Part II: Financial Regulations For Insurance Companies - Insurance Laws and Products

The UAE Insurance Authority (the Authority) published the Financial Regulations for Insurance Companies (the Financial Regulations) in December 2014. They have subsequently been supplemented with a pro-forma solvency template and e-Forms. Each of these documents is available on the Authority's website.¹ In this second Article in our series on the Financial Regulations, Peter Hodgins and Liesel van den Heever consider the detailed requirements with which insurers will be required to comply.²

This Article addresses the requirements of the Financial Regulations in relation to:

The insurer's investments;
The new solvency requirements for insurers;
Risk management;
Technical provisions;
Corporate Governance; and
Documentation and Reporting.

The Insurer's Investments

Much of the commentary on the Financial Regulations to date has focused on the limits on asset investments. This is perhaps unsurprising given the reputation of certain Insurers for focusing on generating profit through their investments rather than the technical underwriting aspects of their business.

In relation to the investment activities of Insurers, the aim of the Financial Regulations is stated in Article 1(1) of Section One:

"The Company must ensure that the assets are diversified and adequately spread and allow the Company to respond adequately to changing economic circumstances. In particular for developments in the financial and real estate markets or major catastrophic events; the Company must assess the impact of irregular market circumstances on its assets and must diversify the assets in such a way as to reduce such impact."³

The Financial Regulations therefore introduce controls on Insurers' investment activities and set out guidance in respect of general requirements for investments and Insurers' investment policies, including: the characteristics and diversification of Insurance Companies' investments, asset distribution and allocation limits, investment related risks, the domiciling of investments, and the use of derivatives.

Controls on Investment Activities

There are a number of key controls on investment risk imposed by the Financial Regulations:

Insurers are required to submit reports in relation to their investment activities to the Authority on a quarterly and annual basis (Section 1, Article 10).

Concentration risk is addressed by the imposition of restrictions on investments with the same issuer and/or in the same asset classes (see below for details of the asset allocation limits).

Insurers are required to establish an Investment Committee (see below for details of the role of the Investment Committee).

There needs to be adequate segregation of duties in relation to the execution, recording, authorisation and reconciliation of investments (Section 1, Article 1(3)).
Insurers are required to have a defined risk appetite and to establish investment and risk management policies to ensure that investment activity is carried on in accordance with the defined appetite (Section 1, Article 2(1)).⁴ Procedures must be in place to ensure compliance with the asset allocation limits (Section 1, Article 2(3)). The policies should also provide for, at least, annual stress testing to ensure that the investment strategy remains appropriate to the circumstances of the Insurer (Section 1, Article 2(5)).
A separate investment strategy is required for entities conducting both life and non-life business (Section 1, Article 2(8)).
Insurers are required to have a "Contingency Funding Plan" to address how current and future liabilities will be met in the event that it does not have sufficient assets or liquidity of assets (Section1, Article 2(9)).
There are restrictions on the holding of assets outside of the UAE (see below).
The outsourcing of investment activities to a third party investment manager is restricted to investment managers in the UAE and subject to the overriding principle that the Insurer remains primarily responsible for the performance of the outsourced investment manager (see below).

Asset Allocation Limits

Insurers are only permitted to invest in assets for which the risk can be "properly identified, measured, monitored, managed, controlled and reported" (Section One, Addendum 1(2)). However, it is the asset allocation limits provided in Article 3 of Section One that have received the most comment in the market. This Article provides both a maximum limit on exposure to particular asset classes and also a sub-limit for single counter-party exposures as follows:

Article 3(2) of Section 1 states that the above limits applies to "Total Invested Assets" (which is defined as the sum of all assets held for investment purposes, including derivatives and other hedging instruments and cash). However, we understand that the Authority has indicated that assets in excess of the above limits will not be admissible for the purposes of calculating the solvency of an Insurer.

Article 7(A)(1)(a) of Part Two of the Regulations, provides that Insurers which exceed the maximum limits of 30% for investment in real estate have until 29 January 2018 to make adjustments to comply with the limits set. The compliance period for insurers that have exceeded the maximum limits of other types of assets is until 29 January 2017. Analysis published by A.M. Best suggest that the asset allocation limits are reflective of the average distribution of assets by insurers in the UAE. This invariably means that there are companies that will need to divest assets in order to comply with these requirements.

