2024-10-16

Decision on the System of Governance in an Insurance/Reinsurance Undertaking

The Executive Board of the National Bank of Serbia issued this Decision to establish the mandatory governance framework for insurance and reinsurance undertakings in Serbia. It defines the core governance functions of risk management, internal controls, internal audit, and actuarial services, while detailing the identification and management of specific risks including insurance, market, counterparty, liquidity, operational, legal, and money laundering risks. The regulation further mandates comprehensive risk management strategies, strict oversight of new product introductions, and the implementation of transparent compensation policies to ensure prudent risk-taking and financial stability.

Serbia

National Bank of Serbia

RS Official Gazette, Nos 51/2015, 29/2018, 84/2020, 94/2022 and 82/2024

Pursuant to Article 147, paragraph 3, Article 150, paragraph 3 and Article 151, paragraph 4 of the Insurance Law (RS Official Gazette, No 139/2014) and Article 15, paragraph 1 of the Law on the National Bank of Serbia (RS Official Gazette, Nos 72/2003, 55/2004, 85/2005 – other law, 44/2010, 76/2012, 106/2012, 14/2015 and 40/2015 – CC decision), the Executive Board of the National Bank of Serbia issues this

DECISION ON THE SYSTEM OF GOVERNANCE IN AN INSURANCE/REINSURANCE UNDERTAKING

Introductory provisions

  1. This Decision sets forth the manner of organising the system of governance in an insurance/reinsurance undertaking (hereinafter: undertaking), types of risks in the insurance industry, more detailed conditions and manner of identification, measurement, monitoring and management of these risks, more detailed conditions and manner of organising and implementing the internal controls system, and conditions for outsourcing.
  2. In accordance with the Insurance Law (hereinafter: Law) and this Decision, the system of governance in an undertaking (hereinafter: governance system) includes the following functions:
  1. risk management;
  2. internal controls system;
  3. internal audit;
  4. actuarial function.

An undertaking shall ensure a clear division of functions referred to in paragraph 1 of this Section and prevent the conflict of interest in their performance. Authorities and responsibilities of employees relating to the system of governance shall be determined in such a way that those responsible for risk taking or management at the operational level may not at the same time be engaged in the performance of oversight and/or control activities.
  3. An undertaking’s supervisory board shall be responsible for setting up an efficient system of governance ensuring the management of the undertaking’s activities in accordance with the principle of prudent and sound operation, the oversight of the system, which includes, in particular, the monitoring and assessment of adequacy of the system and its improvement.
  4. The system of governance shall be proportionate to the nature, scope and complexity of activities performed by the undertaking, and the undertaking’s size and organisational structure, its scope of operations and types of insurance it provides (principle of proportionality).

In implementing individual risk management methods and techniques, and in determining the frequency and level of detail of individual analyses of operation, an undertaking shall be guided by the principle of proportionality referred to in paragraph 1 of this Section, in order to take necessary measures to ensure the continuity and legality of its operation.

Types of risk in the insurance industry

  5. In its operation, an undertaking is or may be exposed particularly to the following risks:

  1. insurance risk;
  2. market risk;
  3. counterparty risk;
  4. liquidity risk;
  5. operational risk;
  6. legal risk;
  7. other material risks.
  6. Insurance risk is the risk of loss or unfavourable change in the value of liabilities arising from insurance due to the undertaking’s inability to absorb the assumed risks that are inherent to the insurance business.

The risk referred to in paragraph 1 of this Section includes in particular:
  1. risk of inadequately set premium;
  2. risk of inadequate formation of the undertaking’s technical provisions;
  3. insurance risk arising from disasters;
  4. special life and non-life insurance risks arising from:
     – a change in the level, trend (tendency) and volatility (deviation from expected) of mortality rates (mortality and longevity risks),
     – a change in the level, trend and volatility of rates of expiry, termination, renewal and repurchase of insurance contracts (risk of insurance expiration),
     – a change in the level, trend and volatility of disability and morbidity rates (morbidity risk),
     – a change in the moment of occurrence and frequency of insured events, and the amount of payment once these events occur;
  5. risk of inadequate assessment of risk assumed in insurance;
  6. risk of inadequately set self-retention limit of the undertaking or the assumption of risks in excess of the self-retention level, and/or failure to transfer the excess of risk over the self-retention limit to coinsurance, reinsurance and/or retrocession;
  7. other insurance risks (professional and technical) which depend on the nature, scope and complexity of the undertaking’s operation.

