2020-01-01

Insurance Intermediaries (Corporate Governance) (General Business) Code 2020

The Isle of Man Financial Services Authority issued this binding guidance under the Insurance Act 2008 to establish corporate governance standards for registered insurance intermediaries. The Code mandates that intermediaries implement adequate measures for board composition, risk management, financial prudence, and compliance functions proportionate to their business complexity. It further requires strict adherence to ethical conduct, conflict of interest policies, record-keeping protocols, and the maintenance of a documented business plan and remuneration policy.


Isle of Man

Isle of Man Financial Services Authority


INSURANCE INTERMEDIARIES (CORPORATE GOVERNANCE) (GENERAL BUSINESS) CODE 2020
SD No. 2020/0438

Index

1 Title
2 Commencement
3 Interpretation
4 Application
5 Introduction
6 These Guidance Notes in operation
7 Corporate Governance
8 Skill, care and diligence
9 Compliance
10 Responsible behaviour in dealings
11 Conflicts of interest
12 Financial management
13 Business continuity
14 Systems and controls for record keeping
15 Governance system documentation
16 Clients’ records
17 Board composition
18 Directors
19 Powers and resources of the board
20 Frequency of board meetings
21 Board meeting documents
22 Minutes of board and board committee meetings
23 Key responsibilities of directors
24 Management controls
25 Culture
26 Risk management
27 Business plan
28 Remuneration policy
29 Relations with regulators
30 Outsourced significant activities and functions
31 Fraud prevention
32 Whistleblowing policy
33 Requirement for a compliance function
34 Nature and location of a compliance function
35 Reporting of compliance function
36 Audit – general
37 Audit – engagement letter
38 Governance communication
ENDNOTES
TABLE OF ENDNOTE REFERENCES

Statutory Document No. 2020/0438

Insurance Act 2008

INSURANCE INTERMEDIARIES (CORPORATE GOVERNANCE) (GENERAL BUSINESS) CODE 2020¹

Laid before Tynwald: 17 November 2020
Coming into Operation: 31 December 2020

The Isle of Man Financial Services Authority makes the following Guidance Notes under section 51 of the Insurance Act 2008 as binding guidance, after carrying out the consultations required by section 51(6) of that Act.

1 Title
These are the Insurance Intermediaries (Corporate Governance) (General Business) Code 2020.

2 Commencement
This comes into operation on 31 December 2020¹.

3 Interpretation
In these Guidance Notes —
“the Act” means the Insurance Act 2008;
“auditor” means the auditor of the intermediary appointed under section 27B of the Act;
“client” means the intermediary’s client and includes a prospective client;
“compliance function” is the means applied by the intermediary to —
(a) identify and understand its regulatory requirements; and
(b) establish, implement and maintain compliance strategies, policies, procedures and training,
in order to ensure that the intermediary complies with its regulatory requirements;

1 Under section 51(7) of the Insurance Act 2008 Guidance Notes must be laid before Tynwald as soon as practicable after being issued.

“implement” in relation to a requirement, does not limit appropriate delegation in relation to that requirement;
“intermediary” means an insurance intermediary registered under Part 6 of the Act as such, but does not include a reinsurance intermediary;
“packaged bank account” means an arrangement under which a person provides a bank account for a customer as part of a package which includes access to other goods and services;
“regulatory requirements” in relation to an intermediary means its legal and regulatory obligations;
“senior management” means, in relation to an intermediary, any person whose appointment is required to be notified to the Authority under the Act, excluding its —
(a) non-executive directors;
(b) auditor; and
(c) controllers where any such controller is not a person whose appointment is required to be notified to the Authority under the Act other than as controller.

4 Application
(1) Subject to sub-paragraph (2), these Guidance Notes apply to an intermediary.
(2) A person acting as an intermediary in relation to insurance provided as part of a packaged bank account is exempt from these Guidance Notes if the person —
(a) is licensed under section 7 of the Financial Services Act 2008 to carry on regulated activities falling within Class 1(1) or 1(2) of Schedule 1 to the Regulated Activities Order 2011²; and
(b) complies with the requirements set out in the Schedule to the Insurance Intermediaries (Conduct of Business) (General Business) Code 2020³ in relation to the provision of insurance within the packaged bank account.

5 Introduction
(1) Corporate governance, in relation to an intermediary, is the system of rules, practices and processes by which those responsible for an intermediary direct, manage and control its affairs and the means by which they are held accountable for their performance and actions.

