Blockchain is “the most important invention since the Internet itself” according to Marc Andreessen. And there is no doubt that there are huge potentials for the insurance sector to exploit such technology, but as any new technology, it will also lead to new legal risks.
The Bank of England defines blockchain as “a technology that allows people who don’t know each other to trust a shared record of events“.
The main peculiarity of the blockchain is the existence of a shared record, a ledger, distributed to all the participants allowing multiple parties to transfer and store information in a space that is secure, permanent and easily accessible.
The McKinsey Panorama Fintech database currently registers over 200 blockchain-related solutions, of which about 20 provide use cases for insurers that go beyond payment transactions – either as specific applications or as base platforms. Also, even traditional insurance companies, such as AXA and Generali, have started to invest in blockchain applications and Allianz has just recently announced its successful pilot of a blockchain-based smart contract solution to automate catastrophe swap transactions.
Automate underwriting and claims handling, but also fraud detection
The most common usage of blockchain in the insurance sector is in the automation of underwriting and claims handling. Indeed, if applications for insurance policies, contract terms and claims are recorded in a blockchain, a so called “smart contract” can automatically:
- Select the applications that should be accepted and the applicable terms, including pricing
- Pay premiums on the occurrence of the conditions set out in the contract
- Identify frauds
- Potentially profile customers/claimants in much more detail
The above can be achieved relying on data that can be obtained through the sensors of telematics devices and/or public and private sources. Internet of Things technologies can for instance enable to have a full understanding of the reasons leading to an accident in an industrial plant or involving a car and, if such data is recorded on a blockchain, the payment of the premium can be almost instantaneous.
But if the same IoT technologies can record on a blockchain the information obtained from public and private sources about the loss of a luggage during a flight, a customer might receive the payment of the premium from his travel insurance company even already at the exit from the airport, rather than after weeks or months.
Also, a blockchain where all claims from different insurance companies are recorded can help to identify frauds since for instance it can detect if more than one claim has been filed for the same accident or if a customer is “black listed”.
This would be a revolution for the insurance sector not only in terms of more efficiency for customers, but also with reference to cost savings as no liquidator would be involved since the process would be fully automated.
Privacy restrictions are not “friends” of full automation
One of main privacy issues that might derive from the usage of blockchain in the insurance sector is that the upcoming EU General Privacy Regulation provides that individuals “shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her“.
Exceptions to such rule apply when an automated decision is either provided by the law, such as in the case of fraud prevention systems, or is necessary to enter into a contract or is based on the individual’s prior consent. But, in the latter two scenarios, individuals will still have the right to obtain human intervention to express their point of view and to contest the decision which is commonly known as the right to receive a justification of the automated decision. Therefore a system which is 100% automated can exist, but a right of appeal to a human would be still possible.
Likewise, the deep automated profiling of individuals required to ensure the immediate action by the blockchain implies the need to collect personal information from different sources and this shall comply with the strict regime introduced by the EU General Privacy Regulation which provides sanctions up to 4% of the global turnover of the breaching entity or € 20 million, whatever is higher. A so called “data protection impact assessment” and a privacy by design approach focused on data minimization and security of technical and organization measures implemented shall be put in place.
Lack of full control might lead to risks
But the above is not the sole risk associated to the usage of blockchain in the insurance sector. One of the main issues affecting public blockchain is the inability of controlling and stopping its functioning. The perfect example is given by a blockchain based decentralized autonomous organization (DAO). This is a new form of legal structure in which ownership, management and control "are automated and human involvement is limited or removed, based on a pre-agreed rule set".
If everything is automated and out of control, does it mean that none is liable for illegal activities performed through a DAO? Or on the contrary, the mere participation to the DAO creates a distributed liability of all its participants as a partnership made of all its participants?
An interesting parallel can be made with the rules applicable to Internet service providers (ISP) as interpreted by courts. The rules regarding the liability of ISPs are set out in the European E-Commerce Directive which provides for:
- The liability exclusion for ISPs in relation to contents published by their users, unless they become aware of the illegal activity perpetrated
- The lack of obligation on ISPs to monitor the conduct of their users
Despite the above principles, courts have been focusing on the distinction between:
- “Active” Internet service providers that categorize and organize contents published by their users, also providing features to them in relation to the usage and search of contents, to which the liability exclusions do not apply
- “Passive” ISPs which do not offer the above features and to which the umbrella of liability exclusions prescribed by the European eCommerce Directive do apply
The difference between the regime applicable to blockchain and the one regulating ISPs’ liability is based on the fact that the EU eCommerce Directive introduced special rules to exclude such liability. Similar rules are not prescribed by regulations governing the blockchain (if any).
It might be argued that if a DAO cannot be controlled, there is no negligence or wilful misconduct. And therefore no liability arises. But it might be also argued that either the creation of the DAO trigger liabilities itself or, as mentioned above, all the participants to a DAO can be deemed jointly liable.
In case of a private blockchain, the lack of control on the functioning of the platform does not apply. But is this sufficient to trigger a liability of the company managing the platform? Given the number of transactions that can occur at the same time and automatically on a blockchain, principles similar to those applicable to ISPs might be applicable. Also, a private blockchain might lower the level of security that is the peculiarity of a blockchain like Bitcoin and would considerably limit the amount of data that can be aggregated.
All in all, I still believe that blockchain will be a real “revolution” for the insurance sector, but the implementation of such technology will require a quite deep legal review.