverted to an account with signatories who have not been authorised by the Board. Ultimate responsibility must remain with the Board although, where appropriate, delegated authority could be granted to local executive management.

“Do you maintain documented policies, procedures and controls for opening and closing bank accounts? If yes, please describe or provide supporting policies and procedures with regard to opening and closing bank accounts.”

- 2 of the 12 Respondents (17%) had formal documented policies for both opening and closing bank accounts.
- 6 of the 12 Respondents (50%) had formal documented policies for opening bank accounts but not for closing bank accounts.
- 4 of the 12 Respondents (33%) did not have formal documented policies for opening or closing bank accounts.

4.4.2 Suitability of new banking institutions

GOOD PRACTICE: For those Respondents who noted that this question was not applicable, one Respondent only banks with a financial institution that is a related party; however, they noted that the local Board sufficiently challenged this decision.

POINT OF NOTE: One of the Respondents who previously considered suitability no longer discusses the suitability of institutions, as its operations are in run-off.

AREA FOR IMPROVEMENT: One of the Respondents follows the Group’s investment policy, and any assessment of the suitability is done by Group. We would expect there to be sufficient level of scrutiny and challenge by the Board to ensure that a Group assessment is appropriate for the local business and its regulatory requirements. For one of the Respondents who noted that this question was not applicable, they have a list of authorised banks, as determined by their parent entity, that they would take into account in an assessment of suitability locally. The Respondent should ensure that they have sufficiently challenged the recommendations of the parent entity.

“When you are looking to open a new bank account, do you consider multiple providers and assess the suitability of the available institutions? If yes, please describe the process, or provide supporting policies and procedures, with regard to assessing the suitability of new financial institutions.”

- 9 of the 12 Respondents (75%) considered the suitability of available institutions.
- 1 of the 12 Respondents (8%) noted that the suitability is assessed by the Group operations.
- 2 of the 12 Respondents (17%) noted that this question was not applicable.

4.4.3 Ongoing suitability of banking institutions

GOOD PRACTICE: Six Respondents review the suitability of the banking institutions at every Board meeting and this is discussed and included in the minutes of the Board meetings. The Board should ensure that it is provided with sufficient information to monitor regularly the suitability of the banking institutions it uses, depending upon the nature, scale and complexity of the insurer.

POINT OF NOTE: One of the Respondents no longer discusses the suitability of institutions, as its operations are in run-off. The Board should ensure that it retains sufficient oversight, as its responsibilities remain whilst the firm is in runoff. Three Respondents reviewed the suitability of the banking institutions annually. Two Respondents had the suitability of the banking institutions noted in the board packs; however, the minutes did not record any discussion of the suitability of said banking institutions. The Board should ensure that minutes fully reflect all discussions and decisions.

“Do you regularly review the suitability of the banking institutions that you use? If yes, please describe, or provide supporting policies and procedures, with regard to assessing the suitability of current financial institution.”

- 11 of the 12 Respondents (92%) considered the suitability of the banking institutions that they use.
- 1 of the 12 Respondents (8%) noted that the ongoing suitability is assessed by the Group.

4.4.4 Approved banking institutions

GOOD PRACTICE: Six Respondents have a designated formal list of approved banking institutions that they would use.

POINT OF NOTE: All Respondents were confident that they would be able to access alternative banking services, if required, as all Insurance Managers had existing relationships with various financial institutions. However, as noted in section 4.4.1, opening alternative bank accounts can be an onerous process. One of the Respondents who stated that the question was not applicable does not maintain a list of banking arrangements, as they only bank with a financial institution that is a related party. One of the Respondents who stated that the question was not applicable does not maintain a list of banking arrangements, as they consider that, as they are a small company, a list is not required. This is a matter for consideration by the Board.

“Do you maintain a list of approved banking institutions? Do you have contingent arrangement to access alternative banking services, if required? If yes, please describe the contingent arrangements and any alternative banking services in place.”

