REGULATION ON INTERNAL SYSTEMS OF INSURANCE, REINSURANCE AND PENSION COMPANIES

Transcription

1 REGULATION ON INTERNAL SYSTEMS OF INSURANCE, REINSURANCE AND PENSION COMPANIES Official Gazette of Publication: Issued By: Prime Ministry (Treasury Undersecretariat ) PART ONE Objective, Scope, Basis, Definitions and Establishment of Internal Systems, and Responsibilities of the Board of Directors Objective and Scope ARTICLE1 (1) The objective of this Regulation is to regulate the principles and procedures relating to the internal control, internal audit and risk management systems to be established by insurance, reinsurance and pension companies, and the operation of such systems. (2) This Regulation covers the insurance and reinsurance companies established in Turkey, Turkish branches of foreign insurance and reinsurance companies, and pension companies. Basis ARTICLE 2 (1) This Regulation has been prepared pursuant to Article 4 of the Insurance Law No and dated 3/6/2007, and Article 16 of the Private Pension Savings and Investment System Law No and dated 28/3/2001. Definitions ARTICLE 3 (1) The following expressions in this Regulation shall have the following respective meanings; a) Administrative or operational unit: A unit where direct income-generating activities are carried out, b) Internal systems: Internal control, internal audit and risk management systems, c) Law: Insurance Law No and Private Pension Savings and Investment System Law No.4632, ç) Undersecretariat: Undersecretariat of Treasury, d) Company: Insurance and reinsurance companies established in Turkey, Turkish branches of foreign insurance and reinsurance companies, and pension companies, e) Full consolidation: Consolidation carried out in cases where the controlling share of the company in its affiliates and subsidiaries are higher than 50%, f) (O.G ) Main Services: Services which are carried out to enable companies to perform insurance and private pension activities, and which are required to be performed continuously. Establishment of Internal Systems ARTICLE 4 (1) For the monitoring and control of risks, companies, together with all their regional offices and units, shall be obliged to establish, manage and develop adequate and effective internal systems in line with the scope and structure of their activities and suitable for changing conditions, within the framework of the procedures and principles envisaged in the regulations in force. (2) Internal systems shall be restructured within the organizational structure of the company. The Board, on the condition that it possesses ultimate responsibility, may nominate one or more of its members who are not in charge of any managing or operational units and who have at least 7 years of experience in insurance or finance, as the member responsible for internal systems. (3) The member of the Board to be appointed for the maintenance of the internal systems should be a member other than the general manager. (4) (O.G ) The companies, under their organizational structure, shall establish a separate internal audit unit, internal control system and risk management system. However, the Undersecretariat may require the companies of a certain size to establish a separate risk management unit or risk management committee.

2 (5)The internal audit unit shall directly report to the Board and shall have administrative independence. (6)Internal control and risk management activities are directly dispatched and managed by the general manager of the company. (7) ) The Risk Management and Internal Control Duties Regulation, prepared by the general manager, found appropriate by the member of the Board responsible for the internal systems and approved and adopted by the Board, enshrines the academic credentials, level of experience, knowledge and skills and other qualifications required for the staff responsible of executing these activities. (8) The Internal Audit Regulation, prepared by the internal audit unit and approved and adopted by the Board enshrines the academic credentials, level of experience, knowledge and skills and other qualifications required for internal auditors. (9) The staff carrying out internal control and risk management duties may perform other duties within the company on the condition that internal control and risk management activities are not impeded. Responsibilities of the Board of Directors ARTICLE 5 (1) Establishment of internal systems, their management and development in an effective, sufficient and appropriate manner, ensuring the safety of the information obtained from the accounting and financial reporting system and determination of the powers and responsibilities within the company shall be subject to the final approval of the board. (2) Within the framework of the first article, the board shall be obliged to: a) Develop the organizational structure and human resources policy of the company as well as the criteria for the appointment of high level executives, b) Determine the strategies and policies on internal systems and their implementing procedures in writing and enable their efficient implementation, continuation and coordination, c) Select the responsible people who will conduct internal system activities, determine their duties, powers and responsibilities, approve the working methods and principles of the staff and ensure the designation of the necessary resources, ç) Determine the risk management strategies and policies in a general manner and for each and every type of risk, the risk levels to be assumed and their implementing procedures in writing; designate maximum risk limits for executives or working staff, d) (O.G ) Ensure the proper monitoring of intermediation activities. PART TWO Internal Control System Objective and Scope of the Internal Control System ARTICLE 6 (1) The objective of the internal control system is to protect company assets; conduct activities in an effective and efficient manner in accordance with the Law and other regulations, company policies and principles and insurance practices; ensure the reliability and integrity of the accounting and financial reporting system and the timely deliver of information. (2) To realize the expected objective of the internal control system, the following shall be compulsory: a)establishment of functional differentiation of duties within the company and allocation of responsibilities, b) Establishment of the accounting and financial reporting system, information system and internal communication channels in such a way that they efficiently work, c) Determination of risk related limits and standards, ç) Development of workflow schemes that show controls and business steps over the business procedures of the company. (3)The internal control system shall be structured to embrace the company s general management units, regional offices, representative offices and all activities.

