Feature

Insurtech is the fusion of technology and business models to enable, enhance and disrupt the provision of insurance services, and it is becoming a key growth driver for early adopters worldwide. At its heart is the ability to enhance the customer experience, making buying insurance, paying premiums and making claims easier than under traditional business models.

Innovative insurtech solutions provide an ability to enhance business operations and scale rapidly, presenting a risk (including possible market share erosion) to insurers that are slow to adapt to digital business solutions.

However, there are inherent risks in technology-driven solutions, especially if a business’s underlying infrastructure cannot cope with rapid growth, or change management strategies are limited or non-existent. Understanding and managing the relevant business and regulatory risks to your insurance business when developing insurtech solutions will therefore be an essential component of your digital transformation journey.

Market disruption

Disruption in the insurance market is inevitable. New Zealand has already seen the rapid impact of FinTech in the financial services sector, and insurers can certainly take cues from the banking industry, which has encountered similar disruption.

New entrants providing technology-driven insurance solutions are putting impetus on insurers to adapt to these technological advancements. The ability for technologically savvy start-ups to develop innovative business solutions and customise those solutions for the regulatory environment in different jurisdictions is intensifying competition between traditional insurance companies, established technology companies and start-ups.

In New Zealand, Cyber Indemnity Solutions (CIS) is one such new entrant. CIS recently announced a new cyber insurance product, has now launched in Australia, and expects to expand further internationally. CIS used New Zealand’s scale and expertise in programming to test their product (which provides digital asset protection insurance) in a micro space. CIS is not a licensed New Zealand insurer. Instead, it licenses insurers to use its policies (which includes a cyber insurance product), systems and software. Insurer partners can embed the insurance policy content into their own cyber policies and/or provide it concurrently with their policy offerings.

Established insurance companies are also investing in insurtech solutions. Sovereign has recently announced that it has created a cloud data centre through Amazon, capable of powering “innovations, integrations and automations” for Sovereign and its customers. In practice, a cloud data centre can be scalable to a business’s needs, and when coupled with an integration suite, can produce customer-centric, data-led experiences in various forms (including through applications and platforms).

Planning and preparation are essential to performing strongly in an insurtech market.

Globally, Insurtech is appearing in various guises with start-ups targeting all areas of the insurance value chain. These include, for example:

• data analytics and developing risk analysis programs (e.g., using algorithms to more accurately assess a customer’s risk profile, policyholder behaviour or for more precise insurance pricing);
   
•  industry-specific technology (e.g. technology that helps farmers to farm better, reducing their overall risk);
   
• bespoke policies (including on-demand, event-specific insurance policies or insurance for digital businesses);
   
• smart contracts (i.e. programs using distributed ledger technology to facilitate the automated performance of contractual obligations (e.g. for assessment and payment of claims) without the need for human intervention);
   
• establishing centralised claims platforms (that can be accessed by companies, insurers and insurance brokers to manage claims more efficiently); and
   
• aggregator services using algorithms that assess an applicant’s insurance need, and match an insurer’s product to that need.

In addition to the above insurtech uses, there are examples of start-ups looking to remove the need for a traditional insurer altogether by using peer-to-peer business models. A peer-to-peer business model allows insureds to pool their capital, self-organise and self-administer their own insurance.

Be prepared

Planning and preparation are essential to performing strongly in an insurtech market. Identifying and managing the risks presented by insurtech will be a key aspect of any digital transformation project. Insurers that develop clear growth strategies that incorporate technology driven, customer-centric solutions, that use technology to strengthen their identity (ensuring cultural identity and brand are not compromised), and that have a keen understanding of the regulatory framework and risks, will be better positioned to provide sustainable business models.

Regulatory considerations

Regulatory ambiguity is perhaps one of the biggest challenges facing regulators in this area. Insurance legislation written as recently as seven years ago did not anticipate the way technology would be developed and applied in today’s market. Ultimately, regulation will need to evolve to ensure the right balance between policyholder protection and encouraging innovation.

