Professionalising the Insurance Services Ecosystem: KSA’s Comprehensive ISP Framework

4 min 10 sec January 18, 2026 (Edited)

The Kingdom’s Insurance Authority (the “IA”) has released an initial draft implementing regulation on Insurance Service Providers (the “Draft”). It provides a comprehensive and tailored rulebook for Insurance Service Providers (“ISPs”), spanning principles and scope of business, license procedures and requirements, governance and systems and controls, market conduct and online activity, outsourcing standards and proportionate reporting/supervision. ISPs including brokers, agents, TPAs/claims settlement specialists, loss adjusters/assessors, insurance advisors and actuaries, and other licensed service providers that fall into the new proposed regime’s perimeter.

Currently, the operation of insurance activities for insurance and reinsurance service providers is predominantly governed by Cooperative Insurance Companies Control Law, Royal Decree No. M/32 dated 2/6/1424 H, as amended (“Insurance Law”), the Implementing Regulations of the Cooperative Insurance Companies Control Law, Ministerial Decree No (1/596) dated 1/3/1425 H (“Implementing Regulations”), Insurance Market Code of Conduct Regulations 2008 (“Code of Conduct”), and Insurance Intermediaries Regulation 2011 (“Intermediaries Regulation”).

We highlight below the key differences between the Draft and the existing regulatory framework, expected significance for the KSA insurance market and practical implications for businesses.

Key differences

On licensing, the Draft introduces a more comprehensive application submission with granular requirements: board resolutions, business profile, a three‑year plan with financial projections under multiple scenarios, governance and registered persons, systems and controls, contracts, continuity, professional indemnity insurance, facilities, website disclosures and explicit processing timelines and conditional approvals. These are materially more prescriptive than the baseline license submissions for service providers in the current law and regulations.

The Draft introduces a registration requirement for senior positions at the ISPs. The IA may specify any examination requirements associated with the registrable functions, together with guidance on eligible qualifications and criteria for an exemption from the required examination. The Draft also strengthens enforcement by preserving the IA’s jurisdiction for two years after registration cancellation for pre‑cancellation acts, error or omissions.

On prudential capital, the Draft proposes a proportional formula for ISPs, that is, higher of a fixed floor and 2.5% of annual income from insurance activity, or such other amount as shall be prescribed by the IA from time to time. This departs from the fixed minimum requirement tied to activity/licensing types that apply under the current framework.

A bespoke outsourcing regime for ISPs is introduced, covering notification, due diligence, ongoing monitoring, audit/access rights for the IA, contract content, sub‑outsourcing control, continuity and proportionate application to service providers. The Draft proposes a notification requirement to the IA for material outsourcing to a service provider with the authority reserving the right to raise concerns, and an express prohibition on outsourcing of core functions, including but not limited to (a) overall management and strategic decision-making, (b) internal audit function, (c) compliance function, (d) risk management function and (e) actuarial function.

The Draft introduces formal controller and close‑links regimes for ISPs with pre‑notification thresholds at 20/30/50 percent, data on integrity/soundness, and a defined “close links” perimeter at 20 percent ownership or control, whereas current regulatory regime references fit‑and‑proper and general oversight without such granular controller/close‑link processes. This means controllers, significant shareholders, and group entities with close links to ISPs under the Draft will face new notification, assessment and approval expectations, including evidence of integrity, financial soundness, and non‑impairment of effective supervision.

Finally, a new complaints and transparency reporting structure is proposed which requires semi‑annual reporting to the audit committee, quarterly “substantive non‑complaint” reporting to the IA and risk‑based annual financial reporting within 90 days. With regard to the quarterly reporting to the IA, the ISPs shall detail substantive non-complaint communications, including suggestions, inquiries or expressions of dissatisfaction, that may indicate systemic or operational issues requiring regulatory attention. These are more structured and frequent than the current regime for ISPs.

Significance for the KSA insurance market

The new ISP‑specific architecture reduces ambiguity and raises accountability for these firms, helping align conduct and governance with modern supervisory practice and improving policyholder outcomes and market integrity.

Under these proposed changes, licensing will become more front‑loaded, with comprehensive planning, projections, governance, and operational readiness documentation required at application and prior to go‑live, alongside the IA’s ability to impose conditions or refuse on stated grounds. Proportionate capital calibrated to business scale, documented systems and controls, and a full outsourcing framework should professionalise the services ecosystem supporting insurers, reducing operational, conduct and third‑party risks across the value chain. Clear rules around controller/close‑links including the requirement for transparency should enhance supervisory visibility, reduce group‑link risks, and make entry and variation decisions more predictable. Extended jurisdiction after license cancellation of a registered person increases deterrence and confidence in supervisory outcomes.

What should businesses do now

We anticipate the Draft to be available for public consultation during the course of 2026 which will give an opportunity for the sector stakeholders and interested parties to provide their feedback and opinions. In the meantime, the businesses should start putting together a readiness program in anticipation of the introduction of some of the proposed changes.