INTERVIEW: How insurance tech challenges regulation to keep pace in U.S.

NEW YORK (Thomson Reuters Regulatory Intelligence) - Insurance technology is a rapidly growing fintech derivative that exploits advances such as artificial intelligence and big data to create new insurance business models or products, maximize efficiency, mitigate insurance risk and improve customer service.


Examples of insurance technology, or “insurtech,” include:

Insurance based on real-time data – This category includes sensor-based insurance and user-based insurance (UBI). For example, traditional auto insurance policies charge premiums based on aggregated historical data such as driving records. UBI auto insurance, however, uses “telematics” devices that collect, process and communicate real-time data to enable insurers to charge premiums based on a policyholder’s individual driving habits, such as distance, speed and braking. Other applications include the use of sensors to assess and mitigate insurance risk by detecting structural problems in buildings, workplace safety violations or warnings in health vital signs.

Social insurance – Traditional insurance policies charge premiums based on the claims activity of large pools of policyholders. Social insurance aims to enhance insurer profitability while lowering premiums by assessing risk based on the claims activity of small pools of policyholders that know, and presumably trust, each other.

Legacy insurers and startups hope that these and other innovations will yield more accurate underwriting including risk pricing, risk mitigation tools, and a better experience for customers. But these innovations raise many questions, including whether insurance regulation can keep up with the pace of innovation.

Thomson Reuters Regulatory Intelligence reached out to Robert Fettman of the international law firm Hogan Lovells for his take on the regulatory outlook for insurtech. Fettman is a transactional attorney and insurance law expert based in the firm’s New York office.

Fettman’s responses in this e-mail exchange, edited for length, reflect his own views:

Q: The National Association of Insurance Commissioners (NAIC), the coordinating body of state insurance regulators, in 2017 established its Innovation and Technology Task Force to help keep on top of insurtech industry developments. Is there a need for a stand-alone NAIC model law for insurtech regulation? Or do you think the existing framework, with tweaks, will be sufficient to establish regulatory clarity for the industry?

Fettman: A common refrain heard these days from insurance regulators around the country goes something like, “tell us which laws, specifically, are hindering insurtech developments and we’ll address those.” Regulators are loath to make wholesale changes to insurance laws they believe have served the industry well for decades, if not longer, particularly when the case for why existing regulations cannot be tweaked to accommodate emerging technologies has not, in their view, been well articulated. Given that there exists no consensus as to what precisely “insurtech” even means, it seems unlikely a stand-alone insurtech model law or regulation would be considered at this point in time.

Q: Anti-rebating laws generally prohibit insurers from providing to policyholders anything of value except insurance. These laws may affect the ability of insurtech companies to offer other things of value, such as telematics devices. Can you tell us about the progress that the NAIC is making to address this issue, including potential revision of the NAIC Unfair Trade Practices Act (Model 880)?

Fettman: The insurtech industry has been grappling with questions around applicability of anti-rebating laws for some time now. We have seen, for example, companies offering a digital platform allowing developers and businesses to integrate insurance services directly into their websites or apps (so-called Application Programming Interfaces, or APIs) having to navigate these issues following several high-profile regulatory actions.

In an effort to address the need to modernize anti-rebating laws, the NAIC Innovation and Technology Task Force voted, at its August 5, 2019 meeting, to start the process of amending the model Unfair Trade Practices Act as it relates to the general prohibition of rebating. Others, including North Dakota’s insurance commissioner, who at that meeting discussed draft guidelines recently issued by North Dakota to address the anti-rebating issue, were advocating for less formal methods of updating anti-rebating laws, such as by regulatory pronouncement, than a model act revision, which could take a year or longer. The National Council of Insurance Legislators (NCOIL) is also looking into this issue and is purportedly further along in the process.

Q: Some insurtech products offer “robo-advisory” or “virtual agent” services. How does insurance regulation affect what insurtech companies can do in the realm of insurance brokerage activities? What about advertising and marketing?

