• IA Insurance Aggregators

    • IA-A Introduction

      • IA-A.1 Purpose

        • IA-A.1.1

          This Module sets out the Central Bank of Bahrain's (CBB's) Directive relevant to insurance aggregators who are intermediaries with an insurance broker's license providing insurance aggregator services, as defined in the Authorisation Module of the CBB Rulebook Volume 3, in the Kingdom of Bahrain.

          October 2019

        • IA-A.1.2

          This Module should be read in conjunction with the requirements in other parts of the CBB Rulebook, Volume 3, applicable to insurance brokers particularly:

          (a) Authorisation Module;
          (b) Principles of Business Module;
          (c) High Level Controls Module;
          (d) General Requirements Module;
          (e) Risk Management Module;
          (f) Capital Adequacy Module;
          (g) CBB Reporting Requirements Module;
          (h) Auditors and Accounting Standards Module;
          (i) Financial Crime Module; and
          (j) Enforcement Module.
          October 2019

        • Legal Basis

          • IA-A.1.3

            This Module contains the CBB's Directive (as amended from time to time) applicable to insurance brokers undertaking insurance aggregator activities by operating an online platform for this purpose, and is issued under the powers available to the CBB under Article 38 of the CBB Law.

            October 2019

          • IA-A.1.4

            For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

            October 2019

      • IA-A.2 Module History

        • IA-A.2.1

          This Module was first issued in August 2019. All subsequent changes to this Module are annotated with a sequential version number. UG-3 provides further details on Rulebook maintenance and version control.

          October 2019

        • IA-A.2.2

          A list of recent changes made to this Module is provided below:

          Module Ref. Change Date Description of Changes

    • IA-B Scope of Application

      • IA-B.1 Introduction

        • IA-B.1.1

          Insurance aggregators as defined in Module AU-1.1.8A provide information aggregation services to clients by comparing the different insurance products for their customers. Insurance aggregators are licensed as insurance brokers and may provide all or some of the services that insurance brokers are authorised to provide only through an online platform.

          October 2019

        • IA-B.1.2

          The word aggregator simply means an organisation that collects information from other businesses and then places it on one website. This may be used by a number of industries as an effective way of increasing client proposals and referrals. In the insurance industry, a customer is able to find insurance quotes under a single electronic platform instead of trawling through multiple insurer websites for quotes individually.

          October 2019

        • IA-B.1.3

          Insurance aggregators who handle client money should have policies and procedures in place to safeguard client money, and comply with the requirements under Module CL.

          October 2019

        • IA-B.1.4

          Additionally, there are confidentiality and data privacy implications if the Insurance aggregator uses the cloud for the analytics. If client data is processed by the tool using the cloud, there must be safeguards to avoid noncompliance with applicable laws.

          October 2019

    • IA-1 Systems and Controls

      • IA-1.1 Systems and Controls

        • Role of Board and Senior Management

          • IA-1.1.1

            The Board of Directors must establish adequate internal controls and maintain effective oversight and governance of the insurance aggregator process and the client interface including establishing sound policies, procedures, systems, methodologies and controls. Such policies must be comprehensive and cover the following:

            (a) Controls over technology solutions;
            (b) Platform operations and performance;
            (c) Tools and measures to prevent frauds and errors;
            (d) Risk management controls;
            (e) Prevention of anti-money laundering (AML) and combating terrorist financing (CTF);
            (f) Record keeping and audit trails;
            (g) Safeguarding client moneys; and
            (h) Financial controls.
            October 2019

          • IA-1.1.2

            The Board of Directors must take responsibility for the establishment and oversight of effective risk management and internal controls.

            October 2019

          • IA-1.1.3

            Consistent with Module PB: Principles of Business, Paragraph PB-1.1.1, the Board of the insurance aggregator must establish adequate internal controls to safeguard the business, its customers and licensees to which they have online access.

            October 2019

        • Technology governance

          • IA-1.1.4

            Insurance aggregators must use technology solutions which are capable of interfacing with software and systems used by insurance licensees and different applications used by customers.

            October 2019

          • IA-1.1.4A

            With respect to Paragraph IA-1.1.4, if an insurance licensee does not have technology systems capable of interfacing with the insurance aggregator, it may utilize other means to display the said licensee's quote such as a quoting engine based on the criteria of the insurance firm.