  7. Market risk is the risk of loss or unfavourable change in the undertaking’s financial position which directly or indirectly arises from adverse changes in the market, notably in insurance and financial markets.

The risk referred to in paragraph 1 of this Section includes in particular:

  1. interest rate risk;
  2. securities risk;
  3. real estate risk;
  4. risk of change in the value of investment units of open-ended alternative investment funds;
  5. transfer risk;
  6. FX risk;
  7. competition risk;
  8. risk of inadequate response to demands of insurance beneficiaries;
  9. other market risks which depend on the nature, scope and complexity of the undertaking’s operation.
  8. Counterparty risk is the risk of the undertaking’s inability to fully or partially collect receivables on various grounds, particularly due to a change in the credit position of the securities issuer and/or other counterparties.

The risk referred to in paragraph 1 of this Section arises particularly from the concentration of counterparty exposure, when the potential loss is so high that it jeopardises the undertaking’s solvency or financial position – concentration risk.

The risk referred to in paragraph 1 of this Section includes in particular:
  1. risk of the inability to collect payment from invested funds of an undertaking;
  2. risk of the inability to collect returns on invested funds of an undertaking and/or returns on leased property;
  3. risk of the inability to collect receivables from the counterparty in respect of insurance, coinsurance, reinsurance and retrocession;
  4. other counterparty risks which depend on the nature, scope and complexity of the undertaking’s operation.
  9. Liquidity risk is the risk of the undertaking’s inability to cash in its investment and other assets in order to fully and timely settle its current and future liabilities as they fall due.

The risk referred to in paragraph 1 of this Section includes in particular:

  1. asset-liability management risk;
  2. risk of faulty assessment, recording, presentation and disclosure of the undertaking’s assets and sources of funding, as well as of its income, expenses and operating results;
  3. risk of the failure to sell the undertaking’s assets at the book value and to collect payment in respect of such sale;
  4. risk of maturity mismatch of assets and sources of funding, especially the mismatch of technical provision assets and technical provisions;
  5. risk of the failure to settle obligations in respect of insurance and on other grounds;
  6. other liquidity risks which depend on the nature, scope and complexity of the undertaking’s operation.
  10. Operational risk implies the possibility of occurrence of negative effects on the undertaking’s operation due to omissions (non-wilful and wilful) in the work of employees and bodies of the undertaking, inadequate internal procedures and processes, inadequate management of information and/or other systems, and unforeseeable external events.

The risk referred to in paragraph 1 of this Section includes in particular:
  1. risk of faulty and/or inadequate selection of members of the executive and/or supervisory board, and persons to whom the management of some activities of the undertaking was delegated;
  2. risk of faulty and/or inadequate selection, classification and appointment of employees in the undertaking (in terms of qualifications and numbers);
  3. risk of inadequate organisation of the undertaking’s operation;
  4. risk of faulty and financially damaging deals;
  5. risk of fraud, abuse and other illegal activities of persons referred to in subparagraph 1) of this paragraph and employees in the undertaking;
  6. risk of concluding, organising and conducting insurance operations contrary to the insurance code of practice;
  7. risk of the absence of an adequate internal controls system and work procedures;
  8. other operational risks which depend on the nature, scope and complexity of the undertaking’s operation.
  11. Legal risk implies the possibility of the occurrence of negative effects on the undertaking’s financial result and capital due to the failure to harmonise the undertaking’s operation and acts with regulations.

