ICP and ComFrame Online Tool

Publicly defined objectives foster transparency. Based on this, government, legislatures and other stakeholders, including insurance industry participants and consumers, can form expectations about insurance supervision and assess how well the supervisor is achieving its objectives and fulfilling its responsibilities.

Responsibilities and objectives of the supervisor should be stable over time. However, when those responsibilities and objectives are updated periodically, it should be done in a manner that avoids creating instability, as a stable business environment is important for the insurance sector and consumer confidence. Objectives and key aspects of the supervisor responsibilities should be defined in primary legislation to the extent that it needs the effect of law. Aspects that should undergo frequent updating due to changing circumstances should be supplemented as needed with updated legally enforceable rules and guidance.

Institutional frameworks for insurance supervision vary across jurisdictions. For example, there may be separate authorities for prudential and market conduct supervision, for macro and micro prudential supervision, for licensing and ongoing supervision, and resolution.

Primary legislation should clearly define responsibilities of each authority involved in insurance supervision at both the insurance legal entity level and the group-wide level.

Where there are multiple authorities responsible for insurance supervision, the institutional framework, the main responsibilities of the respective authorities and a basis for cooperation and coordination should be clearly set out in primary legislation.

The precise supervisory objectives and their respective priority may vary by jurisdiction depending on the level of development of the insurance markets, market conditions and consumers. Supervisory objectives could also include promoting insurance market development, financial inclusion, financial consumer education, and contributing to fighting financial crime.

The policyholders to be considered in defining supervisory objectives include past, present and future policyholders.

Depending on the evolution of the jurisdiction’s insurance or financial markets, the supervisor may emphasise temporarily one or more of the objectives. Regardless, the supervisor should take into account the other objectives in fulfilling its function. In such circumstances, this should be explained to stakeholders, including insurance industry participants, consumers and the general public.

Primary legislation should give the supervisor the necessary powers to achieve its responsibilities and objectives, and the ability to take supervisory action adequately. The supervisor should have the powers needed to implement a framework for effective insurance supervision, which is described by the ICPs in general.

Legislation should clearly address insurance legal entity and group-wide supervision, providing the supervisor with sufficient powers to achieve the respective responsibilities and objectives.

The supervisor should have sufficient powers in place to perform the role of a group-wide supervisor, including coordination and collaboration with other relevant supervisors. Additionally, the legislation should empower the supervisor of an insurance legal entity which is part of a group to contribute to the supervision of that group on a group-wide basis

It is important that supervisory responsibilities, objectives and powers are aligned with actual challenges faced by the insurance market to effectively protect policyholders, maintain a fair, safe and stable insurance market and contribute to financial stability

Market changes can mean that the legislation is no longer adequate for the supervisor to achieve its intended outcomes. The supervisor may identify changes in the economy, society or business environment in general that affect insurance supervisions that are not currently or sufficiently addressed by legislation. When the supervisory outcomes may not be achieved with the current legislation, the supervisor should initiate or propose changes in legislation.

If supervisory responsibilities, objectives or powers assigned by primary legislation become obsolete, the supervisor should initiate or propose changes to the legislation.

Operational independence, accountability and transparency by the supervisor contribute to the legitimacy and credibility of the supervisory process. As explained in this introductory guidance, the three concepts of independence, accountability and transparency are closely interconnected and mutually dependent.

Operational independence means the supervisor should be able to take actions and make decisions in the exercise of its supervisory responsibilities without interference from any part of the government, including other governmental bodies, the legislature, and the insurance sector. The supervisor should be able to carry out the supervisory process, take supervisory measures and impose sanctions as it deems necessary to fulfil its objectives. However, this independence should be balanced with accountability.

The supervisor should be accountable for the actions it takes in the exercise of its supervisory responsibilities to the government, including other governmental bodies and the legislature, which delegated various responsibilities to the supervisor, as well as to those it supervises and the public at large. Accountability means that the supervisor operates within the bounds of its delegated authority, in a fair and equitable manner that is open to scrutiny and review by the government and the public, and that the actions of the supervisor may be challenged as part of a judicial appeal process. Strong internal governance processes, sufficient and skilled human resources and maintenance of high standards of integrity and professionalism underpin the accountability of the supervisor.

Transparency reinforces accountability. Transparency increases the predictability of supervision and shapes the expectations of supervised entities, which enhances supervisory effectiveness. For these reasons, supervisory requirements, supervisory processes as well as information about the supervisor’s responsibilities should be publicly disclosed, in a manner consistent with any confidentiality requirements imposed on the supervisor.

The structures of supervisors vary across jurisdictions. For example, a supervisor can be structured as a separate independent entity governed by a Board of Directors, as a commission or as a body overseen by one appointed individual. No one single structure is appropriate for all supervisors. Regardless of their structure, all supervisors should have processes and safeguards that allow them to be operationally independent, accountable and transparent.

Operational independence of the supervisor includes having the discretion to allocate its resources, including financial and human resources, and to carry out the supervisory process in accordance with its objectives and the risks the supervisor perceives. Having this discretion, which underpins operational independence, should be recognised in primary legislation.

The supervisor should be financed in a manner that does not undermine its independence. A wide variety of financing models exist, such as financing by government, levies imposed on supervised entities and combinations thereof. To help ensure the supervisor’s independence is not compromised, the method in which it is financed should be stable, predictable and transparent, and prevent interference from its funding source.

The institutional relationships and accountability frameworks between the supervisor and the government should be clearly defined in legislation. It is important to specify the circumstances and processes for sharing information, consultation or approval between the supervisor and the government. This may include establishing what information should be provided, how each entity should consult on matters of mutual interest and when approval from relevant authorities is necessary. The daily operations of the supervisor should not be subject to consultation with or approval by the government. In exceptional circumstances, the supervisor may choose to consult with the government in relation to a supervisory decision where there are major socio-economic implications of that decision.

In addition to independence from the government, the supervisor should not permit excessively close relationships, or even the appearance thereof, with industry participants, in particular supervised entities. Such relationships can compromise the supervisor’s ability to enforce the law strictly or to control the behaviour of supervised entities as intended by law. These relationships can also lead the supervisor to make policy or operational decisions to benefit supervised entities, whether a particular entity or supervised entities as a whole, rather than in furtherance of its supervisory objectives. The supervisor’s policies, for example, post-employment, anti-corruption and accountability in decision-making, should seek to avoid such close relationships.

The legislation should define the responsibilities of the governing body. In cases where there are industry representatives or elected officials or government employees on the governing body of the supervisor, the composition of the governing body should be sufficiently diverse to prevent such representatives from controlling the supervisor.

The supervisor’s staff and members of its governing body can also experience pressures that could compromise their independence. Generally, the staff of the supervisor should not hold any consultancies, directorships or financial interests, expect any future benefit from, or be involved in any capacity in the entities it supervises, other than in a supervisory role or as a customer, and should not accept gifts or hospitality from these entities in excess of a low monetary value. The supervisor should have policies and processes or a code of conduct to avoid or manage real, potential or perceived conflicts of interests. The supervisor should require its staff and members of its governing body to report conflicts of interests. Staff and members of the governing body of the supervisor should exclude themselves from decisions where they have a conflict of interest.

Having necessary legal protection from legal action promotes the independence of the supervisor by enabling its staff to make decisions and take action against a regulated legal entity even though such action or decision may be contested by that entity.

In this context, legislation should protect the supervisor and its staff from criminal or civil liability for decisions made and actions taken in the course of discharging their supervisory responsibilities, provided that the action or decision was not taken in bad faith or illegally.

Public procedures regarding the appointment and dismissal of the head of the supervisor enhance independence, as they limit the potential for government interference in the management of the supervisor. Those procedures should be codified in legislation.

Those procedures should disclose, for example, who appoints the head of the supervisor and members of the governing body, the length of those appointments and the reasons for which the head of the supervisor or members of the governing body can be dismissed before the end of their term, if applicable.

Legislation should disclose the general criteria for appointing members of a governing body, including that they possess relevant qualifications, knowledge and experience to oversee the activities of the supervisor, as well as the mechanism for their remuneration (for example, salary, daily allowance or voluntary work). The procedures regarding the appointment of the members of the governing body should result in a balance of skills, knowledge and experience amongst the members of the governing body as a whole.

A well-defined internal governance structure and strong internal governance processes support the accountability and integrity of the supervisor. The supervisor’s internal governance includes its organisational structure and management arrangements, lines of responsibility, and systems of risk management and internal controls. In this context, integrity refers to the supervisor always acting with probity, respectability and lawfulness, and within the bounds of its delegated authority.

Regardless of the supervisor’s governance structure, the responsibilities of the governing body, the responsibilities of Senior Management, communication channels and decision making authorities, including delegation thereof, should be documented in writing to facilitate compliance with internal controls, including proper authorisation of actions taken by or on behalf of the supervisor. In addition, well-defined communication channels help ensure prompt escalation of significant issues to appropriate levels within the supervisor.

The supervisor should have a process to develop and implement a strategic plan that sets out its goals and priorities, given the responsibilities and objectives assigned to it by legislation. Such a plan should cover a specific period of time, such as two or three years. The supervisor should report on its performance against that plan to the government and other stakeholders, including insurance industry participants, consumers and the general public.

The supervisor should identify the individual or group of individuals responsible for the implementation and review of the internal governance arrangements. The internal governance processes and procedures should be subject to regular independent review, for example by an internal audit function or a public auditor.

The supervisor should have internal mechanisms to help ensure that it is consistent in the actions and decisions it takes.

Cases where circumstances are similar should lead the supervisor to take similar actions or decisions. Actions taken in a particular case in the past should be considered in new cases where the circumstances are similar, unless a change in the requirements or supervisory procedures occurred in the time between the two cases.

Procedural fairness enhances public confidence in the supervisory process. Parties subject to a decision made by the supervisor should be able to receive the written reasons for the decision and to appeal the decision to an impartial review body or tribunal. The manner in which the supervisor’s decision could be subject to judicial review, or in which decisions can be appealed, should be defined and transparent, and included in the notification of the decision.

The existence of an appeal or review mechanism helps ensure that the supervisor’s decisions are made within the law as consistently as possible and are well reasoned. Appeal processes should be specific and balanced to preserve supervisory independence and effectiveness. However, these processes should allow the supervisor to exercise its powers quickly in cases where expeditious action is required. In certain cases, these processes may provide that the decision of the supervisor remains in force until the appeal or review mechanism has produced a final decision on the appeal, unless otherwise ordered by a court.

The type of information that the supervisor is required to keep confidential should be specified in legislation. Generally, any non-public information received relating to a supervised entity would be considered confidential, as well as information received from another supervisor (see ICP 3 Information sharing and confidentiality requirements). Legislation should also specify the circumstances under which the supervisor is allowed to disclose confidential information and to whom it can be disclosed.

The supervisor and its staff, including former staff, and all persons acting on its behalf (presently or in the past) should be liable to penalties for unlawful access to, use of, or disclosure of, confidential information. This includes any outside experts hired by the supervisor and persons to which the supervisor outsourced any supervisory function. The penalties for such conduct should be specified in legislation and may include disciplinary actions, up to and including termination of employment, and criminal or legal proceedings. The duty of confidentiality should survive the termination of employment of a staff member or other third party engaged by the supervisor.

• its objectives and responsibilities;
• its goals and priorities for the future;
• its activities in light of its goals and priorities in the previous year;
• its resources, including human, technological and financial;
• data and analysis about the state of the insurance sector; and
• supervisory measures taken in relation to problem or failed insurers, subject to confidentiality considerations and in so far as it does not jeopardise other supervisory objectives or prejudice another case pending before the supervisor.

The supervisor should seek to publish a report at least annually that contains the elements listed above as well as its audited financial statements. This type of report is a key document by which a supervisor accounts to its stakeholders.

The supervisor publishes and regularly reviews requirements, policies and supervisory procedures to ensure they remain appropriate for the characteristics of the industry, emerging risks and evolving international standards. Some requirements may be contained in primary legislation, while others may be contained in instruments issued by the supervisor, such as guidance and industry advice. The supervisor should ensure these instruments are made available to the public, for example on the supervisor’s website.

A critical element of transparency is for the supervisor to provide the opportunity for meaningful public consultation on proposed requirements and supervisory procedures. Meaningful public consultation benefits from participation by a diversity of stakeholders. Consequently, the supervisor should have methods in place to encourage and solicit stakeholder participation. All persons (presently or in the past) gaining access to confidential information should be subject to the penalties for the wrongful disclosure of that information.

The supervisor should have written procedures on the types of documents that are subject to public consultation as well as the process and timelines for consultation. Some documents used in the supervisory process may not be suitable for consultation, such as detailed procedural manuals that are used to guide staff of the supervisor in the performance of their day-to-day duties.

In some jurisdictions, the development and issuance of requirements may be outside of the control of the supervisor; for example, the power to enact legislation may be vested in another government body or supranational bodies that have a direct role in the legislation in force in their member countries. In such cases, the consultation process may also be outside the remit of the supervisor. To the extent possible, the supervisor should be involved in the development of the requirements, for example, by participating in consultations, and the supervisor should keep the public and the industry informed of proposed changes.

The supervisor’s financial resources and staffing policies should enable it to attract and retain highly skilled, competent and experienced staff with the necessary professional qualifications, where required. The supervisor should have the ability to hire or contract the services of external experts when necessary.

The supervisor should have a process for regularly reviewing its human resources needs, the skills and experience of existing staff and its projected human resource requirements over the short to medium term.

This review could lead the supervisor to implement initiatives to bridge gaps in numbers and/or skills. These could include more flexible hiring policies or schemes for secondment of staff from industry or other supervisory authorities within the jurisdiction or internationally. These initiatives may help in providing access to specialist skills on a temporary basis. Secondments for supervisory staff to industry or other supervisory authorities enhance the skills and experience of staff particularly to better understand industry practices. When implementing such initiatives, the supervisor should have safeguards in place to avoid conflicts of interest and protect confidential information, such as by restricting access to certain information.

The supervisor should provide adequate training opportunities for its staff to ensure that their skills and supervisory practices remain up to date with evolving supervisory and regulatory developments and changes in the industry.

The technological resources available to the supervisor should enable supervisory staff to collect and store securely, quickly access, and efficiently analyse information about the entities it supervises.

Outsourcing of selected supervisory activities to third parties can complement the supervisor’s resources with valuable expertise. However, supervisory activities are primarily the responsibility of the supervisor. The supervisor should retain accountability for and oversight of any outsourced activities to the same degree as non-outsourced activities. Outsourcing should not adversely affect the supervisor`s ability to conduct effective supervision or meet its objectives.

The process used to select third party providers should be fair, open and transparent. All qualified third party providers should have equal access to information regarding the process. Prior to engaging a third party, the supervisor should assess the proposed provider’s competence and experience and the safeguards for the handling of data, including treatment of confidential information. The decision to select a provider should be made free from conflicts of interest, or where such conflicts cannot be avoided, they should be managed.

A written agreement should govern the relationship between the supervisor and the third party provider. The agreement should describe all material aspects of the outsourcing arrangement, including the services to be provided, remuneration of the third party provider, resolution of disputes and procedures governing the sub-contracting of services.

• information on strategy, business activities and business models including prospective and recent acquisitions or disposals of insurance business;
• financial data relating to an insurer;
• organisational structure, both legal and management structure;
• information on the management and operational systems and controls used by insurers;
• information on individuals holding positions of responsibility in insurers  such as Board Members, Senior Management, Key Persons in Control Functions and Significant Owners;
• information on individuals or insurers involved, or suspected of being involved, in criminal activities;
• information on any failures to comply with supervisory requirements, regulatory investigations and reviews, and on any restrictions imposed on the business activities of insurers;
• information concerning regulated entities related to the insurance group, whether undertaking insurance business or other financial business which is subject to regulation, and information concerning non-regulated entities related to the insurance group such as service companies or holding companies;
• specific information requested and gathered from a regulated entity; and
• reporting information within groups to meet group supervisory requirements, including subsidiaries and non-regulated holding companies.

• other insurance supervisors;
• supervisors responsible for banks and other credit institutions;
• supervisors responsible for investments, securities, pensions, financial markets and other sectors;
• authorities responsible for the recovery or resolution of insurers;
• authorities responsible for anti-money laundering or combating the financing of terrorism; and
• law enforcement agencies.

The supervisor should use bilateral or multilateral agreements to facilitate information sharing because they provide the basis for a two-way flow of information and the basis for confidential treatment of the information shared. The IAIS MMoU is an example of a multilateral memorandum of understanding for cooperation and exchange of information between supervisors related to the supervision of insurance legal entities and insurance groups. All signatories to the IAIS MMoU undergo a validation of their laws and regulations to demonstrate compliance with the MMoU’s strict confidentiality regime. For this reason, if all relevant parties are signatories to the IAIS MMoU, it is the preferred framework for multilateral information exchange.

Supervisory colleges can provide a framework for supervisory cooperation and crisis management in which information sharing between involved supervisors occurs on an ongoing basis.

Information sharing is particularly important for the operation of a supervisory college. For a supervisory college to be effective there needs to be mutual trust and confidence among supervisors, particularly in relation to exchange and protection of confidential information.

Each member of the college should take measures necessary to avoid the unintentional divulgence of information or the unauthorised release of confidential information. It is important that appropriate information exchange agreements or other arrangements are in place between the members of the supervisory college to ensure that information can be exchanged in a secure environment.

Where confidential information exchanged within a supervisory college is communicated to relevant supervisors or authorities who are not involved in the college, supervisors should:

• have a formal mechanism in place between the group-wide supervisor and the other supervisors or authorities to ensure the protection of the confidential information. Such mechanisms could be included in the relevant information sharing agreements; and
• obtain the prior consent of the supervisor having provided such information.

• if the requesting supervisor only has the power and responsibility to supervise intermediaries and not insurers, it may not have a legitimate interest in requesting information relating to an insurer; or
• if the requesting supervisor requests information relating to an insurer that has no current or planned operations or other connections to the requesting supervisor’s jurisdiction, it may not have a legitimate interest in requesting such information.  

A valid supervisory purpose is relevant to the requesting authority’s performance of a supervisory task. Valid supervisory purposes may include information requested for the purposes of:

• licensing;
• suitability criteria;
• intra-group transactions such as loans and extensions of credit, parental guarantees, management agreements, service contracts, cost-sharing arrangements, reinsurance agreements, dividends and distributions;
• prevention of financial crime, such as fraud, anti-money laundering or combating the financing of terrorism;
• ongoing supervision, including preventive and corrective  measures and sanctions; and
• exit from the market and resolution.

A supervisor may voluntarily provide information to other relevant supervisors so as to better enable the supervisors’ fulfilment of their supervisory functions. In such cases, the supervisor providing information should adhere to the same requirements as though the information had been requested by a requesting supervisor.

In principle, the requested supervisor is expected to share information with a requesting supervisor with a legitimate interest and for a valid supervisory purpose

In deciding whether and to what extent to fulfil a request for information, the requested supervisor may take into account matters including:

• the nature of the information to be provided;
• the purpose for which the information will be used;
• the ability of the requesting supervisor or authority to maintain the confidentiality of any information received, taking account of the IAIS MMoU or other existing agreements in each jurisdiction;
• whether, in the context of supervisory college or otherwise, the request is covered by a coordination agreement;
• whether it would be contrary to the interest of the jurisdiction of the requested supervisor; and
• relevant laws and regulations in each jurisdiction (in particular those relating to confidentiality and professional secrecy, data protection and privacy, and procedural fairness).

While requests for information should normally be made in writing, the requested supervisor should not insist on written requests in an emergency situation, and should not unreasonably delay a response to an oral request for information made for a valid supervisory purpose by a requesting supervisor.

The requested supervisor may receive a request for information which is not already in their possession. In such circumstances, the requested supervisor should, if it considers it reasonable, obtain that information from the insurer or other entities from which it has the power to obtain information.

If the requested supervisor denies a request, it should explain its reason for the denial to the requesting supervisor or authority.

Lack of strict reciprocity should not be used by the requested supervisor as the reason for not sharing information that would otherwise be appropriate to share, particularly in an emergency or other crisis situation. Strict reciprocity in terms of the level, format and detailed characteristics of information requested is not required.

The requesting supervisor should specify the intended purposes of the information sought. Additionally, MoUs may address purposes for which the requested information may be used by the requesting supervisor.

The requesting supervisor first obtains agreement with the requested supervisor or authority before passing on requested information. Supervisors and authorities are encouraged to request information directly from the requested supervisor, rather than from the requesting supervisor, to provide an opportunity for direct dialogue and further consultation. Requesting supervisors should ensure that appropriate confidentiality requirements are in place and the information is only passed on to another relevant supervisor or authority with a legitimate interest and – in case of a supervisory authority – for valid supervisory purposes.

• other IAIS MMoU signatories in the fulfilment of their supervisory functions; and
• other relevant domestic financial sector bodies such as central banks, law enforcement agencies, relevant courts and other authorities (see Annex B of the IAIS MMoU).

Conditions imposed by the requested supervisor on the passing on of information to third parties should not prevent the requesting supervisor or authority from being able to use the information for its own valid supervisory purposes.

Where allowed by the laws and practices of the jurisdiction, a requesting supervisor required to disclose confidential information by legal compulsion should place, or seek to place, protections from disclosure on that information. Such protections could include:

• a protective order placing restrictions on use or further distribution of the confidential information; or
• limitations on the means and location of the disclosure of the confidential information.

Licensing contributes to efficiency and stability in the insurance sector. Strict conditions governing the formal approval through licensing of insurance legal entities are necessary to protect consumers. The relevant licensing criteria should be applied to prospective entrants consistently to promote a level playing field at point of admission to the insurance sector. Licensing requirements and procedures should not be used inappropriately to prevent or unduly delay access to the market.

The role of the supervisor in licensing is to assess whether insurance legal entities are able to fulfil their obligations to policyholders on an ongoing basis. The licensing procedure is the first step towards achieving this objective.

Licensing is distinct from approval granted in terms of general domestic company, trade or commercial law. Apart from applying for a supervisory licence, other requirements pertaining to company, trade or commercial law should be met (e.g. filing incorporation documents or applying to the registrar of commerce).

Given the principle that all entities engaged in insurance activities must be licensed, the exclusion of limited insurance activities from licensing requirements should give due regard to having appropriate alternative safeguards in place to protect policyholders.

Similarly, jurisdictions may allow a simplified process for non-significant entities (eg limited geographic scope, limited size, and limited lines of business) for the purposes of licensing. In such situations, the legislation should state clearly the applicability, requirements and process for such authorisation.

In jurisdictions where an authority other than the insurance supervisor is responsible for issuing licences, the insurance supervisor should be able to give input and recommend conditions or restrictions (including refusal) on a licence where appropriate to the licensing authority.

Entities should neither be allowed to present themselves nor act as licensed insurance legal entities without or before having been granted a licence.

