Peer-to-Peer Insurance Guidelines

APPROVED by Director of the Financial Market Supervision Service of the Bank of Lithuania Decision No V 2021/(34.3.E-3400)-419-181 of 27 September 2021 PEER-TO-PEER INSURANCE GUIDELINES Contents INTRODUCTION .......................................................................................................... 2 CHAPTER I. ASSESSMENT OF LEGAL ENVIRONMENT................................................... 3 CHAPTER II. OBJECTIVES, SCOPE AND ENTITIES OF THE GUIDELINES ...................... 4 CHAPTER III. DEFINITIONS ....................................................................................... 5 CHAPTER IV. GUIDELINES .......................................................................................... 5

1. Legal form of a P2P insurance service provider ........................................................... 5
2. Informing consumers that P2P insurance services are not insurance services and how they differ......................................................................................................................... 5
3. Clear and understandable information on the terms of P2P insurance services................ 6
4. Provision of key information about a P2P insurance product in a standardised format...... 6
5. Complaint handling procedure .................................................................................. 7
6. Impeccable reputation and qualification..................................................................... 7
7. Business plan ......................................................................................................... 7
8. Business continuity plan .......................................................................................... 7
9. Good governance.................................................................................................... 8
10. ICT risk management ............................................................................................ 8
11. Outsourcing ......................................................................................................... 8
12. Reasonable pricing ................................................................................................ 9
13. Restrictions of objects of P2P insurance ................................................................... 9
14. Protection of funds in the P2P insurance pool............................................................ 9
15. Transparent accounting ....................................................................................... 10
16. Publication of financial statements and statistics ..................................................... 10 CHAPTER V. NOTIFICATION OF THE BANK OF LITHUANIA OF P2P INSURANCE ACTIVITY.................................................................................................................. 10

2 INTRODUCTION The peer-to-peer (P2P) insurance1 platform has been tested for a year in the Bank of Lithuania’s sandbox and the specific characteristics of P2P insurance in comparison to conventional insurance activities carried out by an insurance company or mutual association have been identified. P2P insurance enables persons, both natural and legal, to form communities of peers with common interests in order to protect themselves against losses. To that end, a P2P insurance pool is set up from contributions paid by the community’s members. Loss compensation decisions are made by the community’s members themselves. If funds are still available in the compensation pool after all losses, they are refunded to the community’s members. The community spirit of P2P insurance encourages members to try together to reduce risks and losses and thus protect themselves at lower cost. It can provide a risk management tool alternative to conventional insurance capable of increasing supply and boosting competition on the insurance market. P2P insurance services are very similar to conventional insurance services provided by insurance companies operating under the Republic of Lithuania Law on Insurance apart from the pooled contributions of the community’s members to offset losses which can be used to cover the losses only to the extent of funds available in the pool. In the case of conventional insurance business, an insurance company undertakes to cover all the losses agreed in the insurance contract for which it makes provisions and, if the premiums collected are insufficient to cover the losses, it has to use its assets (own funds). Due to the different way of assuming risks and the different content and scope of obligations, P2P insurance contracts are not deemed to be insurance contracts and are not subject to the requirements of the Republic of Lithuania Law on Insurance. P2P insurance services are very similar to conventional insurance services not only in their nature and characteristics but also in terms of the risks involved. Consumers may not understand how the terms and conditions of provision of P2P insurance services differ from those of conventional insurance services and the protection afforded by their legal regulation, their expectations may not be met and the contributions made to the P2P insurance pool may not be sufficient to cover losses. Therefore, in the opinion of the Bank of Lithuania, the requirements for the provision of P2P insurance services should be established to protect the interests of the public and the consumers. There is no uniform regulation of P2P insurance in the European Union and P2P insurance service providers operate in different countries with a licence of an insurance company, insurance intermediary, payment institution, peer-to-peer lending platform operator or without any licence but proposals for the regulation of P2P insurance can be put forward following the publication of the Digital Finance Strategy for the EU2 by the European Commission on 24 September 2020. 1 The Lithuanian term for peer-to-peer (P2P) insurance is tarpusavio draudimas by analogy to peer-to-peer lending (tarpusavio skolinimas in Lithuanian). 2 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on a Digital Finance Strategy for the EU, 24 September 2020.