            October 2019

          • IA-1.1.5

            The internal controls mentioned in Paragraph IA-1.1.3 must include, but not be limited to, the following:

            (a) The development and/or acquisition of the technology solutions to conduct the activity;
            (b) Testing of the solutions and application program interfaces;
            (c) Standards of communication and access and related security controls;
            (d) Safe authentication of the users; and
            (e) Tools and measures to prevent frauds and errors.
            October 2019

          • IA-1.1.6

            Insurance aggregators must maintain an up-to-date security policy document containing the following information:

            a) a detailed documentation of the technology architecture and of the systems and the network elements providing:
            i. description of the business IT systems supporting the business activities;
            ii. the type of authorised connections from outside, such as with partners, service providers, entities of the group and employees working remotely, including the rationale for such connections;
            iii. for each of the connections, the logical security measures and mechanisms in place, specifying the control the licensee will have over such access as well as the nature and frequency of each control;
            iv. process for the opening/closing of communication lines, and description of security equipment configuration, generation of keys or client authentication certificates, system monitoring, authentication, confidentiality of communication, intrusion detection, antivirus systems and logs;
            b) the logical security measures and mechanisms that govern the internal access to IT systems;
            c) the physical security measures and mechanisms of the premises and the data centre of the licensee, such as access controls and environmental security;
            d) the security of the customer payment processes; and
            e) ensure that the information systems (both hardware and software), including the aggregation website(s)/portals, Proposal Management System and the Data Centers hosting the website(s)/Portal(s)/Proposal Management System, are in compliance with the Cyber Security rules stipulated in Section RM-9.
            October 2019

        • Business continuity

          • IA-1.1.9

            Insurance aggregators must ensure they have an up-to-date business continuity plan and arrangements consisting of the following information:

            a) a business impact analysis, including the business processes and recovery objectives, such as recovery time objectives, recovery point objectives and protected assets;
            b) the identification of the back-up site, access to IT infrastructure, and the key software and data to recover from a disaster or disruption;
            c) an explanation of how the licensee will deal with significant continuity events and disruptions, such as the failure of key systems; the loss of key data; the inaccessibility of the premises; and the loss of key persons; and
            d) the frequency with which the licensee intends to test the business continuity and disaster recovery plans, including how the results of the testing will be recorded.
            October 2019

          • IA-1.1.10

            Insurance aggregators must ensure that there are documented measures to protect confidentiality of client data consistent with Law No. 30 of 2018, Personal Data Protection Law (PDPL) issued on 12 July 2018.

            October 2019

          • IA-1.1.11

            Insurance aggregators must ensure that the requirements relating to enhanced due diligence as required under Module FC are met when the client is assessed as higher risk and also where the client relationship (whether at the time of on-boarding or otherwise) is on a non-face-to-face basis.

            October 2019

    • IA-2 Operating Framework

      • IA-2.1 Client Agreements

        • IA-2.1.1

          Insurance aggregators must agree in writing the terms of business with their clients (i.e. insurance firms) and ensure that the following are stipulated:

          a) the full scope of the insurance aggregator services;
          b) the basis for providing advice (if any) including but not limited to methodologies used for such advice;
          c) the fees, charges or commissions relevant to the services being offered;
          d) the dispute resolution processes available to the clients if they wish to make a complaint.
          October 2019

        • IA-2.1.2

          Insurance aggregators must disclose in writing the full particulars of any actual or potential conflicts of interest arising from any connection or association with a product provider, including any commissions or fees and any material information or facts that may compromise its objectivity or independence.

          October 2019

      • IA-2.2 Arrangements with Insurance Firms

        • IA-2.2.1

          No arrangements must be made by the insurance aggregators with the insurance firms which are against the interests of policyholders.

          October 2019

        • IA-2.2.2

          An insurance aggregator desirous of transmitting proposals to an insurance firm must enter into an "agreement" with the insurance firm which must include at least the following details:

          a) Timeframe and mode of transmission of proposals to be shared;
          b) Onus of complying with regulatory and other legal requirements on both the parties to the agreement;
          c) Identifying the different data elements to be shared such as name of prospective client/client/visitor of the web site, contact details etc.;
          d) The timeframe for providing the premium and feature tables of the agreed products to the insurance aggregator after concluding the agreement and keeping them up to date.
          October 2019

        • IA-2.2.3

          The insurance aggregator must keep the agreement ready for inspection as and when desired by the CBB's on-site supervision team.

