  • Regulatory Reporting

    • Insurance Authority’s Board of Directors’ Decision No. (19) of 2020 Concerning the Guidance Manual for Insurance Companies and Related Professions to Submitting the Data, Information & Supervisory Reports

      Effective from 30/4/2020

      The Chairman of the Board of Directors of the Insurance Authority,

      1. - Having reviewed Federal Law No. (6) of 2007 Concerning Establishment of the Insurance Authority and Organization of the Insurance Operations and its Executive Regulations.
      2. - Federal Decree No. (20) of 2018 Concerning Anti Money-Laundering and Terrorist Financing and Financing of Illicit Organizations.
      3. - Cabinet Resolution No. (10) of 2019 Concerning the Executive Regulations of the Federal Decree No. (2) of 2018 Concerning Anti Money-Laundering and Terrorist Financing and Financing of Illicit Organizations.
      4. - Cabinet Resolution No. (20) of 2019 Concerning Executive Regulations for Terrorist Lists and applying United Nations Resolutions concerning Preventing and Suppressing Terrorism and its Funding and Preventing Arming and its funding and the Related Decisions,

      And based on the proposal of the Director General of the Insurance Authority and approval of the

      Board of Directors of the Authority,

      Has resolved:

      • Insurance Authority Board of Directors' Resolution No. (20) of 2020 Concerning the Extension of the Periods Granted to Insurance Companies to Submit the Specified Financial Data and Reports Statement and giving the Director General the Authority to Extend

        Effective from 13/5/2020

        The Chairman of the Board of Directors of the Insurance Authority,

        Having pursued,

        - The Federal Law No. (6) of 2007 on Establishment of the Insurance Authority & Organization of Insurance Operations, the amendments thereof and its Executive Regulation;

        - The Insurance Authority Board of Directors’ Decision No. (25) of 2014 Pertinent to Financial Regulations for Insurance Companies;

        - The Insurance Authority Board of Directors’ Decision No. (26) of 2014 Pertinent to Financial Regulations for Takaful Insurance Companies;

        - The legislations, regulations, instructions and enforceable decisions issued by the IA;

        - And, based on the recommendation of the Director General of the Insurance Authority and the approval of the Board of Directors,

        Has resolved,

        • Article (1)

          This Decision is applicable to all Insurance Companies established in the State and all Branches of foreign Insurance Companies licensed to operate in the State through a Branch or through an Insurance Agent, and Insurance Related Professions, in the context applicable to their nature.

          The Guidance Manual and the forms attached to this decision shall form an integral part thereof.

          • Article (1)

            The periods granted in the Insurance Authority Board of Directors’ Decision No. (25) of 2014 Pertinent to Financial Regulations for Insurance Companies and the Insurance Authority Board of Directors’ Decision No. (26) of 2014 Pertinent to Financial Regulations for Takaful Insurance Companies for submitting quarterly financial statements and any annual or quarterly reports or statements required by the Authority shall be extended for additional (45) days ending by 30/06/2020.

          • Article (2)

            Insurance Companies and Related Professions are committed to submitting the data, information and reports during the period of time specified by the Director General, and using the electronic means adopted by the Insurance Authority.

            • Article (2)

              The Director General of the Authority shall be authorized to issue decisions and circulars necessary to extend the periods prescribed to submit the financial statements and any other reports, statements, information, or forms required by the Authority from insurance companies and insurance-related professions under the legislations in force.

            • Article (3)

              The Director General shall issue the decisions and circulars to apply this Decision.

              • Article (3)

                The Director General shall issue the decisions and circulars necessary to implement the provisions of the Decision herein.

              • Article (4)

                This Decision shall be published in the Official Gazette, and shall come into force after three months of its publication.
                 

                • Article (4)

                  The provisions of this decision shall come into force as from the date of its issuance.

      • A Guide to the Regulatory Information, Data and Reports to be Provided by the Insurance Companies and Insurance-Related Professions

        Effective from 30/4/2020
        • First: Introduction

          The procedures and operations of the internal control, compliance and risk management have developed from the traditional to the modern methods emanating from the global professional associations, which laid down the international standards of the internal control, compliance, risk management operations in terms of planning and undertaking such activities, so that those in charge of these operations would focus on the riskiest fields.

          The task of those employees can be summed up in ensuring that the operations, actions and procedures of the company in certain fields of the insurance industry are in line with the provisions in the State-enacted laws and, in particular, the laws, regulations, instructions and decisions of the Insurance Authority.

          The Authority assures that the higher management has the responsibility for taking all necessary actions that would ensure objective and professional work performed by the staff of the Internal Control, Compliance and Risk Management Departments, especially in relation to providing the information and data and facilitating their work. The Authority also emphasizes that the staff should necessarily perform their work with high professionalism and objectivity free from any interest or pressure that would impact the integrity and impartiality of their reports.

          General Provisions:

          1. The insurance companies and the insurance-related professionals shall take due diligence to effectively regulate and control their affairs taking into consideration the nature, size, complexity and diversity of their operations and the risks faced by them. They must have suitable procedures and controls on the risk management.
          2. The insurance companies must establish and maintain a governance framework stipulating that:
            1. The responsibilities shall be distributed among the board directors, higher management and officers of the regulatory positions.
            2. The regulatory tasks shall be separated from the responsibilities of the management.
            3. The operations and affairs of the company shall be adequately monitored and controlled by the managers and the higher management.
            4. Such strategies, policies, procedures and controls shall be established and maintained including the internal controls in commensuration with the nature, size and complexity of the operations and risk profile of the company.
          3. They shall ensure that their policies, procedures and controls are regularly reviewed and updated as required.
          4. The insurance companies shall create and maintain the internal control jobs as follows:
            1. Risk management,
            2. Compliance which includes combating financial crimes, anti-money laundering and countering terrorism financing, and
            3. Internal audit.
            4. The insurance companies can combine more than one of the internal control jobs above by performing them through the internal control staff. It should be emphasized that the combating of the financial crimes shall be carried on by a separate and specialized employee in this task.
          5. The insurance-related professions shall create and maintain the internal control jobs as follows:
            1. Risk management,
            2. Compliance which includes combating financial crimes, anti-money laundering and countering terrorism financing,
            3. Internal audit, and
            4. The other jobs as they hold suitable for the nature, size and complexity of the insurance operations.
          6. The operating insurance brokerage companies can authorize the internal controller who is registered with the Insurance Authority to perform all aforesaid internal control tasks till other directives will be issued by the Authority.
        • Second: Information Update

          1. The insurance companies and the insurance-related professionals shall work on updating the information and data of the company in the electronic-systems of the Insurance Authority.
          2. The company shall authorize whoever it holds suitable of its staff for periodically updating this data in accordance with the periods in the regulations, instructions and decisions on updating its information in the IA registers.
          3. Some of the data and information shall be subject to the approval of the Insurance Authority in accordance with the requirements for necessarily applying Resolution No 15 of 2014 of the Board of the Insurance Authority on the Data and Information in the Register of the Insurance Companies and the Insurance-Related Professions.
          4. The management and the internal control staff in the insurance companies and the insurance-related professions shall review and update the procedures of the company for updating its information and providing the data and reports on a quarterly basis.
          5. The insurance companies and the insurance-related professions shall periodically review and update the following information according to the company’s business nature as appropriate including for example without limitation:
            1. General information about the company
            2. The information in the enrollment and licensing records on which the company is registered
            3. The information about the chairman and the directors of the board of the company
            4. The information about the principal officers of the company
            5. The information about the staff of the company
            6. The information about the nationals working in the company and the information about the Emiratisation in terms of the training and compliance of the board of directors
            7. The information about the branches of the company
            8. The financial information about the capital, rating, deposits and bank guarantees of the company
            9. The information about the certified external auditor and actuary of the company
            10. The information about the major shareholders as per the shareholdings to be disclosed in accordance with the legislations in force
            11. The name of the members of the governance committee in the company.
            12. Information about the Compliance Officers.
        • Third: The Disclosures of the Insurance Companies and the Insurance-Related Professionals