Below is a brief summary and some observations of the key legislation affecting the provision of insurance in New Zealand:

Insurance (Prudential Supervision) Act 2010 (IPSA)

• The IPSA is the primary Act regulating insurance business in New Zealand. Its primary purpose is to promote the maintenance of a sound and efficient insurance sector and promote confidence in the insurance sector. The Reserve Bank’s current review of IPSA presents a timely opportunity to future-proof the Act to accommodate technological innovation, and the Reserve Bank has indicated a willingness to do so, consistent with its aim of promoting cost efficiency in the insurance sector. IPSA focuses on legal entities carrying on the business of insurance in New Zealand and places minimum governance, capital adequacy and solvency obligations on the licensed insurer as a legal entity. IPSA will therefore capture all significant insurance activity carried on by such licensed insurer entities, including services provided through technology-based innovations. In addition, the broad definition of “contract of insurance” under IPSA could arguably include innovative new contracts including smart contracts using artificial intelligence and distributed ledger technology, as long as the contract involves, among other things, the transference of risk in accordance with the definition.

The draft Code is still being written, so it is not yet clear how robo-advisory services will be monitored and assessed under the new Code.

However, areas where IPSA could benefit from ‘future-proofing’ amendments include:

• the “carrying on insurance business in New Zealand” test: This test is linked to companies that are required to be registered (including as overseas companies) under the Companies Act 1993. The issue of territorial reach is relevant here, when overseas-based entities may offer digital insurance services from an offshore jurisdiction, without triggering the requirement to register as an overseas company under the Companies Act;
   
• licence conditions and risk management provisions: The scope of these should reflect specific risks associated with providing insurtech innovations. Sensible amendments would include incorporating new licence conditions that relate to insurance services through an automated platform, or a requirement to include, for example, procedures for managing risks associated with insurtech in a licensed insurer’s risk management programme (e.g. cyber risk and change management risks); and
   
• adopting a broad exemption regime: Allowing the Reserve Bank to issue class or individual exemptions from aspects of the regime or from the requirement to be licensed, making it easier for new entrants and traditional insurers to bring innovative insurance solutions to the market as they emerge.

New financial advisers’ regime

• The Financial Services Legislation Amendment Bill (currently before Parliament), repeals the Financial Advisers Act 2008 (FAA) and will move the relevant financial adviser provisions into the Financial Markets Conduct Act 2013. The new regime will enable the provision of “robo-advice” or digital advice services (including advice on insurance products), establishing new standards of conduct and governance that will take into account the provision of advice through both traditional and digital channels. Specifically, the new regime:
   
• will require insurers providing a financial advice service to retail clients to be licensed as a “Financial Advice Provider”;
   
• will enable Financial Advice Providers to be licensed to provide digital financial advice (as the requirement for a human to provide personalised advice will be removed); and
   
• will introduce a new Code of Conduct (Code) which will set standards of professional conduct for those providing regulated financial advice (including for “robo-advisers”).

The draft code is still being written, so it is not yet clear how robo-advisory services will be monitored and assessed under the new code. However, maintaining the standards of consumer protection provided by the legislation, while encouraging providers to harness emerging technologies, will likely be a key objective of the Code Working Group (the group tasked to establish the code).

In addition to the code, the conditions that the Financial Markets Authority (FMA) will likely impose on a robo-advice licence may include strict governance and disclosure obligations on Financial Advice Providers offering advice via a robo-advice platform. The Australian Securities & Investments Commission’s (ASIC) guidance for digital-advice licensees provides some indication as to what licensees might expect under the new regime. ASIC’s expectations in respect of digital advice licensees include (among other things):

• a requirement for the financial advice provider to have at least one responsible manager who meets the minimum training and competence standards;
   
• to ensure there is at least one person that has an understanding of the technology and algorithms used to provide digital advice;
   
• to conduct regular reviews of the digital advice generated by algorithms to ensure it is legally compliant;
   
• to ensure the business has sufficient technological resources to maintain client records and data integrity, and to protect confidential information;
   
• to establish and maintain adequate risk-management systems; and to assess cyber security using recognised frameworks.

