The new Notifications re: Rules, Procedures, and Conditions for the Minimum Standard Requirements for Management of Risks Related to Insurance Fraud for Life and Non-Life Insurance Companies ("Notifications") were published in the Royal Gazette on 10 January 2019 and will take effect 180 days after the date of publication, i.e. on 10 July 2019.
The Notifications aim to ensure that insurance companies, under the guidance of the Office of Insurance Commission ("OIC"), can effectively manage both internal and external insurance fraud risks. They cover every stage, from early prevention through investigation and reporting to the remedying of such risks.
2. Key Concepts
To effectively implement risk management measures for insurance fraud, the Notifications impose the following requirements on both life and non-life insurance companies.
2.1 The board of directors must ensure that the insurance company complies with the requirements of the Notifications.
2.2 An insurance company is obligated to:
- Prepare a written policy for insurance fraud risk management, to be approved by the company's board of directors. The policy must be communicated to all of the company's departments, which are required to comply with it strictly. Insurance companies are legally required to review the policy at least once a year, or upon every incident which may materially affect the company's financial stability or the company's credibility. Kindly note that an insurance company will have to provide the policy in electronic form to the OIC within 30 days from the effective date of the Notifications. This requirement is also applicable if there is any material change to the policy.
- Prepare a code of ethics for employees, and promote a culture that emphasizes the importance of ethics and honesty. This entails training employees on insurance fraud risks.
- Specify events and sources of internal and external insurance fraud risks, which include any of its operations that may affect the company's income, capital fund, reputation, or existence.
- Develop and implement the procedures for insurance fraud risk assessment.
- Manage insurance fraud risks, by performing at least the following:
  - Set an appropriate and proper standard for the qualifications and suitability of directors, managers, and employees, and periodically conduct an evaluation of the role and responsibility of each individual (at least once a year);
  - Set a policy for accepting customers or categorizing customers (the categorization must be able to identify suspicious customers), as well as carry out Customer Due Diligence (CDD) based on types of insurance and set measures to be used in case of suspicion;
  - Set criteria and a method for managing compensation claims under an insurance contract;
  - Set criteria and a method for considering and assessing the qualifications and suitability of insurance agents and brokers, which includes background checks and compliance reviews pertaining to a code of ethics;
  - Monitor the operations of insurance agents and brokers, including their behavior, which is a factor that may lead to insurance fraud risk. It should be noted that conformance with these new requirements will not release insurance companies from joint liability with insurance agents. However, it can help improve the insurance company's position when it claims against the agents; and
  - Prepare a policy for outsourcing third-party services, in order to control risks relating to third-party service providers.
- Develop a policy in relation to fraud whistleblowers, which must include protection of whistleblowers and complainants, and treatment of any information received as confidential.
- Upon the suspicion or discovery of a fraudulent incident, appoint an independent party to investigate, handle and remedy any damages. The independent party must report the investigation findings to the company's audit committee at least once every quarter. If fraud or any actions that may affect the company's financial stability, income or reputation are committed, the audit committee must report the findings to the company's board of directors in order to rectify within the appropriate period as deemed by the committee, without delay. If the company's board of directors or managers do not improve or rectify the matter within the specified period, the audit committee must report the fraudulent incident to the OIC.
- Prepare a database on internal and external fraud for monitoring purposes and for enhancing the efficiency of insurance fraud risk management.
- Revisit the insurance company's policy at least once a year to ensure compliance with the Notifications.
- Prepare a report summarizing the insurance company's implementation of insurance fraud risk policies and procedures, which have been approved by the risk management committee, and submit such report to its board of directors at least once a year.
Since the Notifications require insurance companies to implement various measures to deal with insurance fraud incidents, insurers are advised to begin preparing themselves and ensure compliance with the Notifications before they become effective on 10 July 2019. Note that failure to comply with the requirements could result in potential liability under the Insurance Acts.