- 6 of the 12 Respondents (50%) maintained a list of approved banking institutions.
- 4 of the 12 Respondents (33%) did not maintain a list of the approved banking institutions.
- 2 of the 12 Respondents (17%) noted that this question was not applicable.
- All 12 Respondents (100%) identified that they were confident they would be able to access alternative banking services, if required.

4.5 Payment instructions

4.5.1 Signing payment instructions

GOOD PRACTICE: All Respondents required at least two signing authorities, with supporting evidence to document the rationale for the payment provided to the signatories. For additional discussion of maintenance and level of signing authorities refer to section 4.3.

4.5.2 Guernsey resident signatories

GOOD PRACTICE: The Commission’s long-standing policy is that all Licensed Insurers should ensure that a Guernsey resident signatory is required for all payments. Signing authorities are submitted as part of the application process and, thereafter, it is the responsibility of the Board and General Representative to ensure that this requirement continues to be met. Four Respondents had the requirement for a Guernsey resident signatory specifically mentioned in the signatory list, and one Respondent had the requirement listed in their compliance manual.

- All 12 Respondents (100%) maintained documented policies and procedures in respect of payment instructions.

“Do you maintain documented policies, procedures or controls for signing payment instructions? If yes, please describe, or provide supporting policies and procedures, with regard to signing payment instructions.”

“Do you require payment instructions to be signed by at least one Guernsey resident individual?”

- All 12 Respondents (100%) had a Guernsey resident signatory on all payments.
- 5 of the 12 Respondents (42%) had the requirement specifically described in their documented procedures.
- 7 of the 12 Respondents (58%) did not have the requirement specifically mentioned in their documented procedures.

4.5.2 Guernsey resident signatories (continued)

POINT OF NOTE: The seven Respondents that did not have the requirement for a Guernsey resident specifically documented did follow the requirement in practice; for example, by having a requirement for an “A” and a “B” signatory, where all “A” signatories were resident in Guernsey.

4.6 Management information

4.6.1 Management information to the Board

POINT OF NOTE: One of the Respondents that did not provide management information to the Board noted that its operations were in run-off, so it no longer held physical Board meetings. The Board still receives financial accounts once a year. Even when in run-off the Board remains responsible for such matters, and should ensure that it receives sufficient management information to enable it to discharge its responsibilities. The other Respondent that did not provide management information to the Board was in the start-up phase and, therefore, no cash information had yet been escalated to the Board. The Board should ensure that, as soon as possible, it is in receipt of sufficient management information.

AREA FOR IMPROVEMENT: Three Respondents provided the Board with cash summaries annually, three provided summaries on an ad hoc basis, and one provided cash summaries on an exceptions basis. The Board should ensure that it is provided with sufficient management information to be able to regularly monitor their cash assets.

“Is management information on the banking arrangements provided to the Board? If yes, does this management information provided to the Board include items such as liens, covenants, separation and recoverability? How often is this information reported to the Board?”

- 9 of the 12 Respondents (75%) provide banking arrangement information to the Board at least annually.
- 2 of the 12 Respondents (17%) do not provide banking arrangement information to the Board.
- 1 of the 12 Respondents (8%) did not have oversight on what was reported to the Board.

4.7 Outsourcing

4.7.1 Outsourcing agreements

AREA FOR IMPROVEMENT: One of the Respondents had the contract with the outsourcing party pending execution. The outsourcing party in question was a related party; however, we would still expect a formal outsourcing agreement to be in place.

4.7.2 Monitoring outsourcing arrangements

GOOD PRACTICE: One of the Respondents conducted quarterly monitoring of the balances and transactions, which is reconciled and then reviewed by the Board. There was also a summary of the escrow account, which is reconciled and reviewed quarterly.

One of the Respondents had an independent auditor review the claims handling processes conducted by the outsourced party, and provided a technical assurance report of the outsourced party and their risk management processes. While the report focussed on claims management it also covered cash management.