Valuation of Assets

The valuation requirement for investment assets is set out in Addendum 1 to Section 1.

Where possible, assets must be valued on a mark-to-market basis using the "more prudent" side of the bid/offer spread or mid-market rate (Section 1, Addendum 1(5)). Where there is a material difference between the bid/offer spread and the mid-market rate, Insurers must consider adjusting the valuation or making reserves against the credit risk (Section 1, Addendum 1(5)).

Where mark-to-market is not possible, Insurers are required to use mark-to-model valuations (Section 1, Addendum 1(6)). Such models must be independently tested from the party that developed the model, approved by the Investment Committee and independently certified by an Actuary. The senior management of the Insurer are responsible for ensuring that the Investment Committee is aware of all positions that are subject to the mark-to-model valuation, and the materiality of the uncertainty that such valuations create.

There are specific rules specifying the valuation process for real estate set out in Section 1, Addendum 1(6)).

Outsourcing of Asset Management Activities

An Insurer will only be permitted to outsource investment management to an investment manager inside the UAE, and is required to monitor the performance of the outsourced entity on a quarterly basis. However, no definition or any licensing requirements are provided in respect of such an "investment manager."⁷

The requirement to outsource to a third party inside the UAE could prove problematic for Insurers that outsource to entities with centralised investment teams outside of the UAE.

Insurance companies will need to update their governance of the outsourcing situation and roles and responsibilities need to be redefined. Insurers are required to have policies and procedures governing outsourcing activities (including limitations on the authorities of the outsourced provider), and risk managements systems (Section 1, Article 8(1) and Addendum 5(2)). These policies will need to reflect that the Insurer remains primarily responsible for the activities of the outsourced investment manager (Section 1, Article 8(3)). It is therefore necessary for Insurers to ensure that they have adequate expertise and resources in-house in order to monitor the functions of the outsourced entity (Section 1, Addendum 5(2)).

In addition, the outsourcing agreement will need to comply with the requirements specified by the Authority and copy of the agreement must be provided to the Authority upon request (Section 1, Article 8(2) and (4)). There are a range of considerations that will need to be addressed in relation to such outsourcing agreements, including consideration of the requirements for the segregation of assets, service levels, management information, record keeping and data protection requirements etc.

Domicile of Investments

A key consideration for Insurers is the restrictions on where assets may be held. Section 1, Article 6 provides that assets held outside of the UAE may only be held in a foreign jurisdiction with a sovereign rating that is at least equivalent to that of the UAE. Not more than: (i) 50% of the Total Invested Assets; or (ii) 100% of the assets held in respect of the technical provisions, may be held outside of the UAE.

Solvency Requirements

Controls on Solvency

There are a number of key controls around the issue of solvency:

The Financial Regulations create three different measurements of solvency, including a risk-based solvency capital requirement akin to the model used in Solvency II. The highest of the three measurements applies in each case.
Insurers are required to maintain certain specified types of assets (referred to as "Own Funds") equivalent to the highest of the solvency measurements.
Insurers must establish risk management systems and controls.
There are extensive reporting obligations in relation to the solvency requirements, including: (i) the annual submission of the solvency template; and (ii) a quarterly report on the Solvency Capital Requirement. In addition, Insurers are required to "immediately" report any non-compliance with the solvency requirements and to submit a realistic recovery plan.
The Authority can also require a Financial Condition Report to be submitted on an ad hoc basis to include such details as may be requested by the Authority.⁸

Measuring Solvency

Section Two of the Financial Regulations creates three key measurements in respect of the solvency of Insurers:

Minimum Capital Requirement (MCR) – as was previously required by the Insurance Law and Cabinet Resolution No. 43 of 2009, Insurers must maintain a minimum capital of AED100 million (AED250 million for reinsurers);
Minimum Guarantee Fund (MGF) – to be calculated on the following basis: (i) not less than one third of the Solvency Capital Requirement; and (ii) the higher of a minimum amount to be specified by the Authority for each type of business and a specified percentage of the net earned premium for each type of business.
The Solvency Capital Requirement (SCR) – the amount calculated by reference to the risks to which the insurer is exposed using the solvency template published by the Authority.