Depending on the legal forms that are permitted in a jurisdiction, foreign insurers may be allowed to conduct insurance activities within the jurisdiction by way of a local branch or subsidiary or on a cross-border provision of services basis. A subsidiary is a domestically established legal entity that needs to be licensed. A branch is not separate from the insurance legal entity, and can be established in a jurisdiction other than the insurance legal entity's home jurisdiction. A host jurisdiction may require that branches of foreign insurance legal entities be licenced or otherwise authorised by the host supervisor. Cross-border provision of services does not require a local establishment but may require authorisation from the host supervisor.

In addition to being publicly available, licensing requirements should also be easily accessible. Supervisors should issue guidelines on how to file an application for a licence, which include advice on the required format of documents and the expected time it would take to process an application upon the receipt of all relevant documents.

Supervisors should assess the applicant’s business and financial plans to ascertain that the proposed business lines will be soundly managed and adequately capitalised. Business and financial plans should be projected for a minimum of three years by the applicant and include information such as the products to be offered, distribution methods and channels to be used, risk profile, projected setting-up and development costs by business line, capital requirements and solvency margins. Information regarding insurance and reinsurance should also be provided.

Where the applicant is part of a group, the applicant should submit its corporate and group structure, indicating all of the material entities within the group (including both insurance legal entities and other entities, including non-regulated entities). Information on the type of related party transactions and/or relationships between all material entities within the group should also be provided.

The applicant should also provide information to demonstrate the appropriateness of its systems of risk management and internal controls, including contracts with affiliates, outsourcing arrangements, information technology systems, policies and processes.

If applying to be licensed to underwrite both life insurance business and non-life insurance business (where such is allowed), the applicant should demonstrate to the satisfaction of the supervisor that its systems of risk management and internal controls are adequate to manage the risks separately for each business stream.

Further guidance on suitability, governance and capital requirements can be found in ICP 5 (Suitability of Persons), ICP 7 (Corporate Governance), ICP 8 (Risk management and internal controls) and ICP 17 (Capital adequacy).

The supervisor should require a legal entity to submit an application if it proposes to conduct insurance activities. The application should include information on the types of business to be written and contain all the documents and information required by the legislation to confirm that the licensing requirements are met.

In instances where the application is deemed not complete, the supervisor should inform the applicant without delay, and the applicant should be given the opportunity to provide additional information to complete the application.

• whether the external auditors and actuaries have the necessary expertise and experience to perform the roles; and
• their independence from the legal entity and the consideration they give to the protection of policyholders’ interests.

The supervisor should make its assessment and finalise its decision within a reasonable timeframe and without undue delay. A time period should be indicated to the applicant for the assessment procedure, commencing from the date on which all complete application documentation has been submitted to the supervisor. Within this period, the supervisor should decide on the acceptability of the application for a licence. However, this does not preclude the supervisor from conducting additional due diligence if necessary. If the supervisor has not come to a decision within the indicated timeframe and the licence cannot be granted, the supervisor should communicate the reason for the delay to the applicant.

In general, requirements, conditions or restrictions that are imposed on an applicant at the point of issue of the licence deal with the scope of activities that an insurance legal entity is permitted to conduct or the nature of its customers (eg retail versus sophisticated customers). If necessary, the supervisor should impose additional requirements, conditions or restrictions on an applicant not only at the point of issue of the licence, but also as part of its ongoing supervision of the insurance legal entity (see ICP 9 (Supervisory review and reporting) and ICP 10 (Preventive measures, corrective measures and sanctions).

The denial of a licence or conditions or restrictions on a licence should be confirmed in writing to the applicant. The explanation should be provided to the applicant in a transparent manner. Supervisors should convey their concerns with regard to an applicant’s proposed insurance activities and explain the reasons for imposing licensing conditions or restrictions.

A licence should clearly state the classification of insurance activities that the insurance legal entity is licensed to conduct. Regarding classification, legislation should categorise insurance business into types and classes of insurance (at least into life and non-life).

Before adding new classes of insurance to the list of classes already granted to the insurance legal entity, the supervisor should consider all of the above mentioned licensing requirements, as applicable.

The supervisor should publish the complete list of licensed insurance legal entities and clearly state the scope of licence that has been granted to each insurance legal entity. This would provide clarity to the public as to which entities are licensed for specific classes of business.

If the conditions or restrictions to the license would impact the public or any person dealing with the insurance legal entity, the supervisor should either publish these conditions or restrictions or require the insurance legal entity to disclose these conditions or restrictions accordingly. Conditions or restrictions that would impact the public could include, for example, the lines or classes of insurance business an insurance legal entity is permitted to conduct.

As part of the consultation, supervisors should use the modes available for supervisory cooperation, in particular, the ability to exchange information relevant for the application (eg check of suitability of directors and owners) with domestic or foreign authorities. The exchange of information may be governed by law, agreement or memorandum of understanding, especially if the information is deemed confidential. Having such arrangements in place is important so as to not unduly delay the processing of an application.

Before making a decision to grant the licence, the host supervisor should have an understanding of how the home supervisor supervises the insurer on an ongoing basis.

Host supervisors should consult home supervisors on relevant aspects of any licensing proposal, but in any event they should always consider checking that the home supervisor of the insurance legal entity has no objection before granting a licence. The home supervisor should assess the risks posed to the insurer of establishing an insurance legal entity in a foreign jurisdiction and highlight any material reservations or concerns to the host supervisor as soon as practicable. The host supervisor should inform the home supervisor of the scope of the licence, including any restrictions or prohibitions imposed on the licence.

Host supervisors should reject applications for a licence from foreign entities which are not subject to regulation and supervision in the home jurisdiction. In the case of joint ventures, if there is lack of clear parental responsibility, the supervisor should reject such applications.

Jurisdictions or regions may have a system or cooperation agreements in place whereby such consultation is not necessary or required.

Suitability requirements may extend to other individuals (eg financial controllers and treasurers) to account for the roles of such individuals that may differ depending on the jurisdiction and the legal form and governance structure of the insurer.

Competence is demonstrated generally through the level of an individual’s professional or formal qualifications and knowledge, skills and pertinent experience within the insurance and financial industries or other businesses. Competence also includes having the appropriate level of commitment to perform the role. Refer to ICP 7 (Corporate Governance) with regard to competence and commitment and to ICP 8 (Risk management and internal controls) with regard to control functions.

Integrity is demonstrated generally through character, personal behaviour and business conduct.

The supervisor should require the insurer to take the necessary measures to ensure that these requirements are met by setting high internal standards of ethics and integrity, promoting sound corporate governance and requiring that these individuals have pertinent experience, and maintain a sufficient degree of knowledge and decision making ability.

To ensure an appropriate level of suitability, Board Members, Senior Management and Key Persons in Control Functions should acquire, maintain and enhance their knowledge and skills to fulfil their roles, for example, by participating in induction and ongoing training on relevant issues. Sufficient time, budget and other resources should be dedicated for this purpose, including external expertise drawn upon as needed.

The supervisor should assess the suitability of Board Members, Senior Management, Key Persons in Control Functions and Significant Owners of an insurance legal entity as part of the licensing procedure before the insurance legal entity is permitted to operate (see ICP 4 Licensing).

The supervisor should assess the suitability of Board Members, Senior Management, Key Persons in Control Functions and Significant Owners of insurers either prior to changes in the positions or as soon as possible after appointment. The supervisor should also require the insurer to perform internal suitability assessments of Board Members, Senior Management and Key Persons in Control Functions on an ongoing basis, for example on an annual basis or when there are changes in the circumstances of the individuals. The supervisor may require the insurer to certify that it has conducted such assessments and demonstrate how it reached its conclusions.

With regard to Control Functions, the individual(s) to be assessed should be the Key Persons in Control Functions.

The supervisor should have sufficient and appropriate information to assess whether an individual meets suitability requirements. The information to be collected and the supervisor’s assessment of such information may differ depending on the role.

• evidence that the individual has sufficient relevant knowledge and pertinent experience within the insurance and financial industries or other businesses; and
• evidence that the individual has the appropriate level of commitment to perform the role.

The application of suitability requirements relating to competence for Board Members, Senior Management and Key Persons in Control Functions of an insurer may vary depending on the degree of their influence and on their roles. It is recognised that an individual considered competent for a particular position within an insurer may not be considered competent for another position with different responsibilities or for a similar position within another insurer. When assessing the competence of the Board Members, regard should be given to respective duties allocated to individual members to ensure appropriate diversity of qualities and to the effective functioning of the Board as a whole.

• Legal indicators: These provide information on possible legal misconduct. Such indicators could include civil liability, criminal convictions or pending proceedings:
  • for breaches of law designed to protect members of the public from financial loss, eg dishonesty, or misappropriation of assets, embezzlement and other fraud or other criminal offences (including anti-money laundering and the combating of the financing of terrorism.
  • against the individual in his/her personal capacity;
  • against an entity in which the individual is or was a Board Member, a member of the Senior Management, a Key Person in Control Functions or a Significant Owner; or
  • incurred by the individual as a consequence of unpaid debts.
• Financial indicators: These provide information on possible financial misconduct, improper conduct in financial accounting, or negligence in decision-making. Such indicators could include:
  • financial problems or bankruptcy in his/her private capacity; or
  • financial problems, bankruptcy or insolvency proceedings of an entity in which the individual is or was a Board Member, a member of the Senior Management or a Key Person in Control Functions.
• Supervisory indicators: These provide information gathered by or that comes to the attention of supervisors in the performance of their supervisory duties. These supervisors could also be authorities with supervisory responsibility in sectors other than insurance. Such indicators could include:
  • the withholding of information from public authorities or submission of incorrect financial or other statements;
  • conduct of business transgressions;
  • prior refusal of regulatory approval for key positions;
  • preventive or corrective measures imposed (or pending) on entities in which the individual is or was a Board Member, a member of the Senior Management, or a Key Person in Control Functions; or
  • outcome of previous assessments of suitability of an individual, or sanctions or disciplinary actions taken (or pending) against that individual by another supervisor.
• Other indicators: These may provide other information that could reasonably be considered material for the assessment of the suitability of an individual. Examples include:
  • suspension, dismissal or disqualification of the individual from a position as a Board Member or a member of the Senior Management of any company or organisation;
  • disputes with previous employers concerning incorrect fulfilment of responsibilities or non-compliance with internal policies, including code of conduct, employment law or contract law;
  • disciplinary action or measures taken against an individual by a professional organisation  in which the individual is or was a member (e.g., actuaries, accountants or lawyers); or
  • strength of character, such as the ability and willingness to challenge, as an indicator of a person’s integrity as well as competence to perform the respective role. 

• the nature and scope of its business;
• its ownership structure, where relevant;
• its source of finance/funding and future access to capital;
• the group structure, if applicable, and organisation chart; and
• other relevant factors.

• Financial statements and exhibits. If the Significant Owner is a legal person, financial statements may include annual financial statements; for a natural person, it may include financial information (such as tax accounts or personal wealth statements) that are reviewed by an independent public accountant; and
• Transactions and agreements such as: loans; investments; purchase, sale or exchange of securities or other assets; dividends and other distributions to shareholders; management agreements

• Significant Owners understand their role as potential future sources of capital, if needed;
• there are any indicators that Significant Owners will not be able to meet their debts as they fall due;
• appropriate prudential solvency requirements are met if the Significant Owner is a financial institution;
• Significant Owners have been subject to any legally valid judgment, debt or order that remains outstanding or has not been satisfied within a reasonable period;
• Significant Owners have made arrangements with creditors, filed for bankruptcy or been adjudged bankrupt or had assets sequestered; and
• Significant Owners have been able to provide the supervisor with a satisfactory credit reference.

Insurers should be required to report promptly any information gained about these persons that may materially affect their suitability, for example, if a Board Member is convicted of a financial crime. See guidance under Standard 5.3 for additional examples of indicators of circumstances that may materially affect the suitability of an individual.

• requesting the insurer to provide additional education, coaching or the use of external resources in order to achieve compliance with suitability requirements by an individual in a position as Board Member, member of the Senior Management or Key Person in Control Functions;
• preventing, delaying or revoking appointment of an individual in a position as Board Member, member of the Senior Management or Key Person in Control Functions;
• suspending, dismissing or disqualifying an individual in a position as a Board Member, Senior Management or Key Person in Control Function, either directly or by ordering the insurer to take these measures;
•  requiring the insurer to appoint a different person for the position in question who does meet the suitability requirements, to reinforce the sound and proper management and control of the insurer;
• imposing additional reporting requirements and increasing solvency monitoring activities; or
• withdrawing or imposing conditions on the business licence, especially in the case of a major breach of suitability requirements, taking into account the impact of the breach or the number of members of the Board, Senior Management or Key Persons in Control Functions involved.

• requiring the Significant Owners to dispose of their interests in the insurer within a prescribed period of time;
• the suspension of the exercise of their corresponding voting rights; or
• the nullification or annulment of any votes cast by the Significant Owners.

There can be circumstances where a Board Member, a member of the Senior Management or a Key Person in Control Functions is unable to carry out his/her role and a replacement needs to be appointed on short notice. In jurisdictions where the supervisor approves the post-licensing appointment of Board Members, Senior Management or Key Persons in Control Functions, it may be appropriate for the supervisor to permit the post to be filled temporarily until the successor’s suitability assessment is affirmed. In such circumstances, a supervisor may require that these temporary replacements meet certain suitability requirements, depending on his/her position or responsibilities within the insurer. However, such assessment should be conducted and concluded in a timely manner.

Supervisors should use the modes available for supervisory cooperation, in particular, the ability to exchange information relevant to check suitability with domestic or foreign authorities. Having such arrangements in place is important so as to not unduly delay relevant supervisory processes and/or affect the insurers’ ability to satisfy composition requirements for the Board or make necessary changes to its management team (see ICP 3 Information sharing and confidentiality requirements).

The supervisor may use this information as an additional tool to assess effectively the suitability of, or to obtain information about, a Board Member, a member of the Senior Management or a Key Person in Control Functions.

If a Significant Owner that is to be assessed is a legal person or a corporate entity regulated in another jurisdiction, the supervisor should seek confirmation from the relevant authority that the entity is in good standing in that other jurisdiction.

The supervision of change of control and portfolio transfers supports supervisory objectives, in particular:

• licensing regimes are not undermined by control being obtained or retained by those who would not get a licence ordinarily; and
• insurers should continue to be held in corporate or other arrangements that allow them to be effectively supervised.

To assist in understanding the content of this ICP, it is emphasised that:

• change of control extends beyond the immediate controlling interest, such as the ownership of equity in an insurer, and includes other actions that have the potential to change the exercise of control over the insurer;
• change of control is relevant, both at the insurance legal entity and intermediate and ultimate beneficial owner levels;
• change of control may take place in a variety of forms, such as mergers, acquisitions or (de)mutualisations;
• control includes the exercise of influence over decisions such as those on strategic, operating, investing and financing policies of an insurer. It may also include the power to appoint or remove members, or otherwise influence the composition of, the Board or of Board committees;
• control may be exercised by a person individually, or acting in concert with associates or others, and directly or indirectly through corporate structures or other mechanisms; and
• significant owners and the transactions that determine or change control may be outside of a jurisdiction, but the impact on the ultimate control of the insurer in that jurisdiction means that they remain relevant to effective supervision of control.

Supervisory requirements and practices regarding change of control and portfolio transfers may vary, taking into account the nature, scale and complexity of the transactions and the risk posed to achievement of supervisory objectives. For example, portfolio transfers between reinsurers, internal restructuring transactions within a group that does not change the ultimate beneficial ownership of the entity, and demutualisation, are different types of transactions. Their nature may warrant different supervisory approaches and/or different levels of intensity of supervision.

There may be transactions where a portfolio transfer or a change of control is cross-border in nature. In such cases, the supervisor should coordinate and exchange information with the relevant supervisors (see ICP 3 Information sharing and confidentiality requirements and ICP 25 Supervisory cooperation and coordination).

The definition of "control" should address, at least:

• holding of a defined number or percentage of issued shares or financial instruments above a designated threshold in an insurer or its intermediate or ultimate beneficial owner or the head of the insurance group or head of the financial conglomerate as may be the case; and/or
• having a defined percentage of voting rights attached to shares or financial instruments.

Financial instruments other than shares that should be of interest to the supervisor are those that have the potential to impact the levels of control over an insurer, including those that may convert in the future into an interest that leads to a change of control through that conversion.

The definition of a threshold for control is not necessarily the same as the definition that may apply for accounting consolidation or other purposes.

The supervisor should require notification of proposals that would lead to increased (or decreased) control.

The supervisor should establish thresholds for notification. Such thresholds may improve transparency and compliance with related requirements while avoiding immaterial notifications. The supervisor typically establishes lower thresholds (such as between 5 and 10 percent) for initial notification of acquiring control, and a higher percentage for approval and for increased control also requiring approval.

The supervisor may also be informed by notifications made to other authorities such as corporate law supervisors or under rules for publicly traded companies.

Notifications should be submitted to the supervisor in a reasonable time. Changes that arise because of actions of the insurer should be subject to advance notification. Actions of others are usually made “subject to” relevant approvals so are not effective until approved.

The supervisor should assess both actions that lead to new controlling interests and those that lead to material increases in existing controlling interests. Material increases may arise, for example, when existing significant owners increase their interest, when associates increase their interest, or when a significant owner acquires a new associate who has a plan to acquire an interest (directly or indirectly) in the insurer.

The supervisor should obtain the information necessary to assess the change of control. The supervisor may seek such information from the insurer, its significant owners, shareholders or other relevant persons. The information obtained should be proportionate to the complexity of the change of control. Regardless, the supervisor should have sufficient information to understand the impact of the change of control on the insurer and be able to identify the ultimate beneficial owner.

When considering whether to approve a change of control that leads to a new significant owner, the supervisor should verify that the approval would not lead to a control arrangement that would not have been approved as part of the jurisdiction’s licensing requirements in similar circumstances (see ICP 4 Licensing).

The supervisor should assess whether a new significant owner is suitable to fulfil its role. A significant owner should possess at least the necessary qualities relating to financial soundness and integrity (see ICP 5 Suitability of persons).

The supervisor should be able to deny a change of control when, for example, it would be prejudicial to the interests of policyholders, the resulting structure would not allow for effective supervision, or the ultimate beneficial owner cannot be identified.

In jurisdictions where mutual ownership of insurers is possible, legislation should provide a process for mutual insurers to demutualise at their own discretion or if directed to do so by the supervisor.

The process for (de)mutualisation may vary by jurisdiction. For example, the ultimate approval may be provided by authorities other than the supervisor, such as courts or votes of member policyholders. Regardless, the supervisor should be consulted and should have the right to object to a (de)mutualisation.

In assessing a (de)mutualisation, the supervisor should consider the impact on the financial condition of the insurer and the ongoing expectations of policyholders, including those that will continue as participating policyholders. The supervisor should also assess whether the new governing organisational document of the company adequately protects current and future policyholders.

Insurance policies are legal contracts between an insurer and its policyholders. As such, an insurer should not be able unilaterally to alter the terms of a contract by merging with another insurer, (de)mutualising, or transferring some of its business to another insurer.

In order to protect the interests of policyholders and to safeguard the financial condition of the insurers involved, legislation should address the conditions for a portfolio transfer. Policyholders’ benefit expectations and existing policy values should not normally be lessened as a result of a portfolio transfer.

The process for a portfolio transfer may vary by jurisdiction. For example, the ultimate approval may be provided by authorities other than the supervisor, such as courts. Regardless, the supervisor should be consulted and should have the right to object to a portfolio transfer.

When assessing a transfer, the supervisor should consider the impact on the transferring policyholders, as well as on those that are not transferring, and those that are current policyholders of the company to which the policyholders are being transferred. This should apply whether the portfolio transfer is considered a part of normal business, a merger or part of a resolution where the insurer is no longer viable (see ICP 12 Exit from the market and resolution).

• promotes the development, implementation and effective oversight of policies that clearly define and support the objectives of the insurer;
• defines the roles and responsibilities of persons accountable for the management and oversight of an insurer by clarifying who possesses legal duties and powers to act on behalf of the insurer and under which circumstances;
• sets requirements relating to how decisions and actions are taken including documentation of significant or material decisions, along with their rationale;
• provides sound remuneration practices which promote the alignment of remuneration policies with the long term interests of insurers to avoid excessive risk taking;
• provides for communicating with the supervisor, as appropriate, matters relating to the management and oversight of the insurer; and
• provides for corrective actions to be taken for non-compliance or weak oversight, controls or management.

An effective corporate governance framework enables an insurer to be flexible and transparent; to be responsive to developments affecting its operations in making timely decisions and to ensure that powers are not unduly concentrated. The corporate governance framework supports and enhances the ability of the key players responsible for an insurer’s corporate governance; ie the Board, Senior Management and Key Persons in Control Functions to manage the insurer’s business soundly and prudently.

• jurisdictional corporate law, which may allow or require different Board structures (such as one-tier or two-tier Boards);
• organisational structure such as stock companies, mutuals or co-operatives; and
• group, branches, or solo legal entity operations.

The standards on corporate governance are designed with sufficient flexibility to apply to supervision of insurers regardless of any differences in the corporate structures and legal systems.

The term Board includes its management and oversight roles, regardless of Board structure.

Governance of insurers formed as mutuals or co-operatives is different from that of insurers formed as joint stock companies (ie, bodies corporate). These standards are nevertheless sufficiently flexible to be adapted to mutuals and co-operatives to promote the alignment of actions and interests of the Board and Senior Management with the broader interests of policyholders. Where there are references to shareholders or stakeholders, they should be generally treated as references to policyholders in mutuals, unless otherwise indicated.

Insurance groups should ensure that the corporate governance framework is appropriate to the structure, business and risks of the insurance group and its legal entities. The corporate governance framework should include policies, processes and controls which address risks across the insurance group and legal entities, and clear reporting lines between the head of the group and the legal entities within the group.

When setting up or monitoring their corporate governance framework, insurance groups should evaluate the specific challenges which may arise from the organisational model adopted by a group (e.g. more centralised or more decentralised model). The main factors underlying the challenges are:

• the division of authorities and responsibilities between the key players at the insurance group and legal entity level;
• effective group-wide direction and coordination;
• proper consideration of the legal obligations, governance responsibilities and risks both at the insurance group and legal entity level; and
• effective communication within the group and adequate information at all levels (see Issues Paper on Approaches to Group Corporate Governance; Impact on Control Functions).

The supervisor should take the organisational structure of the group into consideration in evaluating its governance. Particularly when the management structure differs from the legal entity structure, it is not sufficient to assess governance only at the legal entity level. In such a case, it is important that appropriate governance exists across the group and that the supervisor assesses it on a group-wide basis.

If an insurer is a branch, these standards would generally apply to the legal entity in its home jurisdiction. However, the host supervisor may require designated oversight and/or management accountabilities and structures to be maintained at the branch, including in some cases a designated representative responsible for the management of the branch. In such cases, these standards should also apply, as appropriate, to the oversight and management roles maintained within the branch taking due account of the governance structures and arrangements as determined by the host supervisor.