3 CHAPTER I. ASSESSMENT OF LEGAL ENVIRONMENT 1.1. Insurance activity is defined in the Republic of Lithuania Law on Insurance3 as an economic and commercial activity whereby the risk of loss of another person is assumed or it is otherwise sought to protect the property interests of that person in case of insured events under an insurance contract in return for an insurance premium by means of assets covering the technical provisions calculated by the insurer and other assets to protect the person’s property interests. The insurance contract is defined in the Civil Code of the Republic of Lithuania4 stating that under an insurance contract one party (the insurer) undertakes to pay, subject to the insurance contribution (premium) laid down in the contract, to the other party (the policyholder) or a third party for whose benefit the contract has been concluded, the insurance benefit laid down by law or insurance contract calculated according to the procedure prescribed by law or insurance contract where an insured event laid down by law or insurance contract occurs. 1.2. The Civil Code of the Republic of Lithuania5 also stipulates that natural and legal persons may insure their property interests on a mutual basis by pooling the funds necessary for such insurance in mutual associations. However, only insurance companies, not mutual associations, are entitled to carry out insurance activities in the Republic of Lithuania under the Republic of Lithuania Law on Insurance. 1.3. The Solvency II Directive of the European Union6 imposes uniform requirements for the conduct of insurance activities (e.g. governance, capital, investment, disclosure of information) on both insurance companies and mutual associations7. However, this Directive does not apply to mutual-benefit institutions whose benefits vary according to the resources available and in which contributions of the members are determined on a flat-rate basis8. 1.4. EU legislation does not define what constitutes insurance, insurance activity or insurance contract. There is also a debate as to whether P2P insurance, i.e. a pool of money created by a group of persons with common interests and intended to cover the losses of those persons as long as there is money in the pool, is actually insurance9. 1.5. In the light of the above regulatory provisions and documents, three types of providers of insurance (or insurance-like) services and their characteristics can be distinguished: 1.5.1. an insurance company which undertakes to compensate the policyholder’s losses in case of an insured event for an insurance premium; 1.5.2. a mutual association whose members undertake to compensate losses by pooling the funds necessary for this insurance; 1.5.3. a peer-to-peer insurance community whose members participate in the compensation of losses only to the extent of their contribution to the insurance pool and no one undertakes to compensate losses in excess of the amount of the pool. 1.6. The requirements for the activities of insurance companies and mutual associations have been harmonised at the EU level but the requirements for the provision of P2P insurance services have not. The services provided on the P2P insurance platform do not meet the definition of insurance activity laid down in the Republic of Lithuania Law on Insurance as well since neither 3 Article 2(31) of the Republic of Lithuania Law on Insurance. 4 Article 6.987 of the Civil Code of the Republic of Lithuania. 5 Article 6.1017 of the Civil Code of the Republic of Lithuania. 6 Directive 2009/138/EC of the European Parliament and of the Council of 25 November 2009 on the taking-up and pursuit of the business of Insurance and Reinsurance (Solvency II). 7 Articles 89, 96 and 212 and Annex III of Solvency II contain references to mutual associations. 8 Articles 5 and 9 of Solvency II. 9 The European Insurance and Occupational Pensions Authority. Report on Best Practises on Licencing Requirements, Peer-to-Peer Insurance and the Principle of Proportionality in an InsurTech Context, 19 March 2019.