This risk includes in particular:

  1. risk of being ordered measures and/or pronounced a penalty by the National Bank of Serbia and/or sanctions by another competent authority;
  2. risk arising from contracts which are not fully or partially executable (e.g. null and void contracts);
  3. risk of possible losses arising from disputes;
  4. risk of money laundering and terrorism financing;
  5. other legal risks which depend on the nature, scope and complexity of the undertaking’s operation.

  11a. The risk of money laundering and terrorism financing is the risk of the possible occurrence of adverse effects on the financial result, capital or reputation of an undertaking through the use of the undertaking (direct or indirect use of the business relations, transactions, services or products of the undertaking) for the purpose of money laundering and/or terrorism financing.

The risk of money laundering and terrorism financing arises particularly as a consequence of the failure to align the operations of the undertaking with the law, regulations and internal acts of the undertaking which regulate the prevention of money laundering and terrorism financing, or as a consequence of a misalignment between the internal acts of the undertaking, which regulate the conduct of the undertaking and its employees regarding the prevention of money laundering and terrorism financing.
  12. Other material risks are other risks which depend on the nature, scope and complexity of the undertaking’s operation, which include in particular:
  1. reputational risk, arising from diminished public trust in the undertaking’s operation;
  2. strategic risk, which implies the possibility of negative effects on the undertaking’s financial result or capital due to the absence of adequate policies and strategies, and their inadequate implementation, and due to changes in the environment in which the undertaking operates and/or the absence of the undertaking’s appropriate response to these changes;
  3. risks arising from the introduction of new insurance products, including new activities relating to processes and systems in the undertaking;
  4. risks associated with outsourcing;
  5. other material risks which depend on the nature, scope and complexity of the undertaking’s operation.

Risk management

  13. An undertaking shall establish comprehensive, reliable and efficient risk management, which is incorporated in all its business activities, in the manner enabling the undertaking to manage the risks referred to in Section 5 of this Decision, by ensuring sustainable risk exposure at the level which shall not jeopardise the undertaking’s assets and operation and/or which shall ensure the protection of rights and interests of insurance beneficiaries.

An undertaking shall establish, document and apply risk management strategies, policies, processes and procedures, and shall ensure their implementation, as well as regularly review the risk management policies, processes and procedures, in accordance with the changes in the level of exposure to risks.

  14. An undertaking’s supervisory board shall adopt the risk management strategy as part of the undertaking’s business strategy, which clearly defines risk management, capacity to assume risk and risk management policies, which shall contain in particular:

  1. the description of risks that an undertaking is or may be exposed to, acceptable limits of risk exposure along with the assessment of the undertaking’s ability to sustain risk (risk profile);
  2. objectives and principles of risk management policies;
  3. description of the system of reporting on risks and their interdependence;
  4. internal organisation of risk management, with the description of obligations and responsibilities of employees and other persons;
  5. relationship between the assessment of overall solvency needs and risk profile of the undertaking.

An undertaking’s supervisory board shall regularly monitor the implementation of the risk management strategy and shall review that strategy at least once a year, its alignment with the undertaking’s risk profile, other elements of the undertaking’s business strategy and other relevant parameters, as well as amend and/or supplement the risk management strategy in case of significant changes in the undertaking’s risk profile.

The risk management strategy shall be integral to the company’s business plan.
  15. Risk management policies shall include, as a minimum, the activities specified in Article 148, paragraph 2 of the Law, in accordance with the undertaking’s risk profile.

Manner of identifying, assessing and managing risk of money laundering and terrorism financing

  15a. The risk management system of an undertaking shall include in particular:
– conditions and process of appointing persons tasked with the execution of obligations under law and other regulations governing the prevention of money laundering and terrorism financing, who are also responsible for reporting to the executive board of the undertaking, as well as for initiating and proposing adequate measures for the improvement of the system for the prevention and detection of money laundering and/or terrorism financing;
– obligation of all organisational units in the undertaking to provide assistance and support to persons referred to in indent one of this paragraph when performing tasks referred to in that indent;
– process to draft an analysis of the risk of money laundering and terrorism financing which would also include the manner in which the analysis is taken into account when making a decision to assume other risks and/or when introducing new products of the undertaking;
– processes and mechanisms for detecting suspicious transactions and/or clients and procedures for delivering information, data and documents to a relevant authority;
– keeping records about clients, business relations and transactions, protecting and keeping data in those records;
– protection from unauthorised disclosure of data about persons referred to in indent one of this paragraph and other procedures that might interfere with the performance of their duties.