Insurers are required to maintain Own Funds (as defined – see below) equivalent to the higher of the three measurements (Section 2, Article 8(1)). For these purposes all of the MCR is required to be met by Basic Own Funds and the MGF and SCR are required to be met from Basic Own Funds plus not more than 50% of Ancillary Own Funds (Section 2, Article 7(6) and (7)).

It is envisaged that the MCR will be the most relevant solvency requirement for start-up and smaller insurers. However, as their business matures and grows in volume the MGF and, increasingly, the SCR will become much more material components in the solvency calculation.

Own Funds

For the purposes of calculating whether an insurer satisfies the solvency requirement, the Financial Regulations use the concept of "Own Funds". These are divided into:

Basic Own Funds – which consist of: (i) the surplus of Admissible Assets over liabilities less the amount of any treasury shares held by the insurer; plus (ii) subordinated liabilities in the form of group level debt in a holding company;⁹ and
Ancillary Own Funds – which consist of items other than Basic Own Funds which can be called up to absorb losses, including unpaid share capital, letters of credit or guarantees and other legally binding commitments receivable by the Insurer (Section 2, Article 7(2) and (3)).

Risk Management

The Financial Regulations define "risk management" as:

"[T]he process of identification, evaluation and economically effective mitigation of past, present or future events or their impact that cause a Company to deviate from its stated objectives whether positively or negatively. These events can impact both the asset and liability side of the Company's balance sheet, the Company's profit and loss account, its cash flows, its earning capacity, profitability, ability to continue as a going concern, reputation and its intellectual and technological capital." (Section 2, Addendum 2(1)).

As the SCR is to be calculated by reference to the risks to which an Insurer is exposed, including underwriting risk, market and liquidity (investment) risk, credit risk and operational risk (Section 2, Article 5(1) and Section 2, Addendum 1) it follows that, in order to complete the solvency template to calculate the SCR, an insurer will need to have risk management systems and controls. Such systems and controls are mandated by Section 2, Article 6.

There is flexibility with regard to the composition of the risk management systems and controls. The Financial Regulations note that they will need to take into account a range of factors, including the nature, size and complexity of an Insurer's business, the diversity of its operations, the volume and size of transactions that it undertakes, etc. (Section 2, Addendum 2(3)). However, processes are required to be in place to ensure that:

There is a risk appetite established by the Board of Directors;
There is an assessment of all risks faced by an insurer; and
Sufficient management information is available to ensure to facilitate internal and external reporting of risk (Section 2, Addendum 2(2)).

Insurers are required to maintain contingency plans in order to address risks that materialise (Section 2, Addendum 2(5)).

Technical Provisions

Insurers are required to establish technical provisions to meet their obligations to policyholders and beneficiaries, including:

Unearned Premium Reserves;
Unexpired Risk Reserves;
Outstanding Loss reserves;
Incurred But Not Reported Reserves;
Allocated Loss Adjustment Expenses and Unallocated Loss Adjustment Expense Reserves; and
(for life insurance business only) the Mathematical Reserves.

There are detailed provisions with regard to the calculation each of the reserves set out in Section 3, Article 3 and Addendums (1) and (2).

Investment Requirements

Insurers are required to maintain investment assets within the UAE equivalent to the technical reserves. For these purposes, the requirement is to be calculated gross of reinsurance for UPR, URR and the Mathematical Reserve, but for all other technical provisions is to be net of reinsurance (Section 3, Article 2).

The Role of the Actuary

As we discuss below, the Actuary is a key figure in the Financial Regulations. In relation to the technical provisions, the actuary is required to review the provisions both gross and net of reinsurance and to certify the quarterly and annual report on the technical provisions.

Other Key Features

The requirements of the Financial Regulations in respect of asset allocation, solvency, risk management and technical provisions have certainly received the most attention from the media. However, there are a number of other aspects of the Financial Regulations which merit detailed consideration.