          1. The insurance companies and the insurance-related professionals shall provide the interim and annual financial and technical statements and reports according to the provisions of Federal Law No 6 of 2007 on the Establishment of the Insurance Authority and the Regulation of its Operations as amended and the regulations, instruction, decisions and circulars issued thereunder.
          2. The insurance companies and the insurance-related professionals shall as far as applicable to the nature of their operations and their legal forms as appropriate inform and provide the Authority with:
            1. The convocation of the ordinary and extraordinary general meetings of the Company at least 15 days prior to the date of the general meeting.
            2. The minutes of the general assembly within 7 days as of the date of the general meeting.
            3. The dates and timings of the board meetings of the company in which this board will discuss decisions of the company which would affect the policy holders and beneficiaries such as the dividends, bonus shares, capital increase or reduction and the approval for new investment policies at least 2 days prior to the date of the meetings provided that they shall present the resolutions carried in this regard after the approval of the board immediately once they are carried.
          3. The insurance companies and the insurance-related professionals shall inform and provide the Authority with:
            1. All information and data provided by the company to any other regulatory authority and any data or information received by the company from such authorities within 2 working days.
            2. The changes in the company’s administrative structure at the level of the board and the executive management.
            3. All or any substantial developments in the company at the level of the board and the executive management that would affect the financial conditions or the policyholders or beneficiaries once they occur such as the catastrophes, fire, merger, issuance of new securities, suspension of one of the production lines, voluntary liquidation and the cases filed by or against the company that would affect its financial position and expose it to serious loss whereby its chairman or the general manager must immediately inform the Director General within one business day.
          4. The insurance companies shall provide the Authority with the approved forms of the insurance documents and their annexes according to Administrative Decision No 140 of 2019 on the Exclusion of Certain Insurance Documents from the Requirement of Being Drawn up in Arabic.
          5. The insurance companies and the insurance-related professionals shall provide all required data and statistics in accordance with the Authority-set periods.
        • Fourth: Reports on Governance and Adherence

          The Self-Assessment Form and the Annual Report on Governance

          1. The insurance companies and the insurance-related professionals shall as far as applicable to the nature of their operations and their legal forms as appropriate provide the Authority with a self-assessment of the governance procedures of the company in the intended completed e-form when the annual financial statements and reports are presented.
          2. The insurance companies shall provide the Insurance Authority with a copy of the annual governance report filed by it every year when it presents its governance self-assessment form.
          3. The governance self-assessment form shall comprise the following cornerstones:
            1. The rights of the shareholders and policyholders
            2. The general assembly.
            3. Related party transactions.
            4. Disclosure and transparency.
            5. Internal audit.
            6. Board committees.
            7. Training.
            8. Internal controls.
            9. Any other matters as held necessary by the Authority.

          Risk and Adherence Self-Assessment Forms

          1. The insurance companies and the insurance-related professionals shall fill in their risk and compliance self-assessments in accordance with the Authority-fixed periods in this regard in the intended e-form.
          2. The risk and adherence self-assessment form shall comprise:
            1. The insurance risks including the risks of the product, design, pricing and underwriting.
            2. The credit risks.
            3. The market risks including the investment and liquidity risks
            4. The operational risk including the legal risks.
            5. The organizational risks
            6. The risks of the related parties
            7. The risks of the financial crime.
            8. The insurance fraud risks.
            9. The cyber risks.
            10. Other risks as specified by the Authority.
        • Fifth: Internal Audit & Risk Management Reports

          Internal Audit Reports

          1. The insurance companies and the insurance-related professionals shall enable the internal audit staff to provide the Authority with the annual internal audit reports of the companies when the annual financial statements and reports are presented every year as well as Form No. ( 1 ) as hereto attached.
          2. The internal audit report must comprise:
            1. An executive summary of the internal audit process.
            2. A short background.
            3. The objective and scope of participating in the audit.
            4. The methodology used.
            5. The main findings.
            6. The recommendations.
            7. The challenges.
          3. The internal audit staff of the insurance companies and the insurance-related professionals must fill in the intended e-form of the internal audit report when they submit a copy of the annual internal audit report according to the Report Form No (2) as hereto attached.

          Risk Management Reports:

          1. The insurance companies and the insurance-related professionals shall fill in the intended e-form of the risk management of the companies when the annual financial statements and reports are presented according to the Form No (3) as hereto attached.
          2. The insurance companies and the insurance-related professionals can provide the Authority with a copy of their risk management form which is associated with the e-report above.
        • Sixth: The Reports on Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organizations

          1. The insurance companies and the insurance-related professionals shall appoint a Compliance Officer to combat money laundering and terrorism financing as required by the laws, regulations, instructions, decisions and circulars in force.
          2. The insurance companies and the insurance-related professionals shall enable the staff specialized in anti-money laundering and combating the financing of terrorism to perform their work and send the periodic reports to the Insurance Authority.
          3. The Compliance Officers and the internal control staff must perform their work in a highly objective and professional way.
          4. The insurance companies and the insurance-related professionals must shape policies and procedures for combating the financial crimes including money laundering and the financing of terrorism and illegal organizations.
          5. The insurance companies and the insurance-related professionals shall present periodic reports as follows:
            1. The reports prepared by the Compliance Officers.
            2. The reports prepared by the internal control staff concerning the effective internal controls for anti-money laundering and combating terrorism financing.
            3. The report of the certified external auditor of the company concerning the effective internal controls for anti-money laundering and combating terrorism financing.
            4. The self-assessment reports prepared by the Compliance Officers including:
              1. A biannual self-assessment report in the intended e-form of the Insurance Authority to be filed prior to the end of 15 August every year in the e-systems of the Authority.
              2. An annual self-assessment report in the intended e-form of the Insurance Authority to be filed prior to the end of 15 February every year in the e-systems of the Authority.
            5. The Compliance Officers must attach their internal reports on the internal work policies, regulations and procedures to aforesaid electronic self-assessment reports according to the following determinants:
              • The regulations and policies on anti-money laundering and combating terrorism financing.
              • The internal regulations on the risk-based approach
              • Customer due diligence
              • Enhanced customer due diligence.
              • Continuous due diligence.
              • The (STRs) Suspicious Transaction Reports.
              • Compliance Officers.
              • Record keeping.
              • Training.
            6. All or any reports required by the Authority concerning the data and statistics on anti-money laundering and combating terrorism financing according to the Authority-set periods.
            7. The reports prepared by the internal audit staff concerning the effective internal controls for anti-money laundering and combating terrorism financing.
          6. The internal control staff of the insurance companies and the insurance-related professionals must file an annual report by the end of April every year on reviewing the internal policies, regulation and procedures for anti-money laundering and combating the financing of terrorism according to the intended E-Form No (4 ) as hereto attached.
          7. The internal audit report must contain:
            1. An executive summary of the internal auditing.
            2. A short background
            3. The objective and scope of participating in the audit
            4. The methodology used
            5. The main findings.
            6. The recommendations.
            7. The challenges.
          8. The report prepared by the internal control staff must imply a comprehensive review of at least the following internal controls:
            1. The regulations and policies for anti-money laundering and combating terrorism financing.
            2. The internal regulations on the risk-based approach.
            3. Customer due diligence.
            4. The enhanced customer due diligence.
            5. The continuous due diligence.
            6. The (STRs) Suspicious Transaction Reports.
            7. Record keeping.
            8. Training.
            9. All or any other additional controls.
          9. The internal control staff can upload their report on reviewing the internal controls of the company associated with the e-report above.
          10. The report of the certified external auditor of the company concerning the effective internal controls for anti-money laundering and combating terrorism financing shall be in accordance with the following:
            1. The insurance companies and the insurance-related professionals shall fill in the e-form of the annual report prepared by the company’s external auditor when the audited annual financial statements and reports are provided to the Authority in Form No. ( 5 ) as hereto attached.
            2. The Authority must be provided by the company with a copy of the duly signed report of the external auditor when the e-report above is presented provided that the report shall comprehensively review at least the following internal controls:

           

          Scope

          Details

          Suspicious Transactions Reports

          - Verifying from the Compliance Officer the applicable policies and procedures to ensure that any of the staff that deals or has an administrative liability for dealing with the transactions, which may involve money laundering or terrorism financing, files an immediate report to the Compliance Officer of the company, if he/she comes to know about a suspicious operation, and freezes the transactions.

          - Verifying from the Compliance Officer if there are any suspicious or unusual transactions notified by the staff and if the FIU of the Central Bank of the UAE is notified of it after verifying that it is suspicious or unusual.

          - Obtaining STR and SAR records, it should be confirmed if such reports are urgently notified only to the FIU of the Central Bank of the UAE, (ensuring that the reports are not filed to another regulator).

          - Verifying from the Compliance Officer the applicable procedures to ensure that the higher management, officers and staff do not notify or inform by any (written or phone) means the (customer, the beneficiary or any related profession) about their information, notifying the relevant authorities and verifying that the company has policies, procedures, regulations and controls to prevent informing the customer in this event

          - Verifying if the examined samples imply any contact or refer to a communication with the customer to inform him/her/it that he/she/it is a suspect

          - Verifying that STR and SAR are timely filed to the FIU of the Central Bank of the UAE, describing the nature of the transactions which raise suspicion, and verifying if the notified transactions are timely frozen.

          - Verifying that the company has an activated account in “GO-AML” and the number of STR and SAR sent to the FIU during the year.

          Compliance Officer

          - Verifying the documents of the appointment or assignment of any of the company’s employees as a (Compliance Officer) and requesting the documentary evidence of the appointment/assignment which were notified to the Insurance Authority

          - Verifying through the administrative structure that the (Compliance Officer) filed his/her reports directly to the higher management of the company and that there are no other tasks assigned to the Compliance Officers

          - Ensuring that the Compliance Officer is responsible for all obligations in Article 21 of Cabinet Resolution No 10 of 2019 on the Executive Regulations of Federal Law No 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organizations

          - Verifying that the company asked the appointed external auditors to prepare and file a report on the compliance with Law on Anti-Money Laundering to the Insurance Authority by 30 April of the next year and that the findings of such report were received and addressed by the company.

          - Verifying the qualifications of the (Compliance Officer), including the professional certificates and the training courses attended by the (Compliance Officer)

          - Verifying that the (Compliance Officer) files a biannual report to the higher management and the Insurance Authority.

          Due Diligence procedures

          1) Performing all obligations for “Know Your Customer”, customer due diligence and enhanced due diligence as set out in Cabinet Resolution No 10 of 2019 on the Executive Regulations of Federal Law No 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organizations:

          a. For natural persons, as set out in the above Cabinet Resolution.

          b. For corporate persons, as set out in the above Cabinet Resolution.

          c. For NGOs, as set out in the above Cabinet Resolution.

          d. In the event of conducting transactions for another person or entity, verifying the identity of such person or entity and obtaining the required information and documents, as set out in the above Cabinet Resolution.

          2) Verifying from the staff of the company if all necessary information and documents of the customers, including the ultimate beneficiary owners, are obtained prior to establishing any business relationships, whether the customer is a natural or corporate person, and if such information is regularly updated

          3) Verifying from the Company if the applicable procedures establish the identity of the beneficiaries, which are not the customer, obtaining and recording full information there, and ensuring whether:

          a) The company determines and verifies the identity of this party prior to conducting any payment transactions

          b) In the event of identifying the beneficiary as a corporate person or taking a legal arrangement with high risk, the customer due diligence procedures of the company shall include procedures based on premises to determine and verify the real identity of the beneficiary of the insurance policy upon payment

          4) Ensuring through the staff of the company whether the customer due diligence procedures are adopted:

          a) The company takes measures based upon premises to understand the ownership and nature of the corporate person

          b) The company ensures the nature and type of the business relationship, which is established with a natural or corporate person

          c) The company controls on a continuous basis the business relationship with its customers, to the effect that it verifies the transactions conducted to ensure that they are in accordance with KYC and the details of the customer business and its risks as well as the source of the funds, as required.

          5) Verifying if the company enters into business with a customer by using a false name or with an unknown person or opening an account with a fictitious name and if the name of the account holder is in accordance with the identity card or a copy of the passport or the trade license and if the staff in charge verifies that such copies are authentic and signed.

          6) Verifying from the staff of the company if the following procedures and terms are adopted and complied with:

          a. Applying the due diligence procedures to the current customers, if:

          (1) There is a substantial change in the nature or ownership of the customer

          (2) There is doubt about the correctness or accuracy of the information of the customer

          (3) A big transaction is about to be concluded with or for the customer

          (4) There is another reason that may be held adequate by the company

          b. If the company is unable to identify the customer by a reliable and independent source of information, the company must:

          1) End any relation with the customer immediately.

          2) Consider the need for filing suspicious transaction reports to the competent unit.

          Enhanced Due Diligence

          Performing all obligations for “Know Your Customer”, customer due diligence and enhanced due diligence, as set out in Cabinet Resolution No 10 of 2019 of the Executive Regulations of Federal Law No 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organizations

          1) Verifying that the company has a process for identifying the customers and/ or the real beneficiaries from the politically exposed persons (PEP) and ensuring that:

          a. Suitable risk management regulations are applied to determine whether the customer or the real beneficiary is a PEP or not.

          b. The approval of the higher management is obtained for establishing or proceeding with a business relationship, if the customer or the real beneficiary is a PEP.

          c. The source of the wealth and assets of the real beneficiary is determined by any available reasonable means.

          d. It conducts enhanced due diligence during the business relationship.

          2) In the event of large documents, as specified in Article 6 of Cabinet Resolution No 10 of 2019 above, verifying that the documents of the financial situation of the customer, the source of the funds and the net income as well as the names of the banks, which the customer deals with, are kept and maintained over the past three years.

          3) Ensuring that the company provides, in addition to the due diligence procedures, the due diligence under Cabinet Resolution No 10 of 2019 above.