For the purpose of identifying, measuring and assessing the risk of money laundering and terrorism financing, the undertaking shall perform an analysis of the risks for each group or type of clients, business relations, services it provides or transactions, as applicable.

The undertaking shall ensure that the process of identifying, measuring and assessing the risk of money laundering and terrorism financing includes at least the following activities:

  1. determining the acceptability of the client in terms of the level of risk of money laundering and terrorism financing when establishing a business relation and for the duration of that business relation;
  2. determining the risk category of the client, service, product and transaction according to risk factors relative to the risk of money laundering and terrorism financing;
  3. knowing the client and regularly monitoring its business operations (due diligence), including checking whether a client’s activity corresponds to the nature of its business relations and the customary scope and type of its operations, and any changes in its risk category;
  4. determining a product or service which the undertaking would not offer to clients in a certain risk category.

When assessing exposure to the risk of money laundering and terrorism financing, the undertaking shall particularly take into account the complexity of the organisational structure of the undertaking, the number of employees directly tasked with duties relating to the prevention of money laundering and terrorism financing relative to the total number of employees, the number of front-office staff, manner of organisation of tasks and responsibilities, as well as the pace of taking up new personnel and the quality of training.

Management of risks arising from the introduction of new products

  15b. The management of risks by the undertaking shall duly include all risks arising from the introduction of new life insurance products and activities relating to the processes and systems in the undertaking, including the risk of money laundering and terrorism financing.

A new product shall also imply significantly altered products and activities from paragraph 1 of this Section.

In appropriate internal acts, the undertaking shall define what constitutes new products (including significantly altered products) and regulate the decision-making process for the introduction of those products.

Before introducing a new product, the undertaking shall analyse the following:
– all risks that might arise as a result of such introduction;
– impact of such introduction on the risk profile of the undertaking;
– impact of such introduction on the possibility of adequate management of risks arising therefrom.

When making the decision from paragraph 3 of this Section, the undertaking shall also take into account the results of the analysis from paragraph 4 of that Section.

Policy of reimbursements, wages and other income

  15c. The undertaking must determine and implement an adequate and transparent policy of reimbursements, wages and other income of its employees.

The policy from paragraph 1 of this Section shall be considered adequate if it fulfils the following conditions:

  1. it is based on the implementation of acts of business policy and business strategy of the undertaking, and risk management strategy and policies;
  2. it encourages prudent and cautious assumption of risks;
  3. it is harmonised with long-term interests and results of the undertaking as a whole;
  4. it includes measures to avoid conflict of interest.

By its policy of reimbursements, wages and other income from paragraph 1 of this Section, the undertaking shall encourage prudent and cautious assumption of risks taking into account the undertaking’s internal organisation, and the nature, scope and complexity of all types of risks it is exposed to or may be exposed to based on individual activities.

The company shall ensure that the system of reimbursements, wages and other income, including employee rewards and bonuses meets the following conditions:

  1. it is based on the achievement of business objectives and is proportionate, which means that reimbursements, wages and other income, including employee rewards and bonuses, are harmonised with the determined responsibilities, duties and tasks of persons to whom they are paid in the Republic of Serbia, and that the largest amount of funds earmarked for the payment of bonuses and rewards is determined in line with the degree of achievement of the undertaking’s business objectives (including a significant reduction or cancellation of those funds, and/or their part pertaining to particular employees – in the case that business objectives have not been achieved as planned);
  2. it is harmonised with the period that the risk relates to, i.e. the reward dynamics corresponds to that period.