Corporate Governance and Structural Requirements

From a lawyer's perspective, one of the most striking features of the Financial Regulations is the clear demarcation of roles and responsibilities for compliance with the requirements of the Financial Regulations. Express reference is made to the following roles: the Chairman of the Board of Directors, the Board of Directors, the Senior Management, the Investment Committee, the Actuary, the Audit Committee, the Internal Auditor, the External Auditor and the Compliance Officer. It is perhaps no surprise to see such allocation of responsibilities. The global trend is for financial services regulators to hold individuals within the management accountable for compliance with regulations in addition to imposing sanctions.

Please see Table One of our first article with regard to the detailed requirements for each of these roles.¹⁰ However, by way of summary:

The Board of Directors

The Authority Imposes primary responsibility on the Board of Directors for ensuring compliance with the Financial Regulations. The Board of Directors' responsibilities can be broadly divided into the following key aspects:

Appointments – the Board is responsible for determining the membership of the Audit Committee and the Investment Committee. It is also responsible for the appointment of the Actuary.
Investments - Determining the Insurer's risk appetite for investments and reviewing investment and risk management policies on an annual basis. The Board of Directors also has specific responsibilities for the derivatives transactions of an Insurer.
Outsourcing – managing any outsourcing to a third party of investment management services.
Reviewing reports – the Board of Directors should receive reports on any breaches of the investment limits and/or the immediate and future risks identified by the Actuary which may have an impact on the ability of the insurer to fulfil its liabilities.
The Board's report is also required to be included in Financial Statements.

In addition the Chairman of the Board of Directors is also required to endorse the annual risk analysis report of its investment portfolio, the solvency template submitted annually, any Financial Condition Report requested by the Authority, the submission of the annual report on the technical provisions and to sign the Financial Statements.

Senior Management

The Financial Regulations also impose a number of express obligations on the "senior management" of an Insurer. There is no express definition of this term. We anticipate that this is a deliberate decision by the Authority to accommodate the different management structures used by insurers in the region and to allow flexibility in the enforcement of the Financial Regulations.

The responsibilities allocated to senior management can be summarised as follows:

Implementation of the risk management systems and controls.
Reporting to the Investment Committee on the Insurer's investment activities, including highlighting any investments which are subject to "mark-to-model" valuations.
Management of the Insurer in accordance with the risk appetite specified by the Board of Directors.
Developing the risk management policy for derivatives trading and regularly reporting on such business.

The Investment Committee

The Investment Committee is described as a Board of Director level committee and is to include members from amongst the board, the executive management and the other committees formed by the Board of Directors. It must have its own charter, investment policies and guidelines approved by the Board of Directors.

The minimum responsibilities of the Investment Committee are described in Section 1, Addendum 2(2) as including:

Establishing the investment strategy and policy for approval by the Board of Directors;
Setting the Investment Guidelines;
Reviewing and monitoring the investment activities of the Insurer;
Determining the scope of the audit procedures in relation to the Insurer's investment activities; and
Assisting the Board of Directors in evaluating the adequacy and efficiency of the investment policies and procedures.

In addition, the Financial Regulations also set out specific requirements for the Investment Committee's role in ensuring the segregation of functions for investment activity and monitoring of investments that are subject to a mark-to-model valuation.

The Actuary

The role of the Actuary is central to the Financial Regulations, which specify that an Insurer's Board of Directors must appoint an Actuary for both life and general business. The Actuary must be registered with the Authority and the Insurer must notify the Authority upon the appointment and dismissal of an Actuary. In an attempt to prevent insurers from shopping around for the most favourable actuarial report, insurers are also required to give reasons for changing an appointed Actuary.

The primary change in the Financial Regulations is that the Actuary is required to be involved in both the asset and liability side of an insurer's business. The responsibilities of the Actuary can be summarised as follows:

Certification of documents: the Actuary must certify the annual risk analysis report in relation to the Insurer's investments, mark-to-model valuations, the solvency template, the quarterly report on the Solvency Capital Requirement and any Financial Condition report required by the Authority.
Reporting: the Actuary is required to provide a report on the technical provisions of the Insurer on an annual and quarterly basis, and to provide a report addressing the immediate or future risks facing the company which may prejudice the Insurer's ability to meet its liabilities or satisfy the capital adequacy requirements.
Controls: the Actuary has a responsibility to be satisfied as to the quality of data used to calculate the technical provisions. It also has to provide the Authority with an explanation of the methodology used to calculate the IBNR and to explain any changes to the methodology used if it has a material impact on the results of the Insurer.

