Published: Jun 9, 2023

Risk Management and Internal Control Regulations Issued for Insurance Companies in the UAE

Earlier this year, the Central Bank of UAE issued the Corporate Governance Regulation for Insurance Companies. This regulation applies to locally incorporated insurers as well as to branches of foreign insurers licensed in the UAE. While the sector is still taking steps to comply with the requirements under these regulations, the Central Bank of UAE has now issued the Risk Management and Internal Control Regulations Issued for Insurance Companies (“Risk Management Regulations”). The regulations were issued on 30 December 2022 and had a 90-day implementation period from the date of publication in the gazette. Therefore, they have now come into force.

The Risk Management Regulations provide a comprehensive framework for the risk management and internal control that insurers in the UAE are required to have. These requirements are placed under the oversight of the Board of Directors and Senior Management.

Relevance

While the UAE insurance sector has shown strong resilience and has been growing year on year, the lack of financial stability within insurers has been a cause for concern. This has become more apparent in recent years and has led to a number of mergers between insurance and Takaful operators. However, while mergers and acquisitions are effective to some extent, strong fundamentals are what the sector requires, and the issuance of the Risk Management Regulations is a very welcome step in this direction. Combined with the Corporate Governance Regulations, it provides a clear set of instructions which the management of the company must abide by and which the Board of Directors must uphold at all times.

Summary

The Risk Management Regulations, which also contain Risk Management and Internal Control Standards, provide clear guidance on effective Risk Management and Internal Control systems, the compliance function, the actuarial function, the control function, the internal audit function, outsourcing, stress testing of material risks and countering of fraud in insurance.

While all of these are important and must be followed by all insurers, we highlight some of the key developments below:

  • An Insurer must have comprehensive and effective systems of Risk Management and Internal Controls that provide a company-wide view of all material risks to which it is or could be exposed, and their interdependencies. An entity’s definition and assessment of material risks must take into account its Risk Appetite, Risk Profile, and the nature, size and complexity of its business and structure. Further, for entities which are part of a Group, and where the Central Bank is the primary regulator, the entities must develop a process which provides the Board with an entity-level and group-level view of all material risks;
  • The Risk Management system must cover, at a minimum, underwriting, reserving, asset-liability management, investments, liquidity, reinsurance, concentration of risk, operational risk, risk mitigation techniques and conduct of business. It must also cover the risks to be included in the calculation of the Solvency Capital Requirement as set out in the Financial Regulations as well as the risks which are not, or not fully, included in the calculation thereof;
  • Special emphasis has been placed on “Control Functions”, which include Risk Management, Internal Audit, Compliance and Actuarial, and which must have direct access to the Board or to the relevant committee. The regulations go on to detail each function; for example, the Risk Management function should be headed by a Chief Risk Officer (CRO) or equivalent. The head of each control function must be well resourced with qualified staff, and should not participate in operational business responsibilities, such as underwriting, investment, reinsurance, sales or accounting. The Insurer must not dismiss the heads of Control Functions without first obtaining the no-objection of the Central Bank. Compensation of employees in the Control Functions must be determined independently of the performance of the Insurer to ensure avoidance of any conflict of interest; and
  • Detailed guidance has now been provided with respect to outsourcing, both within the UAE and outside. Prior no-objection of the Central Bank is mandatory for outsourcing of a Material Business Activity, i.e. an activity that has the potential, if disrupted, to have a significant impact on the insurer’s business operations or its ability to manage risks effectively. Although all requests for non-objection will be considered on their individual merits, the Central Bank will, in general, not permit the Outsourcing of core insurance activities, and key management and Control Functions, including but not limited to Senior Management oversight and internal audit.

How can we help?

Most of the locally incorporated insurers in the UAE are part of wider groups and local family businesses, and the requirements of the Risk Management Regulations will have a far-reaching impact across the group: entities within the group will have to re-evaluate their risk management strategy, governance and compliance with these requirements, including outsourcing arrangements within the group for cross functions.

For insurers set up as branches of foreign insurance companies, there is a need to establish a strong governance and management team at the local level which understands the various functions and is able to synchronize these with the parent entities. Such entities often have outsourcing arrangements with their group entities in other jurisdictions, which will now need to comply with these regulations, starting from obtaining the no-objection from the Central Bank and ensuring that such arrangements build in the provisions mandated under the Risk Management Regulations.

Our team of insurance experts is happy to advise on the overall impact of these regulations on your business, review and revise outsourcing agreements, assist in the formulation of risk management and other strategies, and provide training to key staff on these requirements and other regulatory developments from time to time.