The company shall ensure that the policy from paragraph 1 of this Section is aligned with the provisions of laws and statutes, and the business ethics, and that reimbursements, wages and other income paid in line with such policy, particularly if paid to the undertaking’s management members, holders of management system functions and other employees whose activities can significantly influence the undertaking’s risk profile, do not jeopardise the undertaking’s capacity to ensure capital adequacy and meet its obligations, particularly towards insurance service users.

By the policy of reimbursements, wages and other income, the undertaking shall determine the persons whose business activities can have a significant impact on the undertaking’s risk profile, and the criteria based on which those persons are determined.

If a reimbursement, wage or other income consists of the fixed and variable part, the undertaking shall ensure that these parts are commensurate so that the share of the variable part in total reimbursement, wage or other income does not encourage the employee to expose the undertaking to excessive risk.

The undertaking’s body in charge of defining the policy of reimbursements, wages and other income shall also be responsible for the supervision of the implementation of such policy.

The provisions of this Section shall accordingly apply to the determination of reimbursements, wages and other income for members of the undertaking’s executive and supervisory board, and other persons whose activities can significantly influence the undertaking’s risk profile.

Insurance conditions and compulsory insurance premium tariff

  15d. The undertaking shall separately regulate by internal acts the process of change of general and special insurance conditions and compulsory insurance premium tariffs (hereinafter: conditions and tariff), and especially the following:
– the decision-making process in changing the conditions and tariff and all the factors underlying the decision;
– manner (methodology) of analysing the justifiability of the planned change in conditions and tariff;
– manner of checking the compliance of the planned change in conditions and tariff with the relevant regulations, the undertaking’s internal acts, risk management rules, rules of insurance and actuarial profession, good business practices and business ethics.

The change in conditions and tariff, within the meaning of this decision, shall mean adopting new conditions and/or tariff of the undertaking whereby the previous conditions and/or tariff cease to be valid or an amendment/supplement to the current conditions and/or tariff of that undertaking.

Prior to changing the conditions and tariff, in accordance with the acts referred to in paragraph 1 hereof, the undertaking shall take the following activities and actions:
– make a detailed analysis of the planned change in conditions and tariff, containing in particular: a comparative overview of conditions and tariff before and after the change, assessment of the justifiability of the planned change in conditions and tariff with the clear and detailed reasons for changing specific provisions and amounts, the mechanisms used to form the changed amounts in the tariff, presented detailed structure of insurance costs and calculated changes in such costs due to which the undertaking plans to change the tariff, keeping in mind that insurance premium should be commensurate with the undertaken risk, as well as the assessment of the change in tariff on the undertaking’s operations and the manner of informing the insured persons on the intended change in conditions and tariff;
– make its own analysis of a reasoned opinion of the certified actuary on the sufficiency of insurance premium for the conclusive meeting of all obligations from the compulsory insurance contract and other relevant elements of that opinion prior to changing the tariff and analyse the justifiability of the planned change in the tariff accordingly;
– obtain a reasoned opinion of the organizational unit in charge of compliance, about the compliance of the change in conditions and tariff with the relevant regulations and internal acts of the undertaking.

In deciding to change the conditions and tariff, the undertaking shall consider the results of the analysis, i.e. the opinions from paragraph 3 hereof.

The undertaking shall submit to the National Bank of Serbia the internal acts from paragraph 1 hereof, including amendments and supplements to these acts, no later than 60 days prior to their entry into force.

  15e. The undertaking shall notify the National Bank of Serbia of the planned change in premium tariff and the premium system with the technical bases of compulsory motor third party liability insurance (hereinafter: premium tariff) no later than 60 days prior to the planned change in the premium tariff and submit, along with this notification, the planned draft premium tariff, as well as the analyses, data and opinions from Section 15d, paragraph 3, indents one to three of this Decision.

Apart from the documents from paragraph 1 hereof, the undertaking shall also submit other acts, i.e. documents corroborating the justifiability of the change in premium tariff, particularly considering the following:
– the proportion of mutual payments in concluded compulsory insurance contracts from paragraph 1 hereof (e.g. considering the data from previous periods on the claims-premium balance, the profit-gross operating result etc.);
– impact on the protection of rights and interests of insured persons and other users of compulsory insurance from paragraph 1 hereof;
– solvency and financial position of the undertaking;
– risk management rules, rules of the insurance and actuarial profession, good business practice and business ethics;
– other relevant data and information.

