ICP 3 Information Sharing and Confidentiality Requirements

The supervisor obtains information from, and shares information with, relevant supervisors and authorities subject to confidentiality, purpose and use requirements

[ + ] 3.1

The supervisor requests information, including non-public information, from relevant supervisors and authorities with respect to insurers.  

3.1.1
Information requested by a supervisor from a relevant supervisor or authority may include:
  • information on strategy, business activities and business models including prospective and recent acquisitions or disposals of insurance business;
  • financial data relating to an insurer;
  • organisational structure, both legal and management structure;
  • information on the management and operational systems and controls used by insurers;
  • information on individuals holding positions of responsibility in insurers  such as Board Members, Senior Management, Key Persons in Control Functions and Significant Owners;
  • information on individuals or insurers involved, or suspected of being involved, in criminal activities;
  • information on any failures to comply with supervisory requirements, regulatory investigations and reviews, and on any restrictions imposed on the business activities of insurers;
  • information concerning regulated entities related to the insurance group, whether undertaking insurance business or other financial business which is subject to regulation, and information concerning non-regulated entities related to the insurance group such as service companies or holding companies;
  • specific information requested and gathered from a regulated entity; and
  • reporting information within groups to meet group supervisory requirements, including subsidiaries and non-regulated holding companies.
3.1.2
Relevant supervisors and authorities, whether in the same or a different jurisdiction, may include:
  • other insurance supervisors;
  • supervisors responsible for banks and other credit institutions;
  • supervisors responsible for investments, securities, pensions, financial markets and other sectors;
  • authorities responsible for the recovery or resolution of insurers;
  • authorities responsible for anti-money laundering or combating the financing of terrorism; and
  • law enforcement agencies.
[ + ] 3.2

The supervisor shares information, including non-public information, with relevant supervisors and authorities at its sole discretion and subject to appropriate safeguards.

3.2.1
Supervisors and authorities are responsible for ensuring the safe handling of confidential information. Although the existence of an agreement or understanding on providing requested information may not be a prerequisite for sharing information, the supervisor is encouraged to use agreements, including memoranda of understanding (MoUs), to facilitate information sharing between relevant supervisors and authorities. Such agreements are important to information sharing among supervisors and authorities to establish a framework to facilitate the efficient exchange of confidential information and document the types of information that may be shared as well as the terms and conditions under which the information can be shared and passed on to other relevant supervisors and authorities. Such agreements may be distinguishable from coordination agreements used in supervisory colleges (see ICP 25 Supervisory Cooperation and Coordination).  
3.2.2

The supervisor should use bilateral or multilateral agreements to facilitate information sharing because they provide the basis for a two-way flow of information and the basis for confidential treatment of the information shared. The IAIS MMoU is an example of a multilateral memorandum of understanding for cooperation and exchange of information between supervisors related to the supervision of insurance legal entities and insurance groups. All signatories to the IAIS MMoU undergo a validation of their laws and regulations to demonstrate compliance with the MMoU’s strict confidentiality regime. For this reason, if all relevant parties are signatories to the IAIS MMoU, it is the preferred framework for multilateral information exchange.

3.2.3

Supervisory colleges can provide a framework for supervisory cooperation and crisis management in which information sharing between involved supervisors occurs on an ongoing basis.

3.2.4

Information sharing is particularly important for the operation of a supervisory college. For a supervisory college to be effective there needs to be mutual trust and confidence among supervisors, particularly in relation to exchange and protection of confidential information.

3.2.5

Each member of the college should take measures necessary to avoid the unintentional divulgence of information or the unauthorised release of confidential information. It is important that appropriate information exchange agreements or other arrangements are in place between the members of the supervisory college to ensure that information can be exchanged in a secure environment.

3.2.6

Where confidential information exchanged within a supervisory college is communicated to relevant supervisors or authorities who are not involved in the college, supervisors should:

  • have a formal mechanism in place between the group-wide supervisor and the other supervisors or authorities to ensure the protection of the confidential information. Such mechanisms could be included in the relevant information sharing agreements; and
  • obtain the prior consent of the supervisor having provided such information.
[ + ] 3.3

The supervisor requesting confidential information (the requesting supervisor) has a legitimate interest and valid supervisory purpose related to the fulfilment of its supervisory functions in seeking information from another relevant supervisor or authority.

