The Regulation on Internal Systems of Insurance and Private Pension Sectors (the “Regulation”) and the scope of liabilities regarding internal systems are revised to include special institutions operating in the insurance and private pension sectors and insurance and reinsurance brokers with legal personality, in addition to the insurance and reinsurance companies and pension companies.
With the new Regulation, the liabilities of the board of directors and senior management of special institutions and insurance and reinsurance brokers with legal personality have expanded, and the ultimate responsibility for the establishment and effective operation of internal systems has been assigned to the board of directors or the organ under any name that carries out the duties of the board of directors. In this context, it is regulated that the board of directors of insurance, reinsurance and pension companies shall fulfil its duties and responsibilities regarding internal systems through an audit committee to ensure that such duties and responsibilities are duly fulfilled.
Additionally, special institutions and companies within the scope of the new Regulation shall form a separate internal control unit, risk management unit, internal audit unit and functions related to these units within their organizational structures. Companies, the Natural Catastrophe Insurance Pool, the Special Risks Management Center and the Turkish Motor Vehicle Bureau are obliged to establish an actuarial unit and function in addition to the units and functions defined above. However, even though special institutions and insurance and reinsurance brokers with legal personality are not obliged to establish an actuarial unit under the Regulation, if they carry out an actuarial function or establish an actuarial unit voluntarily, they are required to carry out these activities in accordance with the Regulation.
The authorities of the board of directors are also regulated in detail. In this context, the board of directors shall submit a management statement, which gives assurance regarding the internal systems, to the independent auditor as of the audit period. The procedures and principles regarding the management statement to be submitted under this Regulation may be further determined by the Insurance and Private Pension Regulation and Supervision Authority (“Authority”).
The required qualifications for the members of the audit committee are regulated in detail under the Regulation, and members should continue to comply with such qualifications during their duty period. At least one of the committee members shall reside in Turkey. If the number of the members of the board of directors in the audit committee falls below two for any reason, the board of directors must appoint a sufficient number of members who have the required qualifications to the audit committee within one month, at the latest. In the absence of a member with the required qualifications, non-executive board members may be appointed to the audit committee for a temporary period. Special institutions and insurance and reinsurance brokers with legal personality are not obliged to establish an audit committee. However, in this case, the board of directors of the special institutions and brokers shall fulfil the procedures stipulated among the duties and responsibilities of the audit committee under this Regulation. In addition, a board member may be appointed to perform the said duties, provided that the appointed member meets the qualifications sought for the members of the audit committee.
Business processes and information systems
Institutions must establish business processes and information systems in order to manage the activities carried out for the services provided in an effective, reliable and uninterrupted manner; to fulfil the obligations set forth under the applicable legislation; to ensure the integrity, consistency, reliability, timely availability and confidentiality of the information provided from the systems where accounting and financial reporting and main activities are carried out; and, at the same time, to ensure the monitoring and control of the risks arising from the use of information systems and the taking of the necessary precautions. In addition, institutions must have their primary and secondary systems in Turkey. On the other hand, e-mail, teleconferencing or video conferencing services are exempt from the requirement to be in Turkey.
Business continuity management and plan
For the continuation or timely recovery of operations during an interruption or crisis that may occur due to reasons such as war, terrorism, strikes, lockouts, turmoil, epidemics, fire and natural disasters, IT attacks and business interruptions of business partners, institutions are obliged to establish a business continuity management structure approved by the board of directors, which aims to minimize operational, financial, legal and reputational adverse effects thereof. Accordingly, an emergency and contingency plan must be established as part of the business continuity plan to determine the priority actions and measures to be taken in any emergency or unexpected situation. A system must be established by the internal control unit to review the plans within the scope of the business continuity plan. In case of a change that will affect the business processes or information systems of institutions, the plans must be reviewed and updated. Such plans must be tested at least once a year by the headquarters, selected regional offices, model intermediaries and other related parties, taking into account possible short or long-term interruptions in automatic and manual processes.
The new Regulation further details the scope of the controls regarding the execution of activities, communication systems and information systems, compliance control, scope of outsource controls, and the scope of duties and responsibilities of the internal control unit. Appointment and dismissal of the internal control unit manager shall be carried out by the board of directors with the opinion of the audit committee, and the appointment and dismissal of the unit personnel shall be carried out by the audit committee with the opinion of the manager of the internal control unit.
Similarly, the duties, qualifications and responsibilities of the risk management and actuarial unit are regulated in detail under the Regulation.
In addition to the reporting to the Authority, the new Regulation introduces reporting to the public. Accordingly, the annual report to be prepared by the institutions for each financial year shall include, in addition to other issues, information on the activities carried out within the scope of business continuity management, the individual activities of the units established within the scope of internal systems, the internal systems of the company and the outsourcing of units except for the internal systems.
Except for trade secrets and taking into account the issues relating to protection of personal data, companies and special institutions are required to publish the information stipulated in the Regulation on their websites which should be easily accessed by users from the home page on a quarterly basis for January-March, April-June, July-September, October-December periods, within one month following every quarter. These reports shall be available for five years and shall be presented as comparable to other period reports.
Provided that the units related to internal systems are structured within the organization of the institution, necessary personnel are employed and work plans are prepared by the related units; in the cases where these units are insufficient, internal control, risk management, actuarial and internal audit functions can be outsourced on the condition that their limits are determined.
The Regulation also stipulates various transitional provisions and determines time intervals for institutions to comply with the newly introduced obligations under the Regulation.