Hong Kong Insurance Authority changes guidance on governance – what you and your board need to know

Global Publication July 2017

Earlier this year the minimum governance standards for Hong Kong authorized insurers changed as part of a two-phase reform. James Parker and Marina Sherer from our Hong Kong office set out a summary of the key changes.

From January 1, 2017, the first phase of changes to the Hong Kong Insurance Authority’s Guidance Note on the Corporate Governance of Authorized Insurers (GN10), took effect. The second phase of changes (which are more substantive) will take effect from January 1, 2018, allowing more time for transition. A new requirement for persons in “control functions” to be fit and proper and for their appointment to approved by the newly established Insurance Authority (IA), will take effect when section 13AE of the Insurance Companies Ordinance (as amended) (ICO) commences.

GN10 sets out the minimum standards of corporate governance that are expected of Hong Kong’s authorized insurers, with many of the changes being made to reflect the International Association of Insurance Supervisors’ Insurance Core Principles 7 (Corporate Governance) and 8 (Risk Management and Internal Controls).


As part of the amendments, the application of GN10 has been extended. From January 1, 2017, GN10 applies to

  • Authorized insurers incorporated in Hong Kong generally, save for those in run-off (provided that, in the case of a long-term insurer, its annual gross premium income from renewal business is less than HK$20 million).
  • Authorized insurers incorporated outside Hong Kong where 50 per cent or more of the insurer’s annual gross premium income pertains to its Hong Kong insurance business (unless an exemption is obtained from the IA).

Captive insurers are encouraged to adopt GN10 as appropriate.

Summary of the key changes

We set out below a short summary of the key changes, when they take effect and a list of potential action items.

Changes effective January 1, 2017


Action item

Spread and level of expertise in Board
It is advisable for the Board to have an adequate spread and level of expertise in key areas of insurer’s business, such as underwriting, claims, actuarial, finance, and investment (paragraph 4.2.2).

Consideration to be given to the composition of your board of directors and whether your existing board has an adequate spread and level of expertise in the areas most relevant to your business.

Chairman/chief executive
The role of Chairman and chief executive should not be performed by the same person (paragraph 4.4.1).

If your board is currently chaired by your chief executive, a new Chairman will need to be appointed.

Fair treatment of policy holders
When setting business objectives and strategies, the board should consider the fair treatment of policy holders as well as the long term financial soundness of the insurer and the legitimate interests of its stakeholders (paragraph 5.1.1(a)).

Boards need to keep policyholders front of mind when setting business objectives and strategies. GN10 indicates that the Hong Kong regulator’s intention is that policy holder interests should be considered a board issue as well as a regulatory issue.

Review of committees
The Board should review its committees, at least annually, to ascertain whether the members of the committees collectively and individually remain effective in discharging their responsibilities (paragraph 6.7.1).

Schedule at least an annual review of any committees to assess and consider the effectiveness of the committee and its members.

Chair of the audit committee
An independent non-executive director (INED) should chair your audit committee (paragraph 8.4.2).

Consider appointing an INED as chair of the audit committee, if an INED does not currently hold that role.

Cyber security
Insurers are encouraged to have policies and procedures in place to identify, prevent, detect and mitigate cyber security threats (paragraph 7.17.1).

To the extent not already in place, consider adopting a cyber security policy commensurate with the scale and complexity of your business.

Business continuity planning
It is suggested that insurers should have a business continuity policy and a business continuity plan for both going-concern and gone-concern situations. The policy and plan should identify viable measures and actions the insurer can take to restore its business activities under different stressed conditions or by way of precautionary measure (paragraph 7.18.1).

Consider adopting a business continuity policy and a business continuity plan.

Changes effective January 1, 2018


Action item

Standalone risk committee*
Insurers will need to have separate audit and risk committees (paragraph 8.2).

If you currently have a combined audit and risk committee you will need to consider when you split them into separate  committees and which personnel will sit on each. If you currently have only an audit committee you will need to establish a risk committee. Terms of reference for the risk committee will need to be prepared.

From January 1, 2018, the number of independent directors sitting on your board will need to increase from 1/5th to 1/3rd (paragraph 4.2.3).

Across the market this will result in much greater demand for INED services. Consider approaching any additional INED(s) in advance.

Insurers will need to have a written remuneration policy which “should not induce inappropriate or excessive risk taking” (paragraph 9.1).

The remuneration policy should motivate directors and employees to pursue the long-term growth and success of the insurer and demonstrate a clear relationship between performance and remuneration (paragraph 9.2.3).

If you do not currently have a remuneration policy, you will need to adopt one. If you already have a remuneration policy, it will need to be reviewed for compliance with the revised guidance note.

Changes effective when section 13AE of the ICO commences


Action item

Fit and proper persons in “control functions” Whilst GN10 envisages delegation, insurers will need to satisfy themselves, and the IA, that any persons solely or jointly responsible for the performance of a “control function” are fit and proper. For these purposes “control functions” include actuarial, financial control, internal audit, compliance, risk management and intermediary management functions (paragraph 4.6).

The IA’s prior consent will need to be obtained before a senior executive who will carry out a control function is appointed, so additional time will need to be factored in when an appointment is proposed.



Recent publications

Subscribe and stay up to date with the latest legal news, information and events . . .