Page 1 Overview of the Internal Control Requirements for the Maltese Insurance Industry Dr. Marisa Attard Malta, 8 April 2010.

Presentation transcript:


CEIOPS
Page 2: Session Outline
- Overview of Insurance Rule 27 of 2009 – Insurers’ Internal Controls (‘Rule’)
- Future Work Plan

Page 3: Scope of the Rule
To determine the internal controls required to be implemented by Board appropriate to company’s business and which would enable the company to verify that:
- Business is conducted in a sound and prudent manner;
- Transactions only entered into with appropriate authority;
- Assets are safeguarded;
- Accounting and other records provide complete, accurate, verifiable and timely information;
- Management is able to identify, assess, manage and control risks of the business and maintain sufficient capital for these risks.

(source IAIS – ICP 10 – Internal Controls)

Page 4: Savings
Requirements of the Rule are without prejudice to:
- Legal responsibilities and framework within which Board of Directors are required to carry out their responsibilities in terms of Companies Act, 1995;
- Obligations emanating from the Insurance Business (Criteria of Sound and Prudent Management) Regulations, 1999;
- The requirements of the Code of Principle of Good Corporate Governance contained in the Listing Rules applying to listed companies; and
- Corporate Governance Guidelines for Public Interest Companies issued by the MFSA.

Page 5
The Rule:
- Lays down guidelines on internal controls;
- Provides specific examples of areas to be considered by an insurance undertaking in establishing and maintaining internal controls.

Page 6: Interpretation
For purposes of Rule, Internal Controls means the policies, systems and processes, established by the Board of Directors and effected by senior management and other personnel of the company, designed to provide reasonable assurance regarding the achievement of objectives in the effectiveness and efficiency of operations, the reliability of financial and non-financial reporting, adequate control of risks, a prudent approach to business and compliance with applicable legislation.

Page 7: General Guidelines
An insurance undertaking when establishing and maintaining internal controls should:
- Take reasonable care to establish and maintain internal controls appropriate to its business;
- Take into consideration the nature, scale and complexity of its business;
- Diversity of its business, including geographical diversity;
- Volume and size of its transactions;
- Degree of risk associated with each area of its operations.

Insurance undertakings should carry out regular review of these controls and identify any faults and/or fragilities.

Page 8: General Guidelines
Guidelines require an insurance undertaking to have in place an appropriate and effective internal control environment that ensures that the insurance undertaking is managed in a sound and prudent manner.

The factors encompassing the internal control environment are:
- Board of directors that is actively concerned with sound corporate governance and that understands and diligently discharges its responsibilities by ensuring that undertaking is appropriately and effectively managed and controlled;
- Management that actively manages and operates the undertaking in a sound and prudent manner;
- Organisational and procedural controls supported by an effective management information system to soundly and prudently manage the undertaking’s exposure to risk;
- An independent audit mechanism to monitor the effectiveness of the internal controls.

Page 9: Responsibilities of Board
Board:
- Is responsible to approve and review the overall business strategies and important policies of the undertaking;
- Is to establish and maintain effective internal controls;
- Be aware of major risks facing the company.

Page 10: Activities of Board
Activities of board in relation to internal controls are to include:
- Establishment of internal controls;
- Periodic discussions with senior management regarding the effectiveness of internal controls;
- Regular and timely review of effectiveness of internal controls made by senior management, internal and external auditors and other control personnel;
- Ensure that all concerns raised on internal control weaknesses are followed up by senior management;
- Establishment and oversight of a risk management system that includes setting and monitoring internal controls so that all major risks are identified, measured, monitored and controlled on an ongoing basis;
- Periodic review of risk management systems, strategies and policies.

Page 11: Responsibilities of Senior Management
Senior Management is to:
- Effectively implement internal controls – if responsibility is delegated, senior management remains responsible to oversee that personnel with the delegated responsibility also develop and enforce appropriate internal controls;
- Ensure compliance with established internal controls. Important to have in place a well defined organisational structure, with clear lines of responsibility and authority, providing for effective communication throughout the organisation;
- Ascertain that qualified and competent staff carry out the undertaking’s activities and that staff training and skills are regularly reviewed.

Page 12: Compliance
- Company should take reasonable care to establish and maintain effective internal controls for ensuring compliance with applicable legislation, conditions of authorisation as well as other applicable laws of Malta, whether insurance specific or not;
- Appropriate to have a separate compliance function as part of the internal control system:
  - Dependent on nature, scale and complexity of business;
  - Compliance function should be documented preferably, set out in the internal control policy of the company.

Page 13: Compliance (cont.)
- Staffed by competent staff who are sufficiently independent to perform their duties objectively, with unfettered access to the company’s relevant records necessary to allow it to carry out its responsibilities;
- Although not expressly stated in the Rule, it is expected that the compliance function shall promptly report any major compliance problems it identifies to the Board of directors.

Page 14: Risk identification, evaluation and management
Undertaking should have in place effective and appropriate internal controls for:
- Identifying, assessing and evaluating on an on-going basis the significant risks to which it is exposed across all hierarchy levels, operational processes and functional areas;
- Prudently managing and controlling these risks including the development and implementation of appropriate internal controls relating to risk mitigation and risk transfer arrangements.

Page 15: Risk identification, evaluation and management (cont.)
- Deciding on risk tolerance limits and resilience strategies and regularly reviewing limits and strategies;
- Ensuring that circumstances for which controls and limits were originally designed are still appropriate and effective;
- Evaluating risks involved for new types of business activities and setting of sound and prudent exposure limits and risk management policies;
- Ensuring that overall risk profile of undertaking is sound and prudent;
- Risks which undertaking may face not limited only to underwriting or reinsurance risks, but may also extend to other forms of risk such as credit, concentration, market, liquidity and operational.