          4) Ensuring that the insurance company takes reasonable measures to identify the beneficiary or the beneficial owner of the life insurance and Family Takaful insurance policies. If he/she is identified as a PEP, the company shall inform the higher management prior to paying to the beneficiaries or prior to exercising any rights thereof, do a comprehensive examination of all business relationships and consider notifying a STR to the Unit

          Maintaining Documents

          - The number of the years of maintaining the documents (in the event of a court case and after the end of the court case or in the event that there is no legal action)

          - The existing transaction details (type, sum, etc.), including whether an STR or SAR is notified

          - The method of maintaining the data (in soft or hard files)

          - The existing system for document maintenance

          - If the system includes the dates of the commencement and end of the business relationship

          - In the event of notifying STR or SAR whether the database contains a request from the FIU and what is the timeframe of dealing with such requests

          - The minimum requirements for storing (soft and hard) records, which may include the safety and the availability of the data in the event of a crisis

          Risk-Based Approach

          The company relies on a risk-based approach, which includes:

          - Assessing the risks of money laundering and financing of terrorism faced by the company, including

          a. The type of the company’s customers (and the purpose of the relationship)

          b. The products and services provided by the Company (and their objective)

          c. The technology used by the company (and the objective of this use) to provide such products and services

          - Establishing the required procedures for mitigating such risks

          - The existing classification and description of the risks of the business relationship, taking into consideration at least four risk factors of this business relationship: customer risk, product risk, operational risk and competent department risks

          Policies & Procedures

          Ensuring that the policies and procedures:

          - Are authenticated and approved for anti-money laundering and combating terrorism financing.

          - Include specified actions and standards for identifying the customers with high risk.

          - Include a specified and periodic mechanism for updating the lists of terrorism in Cabinet Resolution No 20 of 2019 and informing the regulator if the case is identified

          - Include the standards for notifying STR or SAR, (including the notification timeframe).

          - Require a timeframe for the regular update of the policies and procedures

          - Performing by the internal auditor a regular audit of the procedures for anti-money laundering and combating terrorism financing, which are adopted by the departments of the company

          - Verifying if the company adopts a policy for periodically reviewing the sufficient customer due diligence and enhanced due diligence for the customers and ultimate beneficiary owner and ensures a continuous update of the information, particularly, about the customers with high risk.

          - Verifying that the company adopts a process for periodically and regularly updating the tests of AML diligence.

          AML Systems & Control

          Verifying that:

          - An independent internal control unit exists in the company and inquiring from the internal auditor about the way of ensuring compliance with the policies, procedures, regulations and controls for anti-money laundering and combating terrorism financing.

          - The internal auditor files his/her reports to the audit committee.

          - Verifying from the Compliance Officer that there are confidential information agreements with the related professions, with which the company deals.

          - Verifying from the compliance officer that the information about the company is disclosed only as far as required in the investigations or the court cases, which are subject to the applicable legislations of the State

          - The company adopts and adheres to procedures for anti-money laundering and combating terrorism financing applicable to all of its branches inside and outside the UAE.

          - If the requirements for anti-money laundering and combating terrorism financing in the host country are less strict than the UAE requirements, the company applies all UAE requirements save for anything not permitted under the laws and regulations of the host country.

          - In the event that the branch or the subsidiary, which operates abroad, is unable to adhere to the highest standards, the company notifies the Insurance Authority of the matter and adheres to the additional directives dedicated by the Authority.

          Staff Training & Employment

          - Verifying if the training of the (Compliance Officer) and all staff remains updated and suitable for the activities of the company and the different customer types, and if the training is provided on a regular and continuous basis

          - Ensuring that the (Compliance Officer) does a periodic examination of all (newly appointed staff – current staff)

          - Verifying that high-level scientific training is provided to the (compliance officer)

          Continuous Control

          - Reviewing and updating the AML procedures on a regular basis

          - Verifying that the (Compliance Officer) ensures a continuous examination of all databases of the customers of the company and compares such examination with the terrorist lists in the law and legislations in force

          Cabinet Resolution No 20 of 2019 on the Regulations of the Terrorist Lists and implementing the Security Council’s Resolutions concerning the Prevention and Suppression of Terrorism and its Financing and Proliferation of Armaments and the Relevant Resolutions shall be fully complied with and completely implemented.

          1. The details of those on the lists of the sanctions committees, (as defined in said Resolution) shall be followed up on a daily basis by directly referring to the resolutions approved by the Security Council and registering to this end on the website of the Executive Office of the Committee for Goods and Materials Subjected to Import & Export Control: https://uaeiec.gov.ae/ar-ae/United-Nations-Securoty/Council-Saction
          2. The customer databases and any information obtained about the potential or current customers shall continually be verified and compared with the names on the penalty list. An updated list shall be maintained in a database of the terrorist persons and organizations on such list.
          3. The Authority shall be immediately notified in the event that funds are frozen so that it shall notify the Executive Office of the Committee for Goods and Materials Subjected to Import & Export Control in accordance with the provisions of the legislations in force.
          4. The Authority shall be notified if it is found that one of the previous customers of the company or any incidental customer which the company dealt with is a person or an organization on the penalty list.
          5. The Authority shall be notified of not taking action as a result of similar names and failing to eliminate such similarity by the available or accessible information.
        • Internal Audit Report

          • Form Number (1)

            Internal Audit report for “name of insurance company”

            Period of review: Timeframe of the review

            Date of Final Report: Date of submission to the Mgt.

            Name of Auditors: Names of auditors involved

            1- Executive Summary: This section should contain the following:

            • A brief background;
            • Objective and the scope of audit engagement;
            • Methodology;
            • Key findings;
            • Opinion;
            • Recommendations;
            • Limitations

            2- Background: This section should contain the following:

            • A brief background on the auditee;
            • Brief description of duties/functions of auditee;

            3- Objective and Scope

            • Elaborate on the objective and scope of audit engagement and period covered by the current audit.

            4- Methodology

            • This section should explain the methodology adopted to conduct internal audit vis-à-vis interview, observation, sampling, sample size and others used for test checking records, number of records checked, type of records checked.

            5- Recommendations

            • This section will contain general recommendations if any that could not be covered as part of recommendations in the specific audit observations.

            6- Conclusion

            • This section should constitute the auditors’ overall opinion about the functioning of the auditee unit with respect to the overall objective of the audit engagement.
            • The strength of the auditee agency may be highlighted in this section along with the areas needing attention and corrective action.

            7- References

            1. This section should list all published or unpublished materials used and referred to in coming up with the Internal Audit Report.

            8- Limitations

            • Describe all your limitations in here. The limitations can be related to scope of the audit, methodology adopted, adequacy of the samples and adaptation of standards.
          • Form Number (2)

            Internal Audit Report

            FINDING | POTENTIAL EFFECT | RECOMMENDATION | PRIORITY * | MANAGEMENT RESPONSE | TARGET DATE


            Priority ratings have been assigned to issues raised in this report as follows:

            *PRIORITY OF INDIVIDUAL RECOMMENDATIONS

            Extreme Priority | Internal Audit considers the implementation of this recommendation to be fundamental to the proper working of the system. It should normally be carried out within 1 month of the report’s issue.
            HIGH | Internal Audit considers the implementation of this recommendation to be important to the proper functioning of the system. It should normally be carried out within 3 months of the report’s issue.
            MEDIUM | Internal Audit considers that it would be aided or improved by its implementation. It should normally be carried out within 6 months of the report’s issue.
            LOW | The system’s effective operation may not depend upon this recommendation, but Internal Audit considers that it would be aided or improved by its implementation. It should normally be carried out more than 6 months after the report’s issue.

