​Saudi Central Bank

Insurtech Rules

Introduction

​Definitions

One

a) SAMA: the Saudi Central Bank.

b) Insurtech Activities: any solutions or services that use technology and are provided in an integrated manner within the scope of the Insurance Activities.

c) Insurance Activities: any activities that include or result from shifting burdens of risks from a person to an insurance company, which is obligated to indemnify the insured against loss or damage, as well as any other necessary, complementary or supporting activities of the insurance activities.

d) Rules: the Insurtech Rules.

e) Instructions: regulations, rules, guidelines, principles and instructions issued by SAMA.

f) Customer: a natural or legal person that deals with the Insurtech Company.

g) Insurtech Company: a legal person licensed by SAMA to engage in any Insurtech Activities.

Objectives of the Rules

Two

The Rules aim to:

 

  • Define the regulatory and supervisory framework and concepts for engaging in Insurtech Activities.

  • Protect the rights of Customers of insurtech companies.

  • Develop and encourage Insurtech Activities.

Scope of Application

Three

The Rules shall apply to any person engaging in any Insurtech Activities.

Provisions for Engaging in Insurtech Activities and for Licensing

Qualification for Engaging in Insurtech Activities

Four

1. No person may carry out Insurtech Activities without a prior license from SAMA.

2. Insurtech Activities shall be carried out only by legal persons.

 

Licensing Provisions

Five

1. Entities qualified to carry out Insurtech Activities shall submit a license request to SAMA prior to engaging in Insurtech Activities. The request submitted must include the following:


a) The business model/framework of the insurtech to be engaged in, including the vision and objective and products to be sold.

b) The legal entity to be established and the partners' information.   

c) Expected capital.


d) A feasibility study that includes expected operating expenses, income and profits.

e) The technological arrangements to be made for engaging in Insurtech Activities.

f) Any other requirements set by SAMA for the purpose of reviewing the license request.

2. SAMA considers the license request within 30 days. Upon SAMA's approval of the request, the applicant shall receive a notification thereof to begin the procedures for establishing the Insurtech Company.


3. After the establishment of the Insurtech Company, a request for an initial license shall be submitted to SAMA, along with the following requirements:



a) Memorandum of association/articles of association.

b) A complete Fit and Proper Form for the general manager/CEO.


c) The Insurtech Company's plan to comply with the provisions of the Rules.

d) Any contracts or agreements arising from the technological arrangements set out in Item (e) of Paragraph 1 of this Article. 

e) An insurance policy that covers professional liability.

f) An emergency and business continuity plan that includes actions to be taken if one or more components of the technological system go(es) down. The plan must include corrective measures to ensure business continuity, and the mechanism for reporting to SAMA.

g) Any other requirements set by SAMA.


4. SAMA considers the initial license request and issues a decision whether or not to grant the initial license within 15 days from the date of receiving all required documents.


5. Upon obtaining the initial license, the Insurtech Company shall:

a) Commence the licensed Insurtech Activities within the period specified by SAMA.

b) Not market or advertise the licensed Insurtech Activities without prior approval from SAMA.


c) Provide SAMA with a summary of the insurtech operations carried out by the Insurtech Company on a monthly basis through the application form provided by SAMA.

d) Inform SAMA, on a monthly basis, about any risks that appeared or were discovered during conducting Insurtech Activities.


e) Inform SAMA immediately about any vulnerabilities that appeared or were discovered during conducting Insurtech Activities.

f) Meet any other requirements set by SAMA.

6. Upon ensuring the Insurtech Company's compliance with the requirements set forth in Article 5 hereof, SAMA issues the license for Insurtech Activities and determines the types of Insurtech Activities that the Insurtech Company is licensed to carry out. Such license shall be renewed annually. ​


Obligations of the Insurtech Company

Technological Environment-Related Obligations

Six

The Insurtech Company shall develop and operate the electronic platform to carry out Insurtech Activities and shall develop standard technological interfaces. The Insurtech Company shall:

 

1. Ensure information exchange and electronic communication with the users of Insurtech Company's systems for the purpose of exchanging basic Customer information.