If following the notification from paragraph 1 hereof the National Bank of Serbia requires supplements to the documentation referred to in paragraphs 1 and 2 hereof, it may set an appropriate deadline before whose expiry the undertaking may not submit the supplementary documents.

The deadline from paragraph 3 hereof shall not be longer than six months.

The deadline from paragraph 1 hereof shall start to run from the day of submission of complete documents referred to in paragraphs 1 and 2 hereof.

It shall be considered that the member of the executive board of an undertaking does not have a good business reputation within the meaning of the law governing insurance in the case that he/she voted for the change in the premium tariff contrary to the provisions of this decision.

Own risk and solvency assessment

  16. In the context of risk management, an undertaking shall conduct its own risk and solvency assessment, which is integral to the business strategy and which is taken into account in making strategic decisions and in managing the undertaking’s capital adequacy.

For the purpose of conducting its own risk and solvency assessment, an undertaking shall establish adequate processes for the identification, assessment, measurement and monitoring of risks that an undertaking is or may be exposed to, and for the establishment of the overall solvency needs.

An undertaking shall ensure that the results of its own risk and solvency assessment are taken into account in the decision making and planning of the undertaking’s business activities.

  17. Own risk and solvency assessment shall include in particular the following parameters:

  1. overall solvency needs, considering an undertaking’s risk profile and business strategy;
  2. continuous fulfilment of requirements relating to capital adequacy and technical provisions in accordance with regulations;
  3. deviation of an undertaking’s risk profile from capital adequacy requirements as determined by regulations.
  18. The assessment of an undertaking’s overall solvency needs reflects the assessment of its own risk profile, capital adequacy and relevant risk management measures, and shall include in particular:
  1. material risks arising from an undertaking’s assets and liabilities, including off-balance sheet items;
  2. adequacy and functioning of the management system, including risk mitigation measures;
  3. the internal controls system and risks arising from the inadequacy of the system and manner of functioning;
  4. relationship between business planning and solvency needs of an undertaking;
  5. identification of potential future events and negative external circumstances.

  19. The assessment of the continuity of fulfilment of requirements relating to capital adequacy and technical provisions in accordance with regulations shall include in particular:
  1. potential significant changes in the undertaking’s risk profile and their impact on capital adequacy, required solvency margin, the amount, quality and structure of guarantee reserve and guarantee capital during the period of business planning;
  2. processes and procedures which ensure the continuous and adequate monitoring of calculation of technical provisions, compliance of such calculation with regulations and identification of risks of uncertainty in the calculation of technical provisions.
  20. The assessment of deviation of an undertaking’s risk profile from the requirements which relate to capital adequacy and are determined by regulations, shall include the qualitative and quantitative analysis of the significance of the established deviation from the required solvency margin.
  21. In conducting its own risk and solvency assessment, an undertaking shall identify all risks that it is or may be exposed to in its operation – both short- and long-term.
  22. An undertaking shall document each of its own risk and solvency assessments, and submit a report thereon to members of the undertaking’s management.

An undertaking shall prepare a report on its own risk and solvency assessment which contains, at a minimum, qualitative and quantitative results of the assessment referred to in Section 17 of this Decision, conclusions which are based on these results and the description of applied methods and assumptions.

The report referred to in paragraph 2 of this Section shall not be published and shall be integral to the annual report on an undertaking’s operation.

Internal controls system

  23. An undertaking shall establish an internal controls system that includes at a minimum management, accounting, administrative and other procedures, processes and actions aimed at preventing the undertaking’s excessive exposure to risks, and illegalities and irregularities in its operation, the internal controls framework, adequate reporting structure at all levels of the undertaking, and monitoring and control of the undertaking’s compliance.