3 Establishment of Functional Differentiation of Duties and Responsibilities ARTICLE 7 (1)The duties and responsibilities of all units and staff within the company shall be determined clearly and in writing, by the differentiation of tasks in relation to the activities in the same subject, in order to prevent errors and irregularities, conflicts of interest,manipulation of information and misuse of resources within the company. (2) The functions of deciding to carry out an operation, accounting of the operation after it is recorded and execution of the operation shall be entrusted to the responsibility of different staff members. (3) The functions which may create potential risk for the company shall be determined and separated from other functions as much as possible, and they shall be assigned to the different officials. The responsibilities and powers of the executive staff shall be regularly reviewed and necessary measures shall be taken to ensure that those do not create potential risk for the company. Establishment of Information Systems ARTICLE 8 (1) The information systems to be established within the company shall be required to be compatible with the scale of the company and characteristics and complexity of the activities and products offered. (2) In the bare minimum, the information systems shall be established to enable; a) Keeping, using, and backing up all information concerning the company secure in electronic media, b) Data aggregation per products offered, types of activity, geography, or groups bearing risks, c) Determining deviation from annual budget and targets, ç) Assessment of risks using risk assessment techniques and models, producing warning information and effective reporting on approximation of pre-determined risk limits, d)keeping accounting records on transaction basis in accordance with insurance account plan and explanatory notices, e) Providing information required by the relevant persons during any audit or inquiry, appropriately and within a short period of time, f) Policy-based querying regarding risk and price analysis. (3) The company shall be obliged to ensure the reliability of the information systems as well their modifications with regular updates, and to take necessary measures to ensure the continous functioning of the information systems. (4) The Undersecretariat is authorized to determine the minimum methods and principles concerning the components and control of the information systems of the companies. Establishment of Communication Structure and Effective Communication Channels ARTICLE 9 (1) The company shall be obliged to ensure the conveyance of information to all relevant persons within the organization structure. (2) Appropriate communication channels shall be required to be established and maintained within the company by the senior management in order to enable the staff to report to the relevant management levels and the internal audit unit, the encountered problems and suspicious issues considered against the customary practices. Internal Control Activities ARTICLE 10 (1) The internal control activities shall, as a minimum, include the following controls: a) Control of operations regarding the execution of activities, b) Control of the communication channels and information systems as well as the financial reporting system, c)compliance controls. ç) (O.G ) Controls over service procurements which are in effect extensions or supplements of main services. (2) The internal control activities shall constitute a part of the daily activities of the company. The written policies and implementing procedures concerning internal control shall be developed so as to