2. Ensure the readiness of the technological infrastructure of other entities that the Insurtech Company will be linked with to allow the exchange of data and information.

3. Ensure efficient and quick electronic communication through the Web services and the electronic platform.

4. Include the technological, operational and security risks in the risk profile, establish precautionary controls and review them regularly.

5. Develop technological and security incident response plans to ensure effective incident management and business continuity, and inform SAMA directly in case of business interruption or security incidents that are classified as medium or high risk.

6. Comply with requirements related to information security.

7. Carry out any procedures required by the Insurtech Activities.

Information Accuracy and Maintenance-Related Obligations

Seven

1. The Insurtech Company shall, using a reliable source, verify the Customer's identity and the accuracy and validity of the information, data and documents submitted by the Customer electronically.

2. The Insurtech Company shall keep electronic records of its Customers' documents and identity papers that were obtained during conducting Insurtech Activities for a period specified by SAMA.

3. While observing relevant Instructions, the Insurtech Company shall create an electronic record for each Customer and set the following procedures and measures at a minimum to protect Customer record:

  • Verifying the Customer's email address and phone number by sending a verification (authentication) link to the Customer.

  • Establishing the necessary procedures to ensure that the information provided is up-to-date, for example, the national address.

Information Confidentiality Obligations

Eight

1. The Insurtech Company shall protect and maintain the confidentiality of Customer data and shall not disclose such data to other parties or use them for illegal purposes, except as required by relevant laws and Instructions. The Insurtech Company shall also keep records and documents of all insurance transactions and deals.

2. The Insurtech Company shall take all necessary security measures and procedures to protect the information exchanged with Customers electronically, and shall use the latest technologies and programs to ensure the protection and safety of payments made through the Insurtech Company's website. All information and data shall be stored in Saudi Arabia.

3. While observing relevant laws and Instructions, the Insurtech Company shall keep backup copies on an ongoing basis and ensure the integrity, functioning and recoverability of data.

 

Obligations for Engaging in Insurtech Activities

Nine

1. The business plan for the insurtech operations shall be approved by a decision of the Insurtech Company's board of directors after obtaining SAMA's non-objection. This plan shall be reviewed annually by the Insurtech Company's board of directors, and SAMA's non-objection shall be obtained when making any material change to the Insurtech Company's strategy. SAMA may request an amendment or a change to the business plan, whenever deemed necessary.

2. The Insurtech Company shall clarify the nature of the services provided for Customers through the electronic platform, and ensure that the nature of the relationship between the Insurtech Company and relevant parties is clear.

3. The Insurtech Company shall publish the licensing information on its electronic platform.

4. The Insurtech Company shall set appropriate approvals and acknowledgements on its electronic platform and allow Customers to read and agree to them before using the electronic platform.

5. The Insurtech Company shall clarify and post on its electronic platform all terms and conditions of use of the electronic platform, security instructions, payment methods, information confidentiality, any other Instructions related to the use of the platform, and all data that must be disclosed under law.

6. The Insurtech Company shall provide a feature through its electronic platform that enables Customers to upload their photos and files to benefit from the service provided by the Insurtech Company.

7. The Insurtech Company shall use the two-factor authentication (2FA) process to complete granting the service to a Customer. SMS-based two-factor authentication shall be supported as one of the 2FA methods. The Insurtech Company shall notify the Customer through electronic communication channels once the Customer is entitled to the service.

8. The Insurtech Company shall disclose the amount or percentage of the financial consideration received for providing the service.

9. The Insurtech Company shall notify Customers initially of any additional charges or expenses for any related services.

10. The Insurtech Company shall obtain the Customer's approval before making any changes to the terms of disclosure and the conditions that the Customer has agreed to initially before being entitled to the service.

11. If the service is for a fixed period of time, the Insurtech Company shall notify the Customer in ample time prior to the end of the service.

12. The Insurtech Company shall provide a mechanism that enables Customers to communicate easily with Customer service representatives.