The Board should ensure that the insurer has a well-defined governance structure which provides for the effective separation between oversight and management functions. The Board is responsible for providing the overall strategy and direction for the insurer and overseeing its proper overall management, while leaving the day-to-day management of the insurer to Senior Management. The separation of the roles of the Chair of the Board and the Chief Executive Officer (CEO) reinforces a clear distinction between accountability for oversight and management.

The Board should also ensure that there is a clear allocation of roles and responsibilities to the Board as a whole, to committees of the Board where they exist, and to the Senior Management and Key Persons in Control Functions to ensure proper oversight and sound management of the insurer. The allocation of roles and responsibilities should clearly identify the individual and collective accountabilities for the discharge of the respective roles and responsibilities. The organisational structure of the insurer and the assignment of responsibilities should enable the Board and Senior Management to carry out their roles in an adequate and objective manner and should facilitate effective decision making.

The allocation of responsibilities to individual Board Members (for example the membership of Board committees such as the audit or remuneration committee) should take due account of whether the relevant member has the degree of independence and objectivity required to carry out the functions of the particular committee. The effective oversight of the executive functions should be performed by the non-executive members of the Board, because they are not involved in the day-to-day management of the insurer. Within a group the allocation and division of the oversight and management responsibilities at different levels should be transparent, appropriate for, and aligned with, the organisational model of the group. Where individuals undertake functions for more than one legal entity within a group, the group should have in place appropriate measures so that conflicts of interest between the different roles to be performed by such individuals are avoided, or where such conflicts cannot be avoided, they should be managed.

• ensure that there are adequate policies and processes relating to the appointment, dismissal and succession of the Senior Management, and be actively involved in such processes;
•  ensure that Senior Management’s knowledge and expertise remain appropriate given the nature of the business and the insurer's risk profile;
• monitor whether the Senior Management is managing the affairs of the insurer in accordance with the strategies and policies set by the Board, and the insurer’s risk appetite, corporate values and corporate culture;
• set appropriate performance and remuneration standards for Senior Management consistent with the long-term strategy and the financial soundness of the insurer and monitor whether the Senior Management is meeting the performance goals set by the Board;
• regularly meet with the Senior Management to discuss and review critically the decisions made, information provided and any explanations given by the Senior Management relating to the business and operations of the insurer; and
• have regular interaction with any committee it establishes as well as with other key functions, proactively request information from them and challenge that information when necessary.

As a part of its regular monitoring and review of the insurer’s operations, the Board should review whether the relevant policies and processes, as set by the Board, are being properly implemented by Senior Management and are operating as intended. Particular attention should be paid as to whether the responsibilities for managing and implementing the policies of the Board have been effectively discharged by those responsible. The Board should obtain reports at least annually for this purpose and such reports may include internal or external independent reports as appropriate.

The Board should adopt a rigorous process for setting, approving, and overseeing the implementation of the insurer’s overall business objectives and strategies, taking into account the long term financial safety and soundness of the insurer as a whole, the interests of its policyholders and other stakeholders, and the fair treatment of customers. The Board ensures that the Senior Management has adequately documented and communicated these objectives and strategies to the Key Persons in Control Functions and all other relevant staff.

The effective implementation of objectives and strategies should be supported by the corporate culture and by clear and objective performance goals and measures, taking due account of, among other things, the insurer’s long term interests and viability and the interests of policyholders and other stakeholders. The Board should review the appropriateness of the goals and measures set.

A corporate culture reflects the fundamental corporate values and includes norms for responsible and ethical behaviour applicable to all employees of the insurer. The Board should take the lead in setting the appropriate tone at the top. This includes adherence to the corporate values by the Board and a strong risk culture avoiding excessive risk taking. The corporate values, norms and supporting policies should be communicated throughout the insurer. These are also reflected in the insurer’s business objectives and strategies, and supported by professional standards and codes of ethics that set out what the insurer considers to be acceptable and unacceptable conduct. In this regard, the Board should take account of the interests of policyholders and other relevant stakeholders. In setting the tone at the top the Board should ensure that employees are aware that appropriate disciplinary or other actions will follow unacceptable behaviours.

The Board should ensure that the corporate culture promotes timely and frank discussion and escalation of problems to Senior Management or itself. The Board should set and oversee the implementation of transparent policies and processes which promote and facilitate that employees can communicate concerns or information about illegal or unethical behaviour confidentially and without reprisal directly or indirectly to the Board (eg whistle blower policy). The Board should determine how and by whom legitimate concerns shall be investigated and addressed (Senior Management, Board or an external party).

The Board should define and oversee the implementation of norms for responsible and ethical behaviour. It should not allow behaviour that would be incompatible with the protection of policyholders and that could lead to reputational risks or improper or illegal activity, such as financial misreporting, fraud, money laundering, bribery and corruption. The norms for responsible and ethical behaviour should also make clear that employees are expected to conduct themselves ethically in addition to complying with laws, regulations and the insurer’s policies.

The Board should ensure that the insurer’s corporate governance framework and overall business objectives and strategies are reviewed at least annually to ensure that they have been properly implemented and that they remain appropriate in light of any material changes in the organisational structure, activities, strategy, and regulatory and other external factors. The Board should ensure more frequent reviews, for instance when an insurer embarks on a significant new business initiative (eg a merger or acquisition, or a material change in the direction with respect to the insurer’s product portfolio, risk or marketing strategies), upon the introduction of a new type or class of risk or product or a decision to market products to a new class or category of clients, or following the occurrence of significant external or internal events which may potentially have a material impact on the insurer (including its financial condition, objectives and strategies) or the interests of its policyholders or other stakeholders.

The Board of an insurer should have a sufficient number of members who have relevant expertise among them as necessary to provide effective leadership, direction and oversight of the insurer’s business to ensure it is conducted in a sound and prudent manner. For this purpose, the Board should collectively and individually have, and continue to maintain, including through training, necessary skills, knowledge and understanding of the insurer’s business to be able to fulfil their roles. In particular, the Board should have, or have access to, knowledge and understanding of areas such as the lines of insurance underwritten by the insurer, actuarial and underwriting risks, finance, accounting, the role of control functions, investment analysis and portfolio management and obligations relating to fair treatment of customers. While certain areas of expertise may lie in some, but not all, members, the collective Board should have an adequate spread and level of relevant competencies and understanding as appropriate to the insurer's business.

Board Members should have the commitment necessary to fulfil their roles, demonstrated by, for example, a sufficient allocation of time to the affairs of the insurer and reasonable limits on the number of Board Memberships held within or outside the insurance group.

The Board should review, at least annually, its own performance to ascertain whether members collectively and individually remain effective in discharging the respective roles and responsibilities assigned to them and identify opportunities to improve the performance of the Board as a whole. The Board should implement appropriate measures to address any identified inadequacies, including any training programmes for Board Members. The Board may also consider the use of external expertise from time to time to undertake its performance assessment where appropriate in order to enhance the objectivity and integrity of that assessment process.

The Board should have appropriate practices and procedures for its own internal governance, and ensure that these are followed and periodically reviewed to assess their effectiveness and adequacy. These may be included in organisational rules or by-laws, and should set out how the Board will carry out its roles and responsibilities. They should also cover a formal and documented process for nomination, selection and removal of Board Members, and a specified term of office as appropriate to the roles and responsibilities of the Board member, particularly to ensure the objectivity of decision making and judgment. Appropriate succession planning should also form part of the Board’s internal governance practices.

While the Board as a whole remains collectively responsible for the stewardship of the insurer, the Chair of the Board has the pivotal role of providing leadership to the Board for its proper and effective functioning. The role of the Chair of the Board should generally encompass responsibilities such as setting the Board’s agenda, ensuring that there is adequate time allocated for the discussion of agenda items, especially if they involve strategic or policy decisions of significant importance, and promoting a culture of openness and debate by facilitating effective participation of non-executive and executive members and communication between them and also with the Senior Management and Key Persons in Control Functions. To promote checks and balances, it is good practice for the Chair of the Board to be a non-executive Board member and not serve as chair of any Board committee. In jurisdictions where the Chair of the Board is permitted to assume executive duties, the insurer should have measures in place to mitigate any adverse impact on the insurer's checks and balances.

To support the effective discharge of the responsibilities of the Board, the Board should assess whether the establishment of committees of the Board is appropriate. Committees that a Board may commonly establish include audit, remuneration, ethics/compliance, nominations and risk management committees. Where committees are appointed, they should have clearly defined mandates and working procedures (including reporting to the Board), authority to carry out their respective functions, and a degree of independence and objectivity as appropriate to the role of the committee. The Board should consider occasional rotation of members and of the chairs of committees, or tenure limits to serve on a committee, as this can help to avoid undue concentration of power and promote fresh perspectives. If the functions of any committees are combined, the Board should ensure such a combination does not compromise the integrity and/or effectiveness of the functions combined. In all cases, the Board remains ultimately responsible for matters delegated to any such committees.

To promote objectivity in decision making by the Board, the formal and perceived independence of Board Members should be ensured. To that end, Board Members should avoid personal ties or financial or business interests which conflict with that of the insurer. Where it is not reasonably possible to avoid conflicts of interests, such conflicts should be managed. Documented procedures and policies should be in place to identify and address conflicts of interests which could include disclosure of potential conflicts of interests, requirements for arm’s length transactions, abstention of voting and, where appropriate, prior approval by the Board or shareholders of professional positions or transactions.

Besides policies on conflicts of interests, the insurer should ensure objectivity in decision making by establishing clear and objective independence criteria which should be met by an adequate number of members of the Board (ie non-executive Board Members). For this purpose, the independence criteria should also take account of group structures and other applicable factors. Meeting such criteria is particularly important for those Board Members undertaking specific roles (such as members of the remuneration and audit committees) in which conflicts of interests are more likely to arise.

Objectivity in decision making is also promoted by independence of mind of the individual Board Members. This means that a Board member should act without favour; provide constructive and robust challenge of proposals and decisions; ask for information when the member judges it necessary in the light of the issues; and avoid “group-think”.

Board Members should also bear in mind the duties of good faith and loyalty applicable to them at the individual level, as set out in Standard 7.4.

To be able to discharge its role and responsibilities properly, the Board should have well-defined powers, which are clearly set out either in legislation and/or as part of the constituent documents of the insurer (such as the constitution, articles of incorporation, by-laws or internal/organisational rules). These should, at least, include the power to obtain timely and comprehensive information relating to the management of the insurer, including direct access to relevant persons within the organisation for obtaining information, such as Senior Management and Key Persons in Control Functions.

Adequate resources, such as sufficient funding, staff and facilities, should be allocated to the Board to enable the Board Members to carry out their respective roles and responsibilities efficiently and effectively. The Board should have access to services of external consultants or specialists where necessary or appropriate, subject to criteria (such as independence) and due procedures for appointment and dismissal of such consultants or specialists.

The Board may delegate some of the activities or tasks associated with its own roles and responsibilities. (Delegations in this context are distinguished from outsourcing of business activities by the insurer, which is dealt with in ICP 8 Risk management and internal controls.) Notwithstanding such delegations, the Board as a whole retains the ultimate responsibility for the activities or tasks delegated, and the decisions made in reliance on any advice or recommendations made by the persons or committees to whom the tasks were delegated.

• the delegation is appropriate. Any delegation that results in the Board not being able to discharge its own roles and responsibilities effectively would be an undue or inappropriate delegation. For example, the duty to oversee the Senior Management should not be delegated to a Board committee comprised mostly or solely of executive members of the Board who are involved in the day-to-day management of the insurer;
• the delegation is made under a clear mandate with well-defined terms such as those relating to the powers, accountabilities and procedures relating to the delegation, and is supported by adequate resources to effectively carry out the delegated functions;
• there is no undue concentration of powers giving any one person or group of individuals an unfettered and inappropriate level of powers capable of influencing the insurer’s business or management decisions;
• it has the ability to monitor and require reports on whether the delegated tasks are properly carried out; and
• it retains the ability to withdraw the delegation if it is not discharged properly and for due purposes by the delegate, and, for this purpose, have appropriate contingency arrangements in place.

The specific duties identified above are designed to address conflicts of interests that arise between the interests of the individual members of the Board and those of the insurer and policyholders. The insurer should include these duties as part of the terms of engagement of the individual Board Members.

The supervisor should be satisfied that individual Board Members understand the nature and scope of their duties and how they impact on the way in which the member discharges his/her respective roles and responsibilities. A Board member should consider his/her ability to discharge the roles and responsibilities in a manner as would be expected of a reasonably prudent person placed in a similar position. He/she should act on a fully informed basis, and for this purpose continually seek and acquire information as necessary.

Where a member of the Board of an insurer has common membership on the Board of any other entity within or outside the insurer’s group, there should be clear and well defined procedures regarding the member’s duty of loyalty to the insurer. These may include appropriate disclosure and in some instances shareholder approval of such overlapping roles. In the event of a material conflict with the interests of the insurer, the member should disclose such conflicts promptly to the Board of the insurer and its stakeholders as appropriate, and be required to decline to vote or take any decisions in any matters in which he/she has an interest.  

It is the Board’s responsibility to ensure that the insurer has appropriate systems and functions for risk management and internal controls and to provide oversight to ensure that these systems and the functions that oversee them are operating effectively and as intended. The responsibilities of the Board are described further in ICP 8 (Risk management and internal controls).

Sound remuneration policy and practices are part of the corporate governance framework of an insurer. This standard and guidance are neither intended to unduly restrict nor reduce an insurer’s ability to attract and retain skilled talent by prescribing any particular form or level of individual remuneration. Rather, they aim to promote the alignment of remuneration policies with the long term interests of insurers to avoid excessive risk taking, thereby promoting sound overall governance of insurers and fair treatment of customers.

As a part of effective risk management, an insurer should adopt and implement a prudent and effective remuneration policy. Such a policy should not encourage individuals, particularly members of the Board and Senior Management, Key Persons in Control Functions and major risk-taking staff, to take inappropriate or excessive risks, especially where performance-based variable remuneration is used.

The Board, particularly members of the remuneration committee where one exists, should collectively have the requisite competencies to make informed and independent judgments on the suitability of an insurer’s remuneration policy. Such competencies include skills, such as a sufficient understanding of the relationship between risk and remuneration practices. The remuneration committee, where established, should have an adequate representation of non-executive members to promote objectivity in decision-making.

• the components of the overall remuneration policy, particularly the use and balance of fixed and variable components;
• the performance criteria and their application for the purposes of determining remuneration payments;
• the remuneration of the members of the Board, Senior Management and major risk-taking staff; and
• any reports or disclosures on the insurer’s remuneration practices provided to the supervisor or the public.

The Board should ensure that in structuring, implementing and reviewing the insurer’s remuneration policy, the decision-making process identifies and manages conflicts of interests and is properly documented. Members of the Board should not be placed in a position of actual or perceived conflicts of interests in respect of remuneration decisions.

The Board should also ensure that the relevant Key Persons in Control Functions are involved in the remuneration policy-setting and monitoring process to ensure that remuneration practices do not create incentives for excessive or inappropriate risk taking, are carried out consistently with established policies and promote alignment of risks and rewards across the organisation. Similarly, the remuneration and risk management committees of the Board, if such committees exist, should interact closely with each other and provide input to the Board on the incentives created by the remuneration system and their effect on risk-taking behaviour.

• predominantly based on the effective achievement of the objectives appropriate to such control functions. Performance measures for staff in control functions should represent the right balance between objective assessments of the control environment (eg the conduct of the relationship between the control functions and executive management) and outputs delivered by the control functions, including their impact, quality and efficiency in supporting the oversight of risks. Such output measures may include recommendations made and implemented to reduce risks, reduction in number of compliance breaches and measures adopted to promptly rectify identified breaches, results of external quality reviews and losses recovered or avoided through audits of high risk areas;
• not linked to the performance of any business units which are subject to their control or oversight. For example, where risk and compliance functions are embedded in a business unit, a clear distinction should be drawn between the remuneration policy applicable to staff undertaking control functions and other staff in the business unit, such as through the separation of the pools from which remuneration is paid to the two groups of staff; and
• adequate as an overall package to attract and retain staff with the requisite skills, knowledge and expertise to discharge those control functions effectively and to increase their competence and performance.

Where any control function is outsourced, the remuneration terms under the agreement with the service provider should be consistent with the objectives and approved parameters of the insurer’s remuneration policy.

Variable remuneration should be performance-based using measures of individual, unit or group performance that do not create incentives for inappropriate risk taking.

• There should be an appropriate mix of fixed and variable components, with adequate parameters set for allocating cash versus other forms of remuneration, such as shares. A variable component linked to performance that is too high relative to the fixed component may make it difficult for an insurer to reduce or eliminate variable remuneration in a poor financial year;
• The reward for performance should include an adjustment for the material current and future risks associated with performance. Since the time horizon of performance and associated risks can vary, the measurement of performance should, where practicable, be set in a multi-year framework to ensure that the measurement process is based on longer term performance;
• If the variable component of remuneration is significant, the major part of it should be deferred for an appropriate specified period. The deferral period should take account of the time frame within which risks associated with the relevant performance (such as the cost of capital required to support risks taken and associated uncertainties in the timing and the likelihood of future revenues and expenses) may materialise. The deferral period applied may vary depending on the level of seniority or responsibility of the relevant individuals and the nature of risks to which the insurer is exposed;
• The award of variable remuneration should contain provisions that enable the insurer, under certain circumstances, to apply malus or claw back arrangements in the case of subdued or negative financial performance of the insurer which is attributed to the excessive risk taking of the staff concerned and when risks of such performance have manifested after the award of variable remuneration; and
• Guaranteed variable remuneration should generally not be offered, as they are not consistent with sound risk management and performance-based rewards.

The variable component should be subject to prudent limits set under the  remuneration policy that are consistent with the insurer’s capital
management strategy and its ability to maintain a sound capital base taking account of the internal capital targets or regulatory capital
requirements of the insurer.

• be clearly defined and be objectively measurable;
• be based not only on financial but also on non-financial criteria as appropriate (such as compliance with regulation andinternal rules, achievement of risk management goals, adequate and timely follow up of internal audit recommendations as well as compliance with market conduct standards and fair treatment of customers;
• take account of not only the individual’s performance, but also the performance of the business unit concerned where relevant and the overall results of the insurer and the group; and
• not treat growth or volume as a criterion in isolation from other performance criteria.

• shares do not vest for a minimum specified period after their award (“vesting restrictions”);
• share options or other similar rights are not exercisable for a minimum specified period after their award (“holding restrictions”); and
• individuals are required to retain an appropriate proportion of the shares awarded until the end of their employment or other specified period beyond their employment (“retention restrictions”).

Subject to any applicable legal restrictions, it is appropriate that future vesting and holding restrictions for share-based remuneration remain operative even upon cessation of employment (ie there should be no undue acceleration of the vesting of share-based payments or curtailing of any holding restrictions).

Where an insurer provides discretionary pay-outs on termination of employment (“severance payments”, sometimes also referred to as “golden parachutes”), such payment should be subject to appropriate governance controls and limits. In any case, such pay-outs should be aligned with the insurer’s overall financial condition and performance over an appropriate time horizon. Severance payments should be related to performance over time; should not reward failure and should not be payable in the case of failure or threatened failure of the insurer, particularly to an individual whose actions have contributed to the failure or potential failure of the insurer.

•  overseeing the financial statements, financial reporting and disclosure processes;
•  monitoring whether accounting policies and practices of the insurer are operating as intended;
•  overseeing the internal audit process (reviews by internal audit of the insurer’s financial reporting controls) and reviewing the internal auditor’s plans and material findings; and
• reporting to the supervisor on significant issues concerning the financial reporting process, including actions taken to address or mitigate identified financial reporting risks.

The Board should ensure that significant findings and observations regarding weaknesses in the financial reporting process are promptly rectified. This should be supported by a formal process for reviewing and monitoring the implementation of recommendations by the external auditor.

• applies robust processes for approving, or recommending for approval, the appointment, reappointment, removal and remuneration of the external auditor;
• applies robust processes for monitoring and assessing the independence of the external auditor and to ensure that the appointed external auditor has the necessary knowledge, skills, expertise, integrity and resources to conduct the audit and meet any additional regulatory requirements;
• monitors and assesses the effectiveness of the external audit process throughout the audit cycle;
• investigates circumstances relating to the resignation or removal of an external auditor, and ensuring prompt actions are taken to mitigate any identified risks to the integrity of the financial reporting process, and
• reports to the supervisor on circumstances relating to the resignation or removal of the external auditor.

•  the terms of engagement of the external auditor are clear and appropriate to the scope of the audit and resources required to conduct the audit and specify the level of audit fees to be paid;
• the auditor undertakes a specific responsibility under the terms of engagement to perform the audit in accordance with relevant local and international audit standards;
• the external auditor complies with internationally accepted ethical and professional standards and, where applicable, the more stringent requirements applicable to audits of listed entities and public interest entities;
• there are adequate policies and a process to ensure the independence of the external auditor, including:
  • restrictions and conditions for the provision of non-audit services which are subject to approval by the Board;
  • periodic rotation of members of the audit team and/or audit firm as appropriate; and
  • safeguards to eliminate or reduce to an acceptable level identified threats to the independence of the external auditor.
• there is adequate dialogue with the external auditor on the scope and timing of the audit to understand the issues of risk, information on the insurer’s operating environment which is relevant to the audit, and any areas in which the Board may request for specific procedures to be carried out by the external auditor, whether as a part or an extension of the audit engagement; and
•  there is unrestricted access by the external auditor to information and persons within the insurer as necessary to conduct the audit.

• identify and assess the risks of material misstatement in the insurer’s financial statements, taking into consideration the complexities of insurance activities and the need for insurers to have a strong control environment;
• respond appropriately to the risks of material misstatement in the insurer’s financial statements; and
• develop appropriate relationships with the internal audit function and the actuarial function.

The Board should take appropriate actions where doubts arise as to the reliability of the external audit process.

• regular meetings between the Board and the external auditor during the audit cycle, including meetings without management present; and
• prompt communication of any information regarding internal control weaknesses or deficiencies of which the external auditor becomes aware.

The supervisor and the external auditor should have an effective relationship that includes appropriate communication channels for the exchange of information relevant to carrying out their respective statutory responsibilities.

Reports prepared by the external auditor for the insurer (eg management letters) should be made available to the supervisor by the insurer or the external auditor.

The supervisor should require the external auditor to report matters that are likely to be of material significance. This would include material fraud, suspicion of material fraud and regulatory breaches or other significant audit findings identified in the course of the audit. Such information should be provided to the supervisor without the need for prior consent of the insurer and the external auditor should be duly protected from liability for any information disclosed to the supervisor in good faith.

The supervisor should require a further audit by a different external auditor where necessary.

Communications with the supervisor should promote effective engagement of the supervisor on the governance of the insurer to enable informed judgments about the effectiveness of the Board and Senior Management in governing the insurer.

