Data Protection Law
While InsurTech is disrupting the traditional means by which insurance products and services are provided and accessed by consumers, it also gives rise to a range of regulatory concerns, in particular around the use of data.
What is InsurTech?
InsurTech is a portmanteau of “Insurance” and “technology”. InsurTech does not have an agreed definition, but is instead used as a broad term covering the use of technology in the insurance value chain and the rethinking of existing processes, usually across the following themes:
- Product innovation in relation to novel risks arising from new technologies.These include new products such as pay-as-you-go (PAYG), parametric, disaster relief, connected device and sensor and peer-to-peer (P2P) type products, usually enabled by leveraging one or more aspects of disruptive technologies.
- Deployment of disruptive technologies across the insurance value chain. The application of innovative technologies (or a combination), such as internet of things (IoT) devices and artificial intelligence (AI), large data sets (Big Data) to facilitate product development, distribution, underwriting and claims and administration practices.
- Development of new technology-enabled insurance business models. These include start-ups reimagining discretionary mutual models and industry consortia seeking to reinvent the insurance value chain through technologies such as blockchain or distributed ledger technology (DLT).
- Rethinking existing insurance processes using technology. The development of new technology platform solutions for adoption by the wider market, with a view to automating paper-based processes and centralising the reconciliation and storage of data.
Awareness of InsurTech solutions and their underlying technologies, coupled with effective mitigation and management of the risks associated with their adoption are vital in a regulated sector pursuing rapid change. The development of new technologies, such as drones, cryptocurrencies and automated vehicles, has prompted product innovation relating to the emergence of new risks created.
The Financial Conduct Authority (FCA) has indicated its support for innovative products and services coming to the UK market and new business models being applied, while maintaining its position as a technology agnostic regulator. To this end, the FCA has created a “regulatory sandbox” as part of its wider innovation agenda (known as “Project Innovate”). This helps innovators navigate the layers of financial services regulation and aims to promote competition in the interest of customers. The sandbox aims to facilitate a “safe space” for InsurTech start-ups to prove their business plans without immediately incurring all the costs and regulatory consequences of engaging in regulated activities.
Big Data analytics
The traditional underwriting model for insurance is based on a combination of customer responses to proposal forms, historical claims data and risk studies; data that is used by analysts to predict consumer behaviour and identify patterns in claims losses.
Within the underwriting context, InsurTech solutions seek to alter traditional models by exploiting the connectivity facilitated by IoT devices and the vast amounts of data points available for analysis, or “Big Data”, that they accumulate. The accumulation of Big Data sets and developments in data analytics capabilities, including AI tools employing machine learning and deep learning techniques, have the potential to inform increasingly precise and segmented underwriting decisions. This is allowing some insurers to offer cover for risks on better terms than would have been possible without this data. In some cases, customers would not have been able to obtain cover without it. Big Data analytics is also used to facilitate prediction of consumer behaviour in the underwriting process, enabling insurers to assess risk more precisely, price policies better and estimate necessary reserves accordingly.
Legal and regulatory implications of Big Data
The most obvious and wide-reaching legal and regulatory implications for InsurTech relate to the assemblage and analysis of Big Data sets:
- Data privacy.Much of the Big Data being gathered in insurance products constitutes “personal data” under the GDPR. Personal data is defined broadly under European data protection law and includes pseudonymised data. Even if an ID has been attached to an individual (rather than a name or other types of more obviously personally identifiable data), it is still possible that personal data is being processed and data protection issues therefore need to be considered. The key GDPR considerations in the context of Big Data are:
- Transparency requirements. The GDPR sets out requirements for consent on the part of the individual to the use and processing of their personal data (including in relation to wholly automated decision making). This can be challenging in the context of Big Data, particularly when the specifics of the intended use of data may not be known at the point at which data is collected and notices are given.
- Purpose limitation. Under the GDPR, data collected for a specified purpose cannot then be used for an incompatible purpose.
- Data minimisation. The principle of data minimisation means only processing data that is required for the purposes for which it is collected and therefore not collecting unnecessary data.
- Storage limitation. Finally, the GDPR includes a requirement around storage limitation – not keeping more data in personally identifiable form then is necessary, or for longer than is necessary.
Accordingly, it is important to undertake a privacy impact assessment when accumulating and analysing a Big Data project. It will also be key to consider the terms of privacy notices, the specifics of the types of data to be analysed and any steps that can be taken to anonymise it and potentially take it out of the scope of the GDPR data protection regime.