4 be executed first by the staff carrying out the activity and then by the internal control staff, and the entire staff of the company shall be informed of the policies and implementing procedures concerning the internal control activities developed in relation to the activities they carry out. (3) The company shall be required to carry out the following practices within the framework of the control of operations for the execution of activities: a) Reporting:Preparation of daily, weekly or monthly reports on extraordinary circumstances, suspicious transactions, irregularities and general performance for submitting to the upper management and the board, b) Approval and authorization: Establishment of bilateral and cross control and signature procedures, and obtaining approval or authorization for transactions above certain limits, c) Interrogation and reconciliation: Interrogating the details of the transactions, comparing the accounts, carrying out reconciliations at regular intervals, ç) Physical control: Establishment of rules and restrictions on access to, and utilization and keeping of the assets including cash, financial assets or policies owned by the company or held in custody on behalf of the insureds and participants and other parties, and drawing up of an inventory of all tangible assets at regular intervals, (4) The following practices shall be required within the framework of the control of the communication channels: a) Control to find out whether there are any restrictions on the staff s access to the information generated within the company, b) Control to find out whether the staff is regularly informed about the activity performance of the company, c) Control to find out whether the staff is regularly informed about the amendments made in the Law and other relevant regulations, as well as new products and activities, ç) Control to find out the frequency at which the company staff reports to the relevant management levels and the internal control unit, the encountered problems and suspicious issues considered against the customary practices. (5) The following practices shall be required within the framework of the control of information systems: a) Overall information system control regarding the activities concerning the information system and management and procedures thereof, b) Implementing controls including data creation and authorization, input, data processing and output controls. (6) The following practices shall be required within the framework of the control of financial reporting system: a) Control to establish whether financial reports have been prepared in accordance with the Law and relevant legislation, b) Control to identify possible errors and omissions during the process between the recording of transactions and their reflection in financial reports, c) Control of the information included in financial reports and control of the operations providing basis for the information that is controlled. (7)The compliance controls shall ensure that all activities which the company carries out or plans to carry out, and new transactions and products, are in compliance with the Law and relevant legislation, internal policies and rules of the company,and with insurance practices (8) The internal control activities and the manner they will be executed shall be designed by the general manager of the company together with the senior management of relevant units by taking into consideration the characteristic of the entire activities carried out by the company. (9) Whether internal control activities are carried out or not, the observance of rules and restrictions and achievement of targets shall be checked at various pre-determined levels of management, and shall be communicated to the staff members who carry out the internal control activities, on an urgent or normal basis taking into consideration the characteristic of the findings.

5 Duties and Authorities of the Staff Carrying Out Internal Control Activities ARTICLE 11 (1)The staff carrying out internal control activity shall conduct their duties in units, regional offices, and in general management offices where the operational activities are executed. (2) The staff carrying out internal control activity shall be rotated at time intervals deemed appropriate by the general manager. (3) The staff carrying out internal control activity shall request information based on reports from the units concerned in order to monitor, review and control the reliable performance of all activities of the company; shall implement controls or reviews based on general or special observations and monitoring through various control documents and tools; shall put their findings in the form of reports, and shall prepare warning messages and communicate them to the units concerned. (4) The staff carrying out internal control activity shall be authorized to demand additional explanation from the company staff concerning matters which they monitor, review and control, and to seek their opinions. PART THREE Internal Audit System Objective and Scope of Internal Audit System ARTICLE 12 (1) The objective of the internal audit system is to provide guarantee to the senior management that the activities of the company are conducted in accordance with the Law and other relevant legislation and internal strategies, policies, principles and targets of the company, and the internal control and risk management systems are effective and adequate. (2) In order to achieve the intended purpose of the internal audit system during the periodical and riskbased audits carried out at the level of domestic and overseas branches,regional offices, agencies and general management units,and affiliates of the company subject full-consolidation: a) Practices as well as adequacy and efficiency of the internal control and risk management units shall be assessed. b) The accuracy and reliability of accounting records and financial reports shall be reviewed. c)the compliance of the operational activities with the established procedures, and the functioning of the internal control implementing procedures shall be tested. ç) The reliability of the electronic information system shall be reviewed. d) The compliance of the operations with the Law and other relevant legislation and internal strategies, policies and implementing procedures of the company, and other internal regulations shall be supervised. e) The accuracy, reliability and compliance with time limits of the reporting made to the board of directors and the Undersecretariat within the framework of the company regulations shall be supervised. f) Deficiencies, errors and abuses shall be identified; opinions and proposals shall be provided in order to prevent recurrence of such cases and to ensure efficient and effective use of company resources. g) (Amd: O.G ) Service procurements which are in effect extensions or supplements of main services shall also be evaluated within the framework of internal audit system. Internal Audit Unit ARTICLE 13 (1) Internal audit activity shall be carried out by the internal audit unit or the inspection board within the company. A sufficient number of internal auditors or inspectors shall be employed in the internal audit unit, with the purpose of carrying out internal audit activities at a level required by the nature of such services, without disrupting the audit services stipulated in the Law and relevant legislation and internal regulations of the company, taking into consideration the size of the company, complexity, intensity, scope and risk-level of its activities. (2) The director of the internal audit unit is required to have at least a bachelor's degree, and five years