Page 16: Management Information System
- Undertaking should develop, maintain an effective comprehensive management information system in order that timely, sufficient and relevant information is produced to ensure the prudent management of the undertaking;
- Quality information should be available at all levels within the organisation to assist in making informed business decisions;
- Need to review management information systems on a regular basis.

Page 17: Human Resource Management / Training
- Need for undertakings to establish human resource policies and procedures to ensure that resource requirements of the undertaking are identified;
- A human resource programme needs to include:
  - The development and implementation of human long term plans, thus ensuring that sufficient, experienced and skilled staff are available to carry out its business in a prudent manner;
  - Development and regular review of remuneration programme to ensure that company is managing prudently the risk associated with its variable remuneration policies;
  - Regular personnel evaluation and review.

Page 18: Internal audit function
- Undertaking should have an ongoing internal audit function that is objective and independent from operational functions and which is of a nature and scope appropriate to the business;
- Internal audit function should include an evaluation and examination of the internal controls as well as the compliance of activities with internal strategies, processes and reporting procedures;
- An internal audit function needs to:
  - Have unfettered access to all company’s business lines and support departments;
  - Assess outsourced functions;
  - Have appropriate independence, including reporting lines to Board of directors.

Page 19: Internal audit function (cont.)
- Have status within the company to ensure that senior management reacts to and acts upon its recommendations;
- Be granted sufficient resources and staff that are suitably trained, possess appropriate experience to understand and evaluate business they are auditing;
- Employ a methodology that identifies key risks run by the company and allocates its resources accordingly.

The MFSA has the right of access to internal audit reports.

Page 20: Audit Committee
- Establishing of audit committee depending on nature, scale and complexity of undertaking’s business;
- Generally constituted as a sub-committee of board of directors to whom it is answerable and reports regularly;
- Membership confined to non-executive directors and at least one member is independent with competence in accounting and / or auditing;
- Generally minimum of 3 members;
- Should have clear written terms of reference specifying membership, authority and duties of audit committee.

Page 21: Audit Committee (cont.)
Audit committee functions should include:
- Monitoring of the internal reporting process;
- Monitoring of effectiveness of company’s internal control, internal audit, and risk management systems;
- Monitor statutory audit of the annual accounts;
- Review and monitor the independence of the external auditor and, in particular the provisions of additional services to the company by the said auditor as well as make a recommendation to the board for the appointment of the external auditor.

To properly execute its functions audit committee should have explicit authority and necessary resources and full access to information.

Page 22: Other areas
Other areas which a company is expected to consider when establishing and maintaining internal controls include:
- Business strategy: undertaking company should plan its business appropriately so as to be able to identify, measure, manage and control risks of regulatory concern. Business strategy plan should be well documented and updated to take account of changes in the business environment.
- Business continuity and contingency planning: undertaking should have in place appropriate arrangements (contingency plan) to ensure that it can continue to function and meets its regulatory obligations in the event of an unforeseen interruption. Contingency plan should be regularly updated, tested, tests documented and reinforcements effected.

Page 23: Other areas
- Accounting and record keeping controls: Undertaking needs to establish and maintain appropriate internal controls over the accounting and other record keeping process. Accounting records should disclose with reasonable accuracy, at all times, the financial position of the company and enable the financial statements required by the MFSA to be prepared within time limits specified in the conditions of authorisation;
- Safeguarding Controls: The undertaking should have in place appropriate and effective safeguards to ensure that procedures exist for the safeguarding and protection of its assets and those of its customers or other parties held in physical custody or on a book based system;
- Outsourced functions: Company should set controls and monitor on an ongoing basis all outsourced functions as if these functions were performed internally and subject to the normal standards of internal controls.

Page 24: Other areas
- Segregation of duties: Segregation of duties, both between individuals and departments, reduces risks of intentional or unintentional manipulation or error by increasing the element of independent verification;
  - Hence, depending on the nature, scale and complexity of the undertaking’s business there must be in place effective internal controls respecting the segregation of duties in order to ensure the existence of a clear and distinct separation of incompatible duties;
  - Work flow should be designed so that work of one person is either independent of, or serves as a check on work of other person.

Page 25: Other areas
- Actuarial reports: Where the appointment of an actuary is required by law, actuarial reports are to be made to the board. The board and senior management should review the recommendations of the actuary. Senior management are to implement the adequate measures. Hence, internal controls should be set up to ensure compliance with measures implemented;
- Consumer Protection and Complaints: An undertaking should deal with due care, skill and diligence in its dealing with consumers. It is expected that an undertaking treats its customers fairly and has systems for recording and handling a complaint. It should provide training to its employees in this area.

Page 26: Future Work Plan
Implementation of Solvency II
- Transposition of L1 text and L2 implementing measures in national law by 31 October
- L1 Text: Article 46 of Directive 2009/138/EC of 25 November 2009;
- L2 Implementing Measures: CEIOPS’ Advice for Level 2 Implementing Measures on Solvency II: System of Governance – October 2009 (former CP 33).

Page 27: Future Work Plan (cont.)
MFSA:
- System of Governance Guidance Notes to be issued in April MFSA will require feedback from licence holder;
- Future on-site compliance visits: emphasis on system of governance issues.

Page 28: Contact
Dr. Marisa Attard, Director – Insurance and Pensions Supervision Unit, Malta Financial Services Authority, Notabile Road, Attard, Malta