Pursuant to Article 35(2)(b) of Insurance and Reinsurance Business and Other Related Issues L.38(I) 2016 ("the Law"), the Superintendent of Insurance, who is the competent supervisory authority, must disclose the general criteria and methods used in the supervisory review process (SRP), including the tools being developed.

For the implementation of this procedure, based on Article 38 of the Law, the Superintendent requires from the insurance and reinsurance undertakings ("the undertakings") to submit information that is necessary for the purposes of supervision.

The SRP is defined in Article 39 of the Law. Through this process, the Superintendent evaluates the strategies, processes and information procedures established by undertakings, in order to comply with the laws, regulations and administrative provisions, which are enacted by law.

The SRP includes the following:
(a) The control and evaluation of quality requirements related to the governance system (strategies and policies, structure / organization, risk management system, internal control system, etc.).
(b) The risk assessment.
(c) The assessment of the ability of undertakings to make their own assessment of the risks they face, taking into account the environment in which they operate.

The above evaluation concerns in particular the compliance of undertakings with the requirements of the Law in relation to:
(a) the system of governance, including the assessment of the own risk and solvency, provided for in Chapter Four, Section 2 of Part II of the Law;
(b) the technical provisions, provided for in Chapter Six, Section 2 of Part II of the Law;
(c) the capital requirements provided for in Chapter Six, Sections 4 and 5 of Part II of the Law;
(d) the investment rules provided for in Chapter Six, Section 6 of Part II of the Law;
(e) the quality and quantity of own funds, provided for in Chapter Six, Section 3 of Part II of the Law, and
(f) in case the insurance or reinsurance undertaking uses full or partial internal model, the continuous compliance with the requirements for full and partial internal models, provided in Chapter Six, Section 4, Section 3 of Part II of the Law.

In addition, the Superintendent monitors and evaluates the processes and procedures that undertakings use to identify, assess and manage the existing risks associated with their business, and the adequacy of the methods and practices they apply, in order to identify potential events or future changes in economic conditions that could adversely affect their overall financial position. He also assesses their ability to cope in the event of such possible events or future changes in economic conditions.

The supervisory review of insurance and reinsurance undertakings is carried out on the basis of the relevant internal procedures of the supervisory authority, taking into account the provisions of the Law and the relevant Guidelines of EIOPA. This examination also covers both offsite and onsite inspections.

The supervisory review process is based on three pillars / stages (Guideline 1):

(1) Risk assessment.

(2) The detailed review.

(3) The supervisory measures.

The inspections and evaluations are carried out on a regular basis and with consistency over time, in accordance with the principle of proportionality at all stages of the supervisory review, and the officers are in on-going communication with the supervised undertakings (Guideline 5).

(1) Risk Assessment (RA)

For the RA, the supervisory authority takes into account all relevant information derived from various sources, such as:
(a) Regular and ad-hoc quantitative and qualitative reports, which are submitted to the supervisory authority by the supervised undertakings.
(b) Information and findings from onsite inspections.
(c) Information, which is submitted to the supervisory authority by the supervised undertakings, through ad-hoc surveys/questionnaires.
(d) Results of stress test exercises.
(e) Statistical analyses of market development and experience of previous years, early warning indicators, risk indicators, previous findings and conclusions for undertakings of both the authority itself and other authorities and organizations and institutions.
(f) Exchange of information within colleges and/or on the basis of cooperation protocols with other supervisory authorities and/or through joint studies conducted through EIOPA.
(g) Exchange of information with the other supervisory authorities of the financial system, as well as with the Ministry of Finance, and other stakeholders (such as the Cyprus Association of Actuaries, the Cyprus Insurance Companies Association, and other associations / associations / organizations).
(h) Collection of information from the internet, the press and the media.

Based on the data/information collected, the supervisory authority first conducts relevant thorough analyses (Guideline 28) of the key indicators (both for the revenue and the amount of liabilities and assets), and then conducts the Risk Assessment (Guideline 12) of the undertaking, both at an individual level and at a market level (Guideline 7), the undertakings are classified into levels of risk and priority, and a supervisory plan is prepared.

The AR includes, inter alia, the following (Guideline 13):
a) Assessment of information (Guideline14).
b) Determination of the undertaking risk and impact classification (Guideline 15 and 17).
c) Determination of impact classification for groups (Guideline 16).
d) Determination of the outcome of the risk assessment framework (Guideline 19).
e) Creation of a supervisory plan and determination of the intensity of supervision (Guideline 20).
f) In the case of insurance groups, if there is a college of supervisors set up under Article 248 (2) of the Solvency II Directive, the contribution of the aspects of the supervisory plan to the college work plan, as the case may be.

Regarding point (e) above, the supervisory inspections are prioritised, the priorities of the officers, the degree of detail and the frequency of the inspections (outside and inside) are then determined. On the basis of the supervisory plan, the frequency of submission of regular supervisory reports is redefined, and where necessary, the need and the extend for additional information, and the affected undertakings are informed no later than 3 months before the end of the financial year (Guideline 23).

(2) Detailed Review (Guideline 25 to 27) and onsite inspections (Guideline 29 to 32)

Where necessary, the supervisory authority adds to the supervisory plan also detailed review, for specific areas of risk (Guideline 25), and requests additional information (Guideline 26).

These reviews include three stages which are: (a) The planning, (b) the onsite work and (c) the conclusions. The conclusions resulting from the detailed review are recorded and made internally accessible for supervisory purposes (Guideline 27). The conclusions from such reviews are communicated to the undertaking and it is given the opportunity to respond within a reasonable time.

Where necessary, the supervisory authority adds to the supervisory plan regular or specific onsite inspections (either general for all risks or detailed for specific risk areas).

(3) Supervisory Measures (Guideline 33 to 42)

After the completion of the supervisory review, and after the conclusions have been drawn for any weaknesses and actual or possible deficiencies or cases of non-compliance, which may lead to supervisory measures, the appropriate measures, based on the provisions, tools and procedures provided by the Law, are determined and taken. These are prioritised based on their severity as well as the level of risk for insolvency. The measures are notified in writing and in a timely manner to the undertaking. The notification shall include an appropriate timetable within which the undertaking should take the necessary action.

During the implementation of the measures, the supervisory authority monitors whether they are properly implemented by the undertaking, and also evaluates them and, where necessary, updates the supervisory plan, taking into account the effectiveness of the supervisory measures implemented.