          • Form Number (3)

             

            Risk Assessment as of [DATE]

            Identified Risks and Schemes | Likelihood | Significance | Risk Rating | Controls Effectiveness Assessment | Residual Risks | Risk Response (List an action plan on how each residual risk will be mitigated)
            Insurance risk | | | | | |
            Credit risk | | | | | |
            Market risk | | | | | |
            Operational risk | | | | | |
            Regulatory risk | | | | | |
            Contagion and related party risk | | | | | |
            Financial crime risk | | | | | |
            Cyber risk | | | | | |
            Strategic risk | | | | | |
            Regulatory Risk | | | | | |

            Likelihood

            Rating | Based on Annual Frequency: Descriptor | Based on Annual Frequency: Definition | Based on Annual Probability of Occurrence: Descriptor | Based on Annual Probability of Occurrence: Definition
            5 | Very frequent | More than twenty times per year | Almost certain | >90% chance of occurrence
            4 | Frequent | Six to twenty times per year | Likely | 65% to 90% chance of occurrence
            3 | Reasonably frequent | Two to five times per year | Reasonably possible | 35% to 65% chance of occurrence
            2 | Occasional | Once per year | Unlikely | 10% to 35% chance of occurrence
            1 | Rare | Less than once per year | Remote | < 10% chance of occurrence

            Significance

            Rating | Descriptor
            5 | Catastrophic
            4 | Major
            3 | Moderate
            2 | Minor
            1 | Incidental

            Control Effectiveness

            Control Risk Rating | Description
            5 | Very effective (reduces 81-100% of the risk)
            4 | Effective (reduces 61-80% of the risk)
            3 | Moderately effective (reduces 41-60% of the risk)
            2 | Marginally effective (reduces 21-40% of the risk)
            1 | Not effective (reduces 0-20% of the risk)

            OVERALL ASSURANCE

            FULL "Very effective" | Full assurance that the system of internal control is designed to meet the organisation's objectives and controls are consistently applied in all the areas reviewed.
            SIGNIFICANT "Effective" | Significant assurance that there is a generally sound system of control designed to meet the organisation's objectives. However, some weakness in the design or inconsistent application of controls put the achievement of particular objectives at risk.
            LIMITED "Moderately effective" | Limited assurance as generally moderate sound system in the design or inconsistent application of controls put the achievement of the organisation's objectives at risk in the areas reviewed.
            VERY LIMITED "Marginally effective" | Limited assurance as weaknesses in the design or inconsistent application of controls put the achievement of the organisation's objectives at risk in the areas reviewed.
            NO ASSURANCE | No assurance as weaknesses in control or consistent non-compliance with key controls could result (have resulted) in failure to achieve the organisation's objectives in the areas reviewed.

            Residual Risks for individual findings

            High | Active management attention required as a high priority. Controls are not adequate to address the associated risk.
            Medium | Active management attention required as a moderate priority. Controls are not adequate to address the associated risk.
            Low | Active management attention not required on priority. Controls are more or less adequate to address the associated risk.

          • Form Number (4)

            Internal Audit Report

            Controls | Finding | Potential effect | Recommendation | Priority | Management response | Target date | Effectiveness From (1-5)
            AML/CFT systems | | | | | | |
            Policies and procedures | | | | | | |
            Risk-Based Approach ("RBA") | | | | | | |
            Customer Due Diligence – CDD | | | | | | |
            Suspicious Transaction reports | | | | | | |
            Record Keeping | | | | | | |
            Training | | | | | | |
            AML Officer, Compliance Officer | | | | | | |
            Ongoing monitoring | | | | | | |
            Enhanced Due Diligence ("EDD") | | | | | | |
            ETC…. | | | | | | |

          • Form Number (5)

             

            External Audit Report

            Procedures | FINDING | Effectiveness From (1-5)
            Risk-Based Approach ("RBA") | |
            Customer Due Diligence - CDD | |
            Suspicious Transaction reports | |
            Record Keeping | |
            Training | |
            AML Officer, Compliance Officer | |
            Ongoing monitoring | |
            Enhanced Due Diligence ("EDD") | |
            ETC…. | |

      • Financial Reporting and External Audit Regulation

        C 5/2023 Effective from 30/4/2024

         

        Having perused Decretal Federal Law No. (14) of 2018 Regarding the Central Bank and Organization of Financial Institutions and Activities, as amended;

        Decretal Federal Law No. (48) of 2023 Concerning the Organization of Insurance Operations;

        Decretal Federal Law No. (32) of 2021 on Commercial Companies;

        Federal Law No (12) of 2014 on the Regulation of the Auditing Profession, as amended;

        Cabinet Decision No. (48/2022) On the Implementing Regulation of Federal Law No. (12/2014) on the Regulation of the Auditing Profession;

        Chairman of Securities and Commodities Authority’s Board of Directors Decision No. (3/Chairman) of 2020 Concerning Approval of Joint Stock Companies Governance Guide;

        Insurance Authority Board of Directors’ Decision No. (25) of 2014 Pertinent to Financial Regulations for Insurance Companies and Insurance Authority Board of Directors’ Decision No. (26) of 2014 Pertinent to Financial Regulations for Takaful Insurance Companies;

        Insurance Authority’s Board of Directors’ Decision No. (19) of 2020 Concerning the Guidance Manual for Insurance Companies and Related Professions to Submitting the Data, information and Supervisory Reports;

        The Central Bank of the UAE’s Board of Directors’ Resolution published in the Official Gazette issue No. (740) on 30 November 2022 Regulation Regarding Takaful Insurance and Shari’ah Governance Standard for Takaful Insurance Companies;

        Notices issued by the Central Bank Concerning Dividend Announcement and Profits Repatriation Approval Process;

        And, based on the recommendation of the Governor and the approval of the Board of Directors; Has resolved,

        • Introduction

          The Central Bank seeks to promote the effective and efficient development and functioning of the insurance sector. To this end, Companies are required to maintain appropriate records, prepare financial statements in accordance with the International Financial Reporting Standards (IFRS) and the instructions of the Central Bank, and publish annual financial statements bearing the opinion of an External Auditor approved by the Central Bank.

          In implementing this Regulation, the Central Bank intends to ensure that Companies’ approaches to financial reporting and external audit are in line with the leading international practice.

          This Regulation is issued pursuant to the powers vested in the Central Bank under the Central Bank Laws.

          Where this Regulation includes a requirement to provide information or take certain measures, or to address certain items listed at a minimum, the Central Bank may impose requirements that are additional to the listing provided in the relevant article.

          This Regulation supplements Decretal Federal Law No. (48) of 2023 Concerning the Organization of Insurance Operations, the Insurance Authority’s Board of Directors’ Decision No. (19) of 2020 Concerning the Guidance Manual for Insurance Companies and Related Professions to Submitting the Data, information and Supervisory Reports, the Insurance Authority Board of Directors’ Decision No. (25) of 2014 Pertinent to Financial Regulations for Insurance Companies, the Insurance Authority Board of Directors’ Decision No. (26) of 2014 Pertinent to Financial Regulations for Takaful Insurance Companies, and the Central Bank of the UAE’s Board of Directors’ Resolution published in the Official Gazette issue No. (740) on 30 November 2022 Regulation Regarding Takaful Insurance. Additional requirements may be imposed pursuant to decisions to be issued by the Central Bank in this regard.