“Where applicable, do you maintain formal outsourcing agreements for accounts that are not directly under your control? If yes, are these agreements monitored?”

• 3 of the 12 Respondents (25%) have outsourcing arrangements in place.
• 2 of the 3 Respondents with outsourcing arrangements (67%) have formal agreements in place.
• 1 of the 3 Respondents with outsourcing arrangements (33%) has a contract still pending execution.

“Please describe the processes, or provide supporting policies and procedures, with regard to monitoring outsourcing arrangements, reconciling the funds and verifying the funds are held in accordance with your expectations (i.e. third-party confirmations).”

• 2 of the 3 Respondents with outsourcing arrangements (67%) monitor these arrangements quarterly.
• 1 of the 3 Respondents with outsourcing arrangements (33%) monitors these arrangements annually.

4.7.2 Monitoring outsourcing arrangements (continued)

AREA FOR IMPROVEMENT: One of the Respondent Boards noted that, because the outsourced function was a related party, it limits oversight to a review of the quarterly account balance. Licensed Insurers should ensure that the Board receives sufficient information to allow for adequate monitoring of outsourcing arrangements, reconciliation of funds and verification that funds are held in accordance with its expectations, especially when the outsourced provider is a related party.

The Commission expects that the Board would require that the outsourced provider submit supporting evidence of relevant account balances, such as an original bank statement, and should not simply rely upon a declaration from the outsourced provider.

There is a risk that funds managed by a third party could be co-mingled with other funds held by that third party, or with the third party’s own funds. The Board should ensure the correct legal segregation of funds, especially where there is a risk that a group controller wishes to retain centralised control of funds. The Commission expects insurers to keep funds held by third parties to the minimum necessary, and not to allow balances to build up such that a significant credit risk is created.

4.8 Loans to third parties

4.8.1 Loan policies and procedures

GOOD PRACTICE: One of the Respondents considered the loan granted to a third party at each Board meeting, being either two or three times a year. At the year-end, this insurer also discussed the solvency of the counterparty (the parent entity) and their ability to repay the loan.

POINT OF NOTE: One of the Respondents at least annually reviewed the loan agreement and performed a regulatory solvency assessment. The Respondent should consider whether this provides sufficient monitoring and oversight of the loan with regard to recoverability and the insurer’s solvency requirements.

AREA FOR IMPROVEMENT: One of the Respondents, who granted a loan to its parent company, did not conduct formal monitoring procedures of the loan. It noted that the Respondent’s Board had full visibility of the parent’s operations, given the commonality of their boards’ members. This is not acceptable and the Commission expects formal processes and documentation to be in place to evidence consideration and oversight over the management of funds and recoverability of parental loans by the Licensed Insurer itself.

“Do you maintain documented policies, procedures and controls with regard to loans to third parties? (i.e. initiation, approval, ongoing monitoring). If yes, please describe the processes, or provide supporting policies and procedures, with regard to loans to third parties.”

• 3 of the 12 Respondents (25%) have granted loans to third parties, of which:
  • 1 Respondent (33%) considers the loan at each Board meeting.
  • 1 Respondent (33%) conducts a review of the loan at least annually.
  • 1 Respondent (33%) does not conduct formal monitoring of the loan.

4.8.2 Loan agreements

AREA FOR IMPROVEMENT: One Respondent could not evidence that there was a 2019 signed loan agreement in place, although a signed agreement for 2018 was provided. The Board were provided with an unsigned copy of the loan agreement in the Board pack, but there were no discussions in the minutes surrounding the loan or the agreements. The Respondent did not have formal procedures in place for monitoring the loan and, therefore, appeared to lack oversight of loans with related parties.

The Board should ensure that loans are given due consideration at regular intervals and are not simply rolled over without challenge. The Board should ensure that there are appropriate policies, procedures and controls for the review, approval and execution of all material lending.

“Do you maintain formal agreements for all third-party loans, including loans to related entities?”