- Pricing practices.Regulators are concerned that Big Data creates the potential for underwriters to create customer profiles and price based on data collected about customer income and appetite for shopping around. Regulators are also conscious of practices where pricing is set based on an expectation that customers will provide enhanced underwriting data, with those who are unwilling to provide this being penalised with increased premiums.
- Micro risk segmentation.Regulators are concerned that analytics of Big Data is likely to result in more sophisticated and predictive underwriting models, with underwriting increasingly being performed on the basis of ever smaller or more segmented pools of risk or categories of insureds. This has the potential to pose moral hazard issues in relation to the creation of “uninsurable” risks or classes of risk.
InsurTech Artificial Intelligence
Various forms of AI are in widespread use across the insurance value chain, particularly in distribution and claims administration where defined (and often time-consuming) processes, procedures and actions are commonplace.
AI’s most tangible impact to date has been in the areas of policy monitoring and claims processing, which are gradually becoming subject to intelligent automation to improve efficiency and produce cost-savings, consequently lowering premiums. One example of this is through the development of chatbots and other forms of robo-advisers, which are designed to simulate an intelligent conversation and replace humans in various insurance processes.
A number of InsurTech solutions focus on embedding fraud deterrence and detection software as part of claims management processes. Smartphones enable photographs and videos to be sent to claims managers to evidence damage. Online claims forms can be monitored to identify amendments to draft submissions in response to requests later in the process for evidence or a verbal summary of the relevant loss. Fraud detection software, often utilising AI, can also enable earlier and more effective detection of fraudulent claims, through discerning human emotions by monitoring facial expressions and natural language.
GDPR requires algorithms used in decision making relating to retail insurance products to be explainable. AI is also attracting an increased focus from regulators. They are keen to ensure that the implementation and use of such technologies in the insurance value chain is subject to appropriate systems and controls and that requirements to be able to explain how decisions are made are met. This can be challenging particularly in the context of some non-deterministic forms of AI, such as deep learning applications, which are programmed to learn through their own errors.
Financial institutions using AI should ensure that they have governance processes in place relating to the use of AI within their organisations that ensure compliance with law and ethical standards, and set processes for ensuring these matters can be properly audited. It will also be important to ensure that board members are educated on the forms of AI being used in their operations and the potential implications of these technologies on business processes in practice.
See our blog on AI for more information.
Big Data and web scraping
In the insurance context, terms such as “web scraping” describe practices leveraging publicly available online data to assist with pre-population of proposal forms, underwriting decisions and claims assessment. These practices give rise to a number of issues from a contractual, data privacy, IP and reputational perspective:
- Intellectual Property.Consideration will be required as to whether collection of data through web scraping from third-party sources would constitute a breach of any IP rights (principally literary copyright and database rights infringement).
- Many websites’ terms and conditions have express prohibitions against the collection of content and materials from their site and often refer to web scraping specifically. There are a number of tools by which third parties do make their data available to other sources. However, these are often subject to various licence terms, which may place controls on what can be done with the data.
- Most companies want to make sure that they are giving their client base, and the individuals with who they interact, assurances that their data is being handled responsibly. There is a risk that the collection of data from third-party sources could be seen to be intrusive or inappropriate, which could have a negative reputational impact on the company.
- Data protection.The GDPR specifically requires that individuals must be told about the sources of collection of personal data, which will be relevant where data is not collected from the individuals themselves but from third-party sources. There are rules under the GDPR that apply in relation to decision-making that is taken on a solely automated basis and produces legal effects relating to the individual or other similarly significant effects. Guidance from the Information Commissioner’s Office (ICO) suggests that this could include decisions taken about insurance premiums. The rules around automated decision-making are such that consent is likely to need to be obtained to undertake this type of activity if it does in fact fall within the scope of automated decision-making under the GDPR. There are also requirements around providing individuals with rights to challenge decisions that are made automatically and potentially to obtain some human involvement in that process.
See our blog on web scraping for more information.
InsurTech – The benefits of technology
Being able to analyse data on a big scale has enhanced an industry for which information is the main source of its operations. Being able to do this through automation, access to publicly available information online and without the need for a human perspective comes with a load of legal consequences. Whilst the FCA encourages innovation in insurance, with some believing it can improve customer experience, the ethical dimension is tied up in a range of regulation which needs to be built into any InsurTech system.
EM Law specialises in technology law and data protection law. Please get in touch with one of our lawyers if you need any help.