        • Objective

          The objective of this Regulation is to establish the minimum acceptable standards for Companies’ approach to financial reporting and external audit, with a view to:

          i. Ensuring the soundness of the Companies; and

          ii. Contributing to financial stability and policyholder protection.

        • Scope of Application

          This Regulation applies to all Companies. Companies established in the UAE with Group relationships including Subsidiaries, Affiliates, or international branches, must ensure that the Regulation is adhered to on a solo and Group-wide basis.

        • Article (1): Definitions

          The following terms shall have the meaning assigned to them below for the purposes of this Regulation:

          1-1 Affiliate: An entity that, directly or indirectly, controls, is controlled by, or is under common control with another entity. The term control as used herein shall mean the holding, directly or indirectly, of voting rights in another entity, or of the power to direct or cause the direction of the management of another entity.

          2-1 Board: The Company’s board of directors.

          3-1 Central Bank: The Central Bank of the United Arab Emirates.

          4-1 Central Bank Laws: Decretal Federal Law No. (14) of 2018 Regarding the Central Bank and Organization of Financial Institutions and Activities, as amended and Decretal Federal Law No. (48) of 2023 On the Organization of Insurance Operations.

          5-1 Company: The insurance company incorporated in the State, and the branch of a foreign insurance company, that is licensed to underwrite primary insurance and reinsurance, including Takaful insurance companies.

          6-1 Conflict of Interest: A situation of actual or perceived conflict between the duty and private interests of a person, which could improperly influence the performance of his/her duties and responsibilities.

          7-1 Control Function: Function (whether in the form of a person, unit or department) that has a responsibility in a Company to provide objective assessment, reporting and/or assurance; this includes the risk management, compliance, actuarial, internal audit and where applicable Shari’ah control and Shari’ah audit functions.

          8-1 Corporate Governance: A set of relationships between a Company’s Board, Senior Management, customers and other stakeholders; and a structure through which the objectives of the Company are set, and the means of attaining those objectives and monitoring performance are determined.

          9-1 External Auditor: The audit firm and the individual audit engagement team members conducting the audit. Where relevant, specific references are made to the audit firm only in certain paragraphs.

          10-1 Financial Regulations: Insurance Authority Board of Directors’ Decision No. (25) of 2014 Pertinent to Financial Regulations for Insurance Companies and the Insurance Authority Board of Directors’ Decision No. (26) of 2014 Pertinent to Financial Regulations for Takaful Insurance Companies and Insurance Authority’s Board of Directors’ Decision No. (19) of 2020 Concerning the Guidance Manual for Insurance Companies and Related Professions to Submitting the Data, Information and Supervisory Reports.

          11-1 Group: A group of entities which includes an entity (the ‘first entity’) and:
              a. any parent of the first entity;
              b. any Subsidiary of the first entity or of any parent of the first entity;
              c. any Affiliate

          12-1 Internal Controls: A set of processes, policies and activities governing a Company’s organizational and operational structure, including reporting and Control Functions.

          13-1 Intragroup Transactions: Any transaction by which a Company relies, either directly or indirectly, on another entity within the same Group.

          14-1 Matter of Significance: A matter, or group of matters, that would have significant impact on the activities or financial position of the Company. Examples include failure to comply with the licensing criteria or breaches of the Central Bank Laws, or Financial Regulations, significant deficiencies and control weaknesses in the Company’s operations or financial reporting process or other matters that are likely to be of significance to the function of the Central Bank as regulator.

          15-1 Regulation: Any resolution, regulation, circular, rule, standard or notice issued by the Central Bank.

          16-1 Risk Management: The process through which risks are managed allowing all risks of a Company to be identified, assessed, monitored, mitigated (as needed) and reported on a timely and comprehensive basis.

          17-1 Senior Management: The individuals or body responsible for managing the Company on a day-to-day basis in accordance with strategies, policies and procedures set out by the Board, generally including, but not limited to, the chief executive officer, chief financial officer, chief risk officer, and heads of the compliance and internal audit functions.

          18-1 Subsidiary: An entity (the 'first entity') is a subsidiary of another entity (the 'second entity') if the second entity:
              a. holds a majority of the voting rights in the first entity;
              b. is a shareholder of the first entity and has the right to appoint or remove a majority of the board of directors or managers of the first entity; or
              c. is a shareholder of the first entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the first entity; or
              d. if the first entity is a subsidiary of another entity which is itself a subsidiary of the second entity.

          19-1 Takaful Insurance: A collective contractual arrangement aiming at achieving cooperation among a group of participants against certain risks whereby each participant pays certain contribution amount to form an account called the participants' account through which entitled compensations are paid to the member in respect of whom the risk has realized. The Takaful Insurance Company shall manage this account and invest the funds collected therein against certain compensation.

        • Article (2): Financial Reporting

          1-2 The Board and Senior Management are responsible for ensuring that financial statements are:
              a. prepared in accordance with accounting policies and practices that are widely accepted internationally;
              b. supported by record keeping systems; and
              c. issued annually to the public together with an independent External Auditor’s opinion.

          2-2 The Board audit committee must oversee the financial reporting process and the establishment or amendment of significant accounting policies and practices.

          3-2 In addition to the reporting requirements per the Financial Regulations, a Company must provide the Central Bank with qualitative and quantitative reports in an easily accessible manner with the following information, at a minimum:

              a. a description of the nature of the Company’s activities which sets out the following:
                  i. business lines, types of products offered, policyholder segments and location of business;
                  ii. policies concerning sales, marketing and remuneration paid to intermediaries;
                  iii. the main trends and factors that contribute to the development, performance and position of the Company over its business planning time period; and
                  iv. any material changes that have occurred in the Company’s activities.

              b. a description of the Company’s undertakings to ensure fair treatment of policyholders, which sets out the following:
                  i. the culture of the Company in relation to policyholder treatment, including the extent to which the Company’s leadership, governance, performance management and recruitment, complaints handling policies and remuneration practices demonstrate a culture of fair treatment to policyholders;
                  ii. how products are designed and distributed to ensure they fulfil the customers’ demands and needs;
                  iii. the adequacy, appropriateness and timeliness of the information and advice given to customers;
                  iv. the handling and timing of claims, including but not limited to acknowledging receipt of claims, notifying policyholders of accepting claims, rejecting claims or requiring additional documentation to proceed;
                  v. premium refunds;
                  vi. the handling, frequency and nature of customer complaints, disputes, and litigation;
                  vii. means of communication used to address customer complaints, including but not limited to SMS text messages, telephone, email or social media platforms and the frequency of their update;
                  viii. policyholder experience reports used by the Company or from other sources, such as the insurance disputes resolution committees/ courts of law/ ombudsman/ arbitration/ mediation, as the case may be; and
                  ix. any material changes that have occurred in the Company towards fair treatment of policyholders.

          c.

          a description of the Corporate Governance framework, Risk Management system and Conflict of Interest policies - including those from the Company’s relations with policyholders-, and any material changes in this regard.

            

          d.

          at the Group level -where applicable- a description of the Company’s relationships within the Group, including Group structures, Intragroup Transactions and intragroup links along with a description of any material changes in this regard;

          4-2

           The Central Bank will determine the frequency and deadlines of submitting reports according to Article (2.3). The Central Bank may require additional reports as it deems necessary.