Fettman: Whether it’s necessary to obtain a producers license has long been a question for insurance-related actors like banks, real estate professionals and affinity groups, to name just a few, looking to promote insurance products. The rise of insurtech in the insurance distribution channel has simply resurfaced these well-explored issues but with a digital twist.

Each state has its own licensing requirements, necessitating an insurance producers license in order to “sell, solicit, or negotiate” insurance, which terms generally capture activities such as explaining coverage, quoting insurance rates, or urging prospective customers to buy a certain policy or obtain insurance from a particular insurer. Most states, however, do not require a license if a person’s activities are limited to advertising without the intent to solicit insurance, and under certain circumstances will allow the payment of referral fees or commissions by an insurer or licensed producer to unlicensed entities.

Most regulators are of the view that insurtech firms should be subject to the same facts-and-circumstances analysis as non-tech actors with respect to whether a given activity triggers producer licensing requirements. For example, the NAIC’s Producer Licensing Task Force is looking into the role of chatbots and artificial intelligence in the distribution of insurance and the regulatory supervision of these technologies. The task force’s forthcoming white paper on this topic is expected to discuss the application of existing producer licensing requirements to these emerging technologies.

Q: State licensing is a fact of life for insurers, brokers and other insurance industry participants. Can you give us some examples of how regulators have characterized the activities of insurtech companies to require some kind of licensing?

Fettman: Insurtech firms getting involved in underwriting and pricing must appreciate the insurance regulatory landscape governing product development or risk potentially running afoul of various insurance regulations. A company that has a model that impacts rate filings, for example, may be acting as an advisory or rating organization and may require licensure under state insurance laws. And even where state law is unclear whether licensing requirements extend to such firms, we have seen regulators insist on some degree of oversight or review of third-party data providers and telematics as a condition to approving the utilizing insurer’s policy rate filings.

Q: In March 2019, Kentucky became the first state to create an insurtech regulatory sandbox, which allows insurers and others to beta test their innovations in a structured and supervised environment. How has the industry reaction been, and have other states or countries adopted similar or different sandbox models?

Fettman: As even a casual observer will note, insurtech has permeated virtually every aspect of the insurance industry. And with this advent, comes the continued call for regulators to create a controlled environment similar to the fintech/insurtech “sandbox” concepts implemented in the UK and other countries for the industry to field-test new technologies without fear of regulatory reprisal.

While Kentucky recently became the first state to create an insurtech sandbox, several other U.S. states have indicated publicly that they believe their insurance laws contain sufficient flexibility to permit the issuance of regulatory variances and waivers (e.g., no-action letters) to insurtech firms seeking to test new products without the need for a formal sandbox.

Some in the industry are questioning whether the concept of a regulatory sandbox for insurtech is even appropriate, arguing that allowing a technology company, but likely not a traditional carrier, to avoid certain insurance regulations, many of which are designed to protect the insurance-buying public, is antithetical to a regulator’s primary duty to safeguard the insurance marketplace.

Q: Given the tremendous amount of personal data that insurtech companies handle, are there any special issues that insurtech companies should consider in the area of data privacy or cybersecurity?

Fettman: Cybersecurity is a risk that every company – in every industry and of any size – should be focused on given the dramatic increase in cyberattacks over the past several years, and the resulting proliferation of law and regulation. Regulatory bodies around the world have issued laws, regulations, guidelines, standards, and frameworks to address cybersecurity risks, some of which are generally applicable while others are industry-specific. Examples include the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, the New York Department of Financial Services Cybersecurity Regulation (and the similar NAIC Data Security Model Law being adopted across the states), the Health Insurance Portability and Accountability Act (HIPAA), U.S. state breach notification laws, and the EU General Data Protection Regulation (GDPR).

The “reasonableness” of an organization’s cybersecurity program in the eyes of regulators will continue to evolve over time in response to the changing cyber threat landscape. As insurtech companies may hold large amounts of personal data, they should monitor these developments closely and understand the associated obligations that may apply to them.

Q: To what extent have the insurance industry or regulators addressed the issue of proxy discrimination, which occurs when software programs generate biased outcomes, even though the biases are not intentionally programmed into the software? For example, discrimination might occur if insurance algorithms recommend higher premiums for certain zip codes, which can be interpreted as a proxy for race.