​Insurtech Code of Conduct

Ten

1. The Insurtech Company shall work with honesty, transparency and fairness and fulfill all of its obligations to Customers in accordance with the agreement entered into between the Insurtech Company and the Customer and as per relevant laws, regulations and Instructions.

2. The Insurtech Company shall, within its field of specialty, use the necessary professional skills and due diligence in dealing with Customers. The Insurtech Company shall also promote professional competences through training and working with experts in the field. It is the duty of each Insurtech Company and its employees to develop their skills and update their knowledge in the field of work.

3. The Insurtech Company shall not discriminate against (current or future) Customers based on race or gender. The Insurtech Company shall provide convincing reasons for refusing, canceling or discontinuing the provision of the service.

4. The Insurtech Company shall deal fairly and honestly with Customers at all stages of relationship. The Insurtech Company must fulfill its obligations under the laws, regulations and Instructions.

5. The Insurtech Company shall ensure that sufficient administrative, financial, operational and human resources are maintained to carry out its business and serve its Customers.

6. The Insurtech Company shall inform Customers of all relevant information in a timely manner, so that Customers are able to make appropriate and informed decisions. In addition, the Insurtech Company shall take reasonable measures to ensure the accuracy and clarity of the information provided for Customers.

7. The Insurtech Company shall take reasonable measures to identify and address any conflicts of interest in order to ensure fair dealing with all Customers. When a conflict of interest occurs, the Insurtech Company shall disclose such conflict to the Customer and shall not unfairly prioritize its interests over those of the Customer.

8. Advertisements of the Insurtech Company shall not contain any false, misleading or negative statements about any competitors in the insurtech business.

Customer Rights

Eleven

1. The Insurtech Company shall have a mechanism in place for Customers to submit their complaints. The mechanism should be fair, clear and effective and should support follow-up and fast processing of complaints in accordance with laws, regulations and Instructions issued by SAMA and relevant authorities.

2. The Insurtech Company shall set a clear mechanism for the cancelation of or withdrawal from the service by the Customer. Such mechanism shall be agreed upon with the Customer before providing the service. The Insurtech Company shall also establish provisions for the Customer on how to cancel/withdraw from the service, along with provisions for recovering the amount paid by the Customer.

Control and Supervision

Twelve

The Insurtech Company shall: 


1. Obtain SAMA's approval before making any modification to the documents or data that were submitted when applying for a license.

2. Not engage in any business or activities other than the licensed insurtech business, except after obtaining SAMA's approval.


3. Provide SAMA with a quarterly report on activity developments, covering technical and security environment, volume of transactions and number of Customers.

4. Comply with the internal policies, procedures and controls in accordance with the Anti-Money Laundering Law and its Implementing Regulations, the Law on Combating Terrorism Crimes and Financing and its Implementing Regulations, and the Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Guide issued by SAMA.


5. Abide by Know Your Customer (KYC) procedures, identify the Customer, verify the Customer's identity, establish that the Customer is the real beneficiary through a reliable source, and document the Customer's identity.

6. Set appropriate internal controls and procedures to ensure compliance with the requirements stipulated herein. In the event that the Insurtech Company outsources or contracts with other parties to provide services related to insurtech business, the Insurtech Company shall obtain SAMA's approval on outsources or contracts, and ensure that all parties involved comply with such Rules and Instructions.

7. Notify SAMA immediately of any material changes or technological or financial risks that the Insurtech Company may face.

8. Provide SAMA with any required information or documents. 


​Non-Compliance​

Thirteen

1. The Insurtech Company shall comply with the Cooperative Insurance Companies Control Law and its Implementing Regulations, the Electronic Transactions Law and its Implementing Regulations, the Anti-Cyber Crime Law, and any other regulations, Instructions or circulars issued by SAMA regarding the practice of insurtech business.

2. Non-compliance with the provisions hereof shall be deemed a violation of the Saudi Central Bank Law and the Cooperative Insurance Companies Control Law and may subject the violator to regulatory penalties.

 