4 the members of the P2P insurance community nor the P2P insurance platform operator are obliged to compensate losses in case of an insured event in excess of the P2P insurance pool. 1.7. However, the nature and characteristics of P2P insurance services are very similar to those of conventional insurance services provided by insurance companies operating under the Republic of Lithuania Law on Insurance. The risks that P2P insurance services may pose to the consumer and the public are also very similar, including the risk of inappropriate safekeeping of the pool and non-payment of compensation, the risk of inadequate understanding of at least the key features and conditions of services and the risk of possible fraud by the service provider. In addition, consumers may not understand the difference between P2P insurance services and conventional insurance services and may have unjustified expectations regarding the content of the services, in particular the obligation of the P2P insurance provider to compensate all losses incurred. The risk of loss may be underestimated and contributions collected to the P2P insurance pool may not be sufficient to cover losses. The inappropriate provision of P2P insurance services may also pose reputational risks to the insurance market. Therefore, in order to protect the interests of consumers of P2P insurance services and the public, the requirements for P2P insurance activity should be laid down. 1.8. Since a P2P insurance service provider does not undertake to use more funds than it has accumulated in the P2P insurance pool, it is not exposed to the same insurance risks as an insurance company. Moreover, one of the key characteristics of P2P insurance, that is returning the funds unused to compensate losses to the members of the P2P insurance community, does not allow to pool a significant amount over a long period of time that could be invested, i.e. there is no exposure to investment risks. Therefore, the application of capital requirements imposed by the Solvency II Directive on insurance companies, which are mainly based on the need to absorb insurance and investment risks, would be disproportionate for P2P insurance providers. The specific nature of P2P insurance services (their similarity to insurance services and small contributions received from the customer) would make the requirements applicable to providers of payment services or crowdfunding platforms excessive for P2P insurance service providers and would constitute an unjustified barrier to the development of P2P insurance services. Requirements for P2P insurance should be set at a level proportionate to the risks associated with P2P insurance activity. CHAPTER II. OBJECTIVES, SCOPE AND ENTITIES OF THE GUIDELINES 2.1. The Peer-to-Peer Insurance Guidelines (hereinafter – the Guidelines) represent the Bank of Lithuania’s opinion on what requirements should apply to P2P insurance. This is a guidance document. As the P2P insurance market develops and a clear need for legal regulation of this business is identified, the regulation of the activities by law should be considered. 2.2. The Guidelines are aimed at facilitating the development of high standards for P2P insurance activities that prevent or, if present, ensure the management of risks associated with P2P insurance activities. The Guidelines should also provide clarity on the requirements for provision of P2P insurance services to potential providers and users of these services. At the same time, they should allow for the monitoring of the development of P2P insurance activities and for a debate on applicable requirements with a view to establishing better regulation of P2P insurance. 2.3. The Guidelines apply to P2P insurance service providers. 2.4. The Guidelines provide guidance on consumer information about P2P insurance services, governance of the P2P insurance service provider, pricing of services, protection of the pooled funds, operational limitations and disclosure of financial and statistical data.

5 CHAPTER III. DEFINITIONS For the purposes of these Guidelines: 3.1. peer-to-peer (P2P) insurance means the sharing of the risk of loss by persons who have formed a community for the purposes of protecting themselves against an agreed risk of loss by means of compensating the loss out of the pool of contributions of those persons; 3.2. P2P insurance services means the facilitation of forming a P2P insurance community of persons and benefiting from P2P insurance, including the stipulation of P2P insurance rules, assessment of the risk of loss stated in a P2P insurance contract, collection of P2P insurance contributions, safekeeping of the P2P insurance pool, compensation of losses and refunding of contributions not used for loss compensation; 3.3. P2P insurance activities means the economic activities of providing P2P insurance services for a fee under a P2P insurance contract; 3.4. P2P insurance service provider means a person providing P2P insurance services; 3.5. P2P insurance community means a group of persons with a common interest to protect themselves against an agreed risk of loss who share that risk of loss under P2P insurance contracts; 3.6. member of P2P insurance community means a person who has entered into a P2P insurance contract with a P2P insurance service provider and who is part of a P2P insurance community; 3.7. P2P insurance contract means a contract whereby a P2P insurance service provider undertakes to provide, for a fee set out in this contract, the P2P insurance services set out in this contract to a member of P2P insurance community; 3.8. P2P insurance contribution means the amount of money stated in a P2P insurance contract which a member of P2P insurance community pays into a P2P insurance pool; 3.9. P2P insurance administration fee means a portion of the P2P insurance contribution stated in the P2P insurance contract for the payment for P2P insurance services; 3.10. P2P insurance pool means a pool comprised of P2P insurance contributions to compensate losses specified in the P2P insurance contract. CHAPTER IV. GUIDELINES P2P insurance services should be provided in accordance with the Guidelines.

