Back Custom print Link Text Only Rich Text Print

  • IA-1 IA-1 Systems and Controls

    • IA-1.1 IA-1.1 Systems and Controls

      • Role of Board and Senior Management

        • IA-1.1.1

          The Board of Directors must establish adequate internal controls and maintain effective oversight and governance of the insurance aggregator process and the client interface including establishing sound policies, procedures, systems, methodologies and controls. Such policies must be comprehensive and cover the following:

          (a) Controls over technology solutions;
          (b) Platform operations and performance;
          (c) Tools and measures to prevent frauds and errors;
          (d) Risk management controls;
          (e) Prevention of anti-money laundering (AML) and combating terrorist financing (CTF);
          (f) Record keeping and audit trails;
          (g) Safeguarding client moneys; and
          (h) Financial controls.
          October 2019

        • IA-1.1.2

          The Board of Directors must take responsibility for the establishment and oversight of effective risk management and internal controls.

          October 2019

        • IA-1.1.3

          Consistent with Module PB: Principles of Business, Paragraph, PB-1.1.1, the Board of the insurance aggregator must establish adequate internal controls to safeguard the business, its customers and licensees to which they have online access to.

          October 2019

      • Technology governance

        • IA-1.1.4

          Insurance aggregators must use technology solutions which are capable of interfacing with software and systems used by insurance licensees and different applications used by customers.

          October 2019

        • IA-1.1.4A

          With respect to Paragraph IA-1.1.4, if an insurance licensee does not have technology systems capable of interfacing with the insurance aggregator, it may utilize other means to display the said licensee's quote such as a quoting engine based on the criteria of the insurance firm.

          October 2019

        • IA-1.1.5

          The internal controls mentioned in Paragraph IA-1.1.3 must include, but not be limited to, the following:

          (a) The development and or acquisition of the technology solutions to conduct the activity;
          (b) Testing of the solutions and application program interfaces;
          (c) Standards of communication and access and related security controls;
          (d) Safe authentication of the users; and
          (e) Tools and measures to prevent frauds and errors.
          October 2019

        • IA-1.1.6

          Insurance aggregators must maintain an up-to-date security policy document containing the following information:

          a) a detailed documentation of the technology architecture and of the systems and the network elements providing:
          i. description of the business IT systems supporting the business activities;
          ii. the type of authorised connections from outside, such as with partners, service providers, entities of the group and employees working remotely, including the rationale for such connections;
          iii. for each of the connections, the logical security measures and mechanisms in place, specifying the control the licensee will have over such access as well as the nature and frequency of each control,
          iv. process for the opening/closing of communication lines, and description of security equipment configuration, generation of keys or client authentication certificates, system monitoring, authentication, confidentiality of communication, intrusion detection, antivirus systems and logs;
          b) the logical security measures and mechanisms that govern the internal access to IT systems;
          c) the physical security measures and mechanisms of the premises and the data centre of the licensee, such as access controls and environmental security;
          d) the security of the customer payment processes; and
          e) ensure that the information systems, (both hardware and software) including the aggregation website(s)/portals, Proposal Management System and the Data Centers hosting the website(s)/Portal(s)/Proposal Management System are in compliance with the Cyber Security rules stipulated in Section RM-9.
          October 2019

      • Business continuity

        • IA-1.1.9

          Insurance aggregators must ensure they have an up-to-date business continuity plan and arrangements consisting of the following information:

          a) a business impact analysis, including the business processes and recovery objectives, such as recovery time objectives, recovery point objectives and protected assets;
          b) the identification of the back-up site, access to IT infrastructure, and the key software and data to recover from a disaster or disruption;
          c) an explanation of how the licensee will deal with significant continuity events and disruptions, such as the failure of key systems; the loss of key data; the inaccessibility of the premises; and the loss of key persons; and
          d) the frequency with which the licensee intends to test the business continuity and disaster recovery plans, including how the results of the testing will be recorded.
          October 2019

        • IA-1.1.10

          Insurance aggregators must ensure that there are documented measures to protect confidentiality of client data consistent with Law No. 30 of 2018, Personal Data Protection Law (PDPL) issued on 12 July 2018.

          October 2019

        • IA-1.1.11

          Insurance aggregators must ensure that the requirements relating to enhanced due diligence as required under Module FC are met when the client is assessed as higher risk and also where the client relationship (whether at the time of on-boarding or otherwise) is on a non-face-to-face basis.

          October 2019