6 of experience in one of the fields of insurance and/or finance. The director of the internal audit unit shall carry out the internal audit activities in accordance with the internal audit plans and policies and implementing procedures regarding audit activities. (3) The director of the internal audit unit shall; a) Determine policies and implementing procedures regarding internal audit activities, and put them into practice upon the approval of the board of directors. b) Supervise internal audit activities, monitor and direct the audit policies, programs, processes and practices. (4) In companies where it is possible to carry out internal audit activities with an internal auditor, the audit activities shall be executed by the internal auditor in question, who shall also bear the duties, powers and responsibilities of the director of the internal audit unit. (5) Besides periodical and risk-based audits, special audits in accordance with the objectives of the internal audit, shall be carried out by the internal audit unit, upon request by the board of directors or the Undersecretariat. (6) If any circumstances which will seriously harm the financial state of the company or cause extraordinary repercussions are observed, the internal audit unit shall submit the report it shall prepare, to the board of directors of the company, and the Undersecretariat as soon as possible. Qualifications and Powers of Internal Auditors ARTICLE 14 (1) Internal auditors shall carry out their duties and responsibilities in an impartial and independent manner. For this purpose, it shall be ensured that the internal auditors do not report to anyone other than the internal audit unit director and the board of directors, and are kept away from conflicts of interests during the performance of their duties. (2) In order to enable the internal auditors to fulfill their duties and responsibilities effectively, the board of directors shall ensure that the internal auditors are entrusted with the authority to exercise initiative in all departments and units of the company, obtain information from all company staff, and access all records, files and data. (3) Internal auditors shall not be assigned as internal control staff or risk management staff. Internal Audit Activities and Working Principles ARTICLE 15 (1) Periodical and risk-based internal audit activities of the companies shall include the preparation and implementation of the internal audit plan, its execution through working programs, and monitoring of measures taken by the relevant management units in accordance with the audit reports. Internal Audit Plan ARTICLE 16 (1) Internal audit plan shall be based on the risk assessments. The opinion of the senior management shall also be sought on the plan. The plans deemed appropriate by the board member responsible for the relevant internal systems shall be implemented with the approval of the board of directors. (2) The following shall be covered in internal audit plans: a) Areas to be audited during the period, with the significance and priority ranking made as a result of risk-based assessments, b) Purpose of the audit, c)summary risk assessments concerning each area or activity to be audited and the Law, and other relevant legislation, ç) Time frame and audit period in which the planned audit activity shall be carried out, d) Resources required for audit activities and potential impacts of resource constraints, e) On-site review of all assets, accounts and records, documents, staff and all other elements which may affect the security of the company, f) Control or review based on general or specific observations and monitoring based on various control documents and instruments, g) Centralized control or review activities in accordance with the organization and activitiy character of the company,