An undertaking shall re-examine the established internal controls system and adjust it to changes in its operation, and shall timely amend all procedures and activities of the undertaking which are assessed as inadequate, and adjust them to changes in organisation and the business environment.

  24. The internal controls system shall include the control of the undertaking’s operations, in particular:

  1. monitoring the compliance of the undertaking’s operation with procedures, adopted strategies, business policy acts and other acts;
  2. the analysis of business results by type of insurance and comparison of achieved business results with plans;
  3. control of cash flows, business documents and systems of processing data on business changes;
  4. control of risk assumption procedures and the conclusion of insurance contracts;
  5. control of claim resolution procedures and decision making on complaints referred to an undertaking;
  6. taking anti-money laundering measures;
  7. detection and prevention of insurance frauds;
  8. monitoring the collection of receivables, particularly receivables relating to securities, and monitoring the solvency of legal persons in an undertaking’s portfolio;
  9. control of assets and liabilities management, especially in terms of the matching of technical provision assets and technical provisions, having in mind the risks that may cause a change in the value of technical provision assets and/or technical provisions;
  10. regular control of the agency and brokerage network;
  11. re-examination of the adequacy of an undertaking’s general acts and business policy acts;
  12. control of the system of decision making on certain issues and delegation of authority for such decision making, implementation of decisions, implementation of rules on incompatible activities, conflict of interest and overlapping of responsibilities of an undertaking’s organisational units;
  13. control of the reliability of the information system and protection of access to information system data.
  25. At least once a year, an undertaking’s executive board shall report to the supervisory board on the functioning of the internal controls system and shall, when needed, propose changes.

  26. All employees in the undertaking shall be responsible for implementation of the internal controls system and shall, in performing their tasks, comply with the defined procedures, processes and actions, and with defined ethical and professional standards of insurance business. An employee in the undertaking shall timely report on all irregularities detected in organisation and the internal controls system to members of the company’s management and managers, for the purpose of elimination of these irregularities.

  27. The compliance control referred to in Section 23, paragraph 1 of this Decision shall include the control of an undertaking’s operation in accordance with regulations and reporting thereon, including the assessment of a possible impact of changes in the legal environment on an undertaking’s operation, and identification and assessment of legal risk. Employees who perform compliance control activities shall be aware of and follow changes in regulations and internal acts of an undertaking. At the level of all organisational units, an undertaking shall establish appropriate procedures which enable continuous monitoring and measurement of legal risk, and which are aligned with regulations and internal acts of an undertaking, as well as with rules of the profession, good business practice and business ethics of the undertaking. At least once a year, the person in charge of compliance control in an undertaking shall report to members of the management about the assessment of a possible impact of a change in regulations on the undertaking’s operation, and the identified legal risks.

Internal audit

  28. An undertaking shall organise internal audit which is autonomous and independent in the performance of its tasks, in accordance with the Law, this Decision, principles of the profession and practice, internationally recognised standards and ethical principles of internal audit.

  29. In addition to regular reviews, internal audit shall also conduct more detailed periodical reviews of risk management, internal controls system and actuarial function.

  30. Internal audit employees shall have the right to inspect all documents of an undertaking and shall oversee its operation without limitations.

Actuarial function

  31. An undertaking shall establish an efficient actuarial function which, in addition to activities established by regulations, shall contribute to efficient risk management, particularly in regard to the calculation of the required solvency margin and its own risk and solvency assessment. It shall be considered that the undertaking did not ensure an adequate actuarial function in the undertaking if the certified actuary acts contrary to the regulations, rules of the insurance and actuarial profession, good business practice and business ethics.

Outsourcing

  32. An undertaking may outsource some activities needed for the performance of its operation to a third party by concluding a contract (hereinafter: service provider) if this would lower the undertaking’s operating costs and/or if the quality of these activities would thereby be improved, bearing in mind the principle of proportionality referred to in Section 4 of this Decision. An undertaking must be able to give instructions in relation to outsourced activities to the service provider at any moment, and/or to terminate the contract on outsourcing when this serves its interest. An undertaking shall be responsible for the outsourced activities, for all actions of the service provider and all its omissions. A service provider may be a legal or natural person assessed by an undertaking to possess appropriate qualifications, as well as the organisational, personnel and technical capacity needed for the performance of outsourced activities. The activities referred to in this Section may be outsourced from an insurance undertaking and a reinsurance undertaking, on condition that they are closely linked within the meaning of the Law.