• 2 of the 3 Respondents with loans (67%) had signed agreements in place.
• 1 of the 3 Respondents with loans (33%) did not have a signed agreement in place.

4.9 Reporting to the Commission

4.9.1 Annual return reporting

The Commission felt reassured by the responses that reporting to the Commission on cash & cash equivalents as part of the annual return appeared complete and accurate, particularly in light of the findings of the 2018 Thematic Review on Insurer Annual Returns. Licensed Insurers should continue to review diligently their annual returns, to ensure that the financial information submitted to the Commission is materially complete and accurate.

“Please provide supporting documentation of the insurer cash reported to the Commission in your most recent Annual return. (i.e. reconciliations to third party statements). Please provide supporting documentation of the liquid assets reported to the Commission in your most recent Annual return. (i.e. reconciliations to third party statements).”

• 11 of the 12 Respondents (92%) provided information that reconciled to the annual return.
• 1 of the 12 Respondents (8%) did not have to submit an annual return as they had not yet had a full year of operations.

4.10 Additional information

4.10.1 Breaches

POINT OF NOTE: Three Respondents had minor administrative breaches that were all appropriately raised internally, logged on a breach register and reported to the Board and the Commission, where necessary.

One Insurance Manager had a breach of policy pertaining to cash management controls on an entity outside of the Thematic Sample. Following this breach, the related policies and procedures were fully reviewed and updated across all entities managed by the Insurance Manager, including those licensees managed by the Insurance Manager that fell within the Thematic Sample.

AREA FOR IMPROVEMENT: One of the Respondents had two breaches that were not listed on the breaches register. The Group maintained the breaches register and, at the time of our visit, the Respondent only had access up to the Q3 breaches register, where the breaches had occurred subsequently. We also noted that formal documentation and tracking of these breaches were performed following notification of the Thematic Review. We would expect all breaches to be dealt with in a timely manner.

“Have there been any breaches of the policies, procedures or controls relevant to this questionnaire in the last 12 months? If yes, please describe the nature of the breach(es), the actions taken and the status of the incident(s).”

• All 12 Respondents (100%) maintained a breach register, whether centrally maintained by compliance or held by the individual client teams.
• 8 of the 12 Respondents (67%) had not had any breaches of policy in the last 12 months.
• 4 of the 12 Respondents (33%) had breaches occurring in the last 12 months.

4.10.2 Tests of policies and procedures

GOOD PRACTICE: One Insurance Manager had a Group internal audit function, which performs ongoing monitoring of all jurisdictions. The tests in Guernsey are conducted approximately every five years, but the local office also had a local Compliance Monitoring Plan and performed regular self-assessments on its policies and procedures.

One of the Respondents, which did not conduct internal audit or independent party testing of adherence to policies and procedures, did have an independent auditor perform a review of the third party who processed small claims on its behalf.

POINT OF NOTE: Three Respondents did not have either internal audit or independent testing of policies or procedures. This is a breach of Principle A:15 of Appendix 3 to the Finance Sector Code of Corporate Governance. The Boards of those Respondents should ensure there is sufficient monitoring of the insurer’s policies and procedures to ensure they are functioning appropriately.

“Do any individuals who are independent from your cash management process (i.e. compliance, internal audit, or other individuals who do not initiate/check/authorise any payments) perform procedures to verify that cash management and payment policies are being appropriately followed? If yes, please describe the verification procedures used, (including: nature, extent and frequency of testing).”

• 5 of the 12 Respondents (42%) have a formal Compliance Monitoring Plan, internal audit function or employ an independent party to test policies and procedures.
• 2 of the 12 Respondents (17%) are developing a new internal audit programme.
• 1 of the 12 Respondents (8%) has a parent entity which tests policies and procedures.
• 1 of the 12 Respondents (8%) has testing of policies and procedures conducted by the Group.
• 3 Respondents (25%) do not have internal audit or independent testing of policies and procedures.