7 ğ) Determining whether the headquarter units, regional directorates and branches, as well as agencies of the company comply with the insurance legislation, company objectives and policies, and the decisions taken by the company, h) Determining whether directors and staff succeed in complying with the targets set, ı) Requesting additional explanation, information and opinion from the company staff or agents on issues monitored, audited or controlled; warning other units of the company when necessary. Audit period ARTICLE 17 (1) The audit period shall indicate the frequency of internal audits. Under ordinary circumstances, the audit period shall be determined by the activities and areas to be audited, internal auditors and the time frame of the audit. Areas deemed riskier as a result of the risk assessments shall be audited more frequently compared to other areas. (2) The internal audit unit is required to carry out reporting at least three times per annum for all agents, at least once per annum for all headquarter units, regional directorates and branches and the provincial organization. However, the agents with a share of at least 5% or more in total premium production of the company excluding banks, or agents with a low collection rate should be audited at least once a year on-site.on the other hand, the review to be made for the agencies shall be limited with the business and transactions of the company. Internal Audit Reports ARTICLE 18 (1) The following shall be covered in internal audit reports: a) Issues observed and a summary of conclusions, b) Scope and objectives of the audit, c) Audit results in detail (ranking of significance of the audited issue within the framework of the issues observed,and its detailed justification), ç) Recommendations if any, and their advantages, d) Other information that may be required by the senior management, (2) (O.G ) Internal audit reports shall be included in the agenda of the board of directors, and the procedures to be carried out shall be determined on the basis of the results of the report. Outsourcing Internal Audit System ARTICLE 19 (1) The principles and procedures relating to outsourcing of the internal audit activities shall be determined by a communiqué to be issued by the Undersecretariat. PART FOUR Objective and Scope of Risk Management System Objective of Risk Management ARTICLE 20 (1) The objective of the risk management system is to define, measure, monitor and control the exposure to risks, through the policies, implementing procedures and limits established to monitor, manage and alter,if necessary, the risk and return structure inherent in the future cash flows of the company, and the characteristics and level of related activities. (2) In order to establish a suitable and adequate risk management system within the company; a) Adequate policies, implementing procedures and limits which will enable managing of different aspects of risks arising from the activities, b) Risk management activities

8 shall be defined clearly in accordance with the principles and procedures specified in this Regulation. Risk Management Policies ARTICLE 21 (1) The company shall establish written policies and implementing procedures on a consolidated and non-consolidated basis to manage each of the risks arising from its activities and the subsidiaries and affiliates subject to full consolidation. (2) When determining risk management policies and implementing procedures, the following issues shall be taken into consideration as a minimum: a) Strategies, policies and implementing procedures regarding activities of the company, b) Compliance with the volume, character and complexity of the activities of the company, c) Risk level that may be assumed by the company, ç) Risk monitoring and management capacity of the company, d) Past experience and performance of the company, e) Fields of the managers of the units carrying out the activities and their professional level in the relevant field, f) Liabilities specified in the Law and other relevant legislation. Risk Limits ARTICLE 22 (1) Risk limits shall be determined: a) In accordance with the risk level the company may assume, its activities and the volume and complexity of its products and services, b) On the basis of at least personnel, unit, companywide, and the group which includes the company (2) Risk limits shall be regularly reviewed and adapted in accordannce with the changes in the market conditions and company strategy. (3) It shall be ensured that risk limits are communicated to the relevant units and understood by the relevant staff. (4) Utilization of limits shall be closely monitored, and the cases where limits are exceeded shall be immediately notified to the senior management in order for the necessary measures to be taken. Risk Management Activities ARTICLE 23 (1) Risk management activities shall, as a minimum, include the following: a) Designing and implementing the risk management system composed of the activities such as; risk measurement, risk monitoring, control and reporting of risks, b) Defining risk management policies and implementing procedures on the basis of risk management strategies, c) Ensuring the implementation and observance of risk management policies and implementing procedures, ç) Ensuring that risks are understood and adequately evaluated prior to entering into a transaction, d) Participating in the process of designing, selecting, implementing and preliminary approval of risk measurement models, reviewing models regularly, and making necessary modifications, e) Generating daily reports from risk measurement models employed by the company, and analyzing the reports, f) Ensuring that the quantifiable risks remain within the set limits, and monitoring the use of such limits, g) Aggregating the limits for each risk defined per unit, and monitoring the compliance with the limits set per company, ğ) Ensuring that the results of risk measurement and risk monitoring are regularly and timely reported to the board of directors or to the relevant internal systems official, and general manager.

9 PART FOUR Final Provisions Entry into Force ARTICLE 24 (1) This Regulation's; a) Articles 6, 7, 8, 9, 10, 11, 20, 21, 22 and 23 shall enter into force on 31/3/2009, b) Remaining articles shall enter into force on 31/12/2008. Enforcement ARTICLE 25 (1) The provisions of this Regulation shall be executed by the Minister in charge of the Treasury Undersecretariat.