• the insurer’s overall strategic objectives, covering existing or prospective lines of business and how they are being or will be achieved;
• the insurer’s governance structures, such as allocation of oversight and management responsibilities between the Board and the Senior Management, and organisational structures, including reporting lines;
• members of the Board and any Board committees, including their respective expertise, qualifications, track-record, other positions held by such members, and whether such members are regarded as independent;
• processes in place for the Board to evaluate its own performance and any measures taken to improve the Board’s performance;
•  the general design, implementation and operation of the remuneration policy;
• major ownership and group structures, and any significant affiliations and alliances; and
• material related-party transactions.

In addition to information publicly available, the supervisor may require more detailed and additional information relating to the insurer’s corporate governance framework for supervisory purposes, which may include commercially sensitive information, such as assessments by the Board of the effectiveness of the insurer’s governance system, internal audit reports and more detailed information on the remuneration structures adopted by the insurer for the Board, Senior Management, Key Persons in Control Functions and major risk-taking staff. The insurer’s communication policies and strategies should enable such information to be provided to the supervisor in a timely and efficient manner. Supervisors should safeguard such information having due regard to the confidentiality of commercially sensitive information and applicable laws.

• the operation of risk adjustments, including examples of how the policy results in adjustments to remuneration for employees at different levels;
• how remuneration is related to performance (both financial and personal business conduct) over time; and
• valuation principles in respect of remuneration instruments.

• the total cost of remuneration awarded in the period, analysed according to the main components such as basic salary, variable remuneration and long-term awards;
• the total amount set aside in respect of deferred variable remuneration;
• adjustment to net income for the period in respect of variable remuneration awarded in previous periods;
• the total costs of all sign-on payments in the period and number of individuals to whom these relate; and
• the total costs of all severance payments in the period and number of individuals to whom these relate.

These amounts should be analysed by type of instrument (eg cash, shares, share options etc.) as applicable, and in a manner consistent with the key elements of the remuneration policy.

Disclosure of information on governance should be made on a regular (for instance, at least annually) and timely basis.

Senior Management should implement appropriate systems and controls, in accordance with the established risk appetite and corporate values and consistent with internal policies and processes.

• processes for engaging persons with appropriate competencies and integrity to discharge the functions under Senior Management, which include succession planning, ongoing training and procedures for termination;
• clear lines of accountability and channels of communication between persons in Senior Management and Key Persons in Control Functions;
• proper procedures for the delegation of Senior Management functions and monitoring whether delegated functions are carried out effectively and properly, in accordance with the same principles that apply to delegations by the Board (see Guidance 7.3.13 and 7.3.14);
• standards of conduct and codes of ethics for the Senior Management and other staff to promote a sound corporate culture, and the effective implementation on an ongoing basis of standards and codes (see ICP 8 Risk management and internal controls for conflicts of interest provisions);
• proper channels of communications, including clear lines of reporting, as between the individuals performing the functions of the Senior Management and the Board, including provisions dealing with whistleblower protection, and their effective implementation; and
• effective communication strategies with supervisors and stakeholders that include the identification of matters that should be disclosed, and to whom such disclosure should be made.

Adequate procedures should be in place for assessing the effectiveness of Senior Management’s performance against the performance objectives set by the Board. For this purpose, annual assessments of their performance against set goals should be carried out at least annually, preferably by an independent party, a control function, or the Board itself. Any identified inadequacies or gaps should be addressed promptly and reported to the Board.

Senior Management should also promote strong risk management and internal controls through personal conduct and transparent policies. Senior Management should communicate throughout the insurer the responsibility of all employees in this respect. It should not interfere with the activities that control functions carry out in the rightful exercise of their responsibilities, including that of providing an independent view of governance, risk, compliance and control related matters.

The supervisor plays an important role by requiring the Board and Senior Management of the insurer to demonstrate that they are meeting the applicable corporate governance requirements, consistent with these standards, on an ongoing basis. The onus for demonstrating, to the satisfaction of the supervisor, that the corporate governance framework is effective and operates as intended rests with the insurer.

The Supervisor should assess through its supervisory review and reporting processes whether the insurer’s overall corporate governance framework is effectively implemented and remains adequate (see ICP 9 Supervisory review and reporting).

To help facilitate the supervisory review and reporting processes, the supervisor should establish effective channels of communication with the insurer, and have access to relevant information concerning the governance of the insurer. This may be obtained through periodic reports to the supervisor and any information obtained on an ad hoc basis (see also Standard 7.7). Communication may also be facilitated by the supervisor having regular interaction with the Board, Senior Management and Key Persons in Control Functions.

The supervisor should assess the governance effectiveness of the Board and Senior Management and determine the extent to which their actions and behaviours contribute to good governance. This includes the extent to which the Board and Senior Management contribute to setting and following the “tone at the top”; how the corporate culture of the insurer is communicated and put into practice; how information flows to and from the Board and Senior Management; and how potential material problems are identified and addressed throughout the insurer.  

• ongoing mandatory training that is commensurate with their respective duties, roles and responsibilities of the Board and Senior Management within the insurer;
• a review of the periodic self-evaluation undertaken by the Board as referred to in Guidance 7.3.3 and 7.11.1;
• meetings and/or interviews with the Board and Senior Management, both collectively and individually as appropriate, particularly to reinforce expectations relating to their performance and to get a sense of how informed and proactive they are; and
• attending and observing Board proceedings.

Where remuneration policies of an insurer contain more high risk elements, closer supervisory scrutiny of those policy and practices may also be warranted, including requests for additional information as appropriate to assess whether those practices are having an adverse impact on the ongoing viability of the insurer or commissioning an independent assessment of the insurer’s remuneration policy and practices.

As part of the overall corporate governance framework and in furtherance of the safe and sound operation of the insurer and the protection of policyholders, the Board is ultimately responsible for ensuring that the insurer has in place effective systems of risk management and internal controls and functions to address the key risks it faces and for the key legal and regulatory obligations that apply to it. Senior Management effectively implements these systems and provides the necessary resources and support for these functions.

In some jurisdictions, risk management is considered a subset of internal controls, while other jurisdictions would see it the other way around. The two systems are in fact closely related. Where the boundary lies between risk management and internal controls is less important than achieving, in practice, the objectives of each.

The systems and functions should be adequate for the insurer’s objectives, strategy, risk profile, and the applicable legal and regulatory requirements. They should be adapted as the insurer’s business and internal and external circumstances change.

• strategies setting out the approach of the insurer for dealing with specific areas of risk and legal and regulatory obligation;
• policies defining the procedures and other requirements that members of the Board and employees need to follow;
• processes for the implementation of the insurer’s strategies and policies; and
• controls to ensure that such strategies, policies and processes are in fact in place, are being observed and are attaining their intended objectives.

An insurer’s functions (whether in the form of a person, unit or department) should be properly authorised to carry out specific activities relating to matters such as risk management, compliance, actuarial matters and internal audit. These are generally referred to as control functions.

Group-wide risks may affect insurance legal entities within a group, while risks at the insurance legal entity level could also affect the group as a whole. To help address this, groups should have strong risk management and compliance culture across the group and at the insurance legal entity level. Thus, in addition to meeting group governance requirements, the group should take into account the obligations of its insurance legal entities to comply with local laws and regulations.

How a group's systems of risk management and internal controls are organised and operate will depend on the governance approach the group takes, ie, a more centralised or a more decentralised approach (see Issues Paper on Approaches to Group Corporate Governance; impact on control functions). Regardless of the governance approach, it is important that effective systems of risk management and internal controls exist and that risks are properly monitored and managed at the insurance legal entity level and on a group-wide basis.

Additionally, a group’s governance approach will also affect the way in which its control functions are organised and operated. Coordination between the insurance legal entity and group control functions is important to help ensure overall effective systems of risk management and internal controls. Regardless of how the group control functions are organised and operated, the result should provide an overall view of the group-wide risks and how they should be managed.

Supervisors should require the establishment of comprehensive and consistent group governance and assess its effectiveness. While the group-wide supervisor is responsible for assessing the effectiveness of the group’s systems of risk management and internal controls, the other involved supervisors undertake such assessments on a legal entity basis. Appropriate supervisory cooperation and coordination is necessary to have a group-wide view and to enhance the assessment of the legal entities.

The risk management system is designed and operated at all levels of the insurer to allow for the identification, assessment, monitoring, mitigation and reporting of all risks of the insurer in a timely manner. It takes into account the probability, potential impact and time horizon of risks.

• take into account the insurer’s overall business strategy and business activities (including any business activities which have been outsourced);
• provide that the insurer’s risk appetite, expressed in a risk appetite statement, be aligned with the insurer’s business strategy and embedded in its day-to-day activities;
• provide relevant objectives, key principles and proper allocation of responsibilities for dealing with risk across the business areas and business units of the insurer;
• provide explanations of the methodologies, key assumptions and limitations of risk management; for groups this would include the rationale as to the risk appetite for different individual insurance legal entities within the group;
• provide a documented process defining the Board approval required for any deviations from the risk management strategy or the risk appetite and for settling any major interpretation issues that may arise;
• define and categorise material risks (by type) to which the insurer is exposed, at both insurance legal entity and group level where applicable, and the levels of acceptable risk limits for each type of these risk;
• include documented policies that describe how categories of risks are managed and the specific obligations of employees and the insurer in dealing with risk, including risk escalation and risk mitigation tools;
• provide suitable processes and tools (including stress testing and, where appropriate, models) for identifying, assessing, monitoring and reporting on risks. Such processes should also cover contingency planning;
• provide for regular reviews of the risk management system (and its components) to help ensure that necessary modifications and improvements are identified and made in a timely manner; and
• appropriately address other matters related to risk management for solvency purposes set out in ICP 16 Enterprise risk management for solvency purposes.

The risk management system should cover at least the following risks: underwriting and reserving, asset-liability management, investments, liquidity, concentration, operational and conduct, as well as reinsurance and other risk mitigation techniques.

The risk management system should be aligned with the insurer’s risk culture and embedded into the various business areas and units with the aim of having the appropriate risk management practices and procedures embedded in the key operations and structures.

The risk management system should take into account all reasonably foreseeable and relevant material risks to which the insurer is exposed, both at the insurer and the individual business unit levels. This includes current and emerging risks.

Insurers should assess material risks both qualitatively and, where appropriate, quantitatively. Appropriate consideration should be given to a sufficiently wide range of outcomes, as well as to the appropriate tools and techniques to be used. The interdependencies of risks should also be analysed and taken into account in the assessments.

The insurer’s risk assessment should be documented including detailed descriptions and explanations of the risks covered, the approaches used, and the key judgements and assumptions made.

Insurers should have in place adequate processes, controls and systems to assess the risks of new products and carry out a risk assessment before entering into new business lines and products. Significant new or changed activities and products that may increase an existing risk or create a new type of exposure should be approved by Senior Management and/or by the Board.

The risk management system should include processes and tools for monitoring risk, such as early warnings or triggers that allow timely consideration of, and adequate response to, material risks.

The risk management system should include strategies and tools to mitigate against material risks. In most cases an insurer will control or reduce the risk to an acceptable level. Another response to risk is to transfer the risk to a third party. If risks are not acceptable within the risk appetite and it is not possible to control, limit or transfer the risk, the insurer should cease or change the activity which creates the risk.

Risks, the overall assessment of risks and the related action plans should be reported to the Board and/or to Senior Management, as appropriate, using qualitative and quantitative indicators and effective action plans. The insurer’s documented risk escalation process should allow for reporting on risk issues within established reporting cycles and outside of them for matters of particular urgency.

The Board should have appropriate ways to carry out its responsibilities for risk oversight. The risk management policy should therefore cover the content, form and frequency of reporting that it expects on risk from Senior Management and each of the control functions. Any proposed activity that would go beyond the Board-approved risk appetite should be subject to appropriate review and require Board approval.

The insurer’s risk management policy should be written in a way to help employees understand their responsibilities regarding risk management. It should also reflect how the risk management system relates to the insurer’s overall corporate governance framework and its corporate culture. Regular internal communications and training within the insurer on the risk management policy and risk appetite may help in this regard.

For insurance groups, a risk management policy addresses the way in which the group manages risks that are material at the insurance group level, including risks that arise from the insurance group being part of a wider group. For an insurance legal entity that is part of a group, the risk management policy of that entity should address management of risks material at the entity level as well as additional risk it faces as a result of its membership in a group, which can encompass the widest group of which the insurance legal entity is a member and not only the entity’s insurance group. Within an insurance group, the head of the group and the legal entities should ensure appropriate coordination and consistency between the head of the group and the legal entities when setting the risk management policy.

Both the Board and Senior Management should be attentive to the need to modify the risk management system in light of changes in the insurer’s risk profile as well as other new internal or external events and/or circumstances. The risk management system should include mechanisms to incorporate new risks and new information related to risk already identified on a regular basis. The risk management system should also be responsive to the changing interests and reasonable expectations of policyholders and other stakeholders.

Material changes to an insurer’s risk management system should be documented and subject to approval by the Board. The reasons for the changes should be documented. Appropriate documentation should be available to internal audit, external audit and the supervisor for their respective assessments of the risk management system.

As part of its responsiveness to changes in the insurer’s risk profile, the risk management system should incorporate a feedback loop based on appropriate information, management processes and objective assessment. A feedback loop provides a process of assessing the effect of changes in risk leading to changes in risk management policy, risk limits and risk mitigating actions. This may help ensure that decisions made by the Board and Senior Management are implemented and their effects monitored and reported in a timely and sufficiently frequent manner.

Within an insurance group, there should be sufficient coordination and exchange of information between the head of the insurance group and its insurance legal entities as part of their respective feedback loops to ensure relevant changes in risk profiles can be taken into account.

The internal controls system should ensure effective and efficient operations, adequate control of risks, prudent conduct of business, reliability of financial and non-financial information reported (both internally and externally), and compliance with laws, regulations, supervisory requirements and the insurer's internal rules and decisions. It should be designed and operated to assist the Board and Senior Management in the fulfilment of their respective responsibilities for oversight and management of the insurer. Some insurers have a designated person or function to support the advancement, coordination and/or management of the overall internal controls system on a more regular basis.

The internal controls system should cover all units and activities of the insurer and should be an integral part of the daily activities of an insurer. The controls should form a coherent system, which should be regularly assessed and improved as necessary. Each individual control[1] of an insurer, as well as all its controls cumulatively, should be designed for effectiveness and operate effectively. Individual controls may be preventive (applied to prevent undesirable outcomes) or detective (to uncover undesirable activity). Individual controls may be manual (human), automated, or a combination and may be either general or process or application specific.

An effective internal control system requires an appropriate control structure with control activities defined at every business unit level. Depending on the organisational structure of the insurer:

• first, business or other units should own, manage and report on risks and should be primarily accountable for establishing and maintaining effective internal control policies and processes;
• second, control functions should determine and assess the appropriateness of the controls used by the business or other units; and
• third, the internal audit function should provide independent assurance on the quality and effectiveness of the internal controls system.

This is typically referred to as the three lines of defence or three lines model. Whatever structure is used, it is important that responsibilities for the control system are clearly allocated to promote checks and balances and avoid conflicts of interest.

• appropriate segregation of duties and controls to ensure such segregation is observed. This includes, amongst others, having sufficient distance between those accountable for a process or policy and those who check if for such a process or policy an appropriate control exists and is being applied. It also includes appropriate distance between those who design a control or operate a control and those who check if such a control is effective in design and operation;
• up-to-date policies regarding who can sign for or commit the insurer, and for what amounts, with corresponding controls, such as practice that key decisions should be taken at least by two persons and the practice of double or multiple signatures. Such policies and controls should be designed, among other things, to prevent any major transaction being entered into without appropriate governance review or by anyone lacking the necessary authority and to ensure that borrowing, trading, risk and other such limits are strictly observed. Such policies should foresee a role for control functions, for example by requiring for major matters the review and sign-off by Risk Management or Compliance, and/or approval by a Board level committee;

• appropriate controls for all key business processes and policies, including for major business decisions and transactions (including intra-group transactions), critical IT functionalities, access to critical IT infrastructure by employees and related third parties, and important legal and regulatory obligations;
• policies on training in respect of controls, particularly for employees in positions of high trust or responsibility or involved in high risk activities;
• a centralised documented inventory of insurer-wide key processes and policies and of the controls in place in respect of such processes and policies, that also may introduce a hierarchy among the policies;

• appropriate controls to provide reasonable assurance over the accuracy and completeness of the insurer’s books, records, and accounts and over financial consolidation and reporting, including the reporting made to the insurer’s supervisors;
• adequate and comprehensive internal financial, operational and compliance data, as well as external market information about events and conditions that are relevant to decision making. Information should be reliable, timely, accessible, and provided in a consistent format;
• information processes that cover all significant activities of the insurer, including contingency arrangements;
• effective channels of communication to ensure that all staff fully understand and adhere to the internal controls and their duties and responsibilities and that other relevant information is reaching the appropriate personnel;
• policies regarding escalation procedures;

• processes for regularly checking that the totality of all controls forms a coherent system and that this system works as intended; fits properly within the overall corporate governance framework of the insurer; and provides an element of risk control to complement the risk identification, risk assessment, and risk management activities of the insurer. As part of such review, individual controls are monitored and analysed periodically to determine gaps and improvement opportunities with Senior Management taking such measures as are necessary to address these; and
• periodic testing and assessments (carried out by objective parties such as an internal or external auditor) to determine the adequacy, completeness and effectiveness of the internal controls system and its utility to the Board and Senior Management for controlling the operations of the insurer.

The Board should have an overall understanding of the control environment across the various entities and businesses, and require Senior Management to ensure that for each key business process and policy, and related risks and obligations, there is an appropriate control.

In addition, the Board should ensure there is clear allocation of responsibilities within the insurer, with appropriate segregation, including in respect of the design, documentation, operation, monitoring and testing of internal controls. Responsibilities should be properly documented, such as in charters, authority tables, governance manuals or other similar governance documents.

The Board should determine which function or functions report to it or to any Board Committees in respect of the internal controls system.

• the strategy in respect of internal controls (such as responsibilities, target levels of compliance to achieve, validations and implementation of remediation plans);
• the stage of development of the internal controls system, including its scope, testing activity, and the performance against annual or periodic internal controls system goals being pursued;
• an assessment of how the various business units are performing against internal control standards and goals;
• control deficiencies, weaknesses and failures that have arisen or that have been identified (including any identified by the internal or external auditors or the supervisor) and the responses thereto (in each case to the extent not already covered in other reporting made to the Board); and
• controls at the appropriate levels so as to be effective, including at the process or transactional level.

As part of the effective systems of risk management and internal controls, insurers have control functions, including for risk management, compliance, actuarial matters and internal audit. Control functions add to the governance checks and balances of the insurer and provide the necessary assurance to the Board in the fulfilment of its oversight duties.

The existence of control functions does not relieve the Board or Senior Management of their respective governance and related responsibilities.

The control functions should be subject to periodic review either by the internal audit function (for control functions other than internal audit) or an objective external reviewer.

The appointment, performance assessment, remuneration, discipline and dismissal of the head of control functions should be done with the approval of, or after consultation with, the Board or the relevant Board committee. For the head of the internal audit function, the appointment, performance assessment, remuneration, discipline and dismissal should be done by the Board, its Chair or the Audit Committee.

The insurer should notify the supervisor of the reasons for dismissals of heads of control functions.

The Board should approve the authority and responsibilities of each control function to allow each control function to have the authority and independence necessary to be effective.

The authority and responsibilities of each control function should be set out in writing and made part of, or referred to in, the governance documentation of the insurer. The head of each control function should periodically review such document and submit suggestions for any changes to Senior Management and the Board for approval, where appropriate.

A control function should be led by a person of appropriate level of authority. The head of the control function should not have operational business line responsibilities.

Insurers should organise each control function and its associated reporting lines into the insurer’s organisational structure in a manner that enables such function to operate and carry out their roles effectively. This includes direct access to the Board or the relevant Board committee.

• serve as a component of the insurer’s checks and balances;
• provide an objective perspective on strategies, issues, and potential violations related to their areas of responsibility; and
• implement or oversee the implementation of corrective measures where necessary.

Each control function should avoid conflicts of interest. Where any conflicts remain and cannot be resolved with Senior Management, these should be brought to the attention of the Board for resolution.

Each control function should have the authority to communicate on its own initiative with any employee and to have unrestricted access to information in any business unit that it needs to carry out its responsibilities. The control functions should have the right to conduct investigations of possible breaches and to request assistance from specialists within the insurer, eg legal and internal audit, or engage external specialists to perform the task. The control functions should be free to report to Senior Management or the Board on any irregularities or possible breaches disclosed by its investigations, without fear of retaliation or disfavour from management.

Each control function should have the resources necessary to fulfil its responsibilities and achieve the specific goals in its areas of responsibility. This includes qualified staff and appropriate IT/management information processes. The function should be organised in an appropriate manner to achieve its goals.

The head of each control function should review regularly the adequacy of the function's resources and request adjustments from Senior Management as necessary. Where the head of a control function has a major difference of opinion with Senior Management on the resources needed, the head of the control function should bring the issue to the Board or relevant Board Committee for resolution.

Persons who perform control functions should be suitable for their role and meet any applicable professional qualifications and standards. Higher expectations apply to the head of each control function. Persons who perform control functions should receive regular training relevant to their role to remain up to date on the developments and techniques related to their areas of responsibility.

• information as to the function’s strategy and longer term goals and the progress in achieving these;
• annual or other periodic operational plans describing shorter term goals and the progress in achieving these; and
• resources (such as personnel, budget, etc.), including an analysis on the adequacy of these resources.

In addition to periodic reporting, the head of each control function should have the opportunity to communicate directly and to meet periodically (without the presence of management) with the Chair of any relevant Board committee (eg Audit or Risk Committee) and/or with the Chair of the full Board. The Board should periodically assess the performance of each control function. This may be done by the full Board, by the Chair of the Board, by the relevant Board committee or by the Chair of the relevant Board committee.

A robust risk management function that is well positioned, resourced and properly authorised and staffed is an essential element of an effective risk management system. Within some insurers, and particularly at larger or more complex ones, the risk management function is typically led by a Chief Risk Officer.

• an assessment of risk positions and risk exposures and steps being taken to manage them;
• an assessment of changes in the insurer’s risk profile relative to risk appetite;
• where appropriate, an assessment of pre-defined risk limits;
•  where appropriate, risk management issues resulting from strategic affairs such as corporate strategy, mergers and acquisitions and major projects and investments;
• an assessment of risk events and the identification of appropriate remedial actions.

The head of the risk management function should have the authority and obligation to inform the Board promptly of any circumstance that may have a material effect on the risk management system of the insurer.