2 SD 0884/11 as amended
3 SD 2020/0437

(2) Corporate governance encompasses all aspects relating to an intermediary’s organisation and business, including its constitutional structures and rules, its corporate values, culture and environment, as well as its business objectives, strategies, policies, procedures, internal controls and decision-making processes.

6 These Guidance Notes in operation
(1) These Guidance Notes are not intended to be, and should not be interpreted as being, exhaustive.
(2) These Guidance Notes should be viewed as a component part of an intermediary’s means of having in place and demonstrating adequate and effective corporate governance appropriate to its circumstances.
(3) These Guidance Notes do not limit, and should be read in conjunction with, other legal and regulatory requirements applicable to an intermediary.
(4) These Guidance Notes should not be used as a substitute for legal advice.

7 Corporate Governance
Pursuant to section 27D of the Act, the board of directors and senior management of an intermediary must establish, implement and maintain adequate, appropriate and effective measures that meet the requirements of these Guidance Notes in a way that is proportionate to the nature, scale and complexity of the intermediary and its activities and the risks to which it is or may be exposed.

8 Skill, care and diligence
An intermediary must act with due skill, care and diligence in carrying on its general intermediation business for which it is registered under Part 6 of the Act.

9 Compliance
An intermediary must identify and comply with its regulatory requirements and must take all reasonable steps to do so.

10 Responsible behaviour in dealings
An intermediary must have procedures for ensuring that its business is carried on openly and fairly.

11 Conflicts of interest
(1) An intermediary must establish, implement and maintain an adequate and effective conflicts of interest policy which must be —
(a) in writing; and

(b) appropriate to its size and organisation.
(2) The policy must —
(a) identify, with reference to the specific activities of the intermediary, the circumstances which constitute or may give rise to conflicts of interest entailing a material risk of damage to the interests of one or more of its clients; and
(b) specify procedures to be followed and measures to be adopted in order to manage such conflicts.
(3) The procedures referred to in sub-paragraph (2)(b) must ensure that an intermediary’s business is carried out so far as possible in a way that avoids any conflict of interest, and that any unavoidable conflict of interest is disclosed to any client concerned.
(4) Sub-paragraph (3) applies whether any such conflict relates to the intermediary, its officers or staff.

12 Financial management
Without limiting regulation 19 of the Insurance Intermediaries (General Business) Regulations 2020⁴, an intermediary must —
(a) manage its capital and other financial resources prudently;
(b) maintain adequate capital and other financial resources to meet its liabilities that might reasonably be expected to arise out of the risks to which it is or may be exposed; and
(c) maintain sufficient asset liquidity to meet its liabilities as they fall due.

4 SD 2020/0439

13 Business continuity
An intermediary must —
(a) take all reasonable steps to reduce the likelihood, impact and possible duration of disruption to the continuity of its operations; and
(b) establish, implement and maintain adequate, appropriate and effective arrangements to ensure that it can continue to function effectively and comply with its regulatory requirements (as identified in accordance with paragraph 9) in the event of anticipated or unforeseen disruption.

14 Systems and controls for record keeping
(1) An intermediary must establish, implement and maintain procedures to ensure that sufficient information is recorded and retained about the conduct of its business and its compliance with the regulatory requirements.
(2) An intermediary must establish, implement and maintain adequate, appropriate and effective systems and controls over its general records.
(3) The systems and controls referred to in sub-paragraph (2) must be —
(a) such as to enable the intermediary to comply with the regulatory requirements; and
(b) adequately and correctly documented.
(4) An intermediary must —
(a) maintain records relating to its business transactions, financial position, internal organisation and risk management systems such as to demonstrate to the Authority that it complies with the regulatory requirements;
(b) maintain those records in a manner that is orderly and readily accessible in or from the Isle of Man and available for inspection and investigation by or on behalf of the Authority; and
(c) keep those records for at least 6 years after it ceases to be registered under Part 6 of the Act.

15 Governance system documentation
An intermediary must establish, implement and maintain adequate, appropriate and effective documentation of its significant systems of governance and their operation.

16 Clients’ records
(1) An intermediary must keep and maintain proper records to show and explain transactions effected by it on behalf of its clients.
(2) Those records must be —
(a) kept in English;
(b) kept up-to-date;
(c) in such a form as to demonstrate compliance with the regulatory requirements; and
(d) kept for at least 6 years after the transaction.