Principle 5 (storage and security of personal information) is especially critical as insurers now have access to ever- increasing quantities of policyholder data.

Class exemption for robo-advice

• A class exemption to enable digital advice under the existing FAA regime, prior to enforcement of the new financial adviser regime, is currently under consultation by the Financial Markets Authority (FMA). The exemption will enable the provision of robo-advice by removing the requirement for personalised advice to be provided by a natural person. To address the risks posed by the scalability of digital advice (i.e. poor outcomes could affect a larger number of consumers), the FMA has proposed various limits and conditions. These include:
   
• limiting the exemption to products which are easy to exit (including, for example, general insurance products such as home, contents and vehicle insurance). The FMA has omitted personal insurance products
   – such as life, health and income protection
   – from the types of products that would be covered by the exemption, on the grounds that such products cannot always be easily exited, and the consequences of failing to disclose material information are high. FMA has sought submissions on this approach, suggesting that personal insurance products could be included in the exemption, provided they are subject to a value cap or duration limit; and
   
• providing disclosure tailored to robo-advice and maintaining appropriate expertise to provide the personalised robo-advice service.

The FMA has indicated that the requirements under the exemption may be different from those that will finally apply once the law reform takes place. Importantly, based on the FMA’s indicative timing, the exemption anticipates the ability to provide digital-advice in New Zealand by late 2017, supporting the growing demand for digital-advisory services.

Importantly, based on the FMA’s indicative timing, the exemption anticipates the ability to provide digital-advice in New Zealand by late 2017, supporting the growing demand for digital- advisory services.

Financial Markets Conduct Act 2013 (FMCA)

The FMCA, which regulates the offering of financial products in New Zealand, is a modern Act designed to be flexible and to encourage innovation in the market. The fair dealing provisions under part 2 of the FMCA apply to persons providing a financial service (which includes “acting as an insurer”). The provisions (which include the obligations not to engage in conduct that is misleading or deceptive, or make a false or misleading representation, in respect of a financial service) are broad and will apply to insurance services provided through both traditional channels and via online platforms or mobile applications.

These fair dealing provisions, together with the financial adviser regime discussed above, provide the FMA with oversight over the way in which insurance products are marketed and sold. The FMA has already signalled that it will be looking closely at life insurance sales and advice. With the added complexity, and potential risk around digital sales channels, we see it as a real possibility that the FMA will focus on insurtech innovation and compliance with the fair dealing provisions of the FMCA.

Privacy Act 1993

While the 12 privacy principles in the Privacy Act apply broadly to any personal information collected by an insurer (including any third-party platform provider), advances in technology have dramatically changed how information is collected, stored and shared. Principle 5 (storage and security of personal information) is especially critical as insurers now have access to ever-increasing quantities of policyholder data.

The Privacy Commissioner has recently recommended changes to the Privacy Act and a new Privacy Bill is expected to be introduced this year (although timing is currently unclear). The recommendations are based on rapid changes in data science and information technology in the five years since the last review and, if adopted, could mean, among other things, an increase in the penalty for a serious or repeated breach of the Privacy Act to a fine of up to NZ$1 million for body corporates. Additional guidelines for data use are being developed by the New Zealand Data Futures Partnership, which is currently consulting the New Zealand public in relation to how information about them is used and shared.

Enforcing stricter penalties and narrowing defences under the new Privacy Bill will go some way to ensuring companies invest heavily in security and data management. However consideration should also be given as to whether more prescriptive regulation is needed in respect of technical / organisational measures – including, for example, in relation to data transferability between providers, IT management, cyber security and internal controls for outsourcing services.

Conclusion

Increasingly, there is an impetus on insurers to compete against, and/ or work with, new entrants and established technology companies to improve customer engagement through technology, and to digitise certain back-office functions to create more efficient and nimble business models.

While existing laws and regulation have tended to lag behind technological developments, there is an increasing awareness and acceptance by regulators of the need to accommodate technological innovation in the delivery of business products and services. Awareness of changes in the way in which regulation applies in this new environment must be maintained as a key developer and user requirement at all stages of the digital transformation journey.