(1) An insurer must establish and maintain the following control functions:
    (a) a risk management function;
    (b) a compliance function;
    (c) an internal audit function; and
    (d) in the case of a long-term insurer, an actuarial function.

(2) The Authority may exempt a long-term insurer from the requirement to establish and maintain an actuarial function if the Authority is of the opinion that it is appropriate given the nature, scale and complexity of the insurer's business and risks.

(3) (a) Each control function referred to in subsection (1) must be structured to ensure that the function has the necessary authority, independence, resources, expertise and access to the board of directors or a committee of the board identified by the board of directors and all relevant employees and information to exercise its authority and perform its responsibilities.
    (b) The independence referred to in paragraph (a) must be sufficient to allow a control function to—
        (i) serve as a further component of an insurer's checks and balances;
        (ii) provide an objective perspective on strategies, issues, and potential non-compliance related to its areas of responsibility; and
        (iii) implement or oversee the implementation of corrective measures where necessary.

(4) The authority and responsibilities of each control function must be determined and documented under the governance framework of the insurer referred to under Part 2.

(5) (a) The risk management function, compliance function and actuarial function must be regularly reviewed by the insurer's internal audit function or an objective external reviewer.
    (b) The internal audit function must be regularly reviewed by an objective external reviewer.
    (c) The board of directors must regularly review the performance of each control function, taking into consideration the reviews referred to under paragraphs (a) and (b).

(6) The existence of any control function does not relieve the board of directors or managing executives from their respective governance and related responsibilities.

(7) An insurer may, where appropriate in light of the nature, scale and complexity of the business, risks, and legal and regulatory obligations of an insurer, outsource a control function.

(8) Each control function must—
    (a) avoid conflicts of interest, and if any conflict cannot be avoided, report that conflict to the managing executives and the board of directors; and
    (b) comply with the requirements relating to the reporting structures, independence, resources, expertise, responsibilities and functions referred to in sections 24 to 27.