          October 2019

        • IA-2.2.4

          The insurance aggregator must ensure the following:

          a) While entering into such arrangements, no insurance aggregator must promise nor any insurance firm must compel the insurance aggregator to distribute the products of only a particular insurance firm;
          b) The arrangements must have provisions to include duties and responsibilities of insurance aggregators towards the policyholders, duties and responsibilities of insurance firms and insurance aggregators, terms and conditions for termination of arrangements;
          c) In case an insurance aggregator wishes to terminate arrangement with any insurance firm, they may do so after informing the insurance firm of the reasons for termination of arrangement. In such cases, the insurance aggregator must service any policies solicited but not yet issued by the concerned insurance firm until the issuance of the said policies;
          d) No insurance firm must pay and no insurance aggregator must receive any signing fee or any other charges by whatever name called, except those permitted by the CBB under relevant regulations, for becoming its insurance aggregator.
          October 2019

        • IA-2.2.5

          The CBB may, at any point in time, direct any insurance firm or insurance aggregator to terminate the distribution arrangements.

          October 2019

      • IA-2.3 Product Comparisons

        • Policy for comparison and distribution of insurance products

          • IA-2.3.1

            Insurance aggregators must have a Board approved policy on the approach to be followed by the insurance aggregator in having multiple tie-ups, type of products sold, grievance redress mechanism, reporting requirements and any other item. The Board of the insurance aggregator must review the same at least once in three years.

            October 2019

        • Display of product comparisons on the insurance aggregator website

          • IA-2.3.2

            The insurance aggregator must adhere to the following conditions relating to display of product comparison on its website:

            a) Disclose prominently on the home page, a notice that
            i. the prospective client's/visitor's particulars could be shared with insurance firms;
            ii. the information displayed on the insurance aggregator's website is of the insurance firms with whom the insurance aggregator has an agreement;
            b) Product information displayed by the insurance aggregator must be authentic and be based solely on information received from insurance firms;
            c) Insurance aggregators must not display customer ratings, rankings, endorsements or bestsellers of insurance products on its website;
            d) The content of the website of the insurance aggregator must be unbiased and factual in nature;
            e) Basic features of products may be compared, such as:
            i. Eligibility criteria
            ii. Policy term
            iii. Premium
            iv. Inbuilt benefits/riders
            v. Premiums for different age groups
            vi. Benefits such as survival benefits/maturity benefits/death benefits etc.
            vii. Any other additional information/special product features relating to the products
            f) Product comparisons that are displayed must be up-to-date and reflect the true picture of the products;
            g) The product comparison must highlight whether a particular policy is a sharia compliant Takaful policy or a conventional insurance policy.
            October 2019

          • IA-2.3.3

            Insurance aggregators must not operate multiple websites or tie up with other un-registered websites for comparison of products.

            October 2019

      • IA-2.4 Disclosures and Management of Proposals

        • IA-2.4.1

          Insurance aggregators must adhere to the following requirements with respect to their platform:

          a) Insurance aggregators must disclose prominently on the home page or similar page of the relevant application that the prospective client's/visitor's particulars could be shared with insurance firms if the arrangements with the insurance firms warrant such a disclosure;
          b) Insurance aggregators must provide an option to select multiple insurance firms by the visitor, to whom the proposal must be transmitted simultaneously;
          c) Insurance aggregators must provide an option to select or choose between conventional insurance and Takaful products;
          d) Insurance aggregators must not transmit the proposal containing data of a client to insurance firm(s) other than the one(s) preferred by the client. However, if the client shows interest in buying insurance but does not prefer any insurance firm, the insurance aggregator may transmit the proposal to several insurance firms in the same class of insurance business based on the need analysis of the client;
          e) Ensure that the proposals and other data are transmitted to the insurance firms and others using secured data encryption technologies;
          f) Disclose in all its correspondences with all stakeholders its name followed by "licensed as an Insurance Broker — Insurance Aggregator by the Central Bank of Bahrain".
          October 2019

        • IA-2.4.2

          Insurance aggregators must not provide customers with any cash discounts on their own account, such as in the form of discount codes, cash backs and promotional codes etc.