17 Board composition
The board of directors of an intermediary must include an adequate number of directors with an appropriate overall combined level of knowledge, skills, experience and commitment such that the board can properly and objectively discharge its duties and responsibilities and carry out its functions in relation to the intermediary.

18 Directors
(1) An intermediary must have at least 2 directors.
(2) All directors of an intermediary must be natural persons.
(3) At least two directors of an intermediary must be resident in the Isle of Man.

19 Powers and resources of the board
(1) The board of directors of an intermediary must have adequate and appropriate powers and resources to properly discharge its duties and responsibilities and carry out its functions in relation to the intermediary.
(2) For the purpose of sub-paragraph (1) the board must, amongst other things, be able to —
(a) obtain timely, accurate, relevant and sufficiently comprehensive information and analyses relating to the intermediary, its management and external environment;
(b) delegate activities and functions as appropriate, identifying and keeping under review all matters, whether delegated or reserved to the board; and
(c) obtain external expertise where necessary and as appropriate.

20 Frequency of board meetings
The board of directors of an intermediary must meet with sufficient regularity so it can properly discharge its duties and responsibilities and carry out its functions in relation to the intermediary.

21 Board meeting documents
The board of directors of an intermediary must where practicable and appropriate ensure that, in respect of each meeting of the board, the following are circulated to its directors in advance of the meeting to allow the directors adequate time to consider their content —
(a) suitably detailed agenda of the items to be considered at the meeting;
(b) minutes from the previous meeting of the board; and
(c) adequate and appropriate information in support of the matters to be considered at the meeting.

22 Minutes of board and board committee meetings
(1) The board of directors of an intermediary must ensure that the intermediary keeps minutes and associated documents of all of its board and board committee meetings.

(2) Those minutes and documents must provide an adequate and appropriate record of proceedings including —
(a) which directors attended, which alternate directors attended as an alternate (and for whom) and which directors did not attend for any reason;
(b) sufficient detail to evidence what board-level attention was given at the meeting to matters being considered at the meeting and the substance of discussions had at the meeting;
(c) all material considerations, decisions and actions (including actions taken and points for further action, as applicable);
(d) any conflicts of interest arising in relation to the matters being considered at the meeting and how they were managed; and
(e) any dissentions or negative votes recorded in terms acceptable to the dissenting person or negative voter.
(3) Those minutes must —
(a) without undue delay after the meeting to which they relate, be written up and distributed in final draft to all persons entitled to receive a copy; and
(b) within a reasonable timeframe, be accepted by the board (or, if a committee meeting, the committee) and signed as a formal record of the meeting by a duly authorised person.

23 Key responsibilities of directors
A director of an intermediary must —
(a) act on a well-informed basis;
(b) act in good faith, honestly and reasonably;
(c) exercise due care, skill and diligence;
(d) act in the best interests of the intermediary and its clients, putting those interests ahead of his or her own interests;
(e) exercise objectivity in decision-making, taking due account of the interests of the intermediary and its clients;
(f) identify and either avoid or promptly disclose to the board of directors of the intermediary any conflicts of duty or interest he or she has or may have in relation to the intermediary;
(g) not use his or her position to gain undue personal advantage or cause any detriment to the intermediary;
(h) ensure he or she has the appropriate integrity, competence, experience, qualifications and commitment so that he or she can carry out his or her functions in relation to the intermediary; and
(i) properly discharge his or her duties and responsibilities and carry out his or her functions in relation to the intermediary.

24 Management controls
(1) An intermediary must —
(a) organise and control its internal affairs in a responsible manner; and
(b) promote high ethical standards in the conduct of its business.
(2) The board of directors of an intermediary must establish, implement and maintain adequate, appropriate and effective internal and operational controls, systems, policies and procedures relating to all aspects of its business to ensure —
(a) effective communication between the intermediary and its clients;
(b) appropriate segregation of key duties, activities and functions;
(c) the fair treatment of its clients;
(d) the safeguarding of assets belonging to clients for which the intermediary is responsible;
(e) effective maintenance of accounting and other records and the reliability of this information;
(f) appropriate safeguards to protect data from loss or misuse; and
(g) adequate and competent staffing and resources.
(3) An intermediary must review the controls required under sub-paragraph (2) annually, or more frequently if appropriate, and document that review.
(4) Where the intermediary employs staff or is responsible for activities conducted by others it must ensure that —
(a) there are sufficient staff, at all levels;
(b) staff are suitable with adequate qualifications and experience for the business;
(c) there are adequate arrangements in place such that —
(i) its client facing staff are competent on an ongoing basis and trained adequately and appropriately;
(ii) the basis on which competency has been assessed is documented; and
(iii) its client facing staff undertake a minimum number of hours of relevant continuous professional development per annum.
(5) An intermediary must have an appropriate level of management, with appropriate competence and integrity for their individual and collective roles in relation to the intermediary, which provides for the intermediary’s sound and prudent management.

