The Insurance Authority Board of Directors’ Resolution No. 18 of 2020 Concerning the Electronic Insurance Regulations was issued on 27 April 2020 (the ‘Regulations’). The Regulations entered into force on 15 May 2020 and there is a 6-month implementation period for companies to comply with the Regulations.
At a time when the insurance industry is undergoing significant digital disruption (with the adoption and roll-out of insurance technology known as Insurtech) and with a marked acceleration of online operations as a result of the COVID-19 pandemic, these Regulations focus on effectively managing these technological changes and ensuring that the provision of online insurance products and services is safe, secure and protects the interests and rights of the insurance consumer. The Regulations also set out the legal requirements for outsourcing online insurance operations.
The Regulations apply to “Electronic Insurance Operations”. These are defined as any business carried out through electronic and smart systems, including, but not limited to, the provision of insurance coverage and insurance premium offers, the selling and marketing of insurance policies, the collection of insurance premiums, the receipt of claims and the handling of complaints. Based on the definition of “Website” under the Regulations, the Regulations will cover all online platforms, from social media to online work tools such as Google Docs to blogs, live chat and multimedia sharing networks such as YouTube, Instagram and Snapchat.
The Regulations cover “Companies” and “Insurance-Related Professions” (together ‘Insurance Businesses’). The term “Companies” covers both insurance companies incorporated in the UAE and foreign insurance companies licensed to carry out insurance activities in the UAE, whether through a branch or through an insurance agent, including Takaful insurance companies. “Insurance-Related Professions” covers a broad range of insurance-related activities: insurance agents, actuaries, insurance brokers, surveyors and loss adjusters, insurance consultants or any other insurance-related profession that the Board of Directors of the UAE Insurance Authority (‘Authority’) decides to regulate. It also covers insurance policies marketed through banks.
Any Insurance Business seeking to provide Electronic Insurance Operations will require the approval of the Authority. To secure that approval, an action plan for Electronic Insurance Operations must be submitted to the Authority covering, amongst other things, an analysis of the projected volume of Electronic Insurance Operations for the next three years, an analysis of the risks (e.g. adverse selection, cybersecurity, money laundering, terrorist financing, etc.) associated with electronic transactions and the necessary precautionary measures taken to mitigate such risks, and a contingency plan for managing any disruption to one or more elements of the Electronic Insurance Operations, including specific business continuity measures and reporting procedures, both internally and to the Authority. The action plan must be approved internally by the Insurance Business’ board of directors or, if a sole proprietorship, by the owner of the sole proprietorship prior to being submitted for the approval of the Authority.
Insurance Businesses subject to the Regulations will need to put in place an effective online strategy, approved by their board of directors, and risk management strategies with strong internal supervisory controls overseen by executive management. This includes a written policy formally adopted by the board of directors. In particular, Insurance Businesses must ensure that they invest in the right level of expertise and resources to ensure the delivery of effective Electronic Insurance Operations.
Insurance Businesses are required to develop a policy for online advertising and using price comparison services and also sharing data with Insurtech companies and other third parties connected to the provision of Electronic Insurance Operations. That said, the Regulations also state that Insurance Businesses are prohibited from dealing directly with price comparison websites unless they are insurance brokers. The Regulations set out detailed requirements for the engagement by insurance brokers with price comparison websites.
There are certain restrictions on the type of insurance products that can be sold electronically, for example, life insurance products linked to investment instruments. Life and personal insurance policies which do not require specific underwriting in an individual case may be sold online. The Regulations set out a list of the liability and property insurance products that can be sold online including, without limitation, health, fire, land vehicle, personal accident, household, travel, theft, professional indemnity, workman’s compensation and marine cargo insurance. To the extent that a specific insurance product is not listed in the Regulations, Insurance Businesses can seek the approval of the Authority to market and sell the insurance product online.
To the extent they do not already have one, Insurance Businesses will need to establish an IT department to manage their Electronic Insurance Operations. Alternatively, they can consider outsourcing the provision of Electronic Insurance Operations. The outsourcing of any Electronic Insurance Operations will require Authority approval and the outsourcing contract will need to ensure that the outsourced provider complies with the Regulations, the code of professional practice issued by the Authority and other related legislation. Under the Regulations, Insurance Businesses outsourcing any Electronic Insurance Operations are required to establish strong governance and reporting mechanisms to effectively manage the outsourced arrangement.
Where Insurance Businesses wish to sell their insurance products through a third party website licensed for this purpose (e.g. an aggregated insurance platform), they are required to seek Authority approval.
Insurance Businesses must ensure that the Electronic Insurance Operations meet any applicable UAE cybersecurity standards and requirements and must put adequate technical measures in place to ensure data privacy and confidentiality. This includes following applicable UAE laws and regulations in relation to the storing of data inside the UAE and in cloud computing environments. The Regulations include detailed security measures that Insurance Businesses need to take. These include specific requirements for the secure collection and processing of sensitive data (including encryption). Customer records obtained as part of the Electronic Insurance Operations must be retained by the Insurance Businesses for a minimum of 10 years. Online payment transactions must be through payment system providers licensed by the UAE Central Bank.
The Regulations set out details of the information that Insurance Businesses must include on their websites or mobile applications and make available to customers seeking to contract for insurance products. Detailed product information must be listed covering the nature and benefits of the insurance product, coverage exclusions, coverage waiting periods, costs (including VAT), etc. It also needs to clearly display the Insurance Business’ contact details (by phone and electronic means (such as an email or chat function)) and an explanation of how to register complaints. This information needs to be kept updated. A minimum of two means of communication must be provided by the Insurance Businesses.
Electronic marketing, whether by SMS or email, will require prior customer approval (suggesting the requirement for a clear customer opt-in to marketing communications) and must follow the provisions of the Authority’s code of professional practice in relation to marketing practices. Furthermore, the Regulations state that any advertising and promotion of Electronic Insurance Operations will require the prior written approval of the Authority.
One interesting feature required on the Insurance Business’ website is a self-assessment tool, allowing a customer to assess their insurance needs and make an informed decision.
The Regulations state that the provisions of the Electronic Transactions and E-Commerce Law (Federal Law No. 1 of 2006) apply to the execution, electronically, of insurance contracts or any other matters relating to Electronic Insurance Operations. The Regulations allow for the execution of contracts through “electronic automated means, including two or more electronic information systems that are prepared and programmed to do such in advance” – allowing, it seems, for the use of smart contracting. Customers must be made aware of any smart contracting arrangements. The Regulations also set out the requirements for the issuing of dated electronic insurance policies and for a paper copy to be provided, if requested by a customer.
The Authority has the power to conduct periodic inspections to ensure compliance with the Regulations and may request information and documentation for audit and supervision purposes. A violation of the Regulations may result in a warning from the Authority requiring the rectification of the violation within a specified time, the suspension of Electronic Insurance Operations or cancellation of the approval to conduct Electronic Insurance Operations. Any company conducting Electronic Insurance Operations within the UAE without the approval of the Authority will be blocked.
New UAE regulations setting out clear legal requirements for UAE insurance industry providers seeking an effective online presence, collaboration with price comparison websites and the outsourcing of online insurance operations.