Regulation on Internal Systems in Insurance and Private Pension Sectors (“Regulation”) has been introduced in Official Gazette dated 25 November 2021 and numbered 31670.
The Regulation aims to regulate the procedures and principles regarding the internal control, risk management, actuarial and internal audit systems to be established by insurance, reinsurance and pension companies, special institutions operating in the insurance and private pension sectors, and insurance and reinsurance brokers with legal personality, and their operation. The Regulation replaces the Regulation on Internal Systems of Insurance, Reinsurance and Pension Companies (“Repealed Regulation”) published in Official Gazette dated 2008 and numbered 26913.
Unlike the Repealed Regulation, the Regulation stipulates the establishment of an audit committee (“Audit Committee”), which consists of at least two non-executive board members, and aims to assist the board of directors in the performance of audit and supervision activities. With the Regulation, the duties of the Audit Committee regarding the internal control, risk management, actuarial, internal audit, independent external audit functions and other services have been determined. Qualified institutions as well as insurance and reinsurance brokers with legal personality are not required to form an Audit Committee.
Similar to the Repealed Regulation, the Regulation also includes the minimum qualifications that information systems must have. Furthermore, the Regulation additionally contains of issues such as data confidentiality, log records, authorization and access control, continuity, and thus, improves the system and data security.
As an important change, the data localization has been introduced, making it mandatory to have primary and secondary systems in Turkey. However, unlike similar regulations regarding banking, payment services, capital markets and various other regulated sectors, it has been explicitly stated that, services such as e-mail services, teleconferencing or video conferencing are exception to the requirement to have primary and secondary systems in Turkey.
The Regulation also lays down the rules regarding controls such as the communication structure and establishment of effective communication channels, business continuity management and plan, internal control function, controls on the execution of activities, controls on communication systems and information systems, compliance controls, and controls on service procurement.
In the Regulation, unlike the Repealed Regulation, regulations regarding the actuarial function are included. In this context, the aim and scope of the actuarial function, the actuarial function, the actuarial unit, the qualifications of the actuarial unit personnel, and the responsible actuary have been.
Please see this link for the full text of the Regulation published in Official Gazette dated 25 November 2021 and numbered 31670 (only available in Turkish).