1. Legal form of a P2P insurance service provider 4.1. A P2P insurance service provider should be a legal person with the legal form of a public limited liability company or private limited liability company.
2. Informing consumers that P2P insurance services are not insurance services and how they differ 4.2.1. Clear information about P2P insurance services should be published on the website of the P2P insurance service provider and made available to the consumer before the conclusion of the P2P insurance contract as well as provided in any promotional material: 4.2.1.1. that P2P insurance services are provided and their key features, in particular the loss compensation mechanism and its limitations, refunding of P2P insurance contributions unused for loss compensation; 4.2.1.2. that the services are not provided by an insurance company and that P2P insurance contracts are not considered to be insurance contracts and are, therefore, not subject to the

6 requirements and protection of the Republic of Lithuania Law on Insurance as well as that the P2P insurance service provider and P2P insurance services are not subject to supervision by the Bank of Lithuania. 4.2.2. When using terms common in the insurance industry, care should be taken to avoid situations that could mislead consumers as to the nature of the services provided (e.g. the terms insurer and policyholder should not be used). 3. Clear and understandable information on the terms of P2P insurance services 4.3.1. Clear rules on P2P insurance should be published on the website of the P2P insurance service provider and made available to the consumer prior to the conclusion of the P2P insurance contract, which should include at least: 4.3.1.1. the procedure for entering into the P2P insurance contract and joining the P2P insurance community; 4.3.1.2. the P2P insurance object; 4.3.1.3. the cases in which losses are compensated and not; 4.3.1.4. the procedure for calculating and paying P2P insurance contributions and consequences of non-compliance; 4.3.1.5. the procedure for determining losses; 4.3.1.6. the procedure for the use of the P2P insurance pool, the procedure and time limits for the calculation and payment of loss compensations; 4.3.1.7. the procedure and time limits for the calculation and payment of P2P insurance administration fees; 4.3.1.8. the procedure and time limits for the calculation and refunding of P2P insurance contributions unused for loss compensation; 4.3.1.9. the rights and obligations of the P2P insurance service provider and the member of the P2P insurance community; 4.3.1.10. the procedure for termination of the P2P insurance contract; 4.3.1.11. the procedure for settlement between the parties in the event of termination of the P2P insurance contract; 4.3.1.12. the procedure for settlement of disputes between the member of the P2P insurance community and the P2P insurance service provider; 4.3.1.13. the procedure for providing information to the other party to the P2P insurance contract. 4. Provision of key information about a P2P insurance product in a standardised format 4.4.1. Before the conclusion of a P2P insurance contract, key information about the P2P insurance product should be made available to the consumer in a standardised format similar to that used in the insurance industry10. Such information should fit on two A4 sheets and should contain answers to the following questions: 4.4.1.1. what is the object of P2P insurance; 4.4.1.2. what is covered by P2P insurance and not; 4.4.1.3. whether there are any limitations to the P2P insurance cover; 4.4.1.4. where the insurance cover applies; 4.4.1.5. when and how P2P insurance contributions are paid; 4.4.1.6. how the P2P insurance pool is used for loss compensation; 4.4.1.7. when and how P2P insurance contributions unused for loss compensation are refunded; 10 Council Implementing Regulation (EU) 2017/1469 of 11 August 2017 laying down a standardised presentation format for the insurance product information document.

7 4.4.1.8. obligations of the member of the P2P insurance community; 4.4.1.9. when P2P insurance cover comes into effect and ends; 4.4.1.10. how and under what terms a P2P insurance contract can be terminated. 5. Complaint handling procedure 4.5. A P2P insurance service provider should handle complaints/requests from members of the P2P insurance community, have a procedure in place for dealing with such complaints/requests and for responding to them in a way that ensures that conflicts of interest are avoided and should publish it on its website. 6. Impeccable reputation and qualification 4.6.1. Management and shareholders of a P2P insurance service provider, whose direct or indirect holding of the voting rights or share capital of the P2P insurance service provider equals or exceeds 20%, should be of impeccable reputation and should collectively have the appropriate professional qualification, knowledge and experience to ensure the sound and prudent management of the company, in particular in the areas of P2P insurance, financial and actuarial analysis and information technology. 4.6.2. A natural person may not be deemed to be of impeccable reputation if he or she has been convicted for a serious, grave crime or for a crime or criminal offence against property, property rights and property interests, economy and business order, financial system, public security, public service and public interests or equivalent crimes under criminal laws of other countries, where the conviction has not yet expired or it has not been reversed or less than three years have passed since the effective date of the judgement based on which the natural person was convicted for the criminal offences referred to in this paragraph. 4.6.3. A legal person may not be deemed to be of impeccable reputation if it has been convicted for any of the crimes referred to in paragraph 4.6.2 above and less than three years have passed since the effective date of the judgement. 7. Business plan 4.7. The activities of a P2P insurance service provider should be based on a business plan which should demonstrate that the interests of members of the P2P insurance community will be adequately protected and that the P2P insurance provider’s obligations arising out of the P2P insurance contracts will be met. 8. Business continuity plan 4.8.1. A P2P insurance service provider should ensure the uninterrupted provision of P2P insurance services and, to that end, have a business continuity plan in place at the time of commencement of its business. 4.8.2. The business continuity plan should take into account the significant risks in the areas that are considered vulnerable according to the analysis carried out by the P2P insurance service provider. The business continuity plan should cover a range of scenarios, including extreme but plausible ones, as well as cyber attack scenarios and assess the potential impact of such scenarios on the provision of P2P insurance services. Such scenarios should describe how the continuity of P2P insurance services and, for example, the security of ITC and information as well as personal data is ensured. The P2P insurance service provider should ensure that it can react to potential failure scenarios in such a way that, once the disruptions have been resolved, it is able to restore operation within a recovery time objective (maximum time period within which a system or a process must be recovered after an incident) and a recovery point objective (maximum time period within which the loss of data is considered acceptable in the event of an incident).