• assist the Board and Senior Management in carrying out their respective responsibilities, including by providing specialist analyses and performing risk reviews;
• identify the individual and aggregated risks (actual, emerging and potential) the insurer faces;
• assess, aggregate, monitor and help manage and otherwise address identified risks effectively; this includes assessing the insurer’s capacity to absorb risk with due regard to the nature, probability, duration, correlation and potential severity of risks;
• gain and maintain an aggregated view of the risk profile of the insurer both at a legal entity and/or group-wide level;
• establish a forward-looking assessment of the risk profile;
• evaluate the internal and external risk environment on an ongoing basis in order to identify and assess potential risks as early as possible. This may include looking at risks from different perspectives, such as by territory or by line of business;
• consider risks arising from remuneration arrangements and incentive structures;
• conduct regular stress testing and scenario analyses as defined in ICP 16 (Enterprise risk management for solvency purposes);
• regularly provide written reports to Senior Management, Key Persons in Control Functions and the Board on the insurer’s risk profile and details on the risk exposures facing the insurer and related mitigation actions as appropriate;
• document and report material changes affecting the insurer’s risk management system to the Board to help ensure that the system is maintained and improved; and
• conduct regular self-assessments and implement or monitor the implementation of any needed improvements.

The compliance function has a broader role than merely monitoring compliance with laws, regulations and supervisory requirements; monitoring compliance with internal policies and promoting and sustaining a compliance culture within the insurer are equally important aspects of this control function.

Compliance starts at the top. The Board is ultimately responsible for establishing standards for honesty and integrity throughout the insurer and for creating an effective corporate culture that emphasises them. This should include a code of conduct or other appropriate mechanism as evidence of the insurer’s commitment to comply with all applicable laws, regulations, supervisory requirements and internal policies, and conduct its business ethically and responsibly.

As part of this commitment, the insurer has in place a robust and well positioned, resourced and properly authorised and staffed compliance function. Within some insurers, particularly larger or more complex ones, such a function is typically led by a Chief Compliance Officer.

• an assessment of the key compliance risks the insurer faces and the steps being taken to address them;
• an assessment of how the various parts of the insurer (eg divisions, major business units, product areas) are performing against compliance standards and goals;
• any compliance issues involving management or persons in positions of major responsibility within the insurer, and the status of any associated investigations or other actions being taken;
• material compliance violations or concerns involving any other person or unit of the insurer and the status of any associated investigations or other actions being taken; and
• material fines or other disciplinary actions taken by any regulator or supervisor in respect of the insurer or any employee.

The head of the compliance function should have the authority and obligation to inform promptly the Chair of the Board directly in the event of any major non-compliance by a member of management or a material non-compliance by the insurer with an external obligation if in either case he or she believes that Senior Management or other persons in authority at the insurer are not taking the necessary corrective actions and a delay would be detrimental to the insurer or its policyholders.

• promote and sustain an ethical corporate culture that values responsible conduct and compliance with internal and external obligations; this includes communicating and holding training on an appropriate code of conduct or similar that incorporates the corporate values of the insurer, aims to promote a high level of professional conduct and sets out the key conduct expectations of employees;
• identify, assess, report on and address key legal and regulatory obligations, including obligations to the insurer’s supervisor, and the risks associated therewith; such analyses should use risk and other appropriate methodologies;
• ensure the insurer monitors and has appropriate policies, processes and controls in respect of key areas of legal, regulatory and ethical obligation;
• hold regular training on key legal and regulatory obligations particularly for employees in positions of high responsibility or who are involved in high risk activities;
• facilitate the confidential reporting by employees of concerns, shortcomings or potential or actual violations in respect of insurer internal policies, legal or regulatory obligations, or ethical considerations; this includes ensuring there are appropriate means for such reporting;
• address compliance shortcomings and violations, including ensuring that adequate disciplinary actions are taken and any necessary reporting to the supervisor or other authorities is made; and
• conduct regular self-assessments of the compliance function and the compliance processes and implement or monitor needed improvements. 

A robust actuarial function that is well positioned, resourced and properly authorised and staffed is essential for the proper operation of the insurer. It plays a key role as part of the insurer’s overall systems of risk management and internal controls.

• any circumstance that may have a material effect on the insurer from an actuarial perspective;
• the adequacy of the technical provisions and other liabilities;
• distribution of profits to participating policyholders;
• stress testing and capital adequacy assessment with regard to the prospective solvency position of the insurer; and
• any other matters as determined by the Board.

Written reports on actuarial evaluations should be made to the Board, Senior Management, or other Key Persons in Control Functions or the supervisor as necessary or appropriate or as required by legislation.

• the insurer’s insurance liabilities, including policy provisions and aggregate claim liabilities, as well as determination of reserves for financial risks;
• asset liability management with regard to the adequacy and the sufficiency of assets and future revenues to cover the insurer’s obligations to policyholders and capital requirements, as well as other obligations or activities;
• the insurer’s investment policies and the valuation of assets;
• an insurer’s solvency position, including a calculation of minimum capital required for regulatory purposes and liability and loss provisions;
• an insurer’s prospective solvency position by conducting capital adequacy assessments and stress tests under various scenarios, and measuring their relative impact on assets, liabilities, and actual and future capital levels;
• risk assessment and management policies and controls relevant to actuarial matters or the financial condition of the insurer;
• the fair treatment of policyholders with regard to distribution of profits awarded to participating policyholders;
• the adequacy and soundness of underwriting policies;
• the development, pricing and assessment of the adequacy of reinsurance arrangements;
• product development and design, including the terms and conditions of insurance contracts and pricing, along with estimation of the capital required to underwrite the product;
• the sufficiency, accuracy and quality of data, the methods and the assumptions used in the calculation of technical provisions;
• the research, development, validation and use of internal models for internal actuarial or financial projections, or for solvency purposes as in the ORSA; and
• any other actuarial or financial matters determined by the Board.

Where required, the actuarial function may also provide to the supervisor certifications on the adequacy, reasonableness and/or fairness of premiums (or the methodology to determine the same) and certifications or statements of actuarial opinion.

The supervisor should clearly define when such certifications or statements of actuarial opinion need to be submitted to the supervisor. When these are required to be submitted, the supervisor should also clearly define both the qualifications of those permitted to certify or sign such statements and the minimum contents of such an opinion or certification.

Some jurisdictions may require an “appointed actuary”, “statutory actuary”, or “responsible actuary” (referred to here as an “Appointed Actuary”) to perform certain functions, such as determining or providing advice on an insurer’s compliance with regulatory requirements for certifications or statements of actuarial opinion. The tasks and responsibilities of the Appointed Actuary should be clearly defined and should not limit or restrict the tasks and responsibilities of other individuals performing actuarial functions.

The insurer should be required to report the Appointed Actuary’s appointment to the supervisor.

The Appointed Actuary should not hold positions within or outside of the insurer that may create conflicts of interest or compromise his or her independence. If the Appointed Actuary is not an employee of the insurer, the Board should determine whether the external actuary has any potential conflicts of interest, such as if his or her firm also provides auditing or other services to the insurer. If any such conflicts exist, the Board should subject them to appropriate controls or choose another Appointed Actuary.

If an Appointed Actuary is replaced, the insurer should notify the supervisor and give the reasons for the replacement. In some jurisdictions, such a notification includes statements from both the insurer and the former Appointed Actuary as to whether there were any disagreements with the former Appointed Actuary over the content of the actuary’s opinion on matters of risk management, required disclosures, scopes, procedures, or data quality, and whether or not any such disagreements were resolved to the former Appointed Actuary’s satisfaction.

In some jurisdictions, the Appointed Actuary also has the obligation to notify the supervisor if he or she resigns for reasons connected with his or her duties as an Appointed Actuary or with the conduct of the insurer’s business and give the reasons for resigning. The Appointed Actuary should also notify the supervisor and provide an explanation if his or her appointment is revoked by the insurer.

The supervisor should have the authority to require an insurer to replace an Appointed Actuary when such person fails to adequately perform required functions or duties, is subject to conflicts of interest or no longer meets the jurisdiction’s eligibility requirements.

One of the oversight roles of the Board is to ensure that the information provided by the internal audit function allows the Board to effectively validate the effectiveness of the internal control system.

• the overall means by which the insurer preserves its assets and those of policyholders, and seeks to prevent fraud, misappropriation or misapplication of such assets;
• the reliability, integrity and completeness of the accounting, financial and risk reporting information, as well as the capacity and adaptability of IT architecture to provide that information in a timely manner to the Board and Senior Management;
• the design and operational effectiveness of the insurer’s individual controls in respect of the above matters, as well as of the totality of such controls (the internal controls system);
• other matters as may be requested by the Board, Senior Management, the supervisor or the external auditor; and
• other matters which the internal audit function determines should be reviewed to fulfil its mission, in accordance with its charter, terms of reference or other documents setting out its authority and responsibilities.

To help ensure objectivity, the internal audit function is independent from management and other control functions and is not involved operationally in the business. The internal audit function’s ultimate responsibility is to the Board, not management. To help ensure independence and objectivity, the internal audit function should be free from conditions that threaten its ability to carry out its responsibilities in an unbiased manner. In carrying out its tasks, the internal audit function forms its judgments independently. If necessary, the internal audit function should consider the need to supplement its own assessment with third party expertise in order to make objective and independent decisions.

• access and review any records or information of the insurer which the internal audit function deems necessary to carry out an audit or other review;
• undertake on the internal audit function’s initiative a review of any area or any function consistent with its mission;
• require an appropriate management response to an internal audit report, including the development of a suitable remediation, mitigation or other follow-up plan as needed; and
• decline doing an audit or review, or taking on any other responsibilities requested by management, if the internal audit function believes this is inconsistent with its mission or with the strategy and audit plan approved by the Board. In any such case, the internal audit function should inform the Board or the Audit Committee and seek their guidance.

• the function’s annual or other periodic audit plan, detailing the proposed areas of audit focus, and any significant modifications to the audit plan;
• any factors that may be adversely affecting the internal audit function’s independence, objectivity or effectiveness;
• material findings from audits or reviews conducted; and
• the extent of management's compliance with agreed upon corrective or risk mitigating measures in response to identified control deficiencies, weaknesses or failures, compliance violations or other lapses.

In addition to periodic reporting, the head of internal audit should be authorised to communicate directly, and meet periodically, with the head of the Audit Committee or the Chair of the Board without management present.

• establishing, implementing and maintaining a risk-based audit plan to examine and evaluate alignment of the insurer's processes with their risk culture;
• monitoring and evaluating the adequacy and effectiveness of the insurer’s policies and processes and the documentation and controls in respect of these, on a legal entity and group-wide basis and on an individual subsidiary, business unit, business area, department or other organisational unit basis;
• reviewing levels of compliance by employees, organisational units and third parties with laws, regulations and supervisory requirements, established policies, processes and controls, including those involving reporting;
• evaluating the reliability, integrity and effectiveness of management information processes and the means used to identify, measure, classify and report such information;
• monitoring that identified risks are effectively addressed by the internal control system;
• evaluating the means of safeguarding insurer and policyholder assets and, as appropriate, verifying the existence of such assets and the required level of segregation in respect of insurer and policyholder assets;
• monitoring and evaluating the effectiveness of the insurer's control functions, particularly the risk management and compliance function; and
• coordinating with the external auditors and, to the extent requested by the Board and consistent with applicable law, evaluating the quality of performance of the external auditors.

• market, underwriting, credit, liquidity, operational, conduct of business, as well as reputational issues derived from exposure to those risks;
• accounting and financial policies and whether the associated records are complete and accurate;
• extent of compliance by the insurer with applicable laws, regulations and supervisory requirements from all relevant jurisdictions;
• intra-group transactions, including intra-group risk transfer and internal pricing;
• adherence by the insurer to the insurer’s remuneration policy;
• the reliability and timeliness of escalation and reporting processes, including whether there are confidential means for employees to report concerns or violations and whether these are properly communicated, offer the reporting employee protection from retaliation, and result in appropriate follow up; and
• the extent to which any non-compliance with internal policies or external legal or regulatory obligations is documented and appropriate corrective or disciplinary measures are taken including in respect of individual employees involved.

Subject to applicable laws on record retention, the internal audit function should keep records of all areas and issues reviewed so as to provide evidence of these activities over time.

Outsourcing should not materially increase risk to the insurer or materially adversely affect the insurer’s ability to manage its risks and meet its legal and regulatory obligations.

The Board and Senior Management remain responsible in respect of functions or activities that are outsourced.

The supervisor should require the Board to have review and approval processes for outsourcing of any material activity or function and to verify, before approving, that there was an appropriate assessment of the risks, as well as an assessment of the ability of the insurer’s risk management and internal controls to manage them effectively in respect of business continuity. The assessment should take into account to what extent the insurer’s risk profile and business continuity could be affected by the outsourcing arrangement.

The supervisor should require insurers which outsource any material activity or function to have in place an appropriate policy for this purpose, setting out the internal review and approvals required and providing guidance on the contractual and other risk issues to consider. This includes considering limits on the overall level of outsourced activities at the insurer and on the number of activities that can be outsourced to the same service provider. Because of the particularly important role that control activities and control functions play in an insurer’s corporate governance framework, the supervisor should consider issuing additional requirements for their outsourcing or dedicating more supervisory attention to any such outsourcing.

• how the insurer’s risk profile and business continuity will be affected by the outsourcing;
• the service provider’s governance, risk management and internal controls and its ability to comply with applicable laws and regulations;
• the service providers’ service capability and financial viability; and
• succession issues to ensure a smooth transition when ending or varying an outsourcing arrangement.

In choosing an outsourcing provider, the Board or Senior Management should be required to satisfy themselves as to the expertise, knowledge and skills of such provider.

Outsourcing arrangements should be subject to periodic reviews. Periodic reports should be made to management and the Board.

This ICP focuses on the general processes and procedures supervisors should have in place with respect to supervisory review and reporting. For the purpose of this ICP, off-site monitoring and on-site inspections are collectively referred to as “supervisory review”. Aspects of what supervisors may require or assess as part of supervisory review and reporting on specific areas (such as solvency, governance, conduct of business) are dealt with in other ICPs with respect to those ICPs’ specific areas of focus.

• developing and implementing a framework for supervisory review and reporting;
• developing and executing supervisory plans for insurers;
• analysis of reported and other relevant information;
• feedback and dialogue between the supervisor and insurers;
• intervention, including any preventive/corrective measures or sanctions, where necessary;
• follow-up (including updating the supervisory framework and/or adjusting the frequency and intensity of assessment under supervisory plans); and
• cooperation and coordination with other relevant supervisors and authorities where necessary.

While the framework should encompass all insurers within a jurisdiction, it should be sufficiently flexible with varying supervisory review and reporting requirements that allow for taking a risk-based approach. For example, the supervisory processes and activities which are appropriate for a complex, internationally active insurer may be different than those for a small, local insurer.

The supervisor should have documented procedures and/or guidelines for consistent and regular supervisory review and reporting at an appropriate level of depth.

The supervisor should be able to process data in a timely and effective way and have processes and procedures to collect and store reported data securely in an electronic format. The framework should have the necessary protections for confidential information in the possession of the supervisor and for the sharing of information (see ICP 2 Supervisor and ICP 3 Information sharing and confidentiality requirements).

The framework should enable the supervisor to coordinate on-site inspection and off-site monitoring activities. The supervisor should document the results of these activities in such a way that they are accessible and comprehensible to all involved staff.

The supervisor should establish both qualitative and quantitative methods for assessing insurers, in a consistent manner and on an ongoing basis. The supervisor should develop monitoring tools to identify potential risks within or affecting the insurer or its customers in a timely manner.

• current and prospective solvency, including assets and liabilities and off-balance sheet commitments;
• capital resources management;
• technical operations (eg actuarial methods, underwriting policy, reinsurance policy);
• treatment of customers and whether any activities being engaged in are not fair, lawful or proper;
• corporate culture, business objectives and strategies and business models;
• the systems of risk management and internal controls;
• organisational structure; and
• compliance with supervisory requirements.

The supervisor should assess the insurer’s enterprise risk management framework for the identification and quantification of risks, and evaluate whether business activities and/or internal practices/processes reflect the insurer’s risk assessment. The supervisor should compare the risk profile of the insurer with its risk-carrying capacity and seek to detect issues that may adversely affect its capacity to meet obligations towards policyholders. The framework should enable the supervisor to analyse trends and compare risk assessments including against any stress test outcomes.

The framework should include assessments of the risks to which insurers are exposed and the risks which insurers may pose to policyholders, the insurance sector and financial stability. These assessments should include risks which may lead to an insurer’s distress or disorderly failure or which may be transmitted through collective activities or exposures of a number of insurers and that may have a serious negative impact on financial stability (see ICP 24 Macroprudential supervision).

The framework should include sufficiently comprehensive and regular communication between the supervisor and insurers. This communication should involve senior level representatives as well as specialised areas within both the supervisor and insurers, and for insurance groups, may include contact with non-regulated and parent entities. Additionally, there should be appropriate communication channels between the supervisor and the external auditors for the exchange of information relevant to carrying out their respective statutory responsibilities.

The framework should promote pro-active and early intervention by the supervisor, in order to enable the insurer to take appropriate action to mitigate risks and/or minimise current or future problems.

The supervisor’s review of its framework should pay due attention to the evolving risks which may be posed by insurers and to risks to which insurers may be exposed.

As part of the framework review, the supervisor should confer regularly internally as well as externally with other relevant authorities and stakeholders so that all relevant information is being appropriately assessed and analysed, and to facilitate the identification of potential new risks or emerging market trends that the framework may need to address. While the framework should be updated accordingly, the supervisor should be mindful that such updates are not done so frequently or in a manner that causes unnecessary disruption to the supervisory process and/or excessive costs to the supervisor and insurers.

The framework should be suitably flexible so that it may adapt easily and in a timely manner to domestic and global developments in, for example, legislation, the insurance and broader financial markets, or international standards.

The framework of the group-wide supervisor should take into account all entities identified within the scope of the insurance group (see ICP 23 Group-wide supervision). While insurance groups may have different approaches to governance structures – either more centralised or more decentralised – the framework should include appropriate tools for supervisory review and reporting for all relevant entities (see Issues Paper on Approaches to Group Corporate Governance).

Although the group-wide supervisor may not have the power to conduct supervisory review and reporting of non-regulated entities, it should assess, at least, the potential adverse impact of such non-regulated entities on the group.

Similarly, where the group-wide supervisor does not have the power to conduct supervisory review and reporting of a group legal entity in another jurisdiction, it should communicate and coordinate with the other involved supervisor accordingly. For example, the group-wide supervisor could approach the other involved supervisor to propose a joint on-site inspection or recommend that the other involved supervisor undertake such an inspection, when deemed necessary.

A supervisory plan is a tool for supervisors to determine the frequency, scope and depth of supervisory review activities. It could be generic (eg addressing categories or groups of insurers) or specific (addressing individual insurers).

The supervisor should review outsourced material activities or functions through the insurer itself, but should also obtain information from, and conduct on-site inspections of, entities engaged in providing outsourced activities or functions for the insurer, where necessary.

The supervisory review process for outsourced material activities or functions may differ from the process used for non-outsourced activities or functions, provided that the supervisory outcomes are met.

Agreements between the insurer and entities providing the outsourced material activities or functions should be drawn up in such a way that the supervisor’s ability to conduct its review is not restricted.

Supervisory reporting requirements should apply to all insurers licensed in a jurisdiction, and form the general basis for off-site monitoring. Supervisory reporting requirements are a reflection of the supervisor’s needs and will thus vary by jurisdiction according to overall market structure and conditions and by insurer according to its nature, scale and complexity.

In setting supervisory reporting requirements, the supervisor may make a distinction for foreign insurers who are allowed to conduct insurance activities within the jurisdiction by way of a local branch or subsidiary or on a cross-border provision of services basis.

The supervisor should require insurers to report both quantitative and qualitative information, including at least:

• financial reports, which include at least a balance sheet and income statement as well as a statement of comprehensive income if appropriate;
• an external audit opinion on annual financial statements;
• off-balance sheet exposures;
• material outsourced functions and activities;
• a description of the insurer’s organisational structure, corporate governance framework and risk management and internal control systems; and
• information on complaints, claims, surrenders and lapses.

The supervisor should require insurers to utilise a consistent and clear set of instructions and definitions for any element in required reports that is not self-evident, in order to maximise comparability.

The supervisor may require that certain reports and information, such as solvency ratios or technical provisions, are subject to independent (internal or external) review, including audit and/or actuarial review.

While the supervisor sets out the relevant accounting and auditing standards to be used for supervisory reporting, the actual standards are generally established by a party other than the supervisor. To help accounting and auditing standards reflect the nature of insurance business, the supervisor could provide guidance and practices to be used for areas such as fair value estimations and technical provisions.

The external audit of the annual financial statements should be conducted in accordance with auditing standards that are generally accepted internationally.

The supervisor should consider using the work of external auditors in order to support the supervisory review process. For example, the supervisor may utilize the external audits to identify: internal control weaknesses and possible audit material risks; issues resulting from regulatory and accounting changes; changes in insurance and financial risks; and issues encountered in applying the audit approach.

The supervisor should require the external auditor to report matters that are likely to be of material significance without delay. Such matters would include (indication of) material fraud and regulatory breaches or other significant findings identified in the course of the audit. Such information should be provided to the supervisor without the need for prior consent of the insurer and the external auditor should be duly protected from liability for any information disclosed to the supervisor in good faith.

Depending on the nature, scale and complexity of the insurer, more frequent reporting and/or additional information may be requested from specific insurers on a case-by-case basis.

The supervisor should require that information on changes that could materially impact the insurer’s risk profile, financial position, organisational structure, governance or treatment of its customers is provided by the insurer in a timely manner.

The supervisor periodically reviews its reporting requirements to ascertain that they still serve their intended objectives and to identify any gaps which need to be filled. Assessing the results of off-site monitoring and on-site inspections may help inform such a review.

The supervisor should require an insurance legal entity which is part of an insurance group to describe its group reporting structure, and to provide timely notification of any material changes to that structure and significant changes or incidents that could affect the soundness of the insurance group. The description of the reporting structure should include information on the relationships between entities within the insurance group, and on the nature and volume of material intra-group transactions. The supervisor may require information on the impact on the insurance legal entity of being part of an insurance group.

The supervisor may request and obtain relevant information about any entity within an insurance group, subject to applicable legal provisions and coordination with the supervisors of affected jurisdictions.

The group-wide supervisor should establish its supervisory reporting requirements on a group-wide basis in coordination with the other involved supervisors. Such coordination may help the group-wide supervisor understand what information is being reported and avoid any gaps as well as facilitate the submission of information on group entities in other jurisdictions.

In order to better understand the group and its risks, the group-wide supervisor should require the group to submit information on the group structure, business operation and financial position of material entities within the insurance group and relationship among entities within the insurance group, including participation in other group entities and material intra-group transactions.

The supervisor should be proactive and forward-looking in conducting effective off-site monitoring, and not rely only on historical data. The supervisor should analyse information obtained in a timely manner.