  33. An undertaking may outsource activities if that would not have the following consequences:

  1. the failure to fulfil obligations to insurance beneficiaries or jeopardise their rights and interests;

  2. jeopardise the undertaking’s operation;

  3. significant deterioration in the quality of the management system;

  4. unjustified increase in operational risk;

  5. disable or aggravate the supervision of an undertaking’s operation;

  6. conflict of interest between an undertaking and service provider.

  34. Before outsourcing, an undertaking shall assess and document the impact that such outsourcing would have on it, particularly given the following:
  1. quality of service provision to insurance beneficiaries;
  2. financial results, continuity of operation and reputation of an undertaking;
  3. risk profile of an undertaking;
  4. costs, solvency and liquidity of an undertaking;
  5. actions that must be taken in case of suspension or termination of outsourcing, including the duration and cost of these actions.
  35. When concluding an outsourcing contract with a service provider, an undertaking shall take into account the risks involved in outsourcing, as well as the scope and complexity of these activities. The contract referred to in paragraph 1 of this Section must be made in writing.
  36. An undertaking shall regulate the procedure relating to outsourcing by an internal act, which shall contain at least the following elements:
  1. reasons and criteria for outsourcing;
  2. procedure for adopting the decision on outsourcing;
  3. manner of assessing outsourcing-related risks;
  4. procedure for a detailed analysis and manner of selecting the service provider;
  5. manner of managing the contractual relationship with the service provider;
  6. manner of monitoring the exposure to risks associated with outsourcing and the manner of reporting thereon to members of an undertaking’s management;
  7. tasks and responsibilities of organisational units or persons in charge of overseeing outsourced activities and their management, who must have an appropriate level of knowledge and experience;
  8. actions to be taken by an undertaking in case of early contract termination and/or the inability to fulfil contractual obligations.
  37. An undertaking shall inform the National Bank of Serbia about the activities that it intends to outsource to the service provider, 30 days before the conclusion of the outsourcing contract. The notification referred to in paragraph 1 of this Section shall contain results of the assessment referred to in Section 34 of this Decision.

An undertaking shall notify the National Bank of Serbia of any change in activities referred to in paragraph 1 of this Section, 15 days prior to the change, duly applying paragraph 2 of this Section.

  38. The service provider to which an undertaking outsourced some activities may delegate them to another person only with the prior consent of the undertaking, which it gives in each individual case in the manner established by Sections 34 and 37 of this Decision.

Transitional provision and concluding provisions

  39. By no later than 26 December 2015, an undertaking shall establish an efficient management system, conduct its own risk and solvency assessment and align outsourcing contracts with the provisions of this Decision, and shall inform the National Bank of Serbia thereof.
  40. The Decision on Internal Controls System and Risk Management in Insurance Companies (RS Official Gazette, No 12/2007) shall cease to apply on the day of effectiveness of this Decision.
  41. This Decision is published in the RS Official Gazette and enters into force on 27 June 2015.

NBS Executive Board No 48
11 June 2015
Belgrade

Chairperson
Executive Board of the National Bank of Serbia
Governor
National Bank of Serbia
Dr Jorgovanka Tabakovic

Separate provision of the Decision Amending the Decision on the System of Governance in an Insurance/Reinsurance Undertaking (RS Official Gazette, No 94/2022)

  3. The National Bank of Serbia may request from an undertaking to submit a reasoned opinion of a certified actuary on whether the motor third party liability insurance premium tariffs, adopted before the entry into force of this Decision, ensured a conclusive meeting of the undertaking’s obligations from the insurance contract prior to their adoption, as well as other relevant data about the tariff.