          5-2

          Companies must correct inaccurate reporting, as soon as possible, once identified.

          6-2

          Companies must report on any material changes or incidents that could affect their condition or customers, as soon as possible.

          7-2

          Companies must refrain from any action that may disclose or reveal their intentions regarding distribution or repatriation of profits, retained earnings, reserves, or other component of regulatory capital, unless they first have obtained the prior written no-objection from the Central Bank.

          8-2

          Companies must not make any distribution or repatriation of profits, retained earnings, reserves, or other component of regulatory capital unless they have obtained the prior written no-objection from the Central Bank.

          9-2

          The Board is responsible for ensuring that the risk governance framework of the Company, and if applicable, Group, provides for appropriate oversight of financial reporting and external audit. The framework must, at a minimum, provide for:

          a. documentation in an appropriate mandate or terms of reference of the role and responsibility of the Board audit committee, with respect to financial reporting; and

          b. Board-approved policies, procedures, systems, internal controls and independent assurance by the internal and/or external audit functions of the Company on the preparation of financial statements and prudential reporting to the Central Bank.

          10-2

          Companies must prepare their financial statements in accordance with the International Financial Reporting Standards (IFRS) and the instructions of the Central Bank. Such instructions may include, but are not limited to, the submission and publication of financial statements, classification and provisioning of financial items or guidance on the application of specific IFRS in the UAE insurance sector.

          11-2

          Companies must use valuation practices consistent with IFRS and Financial Regulations, and subject their fair value estimation framework, structure and processes to independent verification and validation. The Board must ensure adequate governance structures and control process for all financial instruments that are measured at fair value for Risk Management and financial reporting purposes, which must include:

          a. reviewing and approving written policies related to fair valuations;

          b. ongoing review of significant valuation model performance for issues escalated for resolution and all significant changes to valuation policies;

          c. ensuring adequate resources are devoted to the valuation process;

          d. articulating the Company’s tolerance for exposures subject to valuation uncertainty and monitoring compliance with the Board’s overall policy settings at an aggregate Company-wide level;

          e. ensuring independence in the valuation process between risk taking and control units, including but not limited to dual signatures, “four eyes principle” and segregation of duties;

          f. ensuring the appropriate internal and external audit coverage of fair valuations and related processes and controls;

          g. ensuring the consistent application of accounting and disclosures;

          h. ensuring the identification of significant differences, if any, between accounting and Risk Management measurements, and that these are well documented and monitored; and

          i. ensuring that the External Auditor’s reservations are attended to, and that all necessary amendments and remedial action are being taken prior to the issuance of the annual financial statements and audit opinion; this includes, but is not limited to, reservations towards valuation of real estate and any other assets, as determined by the Central Bank.

        • Article (3): External Audit

          1-3

          Companies must, every year, appoint an External Auditor or more, approved by the Central Bank, for auditing their accounts.

          2-3

          The Board audit committee must recommend the appointment, reappointment, dismissal and compensation of the External Auditor.

          3-3

          a. The Board audit committee must establish a policy and processes for the nomination of the External Auditor. The policy and processes must be approved by the Board and applied at the general assembly for the purpose of selecting an External Auditor. The Board audit committee must review and recommend to the Board to agree to the terms of engagement prior to the signing of the written contract with the External Auditor. Where relevant, the Board audit committee must ensure that the terms of engagement with the External Auditor have been updated to reflect changes in the size, nature or complexity of the Company or in the instructions of the Central Bank.

          b. The Company must carry out a procurement procedure to select the external audit firm at least once every six (6) years, which coincides with the period of the rotation of the firm. Following rotation, a cooling off period of three (3) years must be observed before the same firm may be reselected. In addition, the Company must rotate the external audit partner in charge of the audit every three (3) years.

          4-3

          The Board audit committee must oversee the External Auditor’s effectiveness and independence.

          5-3

          The External Auditor must provide the Board audit committee with timely observations arising from the audit that are relevant to the Committee’s oversight responsibility for the reporting process. These include, but are not limited to:

          a. significant difficulties encountered during the audit;

          b. key areas of significant risk of material misstatement in the financial statements, including a summary of material corrected and uncorrected misstatements;

          c. the extent of requests made by the Group auditor to another audit firm of member firms with respect to performance of a Group audit;

          d. the use of external experts to assist with the audit;

          e. the extent to which the External Auditor has used the work of the internal audit function and Internal Controls;

          f. matters relating to accountability, including significant decisions or actions by Senior Management that lack appropriate authorization;

          g. significant qualitative aspects of financial statement disclosures;

          h. feedback on the External Auditor’s relationship with Senior Management;

          i. identification of internal control weaknesses;

          j. issues resulting from regulatory and accounting changes; and

          k. changes in insurance and financial risks.

          6-3

          The External Auditor must conduct audits in accordance with the International Standards on Auditing (ISA) that require the use of a risk and materiality based approach in planning and performing the audit.

          7-3

          The scope of the external audits must include but not be limited to investments, technical provisions, solvency margins, commissions to distribution channels, capital adequacy, reinsurance arrangements, efficiency of the Corporate Governance and Risk Management arrangements and Internal Controls, and where applicable, compliance with Shari’ah requirements.

          8-3

          The External Auditor must comply with the independence requirements laid down in the Central Bank Laws and this Regulation. In case of violation of these requirements or failure in the performance of duties, the Central Bank may take any measures against the violating or negligent External Auditor, including rejection by the Central Bank to conduct audits in Companies.

          9-3

          The Central Bank may require a Company to rescind the appointment of an External Auditor when the Central Bank determines that the External Auditor has not adhered to established professional standards or has inadequate expertise or independence.

          10-3

          The External Auditor must meet with the Central Bank as deemed necessary for supervisory purposes. The Central Bank determines the agenda, timing and attendees for such meetings, which might be without the presence of the Company. The Central Bank may access the External Auditor’s working papers, when necessary.

          11-3

          The Central Bank may require a Company to appoint, at the Company’s expense, the existing External Auditor or another specified by the Central Bank to provide a report on a particular aspect of the Company’s business operations, prudential requirements, risk governance framework or other matters specified by the Central Bank.

        • Article (4): Special Considerations for External Audit

          1-4

          The external audit in Companies must be fully compliant with the provisions laid down in the Central Bank Laws and Regulations. Where more than one External Auditor is appointed, the External Auditors must distribute duties amongst themselves and issue a common external audit opinion.

          2-4

          The Board audit committee must approve a policy for the tendering of the audit engagement. This must include requirements for knowledge and competence, objectivity, independence, professional scepticism and quality control. The Board audit committee must review and agree to the terms of the engagement prior to the signing of the written contract. Where relevant, the Board audit committee must ensure that the work plan of the engagement has been updated to reflect changes in the size, business mix or complexity of the Company or in the instructions of the Central Bank.

          3-4

          The Board audit committee must assess the overall quality of the External Auditor at least annually. The Board audit committee must obtain from the External Auditor, on an annual basis, a report on the audit firm’s internal quality control procedures, including the audit firm’s engagement quality control process, and any significant matters of concern arising from these procedures.

          4-4

          In monitoring and assessing the work of the External Auditor, the Board audit committee must obtain an understanding of the auditor’s view on any significant matters arising during the audit, including both those subsequently resolved and those that remain outstanding. The Board audit committee must review with the External Auditor the statements provided by the Board and Senior Management in the representation letter to the External Auditor, considering whether, based on the knowledge of the members of the Board audit committee, the information provided for each item is complete and appropriate.

