How is GDPR impacting insurance firms and what are they doing to ease compliance?
GDPR has not just been burdensome on financial services, but offered new opportunities, whether it’s getting firms to actually understand their data or even improving existing regulations, according to a panel at the Global InsurTech Summit 2019.
There is an unprecedented level of regulations entering the market, stretching financial institutions resources further than ever. Typically, regulations are met with a lot of negativity and how they will impact a business severely; however, in the end they offer a lot of benefits for consumers, but also the institutions. The panel at the Global InsurTech Summit, which included senior staff from AutoRek, SCOR, Direct Line, and Theta Lake, discussed the regulations impacting insurance firms and how they’re being received.
GDPR has probably been the most notorious regulation over the past couple of years, and it has big implications across the entire financial world. We are quickly approaching the year anniversary of GDPR and while fear levels were astronomical on its launch, the year passed rather smoothly. When the regulation deployed on 25th May 2018, firms across Europe were worried by the magnitude of the task to protect all their data and cope with endless streams of information requests. However, information requests were not as abundant and the major firms were the only ones in the regulators eyesight on launch, and in large, had their systems ready. As time passes, regulators expectations of GDPR compliance will be higher and fines will likely increase as well, but the regulation has not just brought challenges, but offered some improvements.
Priscilla Cournède, head of group prudential and regulatory developments at SCOR said, “GDPR is an improvement in the regulation processes. In France what we appreciate about GDPR is that it removed our obligation to get an authorization from the authority when we use data. Sure it’s a burden, but there’s some sort of improvement with this regulation compared to the past where we had to wait for months before we could get authorization from the French regulator.”
One of the added bonuses of GDPR is that it has forced financial institutions to acknowledge the information they have about consumers, rather than just storing it and losing it in a system. While this might not seem like much of a benefit, data has become such a powerful tool for companies to improve how they interact with a consumer. Legacy systems or isolated databases have hindered an institution’s ability to access their data for a long time, but now it is also preventing AI technologies from reaching their full potential as they simply cannot leverage all of the data a firm has. As you would expect, this requires a hefty amount of changes to the infrastructure of an institution’s operations, particularly regarding communications and customer interactions.
Theta Lake founder and CEO Devin Redmond said, “One of the reasons why GDPR is front and centre is because it changes the approach to a lot of things. It’s not a lie to say that a lot of organizations have had very straight forward policies to data retention for communication requirements. If I’m supposed to archive and store it, I’m probably not really looking at it. I just capture it and check I’ve met that obligation from a MiFID perspective or a Dodd Frank or a SEC 17a-4 perspective. With GDPR, you run into this additional requirement that shifts that whole mindset, because now I actually need to know what’s inside of that data, and that will force me to figure out how I have to handle it.”
He continued to explain that GDPR is helping to ensure institutions keep up with things they should already be doing. At many organisations, the concept of archiving has typically been that you keep information for five years and then remove it, but most of this data is still there simply because it got lost. Now they’re forced to know what they have and store it properly, improving data privacy, as well as cyber risk.
David Baker, director of group regulatory risk and compliance, Direct Line Group agreed that GDPR has brought with it a lot more transparency with data. Although, he believes data protection has been driven more by cyber threats, than requirements of regulations.
He said, “It strikes me that over the last couple of years, barely a week goes by without seeing a firm losing data or a firm using data in a way that it shouldn’t have done. And it gets called out and it gets a load of brand damage and reputation damage and sometimes litigation. GDPR raises that higher because the fines now are not half a million pounds in the UK, they are 4% of your turnover. So, it definitely focuses minds. But actually, I think we’re in a world now, which is so interconnected, that is so driven through digital means and the need of cybersecurity means you can’t really be a serious player unless you’ve got an answer to protecting your crown jewels, which is your customer data and information. So, it makes good sense. I think regulations are catching up with that. I think businesses have kind of recognized the need to do this sometime ago.”
Clarity has been the biggest success for GDPR, and consumers are beginning to realise they have control of their data and do not just need to bend to the will of an organisation. Access requests have been available in the past, but now a business must clearly demonstrate the information they give a consumer is really everything they have. Companies now need consent for how they will use data and are clearly showcasing what data is being used for and ensure it will not be used in another unspecified manner. This does not come with problems, as access requests need to be completed quickly and differentiation needs to be made between significant and less significant data. Going one step further, data protection regulations differ around the world, and getting a system compliant with one could be completely different to somewhere else.
Priscilla Cournède added, “One thing we are struggling with is that the regulations around data protection and data privacy are very different from one country to another one. And so, we are talking about GDPR in the European Union, but you have different regulations in the States, in Asia, and that’s a challenge for us, as we insure globally. Our market is really the world and not one country, or a couple of countries and the multiplicity of regulations on one topic is really a challenge for us.”
Regulators role in compliance
When firms are preparing for new regulations, regulators are often put in the firing line for not offering the right support, but they are not at fault. The panel all agreed that regulators have been doing a very good job with regulations and if firms want to ease compliance, the key is getting hands-on involved with the regulators as early as possible.
Devin Redmond stated that with regulations like MiFID II or Dodd-Frank, which are both focused around communication environments, it is hard to keep up with compliance alone just because communication is changing so quickly. Since these regulations were deployed the tools available have changed, for example, Twitter and Instagram adding video tools.
He said, “Regulators are trying hard to keep up with the spirit of communications. I know it creates an administrative burden for everybody in a lot of different ways, but the reality is they understand there are more and more ways that consumers and clients can be harmed, and they’re trying to put guard rails in place and they’re trying to keep ahead of all the things that could eventually affect downstream on those consumers. So, they’re working hard at that and I think that’s something that affects all of us, but it is really important.”
The UK’s Financial Conduct Authority was one of the bodies which Redmond had praise for, commending their “forward thinking in terms of creating the Sandbox, and creating an opportunity to get introduced to RegTech.” Other regulators are following suit, building sandboxes and innovation centres to support the adoption of RegTech solutions. Priscilla Cournède agreed that the sooner and institution gets involved with a regulator the better it is.
She added, “For Solvency II we engaged with them early and they really want to understand what we did. Approval for the internal models we used to calculate the solvency of the group took us four years to get. It took a while for our supervisors to understand the model, but that was really worth it and we really appreciated the challenge they gave us and the feedback they gave us on our model.”
One distinction she made was that in France the regulators and the supervisors are very separate entities and its important to coordinate with both to ensure the smoothness of compliance.
David Baker said, “I’d totally agree to engaging early on is really important, particularly for technology providers where you’re trying to disrupt the market or doing something slightly differently. Where that involves sort of a different interpretation of the rules, the policies of the precedent, absolutely engage early. And that is with the policymakers and the supervisors and the supervisory approach, because it can often vary by different parts of the landscape of supervision. Those that supervise even big insurers versus small insurers for example, or life insurers versus general insurers could interpret it slightly different.”
Copyright © 2019 RegTech Analyst