3.3.1
A legitimate interest is derived from the powers and responsibilities the requesting supervisor has in relation to the subject matter of the request. For example:
  • if the requesting supervisor only has the power and responsibility to supervise intermediaries and not insurers, it may not have a legitimate interest in requesting information relating to an insurer; or
  • if the requesting supervisor requests information relating to an insurer that has no current or planned operations or other connections to the requesting supervisor’s jurisdiction, it may not have a legitimate interest in requesting such information.  
3.3.2

A valid supervisory purpose is relevant to the requesting authority’s performance of a supervisory task. Valid supervisory purposes may include information requested for the purposes of:

  • licensing;
  • suitability criteria;
  • intra-group transactions such as loans and extensions of credit, parental guarantees, management agreements, service contracts, cost-sharing arrangements, reinsurance agreements, dividends and distributions;
  • prevention of financial crime, such as fraud, anti-money laundering or combating the financing of terrorism;
  • ongoing supervision, including preventive and corrective  measures and sanctions; and
  • exit from the market and resolution.
3.3.3

A supervisor may voluntarily provide information to other relevant supervisors so as to better enable the supervisors’ fulfilment of their supervisory functions. In such cases, the supervisor providing information should adhere to the same requirements as though the information had been requested by a requesting supervisor.

[ + ] 3.4

The supervisor that has received a request for confidential information (the requested supervisor) from another relevant supervisor or authority:

  • assesses each request for information on a case-by-case basis; and
  • responds to requests in a timely and comprehensive manner.
3.4.1

In principle, the requested supervisor is expected to share information with a requesting supervisor with a legitimate interest and for a valid supervisory purpose

3.4.2

In deciding whether and to what extent to fulfil a request for information, the requested supervisor may take into account matters including:

  • the nature of the information to be provided;
  • the purpose for which the information will be used;
  • the ability of the requesting supervisor or authority to maintain the confidentiality of any information received, taking account of the IAIS MMoU or other existing agreements in each jurisdiction;
  • whether, in the context of supervisory college or otherwise, the request is covered by a coordination agreement;
  • whether it would be contrary to the interest of the jurisdiction of the requested supervisor; and
  • relevant laws and regulations in each jurisdiction (in particular those relating to confidentiality and professional secrecy, data protection and privacy, and procedural fairness).
3.4.3

While requests for information should normally be made in writing, the requested supervisor should not insist on written requests in an emergency situation, and should not unreasonably delay a response to an oral request for information made for a valid supervisory purpose by a requesting supervisor.

3.4.4

The requested supervisor may receive a request for information which is not already in their possession. In such circumstances, the requested supervisor should, if it considers it reasonable, obtain that information from the insurer or other entities from which it has the power to obtain information.

3.4.5

If the requested supervisor denies a request, it should explain its reason for the denial to the requesting supervisor or authority.

3.4.6

Lack of strict reciprocity should not be used by the requested supervisor as the reason for not sharing information that would otherwise be appropriate to share, particularly in an emergency or other crisis situation. Strict reciprocity in terms of the level, format and detailed characteristics of information requested is not required.

[ + ] 3.5

The requesting supervisor uses confidential information received from the requested supervisor or authority only for the purposes specified when the information was requested. Unless otherwise agreed, before using the information for another purpose or passing it on to others, the requesting supervisor obtains agreement of the requested supervisor or authority.

3.5.1

The requesting supervisor should specify the intended purposes of the information sought. Additionally, MoUs may address purposes for which the requested information may be used by the requesting supervisor.

3.5.2

The requesting supervisor first obtains agreement with the requested supervisor or authority before passing on requested information. Supervisors and authorities are encouraged to request information directly from the requested supervisor, rather than from the requesting supervisor, to provide an opportunity for direct dialogue and further consultation. Requesting supervisors should ensure that appropriate confidentiality requirements are in place and the information is only passed on to another relevant supervisor or authority with a legitimate interest and – in case of a supervisory authority – for valid supervisory purposes.

3.5.3
There are specified circumstances within the IAIS MMoU where signatories are expected to consent to the passing on of information to other relevant supervisors and authorities. This includes situations where passing on information will assist:
  • other IAIS MMoU signatories in the fulfilment of their supervisory functions; and
  • other relevant domestic financial sector bodies such as central banks, law enforcement agencies, relevant courts and other authorities (see Annex B of the IAIS MMoU).
3.5.4

Conditions imposed by the requested supervisor on the passing on of information to third parties should not prevent the requesting supervisor or authority from being able to use the information for its own valid supervisory purposes.

[ + ] 3.6
In the event the requesting supervisor has received notice of proceedings, which may legally compel it to disclose confidential information which it has received from the requested supervisor, the requesting supervisor:
  • to the extent permitted by law, promptly notifies the requested supervisor; and
  • where consent to disclosure is not given, uses all reasonable means to resist the demand and to protect the confidentiality of the information.
3.6.1

Where allowed by the laws and practices of the jurisdiction, a requesting supervisor required to disclose confidential information by legal compulsion should place, or seek to place, protections from disclosure on that information. Such protections could include:

  • a protective order placing restrictions on use or further distribution of the confidential information; or
  • limitations on the means and location of the disclosure of the confidential information.