25 Culture
The board of directors of an intermediary must promote and sustain a corporate culture in respect of, and throughout, the intermediary that supports the implementation of these Guidance Notes.

26 Risk management
(1) The board of directors of an intermediary must —
(a) establish, implement and maintain comprehensive policies, appropriate to the nature and scale of its business and, where appropriate, its position in any group to which it may belong, for managing the risks specified in sub-paragraph (2); and
(b) review those policies annually and evidence that review.
(2) The risks referred to in sub-paragraph (1)(a) are all of the reasonably foreseeable, relevant and material risks to which the intermediary is or may be exposed, including financial, legal, regulatory and operational risks, as well as risks arising from any group of companies to which the intermediary belongs and risks arising from any activity of the intermediary for which it is not required to be registered as an intermediary under Part 6 of the Act.
(3) The intermediary must —
(a) ensure that the policies referred to in sub-paragraph (1)(a) are complied with;
(b) maintain appropriate procedures and controls for the purpose of monitoring its compliance with those policies; and
(c) monitor the risks specified in sub-paragraph (2) on a frequent and timely basis.

27 Business plan
(1) An intermediary must have a documented business plan.
(2) An intermediary must operate in accordance with its business plan.
(3) An intermediary must notify the Authority as soon as is practicable of any material changes to its business plan.

28 Remuneration policy
(1) An intermediary must establish, implement and maintain an effective remuneration policy which must be in writing.
(2) The policy must —
(a) address the risk of inappropriate remuneration undermining the interests of clients;

(b) avoid conflicts of interest caused by the misalignment of incentives; and
(c) contain measures for the proper management of incentive schemes so as to avoid the encouragement of improper or imprudent behaviour.
(3) An intermediary must —
(a) ensure that the policy is complied with; and
(b) maintain adequate, appropriate and effective procedures and controls for the purpose of monitoring its compliance with the policy.

29 Relations with regulators
An intermediary must —
(a) co-operate in an open and honest manner with the Authority and any other regulatory body to which it is accountable; and
(b) keep them promptly informed of anything relating to the intermediary which is relevant to the exercise of their respective regulatory functions.

30 Outsourced significant activities and functions
Where a significant activity or function of an intermediary has been outsourced, the intermediary must ensure that —
(a) it retains at least the same degree of oversight of, and accountability for, the outsourced activity or function as would apply if the outsourced activity or function was not outsourced;
(b) where the outsourced provider is required to have any regulatory consents in order to carry out the outsourced activity or function, those consents have been obtained and remain in force;
(c) the outsourced provider has the appropriate integrity, competence, experience and qualifications to carry out the outsourced activity or function;
(d) the outsourced provider has the capacity to carry out the outsourced activity or function taking into account the size and timing of corresponding workloads;
(e) its use of the outsourced provider is consistent with the —
(i) ongoing and effective risk management, financial management and compliance of the intermediary with its legal and regulatory requirements;

(ii) standard of control that would apply if the outsourced activity or function was carried out internally by the intermediary;
(iii) fair treatment of the intermediary’s stakeholders (as applicable);
(iv) effective operation of the external audit of the intermediary; and
(v) ongoing, open, honest and timely communication with the Authority in relation to the activities of the intermediary;
(f) its use of the outsourced provider does not unreasonably —
(i) increase its operational risk; and
(ii) impair the Authority’s ability to monitor the intermediary’s compliance with its legal and regulatory obligations; and
(g) a written agreement is in place with the outsourced provider, the terms and conditions of which the board of directors of the intermediary understands and authorises, and which —
(i) is binding on both parties;
(ii) sets out clearly the rights, expectations and obligations of both parties;
(iii) provides for the termination and orderly winding up of the outsourced arrangement; and
(iv) includes the means by which the outsourced provider is monitored and held accountable to the intermediary in relation to the outsourced activity or function.