          October 2019

      • IA-2.5 Professional Indemnity Insurance

        • IA-2.5.1

          Every insurance aggregator must take out and continue to maintain a professional indemnity insurance cover from a licensed insurance firm in the Kingdom of Bahrain. (See Section GR-10.1)

          October 2019

        • IA-2.5.2

          An insurance aggregator must ensure that the insurance cover indemnifies against the following:

          a) any error or omission or negligence;
          b) any loss of money or other property for which the insurance aggregator is legally liable in consequence of any financial or fraudulent act or omission;
          c) any loss of documents and costs and expenses incurred in replacing or restoring such documents; and
          d) dishonest or fraudulent acts or omissions by insurance aggregator employees.
          October 2019

        • IA-2.5.3

          The indemnity cover should not contain any terms to the effect that payments of claims depend upon the insurance aggregator having first met the liability.

          October 2019

        • IA-2.5.4

          The cover should indemnify in respect of all claims made during the period of the insurance regardless of the time at which the event giving rise to the claim may have occurred.

          October 2019

        • IA-2.5.5

          The professional indemnity insurance cover must not be cancelled without the CBB's prior written approval.

          October 2019

    • IA-3 Other Controls

      • IA-3.1 Remuneration

        • IA-3.1.1

          Remuneration in any form paid to insurance aggregators by insurance firms must be in compliance with the following provisions:

          a) No fee can be charged to the insurance firm for listing its products;
          b) Proposals which are converted into sale of insurance policies will entitle the insurance aggregator to earn commission as applicable to insurance brokers;
          c) Insurance aggregators can provide other services to insurance firms in respect of policies procured through them. In such instances, the insurance firm may pay the insurance aggregators reasonable service charges at mutually agreed rates in the service agreements with the insurance aggregators.
          October 2019

        • IA-3.1.2

          The insurance aggregator, if requested by a prospective client, must disclose the amount of remuneration it receives as a result of effecting insurance for that client.

          October 2019

      • IA-3.2 Complaints Handling

        • IA-3.2.1

          The insurance aggregator must:

          a) Have in place a system for recording and monitoring complaints;
          b) Ensure that the website contains details of complaints handling procedures and provides a facility to the customer to log complaints online;
          c) Ensure that communication of clients in any form, written/phone/email/messaging etc. are acknowledged promptly in accordance with the requirements stated in Paragraph BC-4.5.1;
          d) Ensure that the grievance is resolved to the fullest satisfaction of the client;
          e) Ensure that responses are sent to the customer on the resolution of the grievance, and the customer is informed of the further redress procedure available to him; and
          f) Ensure that complaints are attended to at senior management level.
          October 2019

        • IA-3.2.2

          The insurance aggregator must disclose on its website that if a member of the public wishes to make a complaint or requires the assistance of the CBB in resolving a dispute, he may write to the CBB.

          October 2019

      • IA-3.3 Training and Independent Assessments

        • Training

          • IA-3.3.1

            The Insurance aggregator must:

            a) Ensure that its staff are aware of and adhere to the standards expected of them by this Module;
            b) Ensure that staff are competent, suitable and have been given adequate training; and
            c) Ensure that there is a system in place to monitor the quality of services of its staff.
            October 2019

        • Independent assessments

          • IA-3.3.2

            Insurance aggregators must ensure that their overall control framework is evaluated and independently tested by an independent external consultant other than the external auditors:

            a) initially upon implementation of this Module and prior to launching of business;
            b) when there are any material changes to the systems and controls; and
            c) at least once every 3 years.
            October 2019

          • IA-3.3.3

            Insurance aggregators must ensure that the report of the evaluation referred to in paragraph IA-3.3.2(b) is provided to the CBB within 2 weeks of completion of the report. The report required under IA-3.3.2(c) must be submitted within 3 months of the year-end in which the evaluation was conducted. In addition, the report required under IA-3.3.2(a) should be submitted to the CBB for the CBB's review and no-objection prior to launching the business.

            October 2019