Fettman: As computing power grows exponentially, it has opened the insurance actuarial modeling world to new and sophisticated forms of data collection and analysis, including data mining, statistical modeling and machine learning. At the same time, the ability of AI and machine-learning to analyze data at very granular levels has regulators concerned about consumer protection.

Algorithms that utilize geographical data or other individualized information, for instance, may effectively create proxies for sensitive characteristics such as race, religion, gender, etc., prohibited from consideration by insurance law. As such, it has become more and more challenging for insurance regulators to evaluate filed rate plans that incorporate increasingly sophisticated technology-based predictive models which may include proxies for prohibited discriminatory factors.

Indeed, a June 2019 U.S. Government Accountability Office (GAO) report on the insurtech industry raised concerns regarding the potential for prohibited factors to creep into underwriting models and premium rates, particularly where the models are developed by data scientists as opposed to actuaries who better understand insurance-specific requirements.

To address these issues, the NAIC is currently compiling best practices for regulators to use in reviewing insurance company filings containing complex predictive models. In addition, the NY DFS issued a circular letter in early 2019 prohibiting the use of external data sources or tools by a life insurer unless it has determined that the external sources do not collect or utilize prohibited criteria, and the insurer may not simply rely on a vendor’s claim of non-discrimination as a justification for a failure to independently determine compliance with anti-discrimination laws.

Q: Can you discuss some of the tension that might exist due to an insurtech company’s desire to protect the intellectual property of its technology and a regulator’s or court’s desire to see the inner workings of the technology -- for example, to determine if any rights have been violated? What are some ways that companies and regulators can work together to overcome these obstacles?

Fettman: Insurtech stakeholders have been very vocal about the need for regulators to ensure the confidentiality of proprietary data models submitted for regulatory review or approval — and regulators largely are sympathetic.

To date, the NAIC has tasked a number of committees with looking into ways to afford such protection. The Market Regulation and Consumer Affairs Committee is reviewing state insurance privacy protections regarding the collection, use and disclosure of information gathered in connection with insurance transactions, and a newly formed Artificial Intelligence Working Group, which is to study the development of artificial intelligence and its use in the insurance sector, will review privacy, marketplace dynamics, and the state-based insurance regulatory framework.

Q: Another developing area in insurtech is smart contracts, which use blockchain technology to convert standard contracts into code. This can work, for example, when the claims outcome is unequivocal, such as when a payout is based on “objective” parametric data, such as wind speed or rainfall total, rather than the more amorphous amount of “losses.” Are there other promising insurance applications of smart contracts or blockchain in the pipeline? What are some of the regulatory hurdles?

Fettman: Many see tremendous potential for blockchain technology in the insurance industry, especially the ability to bring efficiencies and cost savings to existing insurance processes. Smart contracts implemented in connection with a blockchain offer even more potential benefits to the insurance industry. For insureds, the implementation of smart contracts could remove key pain points in the claims filing process while reducing claims handling expenses for insurers.

A good example of smart contracts’ potential is in connection with parametric flight delay insurance policies that run on a blockchain. However, the fundamental nature of smart contracts presents a number of regulatory and compliance hurdles under existing insurance laws. At the threshold, a determination, on a case-by-case basis, is needed whether smart contracts with insurance-like features are actually subject to regulation as “insurance” contracts under state law, or are they, for instance, derivative contracts subject to other regulatory regimes. And if regulated as “insurance”, are automated payments via smart contract even allowed, particularly if funds are to be escrowed? In addition, the immutable and often irreversible nature of smart contracts could pose challenges in the context of insurance delinquency proceedings.

(Jason Hsieh is a contributing writer for Regulatory Intelligence.)


This article was produced by Thomson Reuters Regulatory Intelligence and initially posted on Aug 22. Regulatory Intelligence provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 400 regulators and exchanges. Follow Regulatory Intelligence compliance news on Twitter: @thomsonreuters