The results of off-site monitoring should influence the supervisory plan and help determine the content, nature, timing and frequency of on-site inspections. Off-site monitoring may also enable the early detection of problems so that prompt and appropriate supervisory responses can be taken before such problems become more serious.

Analysis by the supervisor may provide a deeper understanding of developing trends affecting an insurer and its customers. Analysis by business lines, customer grouping and/or distribution channels may provide insights into the insurer’s overall risk profile.

The supervisor should establish and follow documented procedures for the analysis and monitoring of the supervisory reporting that it receives. These may be conducted by individual supervisory staff using monitoring tools and/or specialised resources, as appropriate.

Examples of ways in which this Standard and its corresponding guidance can be pursued include the following [see text in Annex].

On-site inspections help the supervisor to identify strengths and weaknesses within an insurer, and to assess and analyse the risks to which an insurer and its customers are exposed.

On-site inspections may supplement the analysis from off-site monitoring and provide the supervisor with the opportunity to verify information it has received. On-site inspection may also help detect problems that may not be apparent through off-site monitoring. It is important that on-site inspections are coordinated with off-site monitoring to increase efficiency and avoid duplication of work.

On-site inspections should be tailored to the particular insurer and its risks. However, an on-site inspection work programme should remain flexible since new priorities might arise.

The on-site inspection work programme should take account of the insurer’s distribution model, the nature, size and profile of its customer base and its relative importance in the market. On-site inspections should be more frequent and more in- depth for insurers which are in a difficult financial position or where there is concern that their business practices pose a high risk of negative customer outcomes.

The supervisor may use independent experts (see ICP 2 Supervisor) to conduct part of an on-site inspection, for instance when additional resources or specific expertise is needed.

The supervisor can conduct on-site inspections on either a broad or targeted basis. The purpose of a broad on-site inspection is to assess the overall condition, activities and risk-profile of the insurer. A targeted on-site inspection is focused on a specific area or areas of an insurer, such as a particular key activity or process. Targeted on-site inspections can also be carried out across a number of insurers based on a specific theme, activity or risk (sometimes called "thematic reviews"). Targeted on-site inspections can be very effective in focusing supervisory resources quickly on those areas requiring immediate attention. If a targeted on-site inspection leads to other areas of supervisory concern, the supervisor may determine that a broad on-site inspection is necessary.

Advance notice is normally given to the insurer before the supervisor conducts an on-site inspection so that both parties may plan accordingly. However, the supervisor may decide not to provide advance notice in certain circumstances.

Examples of ways in which this Standard and its corresponding guidance can be pursued include the following [see text in Annex].

The supervisor should provide appropriate feedback in a timely manner to the insurer during the ongoing supervisory review process. The supervisor should issue in writing the findings of the review and the actions required. In many circumstances, the supervisor’s initial action will be to discuss the issue with the insurer, which may resolve the issue and require no further action. However some issues may require preventive or corrective measures, and in some cases imposing sanctions (see ICP 10 Preventive measures, corrective measures and sanctions).

Whether and how the insurer has subsequently addressed issues identified by the supervisor should be considered in the evaluation of the insurer and should be factored into the ongoing supervisory plan.

• reviewing and analysing the minutes of the Board and its committees;
• examining communications provided by the auditors to the Board and/or the Audit Committee, such as the auditors’ reports;
• analysing information obtained from and/or received through direct engagement with the external auditor on substantial insights into the insurer’s corporate governance framework, control environment, and financial reporting;
• evaluating the suitability of significant owners by analysing the ownership structure and sources of finance/funding;
• evaluating the independence of the Board Members, the suitability of the Board Members, Senior Management and Key Persons in Control Functions, their effectiveness, and their ability to acknowledge improvement needs and correct mistakes (especially after such needs or mistakes have been identified by the insurer, its auditors, or the supervisor and after changes of management and in the Board);
• testing the insurer's internal policies, processes and controls in order to assess compliance with regulations and/or adequacy of these in light of the insurer's risk profile;
• testing the accounting procedures in order to assess accuracy of the financial and statistical information periodically sent to the supervisor and its compliance with the regulations; and
• evaluating the organisational structure and the management of the insurer.

• analysing business lines, the type of products offered, policyholders and location of business;
• analysing the distribution model(s) used;
• meeting with the management to get information and a deeper understanding about current and future business plans;
• analysing material contracts;
• analysing the sales and marketing policies of the insurer, in particular, policy conditions and remuneration paid to the intermediaries; and
• evaluating the reinsurance cover and its security. In particular, the reinsurance cover should be appropriate with regard to the financial means of the insurer and the risks it covers.

• analysing organisational charts, the group structures and the intragroup links;
• analysing the relationships with major investors and among branches and subsidiaries;
• analysing intragroup transactions, fees and other arrangements, including identifying instances of cross-subsidisation of businesses within a group or non-arm's length fees and charges;
• analysing agreements with external service providers;
• identifying financial problems originating from an entity in the group to which the insurer belongs; and
• identifying of conflicts of interest arising from intra-group relationships or relationships with external entities.

• analysing audited financial statements and off-balance sheet commitments;
• analysing the settlement of claims and the calculation of technical provisions according to current regulations;
• analysing the operations and financial results by line of business;
• analysing the investment policy (including derivatives policy) and the assets held to cover the technical provisions;
• valuation of the insurer’s investments;
• assessing litigation in which the insurer is a party; and
• analysing the forecasted balance sheets and profit

• assessing the culture of the insurer in relation to customer treatment, including the extent to which the insurer’s leadership, governance, performance management and recruitment, complaints handling policies and remuneration practices demonstrate a culture of fair treatment to customers;
• assessing how conflicts of interests with customers are identified, managed and mitigated;
• reviewing how products are designed and distributed to ensure they fulfil the customers’ demands and needs;
• checking the adequacy, appropriateness and timeliness of the information and advice given to customers;
• reviewing the handling and timing of claims and other payments;
• reviewing the handling, frequency and nature of customer complaints, disputes and litigation; and
• reviewing any customer experience reports used by the insurer or from other sources, such as an ombudsman.

The supervisor should initiate escalating measures to prevent a breach of regulatory requirements by an insurer, respond to a breach of regulatory requirements by an insurer, and enforce those measures to ensure that the insurer responds to the supervisor’s concerns. Preventive measures should be used to prevent a breach of regulatory requirements and corrective measures should be used to respond to a breach of regulatory requirements. Functionally, supervisors may take similar or identical actions as preventive or corrective measures. In addition, where a regulatory requirement has been violated, supervisors may use sanctions.

The supervisor should promptly and effectively deal with insurer non-compliance with regulatory requirements or supervisory measures that could put policyholders at risk, could pose a threat to financial stability, or could impinge on any other supervisory objectives. The more significant the threat to policyholders’ interests or to financial stability, then the quicker the supervisor will need to act and to require action from the insurer, and the more significant the measures that may be required. By mitigating certain risks, preventive and corrective measures that are primarily intended to protect policyholders may also contribute to financial stability, by decreasing the probability and magnitude of any negative systemic impact.

Circumstances may arise when preventive or corrective measures are insufficient to prevent an insurer from being no longer viable, or likely to become no longer viable, and therefore need to exit the market or be resolved (see ICP 12 Exit from the market and resolution).

As part of the supervisory framework (see ICP 9 Supervisory review and reporting), the supervisor should consider in advance how to use preventive and corrective measures, enforcement of those measures, and the imposition of sanctions. A supervisor’s framework should be documented to assist in the delivery of consistent supervision over time. It is crucial that the framework leaves room for the exercise of supervisory judgement and discretion, so flexibility should be allowed in the use of preventive measures, corrective measures and sanctions. In addition to general criteria, other parts of the framework on preventive measures, corrective measures and sanctions can also be released publicly, particularly where the supervisor feels that this additional transparency will lead to the market functioning more effectively. The decision-making processes that underpin the supervisory framework should function in a way that allows the supervisor to take immediate action when necessary.

In some instances, the supervisor will need to work with other authorities or bodies in order to take or enforce supervisory measures or sanctions against an insurer. For example, some measures or sanctions will require the approval of a judicial body.

There are different methods by which supervisory outcomes can be achieved. The method chosen may vary depending on the jurisdiction’s legal framework. In some jurisdictions, one method is to accept an enforceable written agreement to do, or not to do, some thing or things from the insurer in question. The potential advantages of achieving an outcome by this route are that it can be quicker and less costly. This option can be used to achieve outcomes related to preventive or corrective measures or to sanctions.

Measures or sanctions targeted at non-insurance legal entities within an insurance group may require the supervisor to work with other regulatory authorities.

The supervisor for an insurance legal entity within an insurance group should inform other involved supervisors when taking supervisory measures against or imposing sanctions on that insurance legal entity, where those sanctions are material or otherwise relevant to those supervisors.

The supervisor should have in place mechanisms to identify when unlicensed insurance activity is being carried out. Examples of such mechanisms include monitoring of media and advertising, review of consumer complaints or encouraging industry and other stakeholders to notify the supervisor of suspicious activity.

Where unlicensed activity is identified, the supervisor should act to address the issue. Examples include requiring the unlicensed entity to apply for a licence, seeking court orders to require the unlicensed entity to stop the activity, informing law enforcement authorities of criminal and/or civil concerns, imposing sanctions on the individual/entity or publicising the fact that the individual and/or entity is/are not licensed to conduct insurance activities.

Determining when an insurer seems likely to operate in a manner that is inconsistent with regulatory requirements will require a degree of discretion on the part of the supervisor. Nevertheless, concerns that necessitate preventive measures should be well founded based on the supervisor’s assessment.

If the insurer operates in a manner that is likely to impact its ability to protect policyholders’ interests or pose a threat to financial stability, the supervisor should act more urgently in requiring preventive measures.

The supervisor should communicate concerns to the insurer with a promptness that reflects the significance of the concern. Some concerns, such as relating to insurer solvency, policyholder protection, or financial stability, will be sufficiently significant to require immediate communication to the insurer. Other concerns, although significant, may not require such rapid communication, but should still be communicated appropriately. For example, it is unlikely to be appropriate for a supervisor to wait for the next on-site visit to an insurer before communicating a significant concern.

The supervisor should promptly bring significant concerns to the attention of the Board because it has ultimate responsibility for the insurer and that such concerns are resolved. In addition, the supervisor should also communicate with Senior Management and with Key Persons in Control Functions to bring significant concerns to their attention.

The supervisor should have available a range of preventive measures broad enough to address insurers of all sizes and complexities. Preventive measures should be chosen to address the severity of the insurer’s problems.

•  restrictions on business activities, such as:
  • prohibiting the insurer from issuing new policies or new types of product;
  • requiring the insurer to alter its sales practices or other business practices;
  • withholding approval for new business activities or acquisitions;
  • restricting the transfer of assets;
  • prohibiting the insurer from continuing a business relationship with an intermediary or othe outsourced provider, or requiring the terms of such a relationship to be varied;
  • ​restricting the ownership of subsidiaries; and
  • restricting activities of a subsidiary where, in its opinion, such activities jeopardise the financial situation of the insurer;
• directions to reinforce the insurer’s financial position, such as:
  • requiring measures that reduce or mitigate risks (for example, restricting exposures, through either hard or soft limits, to individual counterparties, sectors, or asset classes);
  • requiring an increase in capital;
  • restricting or suspending dividend or other payments to shareholders; and
  • restricting purchase of the insurer’s own shares; and
• other directions, including:
  • requiring the reinforcement of governance arrangements, internal controls or the risk management system;
  • requiring the insurer to prepare a report describing actions it intends to undertake to address specific activities the supervisor has identified, through macroprudential surveillance, as potentially posing a threat to financial stability (see ICP 24 Macroprudential supervision);
  • facilitating the transfer of obligations under the policies from a failing insurer to another insurer that accepts this transfer;
  • suspending the licence of an insurer; and
  • barring individuals acting in key roles from such roles in future.

• temporarily delaying or suspending, in whole or in part, the payments of the redemption values on insurance liabilities or payments of advances on contracts;
• lowering the maximum rate of guarantees for new business or introducing additional reserving requirements; or
• incentivising the use of a system-wide lending facility, when available, for market-wide liquidity issues extending to insurers.

The supervisor should take steps to address problems arising from Board Members, Senior Management, Key Persons in Control Functions, significant owners, external auditors and any other person who plays a significant role within the insurer. For example, the supervisor should require the insurer to replace or restrict the power and role of those involved (listed above) in the governance processes if the supervisor has material concerns with management or governance.

The supervisor should reject, rescind and/or request a court to revoke the appointment of an external auditor who is deemed to have inadequate expertise or independence, or is not subject to, or does not adhere to, established professional standards.

• the auditor does not have adequate insurance industry knowledge and competence;
• there is an identified issue with auditor objectivity and independence;
• the auditor does not disclose to the supervisor matters that it is required to disclose;
• clear audit quality concerns are identified, such as if the auditor fails to test internal control systems sufficiently, the auditor is not appropriately sceptical, or does not appropriately challenge the insurer’s management regarding the major accounting figures; or
• the auditor’s system of internal quality control appears ineffective.

The Guidance under Standard 10.2 is equally applicable when considering corrective measures.

In addition to the supervisory tools set out in 10.2.6, when considering corrective measures the supervisor may find it necessary, in cases of serious breach of regulatory requirements, to revoke the licence of an insurer. The supervisor should be able to enforce this decision.

The supervisor should require the insurer to prepare a plan to resolve the concerns within an acceptable timeframe. The plan should include actions proposed by the insurer or preventive or corrective measures required by the supervisor. What is acceptable as a timeframe will depend on the circumstances of the concerns raised.

If the insurer does not prepare an acceptable plan in a specified timeframe to respond to the supervisor’s concerns, the supervisor should impose such a plan on the insurer.

The supervisor should review the results of the actions that the insurer has taken. The supervisor should review both whether the actions have been taken and, if so, the effectiveness of the actions.

The supervisor may require assurance from an independent reviewer regarding adequate resolution of significant concerns. In such cases the supervisor may also require that such an independent reviewer be appointed at the expense of the insurer.

The supervisor should require further measures if its concerns with the insurer become worse, including if the insurer fails to take the actions in a plan.

Supervisory measures should escalate in line with the supervisor’s concerns about the insurer. If the insurer’s inaction leads to an increased risk to policyholders, then the supervisor should respond by requiring stronger measures to mitigate this risk.

Enforcement of preventive or corrective measures could involve the supervisor issuing a formal direction to an insurer to take particular actions or to cease conducting particular activities. It could also involve the supervisor seeking the assistance of other authorities, or the courts, to enforce a measure.

The supervisor should be able to impose a range of sanctions, which could be administrative, civil or criminal in nature. These can include the ability to impose fines, the ability to bar individuals acting in key roles from holding similar roles in future, and the ability to require remediation (such as requiring compensation of policyholders in cases of mis-selling). It is recognised that supervisors will not always be able to take a full range of legally binding actions themselves and may need to act in conjunction with, or refer matters to, other authorities, in particular, in the case of criminal penalties.

In some cases it may be appropriate to apply sanctions against insurers or individuals when justified by their actions, or inactions.

• fail to provide information to the supervisor in a timely fashion;
• withhold information from the supervisor;
• provide information that is intended to mislead the supervisor;
• deliberately misreport to the supervisor; or
• do not act in accordance with orders or directions imposed on the insurer.

The sanctions imposed by the supervisor should be commensurate with the nature and severity of the insurer’s non-compliance with regulatory requirements. Administrative or procedural breaches will generally attract less severe sanctions than breaches arising from an insurer’s intentional disregard of regulatory requirements. The sanction imposed should be sufficiently dissuasive so that the insurer, or other insurers, do not commit a similar breach in the future.

The supervisor should impose more severe sanctions relative to the gravity of the breach where an insurer’s history demonstrates a pattern of non-compliance with regulatory requirements.

The supervisor may impose sanctions on insurers or individuals in addition to supervisory measures or in the absence of supervisory measures.

The imposition of sanctions against an insurer or an individual typically should not delay either supervisory measures or insurer action taken in response to supervisory measures. However, in some instances, the nature of the sanctions may delay supervisory measures. For example, where a supervisor sanctions an insurer by requiring a number of Senior Managers to be replaced with new individuals, supervisory measures intended to improve the governance of the insurer may not be practical until after the new individuals are appointed.

The supervisor, or another responsible authority in the jurisdiction, should take action to enforce sanctions that have been imposed.

The supervisor should sanction insurers and individuals within a consistent framework, so that similar violations and weaknesses attract similar sanctions. Supervisors should consider how proposed sanctions relate to previous cases. The supervisor should identify precedents where the supervisor has sanctioned an insurer or individual for similar actions/inactions. Where the supervisor has sanctioned an insurer or individual for similar actions/inactions, then the supervisor should consider carefully whether a comparable sanction is appropriate. If the supervisor concludes that a very different sanction is appropriate, the supervisor should be prepared to explain why it reached this conclusion.

In order for sanctions to have a deterrent effect on other insurers, the fact of the sanction, and sufficient details of the breach, should in general be published. However, the supervisor should retain the discretion to take a different course of action (for example, not to publish, or to delay publication) where this would further the achievement of supervisory objectives or it is otherwise in the public interest to do so.

An orderly process for an insurer’s withdrawal from the business of insurance helps to protect policyholders, and contributes to the stability of the insurance market and the financial system. Jurisdictions should have transparent and effective regimes for an insurer’s exit from the market and the resolution of an insurer.

In this ICP, “resolution” refers to an action taken by a resolution authority towards an insurer that is no longer viable, or is likely to be no longer viable, and has no reasonable prospect of returning to viability. Resolution actions include portfolio transfer, run-off, restructuring, and liquidation.

• “supervisor” is used when the standard and/or guidance involves responsibilities and/or roles of the day-to-day supervisor of the insurer;
• “resolution authority” is used when the standard and/or guidance involves resolution powers and/or processes after resolution has been instituted: this includes supervisors acting under their resolution powers; and
• “supervisor and/or resolution authority” is used when the standard and/or guidance involves responsibilities for planning and/or initiation of resolution and encompasses supervisors acting in their pre-resolution roles (eg before a supervisor or resolution authority institutes resolution and/or obtains any necessary administrative and/or judicial approvals to do so).

The structure and roles of resolution authorities vary across jurisdictions. In some jurisdictions, the resolution authority and the supervisor may be one single authority; in other jurisdictions, resolution of insurers may be the responsibility of one or more separate authorities. In some jurisdictions certain resolution powers may be exercised or overseen by the court. Whatever the allocation of responsibilities, a transparent and effective resolution regime should clearly delineate the responsibilities and powers of each authority involved in the resolution of insurers (see ICP 1 Objectives, powers and responsibilities of the supervisor). Where there are multiple authorities responsible for the resolution of insurers, the resolution regime should empower the relevant authorities to cooperate and coordinate with each other.

Exit from the market refers to cessation of the insurer’s business, in part or in whole. Insurers that meet regulatory requirements may decide to exit from the market on a voluntary basis for business and/or strategic reasons. This is often referred to as ‘voluntary exit from the market’.

Insurers may also be required by the supervisor to exit from the market. For example, supervisory measures and/or sanctions may result in an insurer exiting from the market (ie involuntary exit from the market) (see ICP 10 Preventive measures, corrective measures and sanctions).

Jurisdictions may need to have mechanisms in place to determine whether the continuity of insurance cover is necessary when insurers exit from the market. Any such continuity should preferably be on the same contract terms, but when necessary, on amended terms. Such mechanisms need to be proportionate to the unique nature and structure of the insurance market in each jurisdiction. Continuity of insurance cover may be facilitated by transferring insurance portfolios to a succeeding insurer, including a bridge institution. Continuity of some insurance contracts, particularly for some non-life products, may be necessary for only a short period (for example 30 or 60 days) so that the policyholder has sufficient time to find another insurer. Facilitating continuity of insurance cover might not be necessary for certain types of insurance products, such as those that are offered by many insurers in a market and which are highly substitutable.

Where an insurer exits from the market and there is no succeeding insurer or no similar insurance products available in the market, mechanisms that facilitate the availability of alternate cover may need to be explored by the supervisor, such as when the exiting insurer delivers insurance contracts that cover risks that may be important to a particular jurisdiction’s economy and/or are compulsory insurance in legislation.

A resolution regime should make it possible for any losses to be absorbed by: i) shareholders; ii) general creditors; and iii) policyholders, in a manner that respects the jurisdiction’s liquidation claims hierarchy. Policyholders should absorb losses only after all lower ranking creditors have absorbed losses to the full extent of their claims. Mechanisms, such as policyholder protection schemes (PPSs), may mitigate the need for the absorption of losses by policyholders.

Depending on the circumstances, appropriate resolution measures may be applied to one or more separate entities in an insurance group, such as: i) the head of the insurance group; ii) an intermediate holding company below the head of the insurance group; iii) an insurance legal entity within the group; iv) a branch of an insurance legal entity within the group; or v) other regulated (eg banks) or non-regulated entities within the group. For other regulated entities within the group (eg banks), a resolution regime relevant to their sector may apply.

Some insurers operate on a cross-border basis through subsidiaries or branches in another jurisdiction, or through providing insurance services on a cross-border basis without setting up a physical presence outside their home jurisdiction. Also, where an insurance legal entity is a member of a group, there could be intra-group transactions and guarantees among insurance legal entities and/or other group entities in different jurisdictions. Cross-border coordination and cooperation, including exchange of information, is necessary for the orderly and effective resolution of insurers that operate on a cross-border basis.

Voluntary exit from the market is initiated by the insurer.

The supervisor should require the insurer which voluntarily exits from the market to make appropriate arrangements for the voluntary exit (eg, run-off or portfolio transfer), including ensuring adequate human and financial resources to fulfil all its insurance obligations.

• expected timeframe;
• projected financial statements;
• human and material resources that will be available;
• governance and risk management of the process;
• communication with policyholders about the insurer’s exit from the market; and
• communication to the public.

Insurers that exit from the market on a voluntary basis should continue to be subject to supervision until all insurance obligations are either discharged or transferred to succeeding insurers. Legislation should provide for appropriate requirements for these exiting insurers.

The legislation should support the objective of protecting policyholders. This however does not mean that policyholders will be fully protected under all circumstances and does not exclude the possibility that losses be absorbed by policyholders, to the extent they are not covered by PPSs or other mechanisms. A jurisdiction may have additional resolution objectives in the legislation, such as contributing to financial stability.

The legislation should provide a scheme for prioritising the payment of claims of policyholders and other creditors in liquidation (liquidation claims hierarchy). Resolution powers should be exercised in a way that respects the hierarchy of creditors’ claims in liquidation. In a resolution action other than a liquidation, creditors should be entitled to compensation if they receive less than they would have received if the insurer was liquidated (ie the “no creditor worse off than in liquidation” (NCWOL) principle). The NCWOL principle may require funding to provide compensation to creditors so that they receive at least as much as they would have received in a liquidation.

Resolution should seek to minimise reliance on public funding. In principle, any public funding used for the resolution of the insurer should be recouped from the insurance sector in a transparent manner. The phrase “reliance on public funding” does not refer to the use of funds from policyholder protection schemes to support the implementation of resolution actions.