The Audit Committee

Insurers are required to establish an Audit Committee comprising at least three members from amongst its non-executive directors, executive managers or members of other committees established by the Board of Directors. One of the members of the Audit Committee must be qualified in financial and accounting affairs. The Audit Committee is required to meet at least once every three months.

The Audit Committee has oversight of the internal and external audit functions and the external auditor is required to report risks and control deficiencies to the Audit Committee.

There are relatively few express obligations imposed on the Audit Committee in the Financial Regulations. These obligations relate to the investment activities of the Insurer and include:

To work with the Investment Committee to determine the scope of rigorous audit procedures in respect of investment activities with a view to ensuing the timely identification of control weaknesses and operating system deficiencies.

To arrange audit reports on the adequacy and efficiency of the investment policies, procedures and controls.

The Internal Auditor

Insurers are required to establish an Internal Audit Department which, as noted above, must report to the Audit Committee. The Internal Audit Department must be commensurate with the size and nature of the Insurer. It must have a head of department who must be appropriately qualified and have relevant and adequate experience.

The Internal Auditors Department is required to establish an annual audit plan and to perform an annual risk assessment in accordance with the requirements of the plan. The purpose of the assessment is to provide "reasonable assurance" that risk management, control and governance functions operate as intended to enable the insurer to meet its objectives. The Internal Audit Department should provide recommendations to improve the Insurer's operations and evaluate the risk exposures relating to the achievement of the Insurer's operations.

The scope of the annual audit is required to include an evaluation of:

The reliability and integrity of the information provided to the Internal Audit Department;

Information security;

The regulatory compliance programme (in conjunction with the Insurer's legal counsel); and

The business continuity plans.

The External Auditor

Insurers are required to appoint External Auditors on an annual basis. Where the Insurer does not appoint an External Auditor within 4 months of the commencement of the financial year the Authority may appoint one.

The External Auditor's obligations under the Financial Regulations include:

Submitting its management letter to the Insurer before the publication of the financial statements.

Authentication of documents: The External Auditor is required to authenticate the quarterly and annual reports on the Insurer's investments, the solvency template and the technical provisions.

Reviewing actuarial reports presenting the immediate or future risks facing the Insurer and to provide an opinion on such risks to the Authority.

The Authority has the power to require the External Auditor to undertake additional work (at the expense of the Insurer), including requiring the External Auditor to expand the scope of its audit, to submit documentation and information to the Authority and to notify the Authority of any reservations that the External Auditor has in respect of the accounts or reserves of the Insurer.

Compliance Officer

The Financial Regulations repeat the requirement for all Insurers to appoint a Compliance Officer. The Compliance Officer's role is described as to verify the Insurer's compliance with "all rules, regulations and instructions." The Compliance Officer is to report to the Chief Executive Officer, but is also required to report directly to the Authority and to provide such information as may be required by the Authority.

Documentation and Reporting Requirements

Another facet of the Financial Regulations is extensive disclosure requirements for Insurers, and they and require both annual and quarterly reporting. Companies should carefully plan the reporting timetable and align resources required for this.

In addition to the quarterly report and analysis of its investment portfolio (with a deadline of 45 days after the quarter end), Insurance Companies are now also required to submit an annual risk analysis report of their investment portfolios, strategy and management process.

Insurers must submit a solvency template, validated by the Actuary and the External Auditor and endorsed by the Chairman of the Board of Directors, to the Authority within 4 months from the financial year end. Additionally, Companies must submit a report on the Solvency Capital Requirement to the Authority on a quarterly basis. This report must be certified by the Actuary and be submitted within 45 days of the quarter end.

Details of Technical Provisions must be reported by Insurers to the Authority quarterly, in addition to submitting an annual report certified by the Actuary, authenticated by the External Auditor, and endorsed by the Chairman of the Board of Directors.