          5-4

          Following completion of the fieldwork for the audit, and prior to issuance of the audit opinion, the Board audit committee must consider whether the External Auditor followed the audit plan and understand any reasons for changes in the plan. The Board audit committee must obtain feedback from Senior Management on the conduct of the audit. The Board audit committee’s assessment of the effectiveness of the external audit process must be documented and reported to the Board for discussion of findings and any recommendations.

          6-4

          The Board audit committee must have the right and authority to meet regularly with the External Auditor – in the absence of Senior Management – to understand and discuss all issues that may have arisen between the External Auditor and Senior Management in the course of the external audit and how these issues have been resolved. These meetings must also address any other matters that the External Auditor believes the Board audit committee should be aware of in order to exercise its responsibilities.

          7-4

          The Board audit committee must discuss with the External Auditor any matters arising from the audit that may have an impact on regulatory capital or regulatory disclosures.

          8-4

          The Board audit committee must approve a policy governing the provision of non-audit services by the External Auditor. The policy must specify the types of non-audit services the External Auditor may provide, or is prohibited from providing, and establish a requirement for approval of any such arrangement by the Board audit committee or by an appropriate level of Senior Management in accordance with authority delegated by the Board audit committee.

          9-4

          The external audit firm engaged by the Company, including its Affiliates or Subsidiaries, must not provide any non-audit services to the Company during the financial years of its external audit mandate, which could impair its objectivity and independence.

          10-4

          Prohibited non-audit services by the External Auditor include:

          a. bookkeeping and preparing accounting records and financial statements;

          b. designing and implementing Internal Controls or Risk Management procedures related to the preparation and/or control of financial information or designing and implementing financial information technology systems;

          c. services related to the Company’s internal audit function;

          d. valuation services, including valuations performed in connection with actuarial services or litigation support services;

          e. human resources services, with respect to:

             i. management in a position to exert significant influence over the preparation of the accounting records of financial statements which are the subject of the external audit, where such services involve searching for or seeking out candidates for such position or undertaking reference checks of candidates for such position;

             ii. structuring the organization design; and

             iii. cost control.

          f. brokerage services in securities services or works;

          g. services linked to the financing, capital structure and allocation, and investment strategy of the Company, except providing assurance services in relation to the financial statements, such as the issuing of comfort letters in connection with the prospectuses issued by the Company;

          h. promoting, dealing in, or acquiring ownership in the Company;

          i. legal services, with respect to:

             i. the provision of general counsel;

             ii. negotiating on behalf of the Company; and

             iii. acting in an advocacy role in the resolution of litigation.

          j. services that involve playing any part in the management or decision-making of the Company; and

          k. tax services and the provision of tax advice.

          11-4

          The prohibited non-audit services also include any prohibited services under Federal Law No (12) of 2014 on the Regulation of the Auditing Profession, as amended, Cabinet Decision No. 48/2022 On the Implementing Regulation of Federal Law No. 12/2014 on the Regulation of the Auditing Profession; and under the Code of Ethics for Professional Accountants issued by the International Ethics Standards Board for Accountants, which are not specifically listed above.

          12-4

           Where non-audit services are provided by the External Auditor, the Board audit committee must monitor the provision of such services to ensure that their performance does not impair the External Auditor’s objectivity and independence. This must take into consideration various factors including the skills and experience of the External Auditor, safeguards in place to mitigate any threat to objectivity and independence, and the nature and arrangements for non-audit fees. The Company’s annual report must explain to shareholders the nature and the fee arrangements for the non-audit services received, and how the External Auditor’s independence is safeguarded.

          13-4

          The External Auditor must meet the following expectations:

          a. have insurance industry knowledge and competence sufficient to respond appropriately to the risks of material misstatement in the Company’s financial statements and to properly meet additional regulatory requirements that may be part of the external audit;

          b. be objective and independent in both fact and appearance with respect to the Company;

          c. exercise professional scepticism when planning and performing the audit of Companies, having due regard to the specific challenges in auditing a Company;

          d. identify and assess the risks of material misstatement in the Company’s financial statements, taking into consideration the complexities of the Company’s activities and effectiveness of its internal control environment;

          e. have professional indemnity insurance in the UAE; and

          f. maintain confidentiality of information relating to the Company, unless such information is required by the Central Bank pursuant to Central Bank Laws, Regulation or other applicable legislation or required by other competent supervisory authority or judicial body.

          14-4

          The External Auditor must furnish the Board audit committee at least annually with information about the External Auditor’s policies and processes for maintaining independence and monitoring compliance with independence requirements.

          15-4

          The External Auditor must not purchase the securities of the Company whose accounts are audited by them or sell such securities directly or indirectly or provide any consultations to any person in connection with such securities during the blackout period.

          16-4

          The External Auditor must not serve on the Board or hold a position in Senior Management before two years have lapsed from the time of involvement in the Company’s audit.

          17-4

          The External Auditor’s terms of engagement must be established in a written contract, which at a minimum, provides that:

          a. the External Auditor must meet with the Central Bank as deemed necessary for supervisory purposes. The Central Bank will determine whether the Company will participate in such meetings;

          b. the External Auditor bears no duty of confidentiality to the Company with respect to any notification of meeting with the Central Bank required by this Regulation, or the provision of any document or information required to be submitted to, or requested by, the Central Bank for supervisory purposes; and

          c. the External Auditor must provide, upon the request of the Central Bank, access to working papers and other documents that support conclusions made in the audit opinion.

        • Article (5): Duty To Report To The Central Bank

          1-5

          External Auditors must promptly report to the Central Bank violations of the Central Bank Laws, Regulations, instructions and any Matters of Significance arising from their audit of the Company. External Auditors making such reports in good faith shall not be considered to have breached any of their obligations.

          2-5

          Companies must promptly notify the Central Bank in case of resignation of their External Auditor and the reasons thereof, as well as obtain the non-objection from the Central Bank in case of their dismissal or change. Divergence of opinions between the Company and its External Auditor cannot be ground for dismissal.

          3-5

          Any material reservations of the External Auditor in relation to finalisation of accounts and issuing of a clean audit opinion must be reported to the Central Bank prior to the finalization of the audit.

          4-5

          The External Auditor must not finalise financial statements containing a qualified audit opinion without first receiving the Central Bank’s non-objection.

        • Article (6): Takaful Insurance

          A Company offering Takaful Insurance products may appoint an External Shari’ah Auditor for the Shari’ah compliance matters.

        • Article (7): Enforcement & Sanctions

          Violation of any provision of this Regulation may be subject to regulatory action and sanctions as deemed appropriate by the Central Bank. These may include withdrawing, replacing or restricting the powers of Senior Management or members of the Board, providing for the interim management of the Company, or barring individuals from the UAE insurance sector.

        • Article (8): Interpretation of Regulation

          The Regulatory Development Department of the Central Bank shall be the reference for interpretation of the provisions of this Regulation.

           

        • Article (9): Publication & Application

          1-9

          This Regulation shall be published in the Official Gazette in both Arabic and English, and shall come into effect immediately on its publication. Companies which are not currently in compliance with the requirements must rectify this within six (6) months from the publication date.

          2-9

          Companies that will have the same External Audit firm engaged cumulatively for six (6) years or more as at the end of 2023 must rotate the external audit firm in 2024.