8 4.8.3. The business continuity plan should be tested periodically to ensure that it is effective in the event of an emergency in the company. The results of testing should be documented and the business continuity plan should be updated on the basis of test results as well as in the light of changes in the business environment, market, products, IT systems and other changes in the external and internal environment that may affect business continuity. 9. Good governance 4.9.1. A P2P insurance service provider should ensure the implementation of a governance system, risk management, including risk transfer, and internal controls commensurate with the nature, scale and complexity of activities of the company. 4.9.2. The organisational structure should ensure a clear division of responsibilities, continuous, accurate, secure and fast transmission of information, enable the identification, assessment and control of potential risks, financial condition of the company, performance and allow for appropriate decision-making in relation thereto. 4.9.3. The risk management system should be evaluated and improved in the light of latest developments, both internal and external, and new risks. 4.9.4. The internal control system should ensure that activities are carried out efficiently and protect the company from potential losses, that financial and other information used internally and provided to others is reliable, appropriate and timely, and that the company’s activities comply with the strategy and the requirements set out in the laws and other legal acts of the Republic of Lithuania and internal documents. 4.9.5. The manager of a P2P insurance service provider should be covered by manager's civil liability insurance. 10. ICT risk management 4.10.1. In order to ensure the operational resilience of the P2P insurance platform to potential ICT risks (including cyber risks)11, the P2P insurance service provider should ensure that ICT and security risks are properly assessed, managed and controlled. 4.10.2. In order to protect the confidentiality, integrity and availability of information, including personal data, an information security policy should be adopted, processes for managing ICT changes and incidents should be established and periodic information security reviews should be carried out. 4.10.3. A P2P insurance service provider should put in place and implement logical access control procedures based on the principles of need-to-know, least privilege and segregation of duties, ensure monitoring of actions and unusual activities of users of IT systems, including IT administrators and third parties, implement physical security controls for its premises, data centres and sensitive areas to protect them from unauthorised access and environmental hazards, identify potential vulnerabilities in a timely manner and install critical software security upgrades. 11. Outsourcing 4.11.1. Where a P2P insurance service provider outsources its critical operational functions, measures should be in place to ensure the adequacy of the services provided by third parties. 4.11.2. The performance and results of third parties providing important services should be assessed on a regular basis. The P2P insurance service provider should include the requirements referred to in the Guidelines as requirements in contracts with third parties providing important services such as the minimum security requirements for information, including personal data, 11 ICT risks and related terms should be understood as defined in the Guidelines on Information and Communication Technology Security and Governance adopted by the European Insurance and Occupational Pensions Authority.

