Digitalisation and broader innovation themes are growing features in the insurance sector. This is seen across the entire insurance 'value chain'.
It ranges from firms dealing with customers through digital channels, often with no direct human interaction, through to back-end activities with a heavy reliance on technology. Many insurers and intermediaries also have complex outsourcing and cloud dimensions.
Regulatory approach
The Central Bank of Ireland, EIOPA, the European Commission, and the European Parliament have been active in seeking to understand the benefits and risks of technology and to regulate accordingly.
EIOPA's Report on Digitalisation of European Insurance Sector (April 2024) highlighted the variation in approaches to digital across the EU while recognising the increased use of technology. It notes, for example, that the use of chatbots is expected to rise significantly. A lack of IT skills and understanding within firms is also identified.
Risk-based regulation
The new Artificial Intelligence (AI) Act is an example of a risk-based approach to technology, similar in ways to the Solvency II Directive. Different aspects of a firm's use of AI will now be stratified from 'high' to 'low' as regards end-user risk, and each is then regulated (to a greater or lesser level) accordingly.
Similarly, the Central Bank of Ireland's consultation on a new Consumer Protection Code, which closed in June 2024, avoids prescriptive detail. As regards digitalisation, it instead aims to be more principles-based. It mirrors the EIOPA commitment in its 'Digital Strategy' document (September 2023) to remain "technology neutral and people first."
In parallel with initiatives in the financial services area, cross-sectoral legislation includes the new Digital Markets Act and Digital Services Act which now regulate online platforms. Many of the online platforms are expanding into cross-selling activities associated with insurance products. The value of data and client lists is obvious but appropriate use is a key theme of regulators. This builds on areas like the GDPR. There is recent guidance from EIOPA and the Central Bank of Ireland on areas including data ethics, use of cloud and cyber risk.
Digitalisation – 'securing customers' interests'
Digital channels will need to be operated in the future according to 'best outcomes' based regulation. This is like the recently introduced 'consumer duty' in the UK and Ireland, the proposed updates to the Consumer Protection Code (2024), and the Individual Accountability Framework's new 'conduct' and 'business' standards.
There is a focus on ensuring that firms, in their digital offerings, are always thinking about good outcomes for consumers. Regardless of how a firm gets to an end-sale, it should be fair. The psychology of a customer navigating through an app or platform must be carefully considered, and the design must not lead to pre-determined conclusions (e.g. a product is purchased rather than not). This approach can also be seen in the new EU Distance Marketing of Financial Services Contracts Directive, which must be transposed by all Member States by end-2025.
Whilst these areas seek to address digital sales directly, there is also a regulatory theme that no customer should be unduly 'left behind' through tech developments. There must be equivalence of treatment, whether selling via a tech channel or a traditional physical presence. It includes regulatory requirements on the appropriate treatment of 'vulnerable customers' and the less tech-savvy generally.
DORA and related developments
Operational resilience in business models is a related area that is receiving much regulatory focus. This recognises the increasing sophistication of insurer business models, both in terms of technology and at key pinch-points, such as the use of outsourcing.
Firms are preparing for the Digital Operational Resilience Regulation (DORA), new EU legislation effective from January 2025. DORA brings together provisions addressing digital operational risk, outsourcing, operational resilience, recovery planning and IT & cybersecurity risks. The approach, recognising the international nature of activities, has been to create a single EU statute that takes in all these areas but can operate in the same way for all Member States.
Apart from regulated financial services firms, including insurers, DORA brings into regulatory scope external service providers that are viewed as systemically significant. This includes the main cloud providers, such as AWS, Azure, and Google Cloud. They will now be regulated by a designated EU financial services regulator, in many ways just like an insurer or any other type of regulated firm.
A version of this article previously appeared in Finance Dublin 2024.