Navigating the Open Insurance landscape: A legal perspective for 2023
Open Insurance: A definition
Open Insurance is a way for insurance companies and other players in the insurance sector to share personal and non-personal data, usually via standardized and interoperable APIs (Application Programming Interfaces) (EIOPA, 2021). They can then use that data to create new products and services and improve existing ones.
Open Insurance data include, for example, Know Your Customer (KYC) data, premiums paid, coverage, claims reporting and compensation, and data from IoT sensors. And on-demand, pay-as-you-go, parametric policies, more efficient comparators, and innovative ways of managing insurance products are just a few examples of what Open Insurance may enable.
There’s no specific regulatory framework for systematic data sharing in the insurance industry, like the PSD2 directive for open banking (Directive (EU) 2015/2366). But players in the insurance ecosystem are using bilateral or plurilateral agreements to share information. And Open Insurance is one of the fastest-growing insurtech trends.
Open Insurance is essential for the digitization and innovation of the entire industry. More non-insurance players are entering the insurance market. And insurance is changing from a traditional sector, where closed and stratified legacy systems are standard, to an open ecosystem based on collaboration. The success of Open Insurance projects also depends on analyzing the legal risks up front and devising a contractual architecture, including the key clauses, that allocates those risks between the parties.
Widespread use of Open Insurance has many benefits for industry players, customers and regulators.
For operators – both established companies and new market players – data sharing could lead to a wave of innovation. Potential benefits include greater efficiency in process management and fraud prevention, increased competition with new business models appearing on the market, and faster go-to-market.
Automated access to data from insureds and other sources could make it easier and more efficient to analyze and underwrite risk. Even more so when combined with AI and machine learning tools. Augmented underwriting and augmented automated underwriting are good examples of new innovative processes.
There are also benefits for brokers. With greater availability and variety of data, they’ll be able to accurately and conveniently select products for their clients and negotiate with insurance companies.
For customers, the main benefits of Open Insurance are:
- more choice of innovative insurance products
- more straightforward comparison of products from different companies
- more transparency and ease in switching from one operator to another
Operators sharing data could also shorten the KYC process. They may also create advanced dashboards and platforms where customers can manage their banking/insurance products and have third-party services like payment, mobility, health and wellness all on a single interface.
Supervisory Authorities could also benefit from the wide availability of data and, where available, real-time access. This would increase the effectiveness of supervision and control activities. And it would decrease the time spent collecting and verifying information.
Alongside the many benefits, we have to consider the risks. First, data could be processed outside the permitted purposes and limits or, even worse, be subject to data breaches. Data breaches could have serious consequences for data subjects given the sensitive data often processed in the insurance industry (eg health status, which is a special category of personal data under Article 9 GDPR, and claims data). Other risks relate to IT security: exposing operators' infrastructure through APIs widens the attack surface, and a compromise of one participant (or of its credentials or API keys) can propagate along the data-sharing chain to the other participants, making it easier for malware and cyber-attacks to spread across the ecosystem.
New ways of calculating premiums could make insurance coverage inaccessible to some. And people who don’t have access to or don’t know how to use technology may be excluded.
Anti-competitive effects are also a risk. If a small group of companies holds most of the quality data, new players will find it hard to get a foothold in the market. There are also technical barriers to overcome, such as the lack of common API and data standards.
Coping without a specific regulatory framework
With the PSD2 Directive, the European legislator laid the foundation for the open banking model. Third-party providers (payment initiation and account information service providers) can now access users' payment accounts and the related personal data, relying on the account servicing payment service provider's authentication procedures. This access is permitted under certain conditions and subject to the user's explicit consent, irrespective of any contractual relationship between the account servicing payment service provider and the third-party provider.
Insurance operators can draw on the PSD2 model. But its scope of application is limited to payment accounts and related data. There is no regulation like PSD2 designed for systematic data sharing in the insurance industry.
How insurance and banking differ
The traditional banking world and the insurance world are very different. One of the main differences is the type of data processed. Data related to insurance products is diverse. And it often includes sensitive information like health status, habits, mobility, and claims. Companies and other entities analyze and process data for their internal purposes and to improve product and services. So they may not want to give access to information they see as an intangible asset and which is often protected as a trade secret.
Non-supervised actors like technology companies and big tech could play a key role in the Open Insurance ecosystem, with significant consequences. These players could have access to insureds' data without granting access to their own databases on a reciprocal basis. And risks to consumers could increase, because these entities are not subject to the same level of regulation and supervision, consumer protection standards and operational resilience requirements as supervised entities. But the new European Regulation on digital operational resilience for the financial sector (DORA Regulation - EU Reg. 2022/2554, applicable from 17 January 2025) will also bring critical ICT third-party service providers under an oversight framework and should help mitigate such risks.
