Saudi Arabia Central Bank draft insure tech rules
On 18 October 2021, the Saudi Arabia Central Bank (SAMA) published the draft insuretech rules (the Rules) to regulate the activities of insuretech companies within the Kingdom of Saudi Arabia (KSA).
The Rules introduce a framework to regulate the operations of insuretech companies, set out certain obligations to ensure the protection of consumer rights and encourage fair competition with respect to providing insuretech solutions. The Rules set out various requirements that insuretech companies must comply with, including licensing, data protection and customer due diligence.
The Rules apply to Insuretech Activities, which are defined as “any solutions or services that use technology and are provided in an integrated manner within the scope of the Insurance Activities.” Insurance Activities include activities that include or result in “shifting burdens of risks from a person to an insurance company, which is obligated to indemnify the insured against loss or damage”, as well as “any other necessary, complementary or supporting activities of the insurance activities”.
Companies that aim to conduct insuretech activities must submit a license request to SAMA, which should include relevant information about their business model, the product (and its vision, mission, and objectives), senior officers and the minimum paid-up capital. A feasibility study, which sets out the technical infrastructure of the solution (including any technical arrangements in place), must accompany the application. SAMA shall make a decision on any license requests received within thirty (30) days.
Once an application that meets the above-mentioned requirements has been submitted, the applicant may be provided with SAMA’s initial non-objection. Companies can subsequently proceed to set-up the insuretech entity once the non-objection has been secured.
The business plan submitted must be approved by the insuretech’s board of directors. SAMA’s prior approval is required to effect any material changes to an insuretech’s business plan. Insuretech companies may be required to introduce amendments to an existing business plan in line with SAMA’s feedback.
Following this, an applicant must submit:
- constitutional documents (including the memorandum of association and articles);
- a fit and proper questionnaire (completed by senior management);
- a regulatory compliance plan;
- a professional liability insurance policy; and
- a business continuity plan (setting out a response to manage any emergencies).
The initial license obtained will enable applicants to commence operations in KSA. Companies cannot, however, market or advertise the licensed insuretech activities without SAMA’s prior approval. All licensed applicants must submit a monthly report to SAMA detailing risks (if any) that have been discovered in carrying out the relevant insuretech activities.
Obligations for Insuretech Companies
In respect of security and technical infrastructure, the Rules require all insuretech companies to develop a sound technical environment to exchange, hold, and receive any customer data. Insuretech companies must establish precautionary controls to manage any technological, operational or security risks.
In addition, licensed insuretechs must undertake thorough KYC and customer due diligence prior to onboarding any customers on their platform. This must include a two-factor authentication process that verifies the customer’s phone number and email address. All identify and beneficial ownership information must be obtained from a reliable source, and insuretechs will need to maintain electronic records of all such documentation collected from their customers. Insuretech companies shall remain liable to ensure that any customer data stored on their platform is up-to-date (including the customer’s address).
Any information collected must be protected using appropriate data security procedures and can only be stored within KSA. Companies must introduce adequate protocols to back-up the data collected and ensure all recovery mechanisms are operating appropriately.
The Rules prescribe a strong focus on consumer protection, which must be adhered to by all insuretechs. Licensed insuretech companies must clarify the nature of their activities and/or services to consumers within their terms and conditions. Such terms and conditions must disclose the financial consideration received by the relevant insuretech for providing its services.
Consumers must be notified of any changes made to the insuretech’s terms, conditions (and should approve any such changes in order for them to be implemented). All additional charges or expenses that consumers may incur in availing the services must be clarified within the terms and conditions. Insuretechs cannot refuse providing their service to a customer without reason and must provide an adequate explanation for any services that have been refused, cancelled or discontinued.
The Rules require insuretech companies to maintain a (i) dedicated customer support to address any grievances and (ii) a mechanism to deal with any cancelations or withdrawals by the customer. Such mechanisms should detail how customers can recover any amounts paid in the event of a cancellation.
Furthermore, insuretechs must avoid any conflict of interest in providing services to consumers to ensure fair dealings. This raises questions about the range of activities that a particular insuretech can independently offer to customers and whether SAMA might impose any restrictions to this extent. Companies cannot engage in any false advertising or negative marketing about any of their competitors.
In addition to the Rules, insuretech companies must remain compliant with the anti-money laundering laws, the anti-money laundering and counter-terrorism financing (AML/CTF) guide issued by SAMA, the insurance law, and the anti-cybercrime law in KSA. Non-compliance with the Rules (or any of the above-mentioned laws) will be construed as a violation of the relevant laws and may result in serious regulatory penalties.
The introduction of the Rules form part of SAMA’s overall aspirations to develop the KSA insurance market, and to introduce an efficient and strong supervisory framework to support the insuretech ecosystem. The Rules will enhance the adoption of insurance-focused technologies within KSA and this corresponds to the overall Saudi Vision 2030, which seeks to encourage the growth of KSA’s insurance sector in attempts to bolster non-oil contribution towards its overall GDP.
SAMA has invited industry specialists and interested individuals to provide their views on the draft Rules within thirty (30) days of the release of the Rules (by November 18 2021) and aims to take the relevant feedback received into account while releasing the final version of these Rules.