Insurance Companies must also provide Financial Statements in the prescribed format both quarterly and annually. The annual Financial Statements must be audited by the External Auditor and signed by both the Chairman of the Board of Directors and the General Manager, and included in the annual report. This annual report must also include:

The notes to the Financial Statements;
The Report of the Board of Directors;
The Report of the Actuary of the Company;
A description of the roles of the Actuary and the External Auditor in the preparation and audit of the annual financial statements; and
The Management Report (though this is not applicable to branches of Foreign Insurance Companies).
The Authority has the right to request a Financial Condition Report (FCR) at any time, which has to be certified by the actuary.

Records

In addition to reporting requirements, the Financial Regulations impose onerous requirements on Insurers to maintain books and records across the entire spectrum of their operations, across all lines of business, and to make them available to the Authority for examination. These requirements are set out in Section 5, and include the following:

Insurers must maintain complete transaction records for all local and international operations in their original form. Completed transaction records for business booked in the UAE must be maintained in the UAE, and must be easily accessible to the Authority.
Separate records must be maintained for Persons and Fund Accumulation insurance operations and Property and Liability insurance operations, and Insurers must maintain such accounting and other records necessary to identify all assets and liabilities in respect of each kind of business.
Insurers must maintain backups of all records, which must be kept in a separate location to the original records.
An extensive, non-exhaustive, list of records to be kept by Insurers is set out in Section 5, Article 3(1), and the Addendum to Section 5 contains further details as to what these records should contain.
The retention period of records and backups has now been increased to 10 years (previously 5 years) after the activity or working relation with the insured has ended, in alignment with certain Central Bank requirements.
Section 5, Article 4 provides the Authority with wide powers to examine such records and request information from an Insurer's employees.
Accounting books must be maintained in accordance with Section 6.

Insurance agents and brokers must also keep records, as mandated by Section 5, Articles 5 and 6 respectively.

Footnotes

^{1
http://www.ia.gov.ae/en/RulesRegulations/Pages/Financial_instructions_IC.aspx}

^{2 For an overview of the Financial Regulations and the
timetable for their implementation, please refer to our first
article which can be found at
http://www.clydeco.com/insight/updates/view/uae-insurance-market-leads-the-way-with-long-awaited-prudential-regulations}

^{3 Section One, Article 1(4) also notes that assets held by
insurers to cover its technical provisions and long-term
liabilities must have "characteristics of safety, yield and
marketability... appropriate to the type of business carried
on" and the assets must be "diversified and adequately
spread." Article 1(5) continues to note that they must be
"of a sufficient amount, and of an appropriate currency and
maturity, to ensure that cash inflows from those assets will meet
the expected cash outflows from... insurance liabilities as they
become due."}

^{4 Section 1, Addendum 3 sets out detailed provisions with
regard to the requirements to monitor and manage liquidity risk,
credit risk and market risk.}

^{5 Section1, Article 7 prohibits Insurers from dealing in
derivatives save for "hedging purposes." Where they are
used for hedging purposes the risks associated with such
transactions must be "insignificant and remote." All
other derivative positions must be closed out "promptly."
Further details in relation to the requirements for derivatives are
set out in Section 1, Addendum 4.}

^{6 The Financial Regulations provide for the possibility of
an exemption to the asset allocation limits for real estate with
the permission of the Authority (Section 1, Article 3(3)) and for
derivatives where they are for the purposes of hedging currency
fluctuation only (Section 1, Article 3(4)).}

^{7 The Emirates Securities and Commodities Authority
Decision No. (1) of 2014 Concerning the Regulations on Investment
Management creates a category of licence for investment managers.
However, it is anticipated that the Authority will permit insurers
to use entities such as Central Bank licensed banks and investment
companies for these purposes.}

^{8
http://www.ia.gov.ae/en/RulesRegulations/Pages/Solvency_template.aspx}

^{9 Such group level debt is subject to the prior approval of
the Authority.}

^{10 Our first article can be found at
http://www.clydeco.com/insight/updates/view/uae-insurance-market-leads-the-way-with-long-awaited-prudential-regulations}

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

UK: Part II: Financial Regulations For Insurance Companies