The insurance sector also has more variety and less standardization of products than the banking and financial services sector. And there are fewer touchpoints and less interaction between insurers and their customers.
For these and other reasons, a "copy-and-paste" application of the PSD2 model in insurance may not be the right way forward.
Open Insurance contracts
Without a specific regulatory framework for sharing insurance data systematically, Open Insurance projects are implemented through contracts between the parties involved. More than a third of the respondents to the 2021 EIOPA consultation said that Open Insurance would continue to develop regardless of the introduction of a specific regulatory framework.
These contracts can take different forms depending on the type and scope of the project, the entities, and the jurisdictions involved. Some cases simply involve one party providing technology to another. This can be characterized as a provision of services (eg providing cloud-based services to insurance companies for the digitization of processes). Others involve licensing contracts, the transfer of anonymized information protected as trade secrets or as sui generis databases, or agreements on the processing of personal data.
Open Insurance projects can be long-term and involve different participant contributions, such as data, technology, and know-how (eg customer bases, processes, and business models). So it’s not uncommon for them to take the form of partnerships, corporate or contractual joint ventures, or consortia. This is often the case when operators and technology companies develop innovative insurance products or services (eg digital distribution of policies, reward programs for healthy behavior, or digitization of claims and settlement processes).
Open Insurance projects require careful analysis before they start. The contracts and related operational flows must be legally sound and compliant, particularly regarding industry regulations and the privacy and data protection framework. The possible use of advanced technologies, like AI systems or blockchain and other distributed ledger technologies (DLT), must be handled with a high degree of care. Where the project is launched in different countries and jurisdictions, the analysis must also consider the specificities of the local regulatory framework. And good project management is essential.
Open Insurance contracts should include some essential elements:
- the parties’ undertakings and guarantees for the objectives of the project
- the type and quality of data involved
- the related flows and scope of exploitation
- compliance with the applicable legislation throughout the processing chain starting from collection
- data governance and governance of the project itself
- interoperability of the parties' IT and API systems
- hardware and software architecture configurations
- technical and organizational security measures (eg authentication and authorization of API access, encryption of data in transit and at rest, access logging, and the allocation of data breach notification duties between the parties)
Another relevant issue concerning the processing of personal data is offshoring and processing data outside the EU/EEA, which requires an adequacy decision or appropriate safeguards (eg standard contractual clauses) under Chapter V GDPR. Where the parties rely on the data being anonymized, and therefore outside the scope of data protection legislation, the party relying on that qualification must verify that the anonymization technique used is in line with the highest technical standards and that the data can't be traced back to a natural person, including by combining it with other data available to the recipient. Data that is merely pseudonymized (eg customer identifiers replaced by tokens that the provider can reverse) remains personal data under the GDPR.
As for intellectual property, it’s necessary to identify the specific means through which the transfer or licensing of data is carried out and regulate the ownership (or co-ownership) of any derivative work.
In addition to the contractual provisions concerning the birth and 'life' of the contractual relationship, it’s also necessary to consider the circumstances that might justify termination and its operational consequences.
Is legislation coming soon?
Some industry stakeholders expect proposals for specific regulation of Open Insurance to be presented in Europe in 2023. The proposals should cover both legal rules to regulate access and systematic data sharing, and the technical standards (eg in terms of APIs) required to enable the ecosystem to be fully operational. Establishing technical standards may be delegated to the relevant Authorities. Meanwhile, many operators have joined associative Open Insurance initiatives to establish common standards for APIs and data portability. One of these is the Open Insurance Initiative Network (OPIN), comprising 61 companies worldwide. Other initiatives are the Free Insurance Data Initiative (FRIDA) and the Open and Embedded Insurance Observatory in collaboration between the Italian Insurtech Association and Accenture.
In June 2022, EIOPA presented the results of the public consultation carried out in 2021 along with a new discussion paper.
Responses about the adequacy of the current regulatory framework for Open Insurance are particularly interesting. More than half (52%) of the respondents do not consider it adequate for risk management. But 18% believe it is. Most stakeholders also highlighted the importance of the level playing field principle, ie "same business, same risks, same rules," the convergence of supervisory activities, and the need for the authorities to have adequate resources (staff, budget, technical expertise).
The EIOPA consultation shows that most industry stakeholders welcome the adoption of a PSD2-like regulatory framework for systematic and mandatory data sharing in the insurance sector. But some respondents think the best approach would be self-regulation. A minority group believes that statutory sharing should be limited to only certain types of data (data collected by IoT sensors or only concerning certain lines of business and/or specific products).
A common theme among many responses is ensuring regulation does not hinder voluntary Open Insurance initiatives based on contracts between parties. Pending possible developments in the regulatory framework, Open Insurance continues to grow through voluntary initiatives. It’s one of the most promising developments in insurtech in terms of investment and innovation.