9 data lifecycle specifications, encryption of data, requirements for network security and security monitoring, location requirements for data centres, service level agreements and procedures for the management of operational and security incidents, including escalation and notification of interested parties, where ICT services and systems are outsourced. The P2P insurance service provider should monitor and ensure that third parties comply with the established security objectives, measures and performance targets12. 12. Reasonable pricing 4.12.1. The pricing of P2P insurance services should be based on mathematical modelling so that the risk of losses in the P2P insurance community is properly assessed and adequate P2P insurance contributions are set to allow sufficient funds to be collected for loss compensation and to offer services that meet consumer expectations. 4.12.2. Where insurance contracts or other risk mitigation measures are used to manage the risk of insufficiency of the P2P insurance pool, the risk management policy of the P2P insurance activity should describe how these measures are taken into account in the design of P2P insurance products and calculation of P2P insurance contributions. 13. Restrictions of objects of P2P insurance 4.13. P2P insurance services should only be offered to protect interests related to damage, destruction or loss of property of a relatively low value. P2P insurance services could also be offered for the protection of property interests of a relatively low value arising out of civil liability for damage caused to an injured third party or their property. P2P insurance services should not cover risks relating to life or health and the annual amount of P2P insurance contributions under one P2P insurance contract should not exceed EUR 600. 14. Protection of funds in the P2P insurance pool 4.14.1. The funds of the P2P insurance pool should be kept in a separate account opened in the name of the payment service provider (e.g. an electronic money institution) which may not be subject to recovery of other debts owed by the P2P insurance provider13. 4.14.2. If the funds of the P2P insurance pool are not kept in the manner described in paragraph 4.14.1, they should be clearly identified at all times as obligations of the P2P insurance service provider to the members of the P2P insurance community. These obligations should be secured by a sufficient amount of money which should be kept in a separate account and used solely for the fulfilment of obligations arising out of P2P insurance contracts. 4.14.3. In order to limit the risk of non-fulfilment of obligations to members of the P2P insurance community, the P2P insurance service provider should additionally guarantee the fulfilment of these obligations with equity capital equal to at least 4% of the funds in the P2P insurance pool and at least EUR 18,75014. 12 For the management of third-party services, it is advised to refer to the Guidelines on Information and Communication Technology Security and Governance and the Guidelines on Outsourcing to Cloud Service Providers issued by the European Insurance and Occupational Pensions Authority. 13 Such separate accounts are held by crowdfunding platform operators and peer-to-peer lending platform operators as the legislation governing their activities contains no provisions on the safekeeping of customer funds and, therefore, they enter into special agreements with payment service providers, for instance, an agreement with an electronic money institution (EMI) for the opening of a dedicated account in the EMI’s system in the name of the EMI for the collection of funds of the platform’s customers and transfer to the ultimate recipient of funds in accordance with the platform’s payment instructions. The funds of customers of the platform thus become the funds of EMI’s customers and the statutory protection against claims of other creditors comes into effect. 14 Directive (EU) 2016/97 of the European Parliament and of the Council of 20 January 2016 on the distribution of insurance products imposes similar requirements on insurance brokerage firms that also keep funds of their clients.

10 4.14.4. The P2P insurance service provider should not engage in activities other than P2P insurance, insurance, other financial services or activities related to the foregoing and the latter should not give rise to any risks of financial losses. 15. Transparent accounting 4.15.1. The accounting system of a P2P insurance service provider should operate in such a way that the financial statements give a true and fair view of its financial condition and performance and allow for the verification and assessment of the financial condition and performance of each P2P insurance contract, each P2P insurance community and the entire P2P insurance platform. 4.15.2. Members of a P2P insurance community should at all times have access to all the information relating to their P2P insurance contract and their P2P insurance community. 16. Publication of financial statements and statistics 4.16.1. In order to enable current and potential members of the P2P insurance community to have knowledge of the financial condition and performance of the P2P insurance service provider, the P2P insurance service provider should publish annual and interim (quarterly) financial statements on its website. 4.16.2. The P2P insurance service provider should publish on its website on a monthly basis the key statistical indicators of its P2P insurance activity, including the number of P2P insurance communities and their members, number of P2P insurance contracts concluded and in force, amount of P2P insurance contributions received, amount of administrative fees, number of claims for loss compensation and amount of compensation, amount of refunded P2P insurance contributions unused for loss compensation and amount of the P2P insurance pool. CHAPTER V. NOTIFICATION OF THE BANK OF LITHUANIA OF P2P INSURANCE ACTIVITY 5.1. A P2P insurance service provider is advised to notify the Bank of Lithuania of the conduct of its P2P insurance activities in Lithuania by email info@lb.lt.

---