Resolution processes and procedures are aimed at supporting the resolution preparedness in a jurisdiction, including the supervisor and/or resolution authority, insurers and other relevant stakeholders. These processes and procedures should entail the establishment of strategies and actions for effectively resolving an insurer if it becomes necessary while minimising the impact on policyholders, financial stability, the real economy and taxpayers. Such actions include being able to put in place a resolution plan for an insurer (see Standard 12.4), and may also entail preparing to resolve certain types of insurers that have common characteristics or offer similar services. The supervisor and/or resolution authority should involve the insurer as appropriate. Where applicable, these processes and procedures may also address coordination with the authorities responsible for the non-insurer legal entities within an insurance group.

The supervisor should require the insurer to consider such risks and where appropriate, prepare contingency plans to mitigate the risk.

The supervisor should require that the insurer have procedures in place to provide necessary information (eg policyholders’ names, types of their contracts, and the value of each contract) to a relevant organisation (such as a PPS) in a timely manner when the insurer enters into resolution.

Insurers should have processes and procedures in place to be able to provide necessary information (eg policyholders’ names, types of their contracts and the value of each contract) to the supervisor and/or resolution authority, as well as any other relevant organisation (such as a PPS) in a timely manner when the insurer enters into resolution.

Insurers should evaluate prospectively their specific operations and risks in possible resolution scenarios and have processes and procedures available for use during a resolution.

When developing the criteria to decide which insurers will be subject to a resolution plan requirement, the supervisor and/or resolution authority should consider factors such as:

• the insurer’s size, activities and its lines of business;
• the insurer’s risk profile and risk management mechanisms;
• the level of substitutability of the insurer’s activities or business lines;
• the complexity of the insurer’s structure, including the number of jurisdictions in which it operates;
• the insurer’s interconnectedness; and/or
• the impact of the insurer’s failure.

The supervisor and/or resolution authority may also decide to require resolution plans for a minimum market share of its insurance sector.

The supervisor and/or resolution authority should also consider the factors above when deciding on the necessary level of detail of the resolution plan, when a plan is required.

The assessment of an insurer’s potential systemic importance should be in line with ICP 24 (Macroprudential supervision).

Insurers are considered critical if their failure is likely to have a significant impact on the financial system and/or the real economy of the jurisdiction, including by;

• materially affecting a large number of policyholders in the case that the insurer’s activities, services or operations are significantly relied upon and cannot be substituted with reasonable time and cost; or
• causing a systemic disruption or a loss of general confidence in the insurance sector.

The resolution plan should identify:

• financial and economic functions that need to be continued to achieve the resolution objectives for the insurer;
• suitable resolution options to preserve such functions or discontinue them in an orderly manner;
• data requirements for the insurer’s business operations, structures and financial and economic functions;
• potential barriers to effective resolution and actions to mitigate those barriers; and
• actions to protect policyholders.

For the purpose of the resolution plan, the supervisor and/or resolution authority should:

• require the insurer to submit necessary information for the development of the resolution plan; and
• where necessary, require the insurer to take adequate actions to improve its resolvability.

Resolvability assessments should consider if it is feasible and credible for the supervisor and/or resolution authority to resolve the insurer in a way that protects policyholders and contributes to financial stability while minimising reliance on public funds.

Resolvability assessments should be undertaken on a regular basis, or when there are material changes to the insurer’s business or structure, or any other change that could have a material impact on the resolvability assessment.

When the resolution plan and/or resolvability assessment identifies potential barriers to effective resolution, the insurer should be given the opportunity to propose its own prospective actions to improve its resolvability by mitigating these barriers, before it is required to do so by the supervisor and/or resolution. authority

In the case of a group, the group-wide supervisor and/or resolution authority should lead the development of the group-wide resolution plan, in coordination with other involved supervisors and/or resolution authorities and should involve the group as appropriate. Coordination may be done through a supervisory college or CMG if any is in place. The plan should cover at least the group’s material entities.

Other involved supervisors and/or resolution authorities may deem it appropriate to have their own resolution plan for the group’s insurance legal entity in their jurisdictions when, for instance:

• the insurance legal entity’s presence in the jurisdiction is large in scope and/or scale;
• the insurance legal entity provides critical and/or non-substitutable insurance coverages; and/or
• its resolution may impact that jurisdiction’s policyholders, financial stability and/or real economy.

If a host jurisdiction decides to establish a resolution plan, it should cooperate with the group-wide supervisor and/or resolution authority to ensure that the host jurisdiction’s plan is as consistent as possible with the group-wide resolution plan.

Resolvability assessments should be conducted at the level of those entities where it is expected that resolution actions would be taken, in accordance with the resolution strategies for the group, as set out in the resolution plan.

The jurisdiction should have a designated authority or authorities empowered to exercise powers for the resolution of an insurer. Where there are multiple authorities within a jurisdiction, their respective mandates, roles and responsibilities are clearly defined and coordinated.

Where different authorities within a single jurisdiction are in charge of the resolution of an insurer, a lead authority that coordinates the resolution of the insurer should be identified.

An example where a lead resolution authority should be identified is where the insurer has insurance and other financial operations (such as banking), and the authority responsible for the resolution of the other financial operations is different from the authority responsible for the resolution of the insurance operations in the jurisdiction.

Coordination agreements may be established where multiple authorities may be involved in the resolution of an insurer.

Relevant authorities in this context may include the group-wide supervisor and/or resolution authority, other involved supervisors and/or resolution authorities and others that may need to be involved in the resolution of insurers, such as PPS and supervisors in other financial sectors.

When an insurer voluntarily exits from the market, the supervisor should cooperate and coordinate with other relevant supervisors as necessary.

Cooperation and coordination should include matters, among others, such as consulting with or informing other relevant authorities of eg the anticipated exercise of resolution powers that the resolution authority considers necessary before taking resolution actions, where this is practicable.

When consulting, authorities should seek to determine if coordinated action on the resolution of an insurance group is necessary to avoid or minimise adverse impact on other group entities.

The supervisor and/or resolution authority should seek to achieve a cooperative solution with authorities in other jurisdictions who are concerned with the resolution of the insurance group.

Cooperation and coordination would be crucial when considering resolution action such as ordering the insurer to cease business (for example, when the insurer has overseas branches), freezing the insurer’s assets, and/or removing management of overseas branches, subsidiaries, or holding companies.

Information sharing, cooperation and coordination should be undertaken in a manner that do not compromise the prospect of successful exit or resolution.

Cross-border coordination agreements may need to be established between relevant authorities.

Resolution should be initiated where an insurer is no longer viable, or is likely to be no longer viable and has no reasonable prospect of becoming so, even if the entity is solvent in light of financial reporting standards. Criteria that determine or help determine when the supervisor and/or resolution authority initiates resolution should be considered in light of the insurer and the circumstances of its resolution. Criteria for determining whether resolution processes should be initiated may include:

• the insurance legal entity is in breach of the minimum capital requirement (MCR) and there is no reasonable prospect of restoring compliance with MCR;
• the consolidated own funds of the insurance group are lower than the sum of the proportional shares of the MCRs, or minimum capital requirements of the regulated legal entities belonging to the insurance group (eg due to double-gearing);
• the insurer is in breach of other material prudential requirements (such as a requirement on assets backing technical provisions) and there is no reasonable prospect of compliance being restored;
• there is a strong likelihood that policyholders and/or other creditors will not receive payments as they fall due;
• intra-group transactions impede or are likely to impede the ability of the insurer to meet policyholder and/or creditor obligations as they fall due; or
• measures attempting the recovery of the insurer have failed, or there is a strong likelihood that such proposed measures will: i) not be sufficient to return the insurer to viability; or ii) cannot be implemented in a reasonable timeframe.

The range of available resolution powers in a jurisdiction should allow the effective and orderly resolution of insurers, in particular to protect policyholders and contribute to financial stability. Some powers may not be needed for all insurers but only, for example, for insurers that are of systemic importance or critical in failure in the jurisdiction. In jurisdictions with more developed insurance markets and/or that include large, complex or systemically important insurers, it is particularly important for legislation to provide a sufficiently wide range of resolution powers to allow the supervisor and/or resolution authority to resolve an insurer effectively.

The choice and application of the powers set out below should take into account whether an insurer’s disorderly failure would potentially cause significant disruption to policyholders, the financial system and/or real economy, the types of business the insurer is engaged in, and the nature of its assets and liabilities.

Resolution powers should be exercised in a proportionate manner that resolves the insurer most effectively in light of the circumstances and objectives of resolution. Some powers may only affect the insurer, while others may impact contractual rights of third parties (such as a suspension of policyholders’ rights or restructuring of policies).

Some resolution powers are exercised with the aim to stabilise or restructure an insurer and avoid liquidation, while other resolution powers can be used in conjunction with liquidation. Creditors should have a right to compensation where they do not receive at a minimum what they would have received in a liquidation of the insurer under the applicable insolvency regime (NCWOL principle).

If a court order is required for the resolution authority to exercise resolution powers, the time required for court proceedings should be taken into consideration for the effective implementation of resolution actions.

Resolution powers should include the following. This list is not exhaustive and the resolution authority should have discretion to apply other available powers. The order of presentation of the powers is not an indication of the sequence in which these powers could be exercised or of their importance. While each power is only listed once, some can support more than one objective:

Taking control

• take control of and manage the insurer, or appoint an administrator or manager to do so;
• remove or replace Members of the Boards, Senior Management and/or Key Persons in Control Functions;
• prohibit the payment of dividends to shareholders;
• prohibit the payment of variable remuneration to, and allow the recovery of monies from, Members of the Boards, Senior Management, Key Persons in Control Functions and major risk taking staff, including claw-back of variable remuneration; and
• prohibit the transfer of the insurer’s assets without supervisory approval.

Withdrawal of licence

• withdraw the licence to write new business and put all or part of the insurance contracts into run-off.

Override rights of shareholders

• override requirements for approval by shareholders of particular transactions or to permit a merger, acquisition, sale of substantial business operations, recapitalisation, or other measures to restructure and dispose of the insurer’s business or its liabilities and assets; and
• sell or transfer the shares of the insurer to a third party.

Restructuring mechanisms

• restructure, limit or write down liabilities (including insurance liabilities), and allocate losses to creditors, shareholders and policyholders, where applicable and in a manner consistent with the liquidation claims hierarchy and jurisdiction’s legal framework.

Suspension of rights

• temporarily restrict or suspend the policyholders’ rights of withdrawing their insurance contracts;
• stay rights of the reinsurers of the ceding insurer in resolution to terminate, or not reinstate, coverage relating to periods after the commencement of resolution;
• impose a temporary suspension of payments to unsecured creditors and a stay on creditor actions to attach assets or otherwise collect money or property from the insurer; and
• temporarily stay early termination rights associated with derivatives and securities financing transactions.

Transfer or sell assets or liabilities

• transfer or sell the whole or part of the rights, assets and liabilities of the insurer to a solvent third party, and to take steps to facilitate transfer, run-off and/or liquidation
• terminate, continue or transfer certain types of contracts, including insurance contracts; and
• transfer any reinsurance associated with transferred insurance policies without the consent of the reinsurer.

Bridge institution

• establish a bridge institution.

Essential services and functions

• take steps to provide continuity of essential services and functions.

Liquidation

• initiate the liquidation of the whole or part of the insurer.

Where the resolution authority takes action which leads to another person taking control of an insurer with a view to restoring, restructuring or running off the business, the resolution authority should continue to be responsible for the orderly resolution of the insurer. In particular, the resolution authority should continue to exercise functions which ensure that the objectives of resolution are met, notwithstanding any additional responsibilities which the person appointed may have to the insurer or to the courts.

Resolution powers should be exercised in a manner that does not discriminate between creditors on the basis of their nationality, the location of their claim, or the jurisdiction where it is payable.

Mechanisms should be in place to (i) enable continuity of cover for policyholders where this is needed and (ii) ensure timely payment of claims to policyholders of the insurer in resolution, with the aim to minimise disruption to the timely provision of benefits to policyholders. A PPS can be one of the mechanisms that can help ensure timely payments to policyholders and minimise disruption.

When requiring contracts to be transferred to another insurer, the resolution authority should satisfy itself that the interests of the policyholders of the transferor and of the transferee are safeguarded. In some cases this may be achieved through varying, reducing or restructuring the transferred liabilities.

Portfolio transfers and transfers of other types of contracts of the insurer in resolution should not require the consent of each policyholder or party to the contract.

Consistent with the liquidation claims hierarchy, insurance liabilities should be written down only after equity and all liabilities that rank lower than insurance liabilities have absorbed losses, and only if the resolution authority is satisfied that policyholders are no worse off than in liquidation after compensation, where necessary.

Information on the period during which policyholders are prohibited from withdrawing from their insurance contracts should be available to policyholders in a transparent manner for the purposes of policyholder protection.

The exercise of stay powers, their scope of application and the duration of the stays should be designed to address the specific situation of the insurer in resolution. For example, the duration of the stay could depend on the type of the insurance or financial contract.

There may be circumstances where resolution powers will need to be exercised at the level of the head of the insurance group and/or non-regulated entities. Resolution authorities should have the capacity to exercise resolution powers directly on such entities within their jurisdiction to the extent necessary and appropriate. Where resolution powers need to be exercised on entities outside of their jurisdiction or legal authority, the resolution authority should cooperate and coordinate with relevant supervisors and resolution authorities in the relevant jurisdictions, to the extent necessary and appropriate.

Unless otherwise specified by the resolution authority, resolution powers exercised on an insurance legal entity (for instance to cease writing business) should also apply to the legal entity’s branches. However, the resolution authority responsible for a branch can also exercise powers toward the branch. In either case, the resolution authorities responsible for the branch and the insurance legal entity should consult and cooperate with one another.

The resolution authority may choose which power, or which combination of powers, is applied to which entity within the group. Different types of powers may be applied to different parts of the entity’s business.

Legislation should define the involvement of the supervisor in a liquidation, which promotes the protection of policyholders. The supervisor should be authorised to initiate, or should be involved in the liquidation of an insurance legal entity, or a branch of a foreign insurer in its jurisdiction.

In many jurisdictions, all resolution actions, including liquidation, may only be initiated by the supervisor and/or resolution authority. However, in some jurisdictions, the liquidation process can be initiated by another person (such as a creditor of the insurance legal entity, the insurance legal entity itself, or the court). If legislation permits another person to initiate liquidation, it should: i) require prior approval of the supervisor, or ii) at a minimum, require prior coordination with the supervisor. If legislation permits another person to initiate liquidation without such prior approval or coordination, it should provide that the supervisor may challenge the person’s action.

Policyholders should receive high legal priority in the liquidation of an insurance legal entity (or of a branch) so that policyholders rank above ordinary unsecured creditors. However, it is common in many jurisdictions that a higher priority is given to a limited number of other categories of claims. These may include claims:

• by liquidators, such as claims corresponding to expenses arising from the liquidation procedure;
• by employees;
• by tax or fiscal authorities;
• by social security systems; and
• claims on assets subject to rights in rem (eg through collateral, lien, mortgage).

In some jurisdictions, policyholders receive higher priority but only on a determined part of the insurance legal entity’s assets (eg the assets covering technical provisions). In such jurisdictions, with respect to this portion of the insurer’s assets, policyholders’ claims are generally subordinate only to liquidation expenses.

Mechanisms facilitating timely payment and, when needed, continuity of contracts should be in place. In some jurisdictions, a PPS or other protection mechanisms can contribute to a resolution and ensure timely payment of claims to policyholders. Where a bridge institution is available, this can ensure continuity of insurance products in cases where no insurer present in the market takes over the insurance portfolio of the insurance legal entity that would otherwise be liquidated. A PPS or other protection mechanisms could also ensure compliance with NCWOL principle by providing compensation to policyholders so that none are worse off than in liquidation. In some jurisdictions, a PPS can only pay claims after liquidation has been initiated.

While respecting the liquidation claims hierarchy, the resolution authority could treat certain types of creditors differently from others in the same class of creditors’ hierarchy. In such cases, the reasons for such a treatment should be transparent and clearly explained. Concerned creditors should be protected by the NCWOL principle and where they do not receive at a minimum what they would have received in a liquidation of the entity they should have a right to compensation.

For instance, different types of creditors could be:

• two categories of policyholders ranking pari passu where one is covered by a PPS while the other is not; or
• two categories of creditors ranking pari passu but the creditors are different in nature (eg direct policyholders versus cedants).

• settling contracts ranking pari passu at a different pace; or
• reducing (writing down) contracts ranking pari passu at a different rate.

In some jurisdictions, insurance liabilities may be restructured. Restructuring, limiting or writing down insurance liabilities may include:

• suspending or postponing payments to policyholders;
• amending terms of insurance contracts;
• terminating or restructuring options provided to policyholders;
• reducing the value of current and future benefits;
• early settling of contracts by payment of a proportion of the insurance liabilities to provide a more rapid and cost-effective resolution. This can apply to future determined benefits but also, and in particular in the case of inward (accepted) reinsurance, to future contingent claims; or
• restructuring reinsurance contracts to allow losses to be imposed on cedants as appropriate.

In most cases, approval from the court is required for the restructuring, while in some jurisdictions the resolution authority is empowered to restructure all or part of insurance liabilities without court approval. Restructuring should only occur if it adheres to the NCWOL principle.

Where insurance liabilities may be subject to restructuring in resolution, the resolution authority should clearly communicate information (for example, the processes through which such restructuring is undertaken and the extent that policyholders may be forced to absorb losses) to interested stakeholders.

When an insurance legal entity is resolved, the resolution of, or the application of some resolution powers to, the head of the group may support or aid the orderly resolution of the insurance legal entity and best ensure the protection of policyholders.

The resolution authority responsible for a branch should have the ability to support a resolution carried out by the resolution authority of the insurance legal entity which owns the branch or by the resolution authority responsible for the resolution of the insurance group to which the branch belongs.

The resolution process may differ in the jurisdiction of the branch and in that of the insurance legal entity, due, among other things, to different insolvency laws and creditor hierarchies.

Where the resolution authority of the insurance legal entity which owns the branch or the resolution authority responsible for the resolution of the insurance group to which the branch belongs are not taking action, or are acting in a manner that does not take sufficient account of the objectives of resolution in the branch jurisdiction, the resolution authority responsible for the branch may need to take actions of its own initiative.

Where the resolution authority for a branch takes resolution action of its own initiative, it should give prior notification and consult the supervisor or resolution authority of the insurance legal entity which owns the branch and/or the supervisor or resolution authority of the insurance.

Reinsurance refers to insurance purchased by an insurer (the ceding insurer) to provide protection against certain risks, primarily underwriting risks of the insurance policies issued by the insurer. Reinsurers assume these risks in exchange for a premium. Other forms of risk transfer include alternative reinsurance arrangements, such as risk transfer to the capital markets. For simplicity, this ICP uses “reinsurance” to refer to both mainstream reinsurance and other forms of risk transfer.

Geographical diversification of risk, which typically involves risk transfer across jurisdictional borders, is a key element of ceding insurer’s and reinsurer´s capital and risk management. Geographical diversification can also have an impact in the jurisdiction of the ceding insurer, in particular jurisdictions exposed to catastrophes. By ceding insurance risk across borders, ceding insurers in the jurisdiction, and the jurisdiction as a whole, can benefit from a reduced concentration of insurance risk exposures at the ceding insurer and jurisdiction level respectively. This may also contribute to the financial stability of the jurisdiction.

Ceding insurers and reinsurers may face external limitations to geographical diversification, for example, in the form of constraints to cross-border risk transfer. The supervisor should be aware of and take into account the potential impacts of such limitations on individual ceding insurers and reinsurers as well as on the soundness and efficiency of the insurance market.

A reinsurance contract is one of indemnity between the reinsurer and ceding insurer and does not constitute a legal transfer of part of the underlying risk in the same way as, for example, a novation. Nonetheless, reinsurance contracts have the effect of transferring part of the underlying risk in an economic sense. The supervisor should remain aware that while reinsurance transfers insurance risk from the ceding insurer to the reinsurer, it also creates other risks. In a standard transaction, the ceding insurer reduces its insurance risk and assumes other risks such as credit, operational and basis risk; the reinsurer assumes risks such as insurance, timing, operational and credit risk.

A reinsurance contract is by nature a business-to-business transaction, made between professional counterparties as part of a wider risk and capital management approach. For this reason, the sort of asymmetry of expertise and knowledge associated with insurance contracts involving general consumers is usually not an issue in the reinsurance sector, although some asymmetry of bargaining power can exist, depending on the precise dynamics of the market. Thus, typically, it is not necessary for the supervisor to seek the same level of protection for ceding insurers as it does for general consumers (see ICP 19 Conduct of business).

The supervisor should be able to assess whether ceding insurers make effective use of reinsurance. This involves gaining an understanding of, and comfort with, at least:

• the ceding insurer’s reinsurance strategy and reinsurance programme;
• the systems of risk management and internal controls put in place in order to implement the reinsurance strategy and execute the reinsurance programme;
• the economic impact of the risk transfer originating from the ceding insurer’s reinsurance programme; and
• the impact of reinsurance on the ceding insurer’s liquidity management.

The standards and guidance under this ICP are applicable to insurers and reinsurers, thus throughout this ICP:

• references to ceded reinsurance should be taken to include ceded retrocession (ie the reinsurance ceded by reinsurers);
• references to ceding insurers should be taken to include ceding reinsurers (ie retrocedents); and
• references to reinsurers should be taken to include retrocessionaires (ie reinsurers that assume reinsurance from ceding reinsurers).

A ceding insurer’s risk and capital management strategies should clearly articulate the part played by reinsurance, in particular:

• the objectives that are pursued by using reinsurance;
• the risk concentration levels and ceding limits as defined by the ceding insurer’s risk appetite; and
• the mechanisms to manage and control reinsurance risks.

When articulating the part played by reinsurance in the overall risk and capital management strategies, the ceding insurer should take into account its business objectives, levels of capital and business mix, with particular reference to:

• risk appetite (both gross limit and net retention);
• peak exposures and seasonality in the insurance book;
• levels of diversification in the insurance book; and
• appetite for credit risk posed by reinsurers.

The reinsurance programme comprises the detailed implementation of the reinsurance related elements of the risk and capital management strategies in terms of coverage, limits, deductibles, layers, signed lines and markets used. It should reflect the ceding insurer’s overall risk appetite, comparative costs of capital and liquidity positions determined in the reinsurance strategy. Therefore, reinsurance programmes can vary significantly in complexity, levels of exposure and number of participants.

In some instances, an insurer may have a business strategy and risk appetite to retain all risk and therefore a reinsurance programme would not be necessary.

Senior Management develops the reinsurance related elements of the risk management strategy as well as the reinsurance programme. Senior Management is also responsible for establishing appropriate systems and controls to ensure that these are complied with. The Board is responsible for approving the strategy and ensuring an appropriate oversight and consistent implementation of the reinsurance programme.