31 Fraud prevention
An intermediary must ensure that high standards of integrity apply to all aspects of its business, and must —
(a) establish, implement and maintain adequate, appropriate and effective policies, procedures and internal controls, and allocate adequate and appropriate resources to —
(i) deter, prevent, detect, record and as required promptly report any fraud it becomes aware of to the appropriate authorities; and
(ii) ensure that any fraud identified is remedied in a manner appropriate to the circumstances (including having regard to any relevant guidance provided by the police or other relevant authority); and
(b) ensure that the intermediary’s policies, procedures and internal controls form an integral part of the intermediary’s risk management system.

32 Whistleblowing policy
(1) An intermediary must establish, implement and maintain an adequate and effective whistleblowing policy to encourage the reporting of any improper or unlawful behaviour.
(2) The policy must —
(a) be in writing;
(b) be appropriate to the intermediary’s size and organisation and the nature, scale and complexity of its business;
(c) adequately and appropriately protect the whistleblower from any negative repercussions arising from reporting in good faith their concerns, including, but not limited to, ensuring confidentiality; and
(d) be communicated effectively to all persons to whom it applies.
(3) An intermediary must —
(a) ensure that the policy is complied with; and
(b) maintain appropriate procedures and controls for the purpose of monitoring its compliance with the policy.

33 Requirement for a compliance function
(1) An intermediary must have an ongoing and effective compliance function that is adequate and appropriate to the nature, scale and complexity of the intermediary, its activities and the risks to which it is or may be exposed.
(2) The compliance function must have adequate and appropriate expertise, resources and authority to carry out its activities effectively.

34 Nature and location of a compliance function
(1) The compliance function of an intermediary —
(a) must be carried out —
(i) internally by the intermediary;
(ii) by a suitable external party; or
(iii) by a combination of both; and
(b) must be ultimately controlled in or from the Isle of Man.
(2) To avoid doubt, this paragraph does not restrict an intermediary from obtaining advice from outside of the Isle of Man as appropriate to its activities.

35 Reporting of compliance function
The compliance function of an intermediary must report at appropriate intervals, and at least annually, to the intermediary’s board of directors on compliance matters in accordance with its role in relation to the intermediary.

36 Audit – general
An intermediary must —
(a) take all reasonable steps to ensure it affords its auditor all of the rights and entitlements applicable to that position; and
(b) permit and not deter the auditor from providing to the Authority such information and confirmations as the Authority requests for the purposes of carrying out the Authority’s functions.

37 Audit – engagement letter
Prior to commencement of its audit, an intermediary must obtain from its auditor a letter of engagement which —
(a) contains an undertaking from the auditor to provide to the intermediary, and upon request to the Authority, the governance communications referred to in paragraph 38;
(b) defines clearly the extent of the rights and duties of the auditor; and
(c) is signed and accepted in writing by both parties.

38 Governance communication
(1) An intermediary must at the same time as its annual accounts are submitted to the Authority —
(a) if it receives a management letter (or equivalent) from its auditor in respect of the audit of its financial statements which contains any recommendations to the intermediary to remedy any weaknesses in its systems and internal controls —
(i) provide a copy to the Authority;
(ii) inform the Authority whether the intermediary has implemented, or is in the process of implementing, the recommendations or addressed, or is in the process of addressing, the weaknesses identified (if any) in that communication;
(iii) if the intermediary has not met the requirements in head (a)(i) and (ii), provide its reasons for not doing so to the Authority;

(b) if it does not receive a management letter referred to in head (a), provide the Authority with a copy of its auditor’s confirmation that no such communication has been, or is anticipated to be, issued.
(2) An intermediary must, without undue delay, provide to the Authority a copy of any other formal communication it receives from its external auditor that identifies any material weakness relating to the intermediary’s internal controls, procedures or other systems of governance.

MADE 22 OCTOBER 2020

ENDNOTES

Table of Endnote References

1 The format of this legislation has been changed as provided for under section 75 of, and paragraph 2 of Schedule 1 to, the Legislation Act 2015. The changes have been approved by the Attorney General after consultation with the Clerk of Tynwald as required by section 76 of the Legislation Act 2015.