Senior Management of the ceding insurer should regularly review the performance of its reinsurance programme, to ensure that it functions as intended and continues to meet its strategic objectives. It is likely that such a review would take place as part of the feedback loop that is part of the risk management framework.

The supervisor should understand the ceding insurer’s business objectives and strategies, how reinsurance fits into these, and assess the extent to which objectives and strategies are adequately reflected in the reinsurance programme. The supervisor should challenge the ceding insurer where it identifies inconsistencies between the objectives and strategies and the reinsurance programme.

The supervisor’s assessment of a ceding insurer’s reinsurance programme should be based on a number of factors, such as the:

• structure of the programme, including any alternative risk transfer mechanisms;
• proportion of business ceded so that the net risks retained are commensurate with the ceding insurer’s financial resources and risk appetite;
• financial condition and claims payment record of the reinsurers in question (both in normal and stressed conditions);
• levels of exposure to a single reinsurer or different reinsurers being part of the same group;
• extent of any credit risk mitigation in place;
• expected resilience of the reinsurance programme in stressed claims situations, including stress related to the occurrence of multiple and/or catastrophic events;
• cession limits, if any, applicable in the jurisdiction;
• the supervisory regime in place in the jurisdiction of the reinsurer;
• level of effective risk transfer; and
• extent to which relevant functions are outsourced by the ceding insurer, including the criteria for the selection of reinsurance brokers.

The group-wide supervisor should require a reinsurance strategy for the insurance group that includes the following issues:

• its interaction with the group-wide risk and capital management strategies;
• how the risk appetite is achieved, on both a gross limit and net retention basis;
• the appetite for reinsurer credit risk, including approved security criteria for reinsurance transactions and aggregate exposure criteria to individual or related reinsurers;
• the autonomy afforded to individual insurance legal entities to enter into “entity specific” reinsurance arrangements, and the management and the aggregation of these exposures in the group-wide context;
• procedures for managing reinsurance recoverables, including required reporting from insurers;
• intra-group reinsurance strategy and practice; and
• use of alternative risk transfer, including capital markets risk transfer products.

Control of the reinsurance programme should be part of the ceding insurer’s overall system of risk management and internal controls (see ICP 8 Risk management and internal controls). The supervisor should require that the controls and oversight in place are suitable in the context of the ceding insurer’s business.

The ceding insurer should ensure that the characteristics of its reinsurance programme, including the credit risk posed by the reinsurer, are reflected in its capital adequacy assessment as well as its ORSA (see ICP 16 Enterprise risk management for solvency purposes).

When developing the reinsurance programme the ceding insurer should consider its appetite for reinsurer credit risk. Reinsurers may face solvency issues, leading to delayed payment or default, and this can have significant consequences for the solvency and liquidity of the ceding insurer.

• establishing criteria on the financial condition and claims payment record of eligible reinsurers;
• setting limits on risks ceded to a single reinsurer;
• ensuring a spread of risk amongst a number of reinsurers;
• incorporating rating downgrade or other special termination clauses into the reinsurance contract;
• requiring the reinsurer to post collateral (the ability to require this may depend upon the relative commercial strengths of the ceding insurer and reinsurer);
• proactively monitoring reinsurance claims recoveries; and
• withholding reinsurer’s funds.

The ceding insurer should have in place procedures for identifying reinsurers that meet its security requirements. If a ceding insurer develops a pre-approved list of reinsurers, there should also be processes for dealing with situations where there is a need to assess reinsurers outside any pre-approved list. Ceding insurers may have their own credit committees to make their own assessment of the risk.

• external opinions;
• the ceding insurer’s own view of the reinsurer;
• minimum levels of capital;
• duration and quality of relationship;
• expertise of the reinsurer;
• levels of retrocession;
• reinsurance brokers’ security criteria; or
• a mixture of these and other factors.

A ceding insurer should set prudent limits or guidelines reflecting security and size of the reinsurer, in relation to its maximum aggregate exposure to any one reinsurer or to a group of related reinsurers, which would be complementary to any supervisory limits or guidelines.

The ceding insurer should give due consideration to the risk posed by a mismatch in terms and conditions between reinsurance contracts and the underlying policies. The ceding insurer may bear a greater net exposure than it initially intended because of this gap.

The ceding insurer should have appropriate criteria in place for the purchase of facultative coverage. Any facultative reinsurance coverage bought should be linked to the procedures for aggregations and recovery management.

The ceding insurer should have a specific process in place to approve, monitor and confirm the placement of each facultative risk. If facultative reinsurance is necessary to ensure that acceptance of a risk would not exceed maximum net capacity and/or risk limits, such reinsurance should be secured before the ceding insurer accepts the risk.

In order to reduce the risk and scope of future disputes, the ceding insurer and the reinsurer should have in place processes and adequate controls to document the principal economic and coverage terms and conditions of reinsurance contracts clearly and promptly.

Ceding insurers and reinsurers should finalise the formal reinsurance contract without undue delay, ideally prior to the inception date of the reinsurance contract.

All material reporting due to and from reinsurers should be timely and complete, and settlements should be made as required by the reinsurance contract.

The ceding insurer should consider how its reinsurance contracts will operate in the event of an insolvency of itself or its reinsurer.

The supervisor should have access, on request, to material reinsurance documentation. In case of indications of significant uncertainties in terms of reinsurance documentation, the supervisor should take into account the resulting underwriting, operational and legal risks when considering the effects of reinsurance on the ceding insurer’s solvency.

The supervisor should regard as a reinsurance contract an agreement that transfers sufficient insurance risk to be considered insurance under jurisdictional rules.

In general, a contract should be considered as a loan or deposit if, during its development, the ceding insurer has the unconditional obligation to indemnify the reinsurer for any negative balances that may arise out of the contractual relationship. This characteristic does not result in risk transfer. All liabilities of the ceding insurer should be contingent on the proceeds of the underlying insurance business.

Upon request from the supervisor, the ceding insurer should provide sufficient information about its reinsurance contracts to allow the supervisor to make informed judgments about the substance of the risk transfer (ie, the degree of risk transfer in an economic sense).

Where there are concerns of inappropriate reporting with respect to the degree of risk transfer, the supervisor should assess the substance of the reinsurance contract entered into by the ceding insurer and how it has been reported by the ceding insurer. Further, the supervisor should be able to assess the impact that the ceding insurer’s reinsurance contracts have on the ceding insurer’s capital requirements. The supervisor should challenge Senior Management of the ceding insurer on the purpose of individual contracts where appropriate.

Finite reinsurance is a generic term that, for the purposes of this ICP, is used to describe a spectrum of reinsurance arrangements that transfer limited risk relative to aggregate premiums that could be charged under the contract.

Finite reinsurance transactions are legitimate forms of reinsurance arrangements; however, it is essential that they are accounted for appropriately. In particular, only contracts that transfer sufficient insurance risk in order to meet the requirements of the relevant accounting standards in force in each jurisdiction can be accounted for as reinsurance.

The supervisor should pay particular attention to reinsurance contracts that have, or appear to have, limited levels of risk transfer which may change over the duration of the contract. Only the amount of risk transferred under finite reinsurance contracts should be included in the regulatory capital calculations of the ceding insurer.

The cross-border nature of reinsurance transactions, together with the relative sophistication of the market participants involved in reinsurance, are key elements that the supervisor should consider when supervising ceding insurers.

Taking into account the supervision performed in the jurisdiction of the reinsurer may help the supervisor to assess the overall risk profile of the ceding insurer. This can be done, for example, by reviewing the supervisory framework and practices in the jurisdiction of the reinsurer, or by engaging in supervisor-to-supervisor dialogue.

The supervisor can benefit from relying on supervision performed in the jurisdiction of the reinsurer. Benefits may include, for example, strengthened supervision as well as a more efficient use of resources by the supervisor of the ceding insurer.

Where supervisors choose to recognise aspects of the work of other supervisory authorities, they should consider putting a formal supervisory recognition arrangement in place (see ICP 3 Information sharing and confidentiality requirements).

Supervisory recognition can be conducted through unilateral, bilateral and multilateral approaches to recognition. All three approaches recognise the extent of equivalence, compatibility or, at least, acceptability of a counterparty’s supervisory system. Bilateral and multilateral approaches typically incorporate a mutuality component to the recognition element, indicating that this is reciprocal.

Given the nature and direction of cash flows within a ceding insurer, liquidity risk historically has not been considered to be a major issue in the insurance sector. However, there can be liquidity issues within an individual ceding insurer which could arise specifically from the ceding insurer’s reinsurance programme.

Reinsurance contracts do not remove the ceding insurer’s underlying legal liability to its policyholders. The ceding insurer remains liable to fund all valid claims under contracts of insurance it has written, regardless of whether they are reinsured or not. For this reason, a large claim or series of claims could give rise to cash flow difficulties if there are delays in collecting from reinsurers or in the ceding insurer providing proof of loss to reinsurers.

The supervisor should require ceding insurers to take appropriate measures to manage their liquidity risk, including funding requirements in adverse circumstances. As with all risks, the insurer should develop its own response to the level of risk it faces and the supervisor should assess these responses. There are a number of ways in which liquidity risk may be mitigated. For example, some insurers choose to arrange a line of credit from a bank in order to deal with short-term liquidity issues.

Ceding insurers may make arrangements with their reinsurers in order to mitigate their liquidity risk. These arrangements, if used, may include clauses that trigger accelerated payment of amounts due from reinsurers in the event of a large claim and/or the use of collateral or deposit accounts, giving ceding insurers access to funds as needed. Use of such arrangements is a commercial matter between the ceding insurer and reinsurer.

External triggers can give rise to liquidity issues, especially where reinsurers have retroceded significant amounts of business. If a reinsurance contract contains a downgrade clause that gives the ceding insurer the right to alter the contract provisions, or obliges the reinsurer to post collateral with a ceding insurer to cover some or all of its obligations to that ceding insurer, such action may cause liquidity issues among reinsurers and may be pro-cyclical. Therefore, the supervisor should be aware of the potential consequences of such triggers for the overall efficiency and stability of the market.

A wide range of techniques has been developed to allow the transfer of insurance risk to the capital markets, resulting in a diversity and complexity of risk transfer arrangements.

In general, arrangements used to enable risk transfer to the capital markets operate like mainstream reinsurance. For example, risk is transferred via a reinsurance contract with similar terms and conditions to any other reinsurance contract. Further, the risk assuming entity is a reinsurer subjected to licensing conditions like any other reinsurer. The defining feature of these risk transfer arrangements is the direct funding of the reinsurance risk exposure with funds raised, often exclusively, in the capital markets.

• cat bonds take the name from the financial instrument (ie a debt security) issued to fund an insurance exposure, usually a catastrophe;
• collateralised reinsurance is generally used to highlight a credit risk mitigation feature of certain insurance transactions (ie the collateralisation of the insurance exposure);
• ILWs refer to a range of financial instruments used by counterparties, who may or may not be insurers, to buy or sell protection related to insurance risks; and
• sidecars refer to a legal entity created ‘on the side’ of an insurer that is used to transfer insurance risk, usually to the capital markets.

In the life sector, some arrangements are similar to the non-life sector (for example, mortality bonds, which operate like cat bonds). Other life insurance arrangements have specific features that are not used in non-life insurance, such as the funding of certain portions of the ceding insurer’s reserves.

Despite the many similarities with mainstream insurance, transactions transferring insurance risk to the capital markets have special features that the supervisor should bear in mind in order to assess the appropriateness and effectiveness of their use by ceding insurers and reinsurers.

Insurance risk transfer to the capital markets usually entails the creation of a dedicated entity or a legally ring-fenced arrangement, specifically constituted to carry out the transfer of risk. These are referred to by a variety of names, such as special purpose vehicles, special purpose reinsurance vehicles, or special purpose insurers; for the purpose of the ICPs, they are collectively referred to as special purpose entities (SPEs).

The main purpose of an SPE is to assume insurance risk, funding the exposure by raising funds in the capital markets, and to be dismantled once its purpose has been fulfilled. Importantly, as SPEs conduct insurance business, the supervisor should consider licensing them as insurers (see ICP 4 Licensing). Licensing of SPEs should be appropriately tailored to take into consideration the unique characteristics of SPEs. In this respect, close collaboration among those supervising ceding insurers and those supervising SPEs before authorisation of the SPE and on an ongoing basis can be particularly helpful.

• the insurance risk that it assumes is “fully funded” (ie, that the exposure taken by the SPE is funded across a range of foreseeable scenarios from the time the SPE goes on risk to the time it comes off risk);
• the claims of any investors in the SPE are subordinate to those of the ceding insurer; and
• the investors in the SPE have no recourse to the ceding insurer in the event of an economic loss.

• ownership structure of the SPE;
• suitability of the Board and Senior Management of the SPE;
• the SPE's management of credit, market, underwriting and operational risks;
• investment and liquidity strategy of the SPE;
• ranking and priority of payments;
• extent to which the cash flows in the SPE structure have been stress tested;
• arrangements for holding the SPE’s assets (eg trust accounts) and the legal ownership of the assets;
• extent to which the SPE’s assets are diversified; and
• use of derivatives, especially for purposes other than risk reduction and efficient portfolio management.

• extent to which key parties have been fully disclosed (eg sponsor, (re)insured, investors, advisors, counterparties) and are known to the supervisor;
• extent to which potential conflicts of interest between all parties to the SPE have been adequately disclosed and addressed (such as situations where sponsors also take a managing role);
• credit risk associated with key service providers, including financial guarantors used to protect the position of investors;
• degree of basis risk that is assumed by the ceding insurer and to what extent this could have immediate ramifications for the ceding insurer’s financial position in case of a loss;
• details of the SPE’s management arrangements and key personnel;
• third party assessments of the SPE structure (eg by credit rating agencies);
• expertise of the legal advisors involved;
• robustness of any financial or actuarial projections, if applicable (eg if triggers are indemnity based); and
• disclosure of outsourcing agreements.

As many SPEs are designed to operate with a minimum of day-to-day management, the supervisor should understand and assess the extent to which the systems of risk management and internal controls are adequate and proportionate to the nature of the underlying risks and to the complexity and expected lifespan of the SPE structure.

• investment restrictions are not breached;
• interest payments, dividends, expenses and taxes are properly accounted for;
• movements above established thresholds in assets and collateral accounts are reported;
• assets are legally existent and technically identifiable; and
• liabilities can be determined on a timely and accurate basis and obligations satisfied in accordance with the underlying contracts.

• the systems of risk management and internal controls of the SPE, particularly the extent to which these are sufficient to ensure effective operation in compliance with the SPE’s legal and supervisory obligations; and
• operational risks within the SPE structure and any mitigation arrangements.

The supervisor should understand and assess the extent to which SPE arrangements give rise to basis risk. This arises where the trigger for indemnity under the SPE arrangement is different from the basis on which underlying protected liabilities can arise.

Where SPEs contain indemnity triggers (ie, recovery from the SPE is based on the actual loss experience of the ceding insurer) basis risk is unlikely to be an issue. However, many SPEs contain non-indemnity triggers, such as parametric triggers (driven by objectively measurable events) or modelled triggers (driven by the outcome of modelled, industry-wide losses). In such cases, there may be events where the ceding insurer will remain exposed to its underlying policyholders without having recourse to the SPE.

Basis risk should be considered with reference either to the amount of credit given by the supervisor of the ceding insurer for the SPE arrangement or in the capital requirement of the ceding insurer, where such mechanisms are used.

Additionally, in some jurisdictions the accounting and regulatory treatment of insurance risk transfer that uses non-indemnity triggers may be different from the accounting treatment of indemnity-based insurance. The supervisor should understand these accounting differences and the impact these may have on the financial statements of the ceding insurer and the reinsurer.

• measures to be taken by the supervisor if any of the licensing or authorisation conditions are breached;
• level of capital and ability of the SPE to continue to respond adequately should covered events occur;
• level of reporting required by the supervisor in order to understand and assess whether the SPE is complying with its obligations;
• the SPE’s response in the event of fluctuations in the values of invested assets (eg match/mismatch between collateral account and exposure, flow of premiums, fees, commissions);
• arrangements put in place in the SPE to ensure that the “fully funded” condition is maintained in the case that the insurance risks assumed are rolled over from one risk period to another; and
• where the SPE undertakes multiple transactions, arrangements put in place in the SPE to ensure that the funds corresponding to each transaction

The unwinding of SPEs is often influenced by the dynamics of insurance losses. The supervisor should understand and gain comfort with the provisions in place to require orderly unwinding of SPEs. In particular, the supervisor should understand the process related to the generation, mitigation and management of any residual risk emerging from the unwinding of the SPE.

• issues relating to disposal of the investment portfolio;
• “dismantling” of the SPE and residual risks;
• where the SPE undertakes multiple transactions, issues relating to the segregation and legal insulation of assets per transaction; and
• supervisory issues relating to risks which revert to the ceding insurer on termination of the arrangement.

• whether the risk transfer taking place involves an SPE that is licensed in the jurisdiction where the insurance risk is assumed;
• the supervisory regime to which the SPE is subject in its jurisdiction; and
• the extent to which the ceding insurer has adequately provided for the identification, assessment and management of the risks associated with transferring insurance risk to an SPE (eg credit risk, basis risk).

The methodologies for calculating items in general purpose financial reports should be substantially consistent with the methodologies used for regulatory reporting purposes and ideally with as few changes as possible to satisfy regulatory requirements. However, this may not be possible or appropriate in all respects, considering the differing purposes. Differences between general purpose financial reports and regulatory reports should be publicly explained.

Differences between technical provisions for general purpose financial reports and regulatory reports should be explained in terms of differences in data, discount rate, methodology and assumptions used together with the rationale for why any different approach is appropriate for solvency purposes.

To the extent that financial reporting standards are consistent with the standards in this ICP, valuations that are in accordance with those financial reporting standards also may be regarded as compliant with this ICP.

The context and purpose of the valuation of assets and liabilities of an insurer are key factors in determining the values that should be placed on them. This ICP considers the valuation requirements that should be met for the purpose of the solvency assessment of insurers. This is within the context of IAIS risk-based solvency requirements (see ICP 17 Capital adequacy). Solvency requirements reflect a total balance sheet approach on an economic basis and address all reasonably foreseeable and relevant risks. An economic basis may include amortised cost valuations and market-consistent valuations that comply with this ICP.

A total balance sheet approach (see ICP 17 Capital adequacy) ensures that the determination of regulatory capital resources and required capital is based on consistent assumptions for the recognition and valuation of assets and liabilities for solvency purposes.

To achieve consistency with a total balance sheet approach to setting regulatory capital requirements, regulatory capital resources should broadly be regarded as the difference between assets and liabilities, but on the basis of their recognition and valuation for solvency purposes.

The standards and guidance in this ICP set out the outcomes for the supervisor to achieve. As such, the standards and guidance may not be specific in all cases about which party should take particular actions or how a particular outcome should be achieved. For example, the intended outcome from a standard or guidance may be achieved through legislation, rules set by an authority other than the jurisdiction’s insurance supervisor (eg relating to financial reporting) or through requirements or guidance from other sources.

The valuation for solvency purposes referred to in this ICP is the valuation of the assets and liabilities used within the broad concept of a risk-based solvency assessment of insurers.

Solvency assessment results from the application of supervisory judgment to various measures and estimates of an insurer’s current financial position and future financial condition which serve to demonstrate the insurer’s ability to meet its policyholder obligations when they fall due. This ICP refers to the financial statements used for solvency assessment as “regulatory financial statements”, which may differ from those used for general purpose financial reporting. Regulatory financial statements include a regulatory balance sheet and regulatory capital requirements. The overall solvency assessment may use additional information such as:

• stress and scenario testing;
• the insurer’s own risk and solvency assessment (ORSA); and
• relevant disclosure.

Technical provisions are a significant component of valuation for solvency purposes. They include a margin for risk referred to as the margin over current estimate (MOCE). Regulatory capital requirements are another component of the solvency assessment, and they include further allowance for risk so that when taken together with technical provisions, they are sufficient to ensure that policy obligations are satisfied with the probability of sufficiency required by the supervisor.

In adverse circumstances, certain assets may be considered to have reduced or nil value for solvency purposes. Consequently, in the capital adequacy assessment such assets may be excluded from or have reduced value in regulatory capital resources. Alternatively, a capital requirement may be set to cover the potential shortfall in value. Such adjustments are part of the process of determining regulatory capital requirements and/or regulatory capital resources (see ICP 17 Capital adequacy). These adjustments are shown separately from asset values in the regulatory financial statements. This enables improved transparency, consistency, and comparability.

Assets and liabilities should be recognised and derecognised to the extent necessary for risks to be appropriately recognised. Such recognition/derecognition principles may differ from those used for general purpose financial reporting.

Recognition of rights, obligations and risks arising from insurance contracts as part of the valuation of technical provisions is a significant issue for insurers and supervisors. There are two main possible points of recognition on entering into a binding contract (the bound date) and the inception date of the contract. In principle, the bound date is the date at which an economic obligation arises. However, in practice, these dates are only likely to be significantly different for certain classes of non-life insurance.

Contracts for ceded reinsurance should be recognised and valued to correspond to the recognition of the risks which they are mitigating. Where a current reinsurance policy is contracted to cover future direct policies, the value of the reinsurance policy should not include any amount with respect to future direct policies that have not been recognised.

An insurance contract liability (or a part of an insurance contract liability) within technical provisions should be derecognised when, and only when, it is extinguished (ie when the obligation specified in the insurance contract is discharged or cancelled or expires).

The purchase of reinsurance should not result in the derecognition of technical provisions unless the purchase of that reinsurance results effectively in the extinguishment or novation of the insurance contracts.

Solvency assessment based on consistent valuation of assets and liabilities is a prerequisite for obtaining meaningful insight into the asset-liability positions of an insurer and an understanding of the financial position of an insurer relative to other insurers. It provides reliable information on which to base the actions that are taken by insurers and their supervisors with respect to those positions.

The overall financial position of an insurer should be based on the consistent measurement of assets and liabilities. The solvency position includes an additional element consisting of explicit identification and consistent measurement of risks and their potential impact on all components of the balance sheet. This consistent measurement should apply to all assets and liabilities and extend across insurers (the term “insurer” means insurance legal entities and insurance groups, including insurance-led financial conglomerates) and time periods to achieve comparability.

Undertaking valuation on consistent bases means that differences in values of assets and liabilities can be explained in terms of the specific instrument or contract characteristics, and differences in the nature of the cash flows including their timing, amount, and inherent uncertainty, rather than differences in methodology or assumptions. Such consistency may be applied at different levels within an insurance legal entity or an insurance group.

Observed market valuations or amortised cost valuations (eg reserve specific calculations) may be used for some assets and liabilities, while valuation models (eg discounted cash flow models), may be used for other assets and liabilities. Calibration of such models to market valuations or amortised cost of other assets and liabilities can assist in achieving consistency.