By Sanad Arora
Technological Disruption in the financial sector is nothing else but a fancy exaggeration of the word “financial technology” (‘Fintech’), but what matters right now, is not the technical jargon that is associated with Fintech, but the revolutionising impact it is having on the realm of finance. Fintech has got its paws everywhere, from asset management, personal loans, money transfers to fundraising. One sector which has particularly been at the centre of Fintech innovation is the “Internet of Things” (IOT). In light of the impact “Internet of things” has had over the insurance sector, this article attempts to answer how the insurance sector should be regulated in line with this upcoming technology in light of data privacy, while giving a brief overview of the regulatory reforms that could be implemented to curb this issue.
In India, the insurance sector hasn’t been updated in a long time and has been long overdue for a major overhaul. Until recently, technological advances have not questioned the core business model of how insurers serve their clients, but Inga Beale, CEO of Lloyds of London, writes: “It is no secret that as an industry we are lagging behind the rest of financial services when it comes to digitalisation and the use of new technologies. There are no more excuses. If we don’t adopt and embrace new technology, we won’t have a future” (Bael, 2017). The above comment made by Inga Beale accurately represents the reality which every business is tackling right now, especially in the insurance sector. India has lagged in insure-tech and is finally now catching up to speed with the rest of the world (Economic Times, 2017), with companies like ICICI Lombard and Bajaj Allianz at the helm of it. The ICICI Lombard invested around Rs. 43 crore in technology last fiscal year, focusing on machine learning, Artificial Intelligence(‘AI’), and data analytics, among others, to increase operational efficiency (IBEF, 2019). IOT technology o is to track marine cargo consignments for corporate customers. Bajaj Allianz is using IOT technology on a policy where it provides accidental insurance cover for children. In that policy, the insurance company installed a GPS beacon in the identity cards of students where it tracks the real-time location of the children (Money Control, 2018). In the case of Aviva Insurance, it has partnered with Amazon and has launched an application called Aviva on Alexa to enable it to answer insurance-related questions in an instant (Tech Herald, 2018). A similar application has been launched by Bajaj Allianz named ‘Boing’ where it provides 24/7 customer assistance and solves customer complaints in an instant (Maru, 2016). Max Life Insurance considers it to be a big achievement for itself on leveraging an automated claims processing system, which uses analytics models to identify clear cases and process them immediately (Kumar, 2018). As may be construed from the above provided examples, the insurers are using data collection instruments to accentuate their capacity, to provide better and more efficient services to their end consumers and all these activities fall well within the ambit of legality. In the next section the author extrapolates on how insurance companies can exploit such and why such data collection should be regulated.
Keeping in mind the above-stated facts, it is not disputed that the consumer data which is being collected is not protected, but the actual cause of conflict over here is with regards to the treatment of the data which is being collected by the service providers. In fact, the Insurance Regulatory and Developmental Authority of India (IRDAI) came out with a specific set of regulations called the Cyber Security Guidelines, 2017 to ensure that the consumer data is not compromised and is tightly guarded (Bishnu & Aakulu, 2019). It is important to realise that all this data which is being collected is very specific and granular and can lead to certain inequitable outcomes for the society, one of which can be discrimination against policy buyers based on their risk assessment. IRDAI does not prohibit the insurers to use the technology and other mechanisms to encourage their policyholders to adopt healthy practices (IRDAI, 2016), which essentially boils down to the fact that wearables can be used by insurers to offer variable premiums to the policyholders if they adopt a healthier lifestyle. IRDAI has already approved an idea that comprises a comprehensive wellness program over a wearable device (The Hindu, 2021). What IRDAI needs to realise is that even though the relevant privacy statutes imposed by it apply to these companies, those statutes only secure the “Sensitive Personal Data” as described in the Sensitive Personal Data or Information Rules 2009 (SPDI rules). The sensitive personal data includes passwords, mental and physical condition, medical history sexual orientation, etc., but the data which the companies are using to exploit consumers has more of a behavioural nature to it and does not fall within the definition of Sensitive Personal data as given in the SPDI Rules. For example, Bajaj Allianz recently came out with driver’s insurance that uses telematics to adjust insurance premiums on driving habits (Bajaj Allianz, 2021). What telematics essentially does is track how the car is driven, what is the acceleration, brake speed, etc. However, what it also does is give the control to the insurance company of the driver’s location through GPS, because this will help the company to analyse the veracity of the claim being made in case of an accident (Wipro). At first, this data aggregation doesn’t look harmful, but what the consumers need to realise is that this data not only provides information to the insurance company on the quality of the driving but also at what locations the person driving the car stops and for how much time. This is because the data is being transmitted constantly and considering the rise in data analytics firms, there is a market for such kind of data. Even though the sale or sharing of such kind of data is legally permissible because the consumer is himself consenting to it, but everything legal does not mean it is right. This data can be shared with other insurance companies or data analysis firms which can make countless different inferences essentially concerning what kind of a lifestyle a person has, which can lead to discrimination against the consumer when it comes to buying insurance. And because of this fallout in the IRDAI regulations, the flexibility which the insurers have with the data they collect increases exponentially since not all the data they collect falls within the definition of Sensitive Personal Data. This way the insurance firms can exploit the market by only choosing to cater to the customers who pose the least risk of availing the benefits of the insurance policy, excluding every person who according to their algorithms bears more risk than the rest of potential customers, by outrightly denying them to avail insurance or by charging them higher premiums for it, turning a higher profit for themselves at the end. The insurance company’s need to realise that eventually if this kind of granular implementation is brought to the insurance sector, it would cause dismay in people to take up insurance and these dwindling numbers of policyholders would lead the insurance companies to flout the law of large numbers. The law of large numbers states that the greater the number of policyholders the better the insurance companies can estimate the insurance premium and thereby reducing the risk exposure for themselves (IRMI). The next section in the article suggests the potential regulatory reforms which could be enacted to ensure that the consumer data is not exploited by the insurance companies.
To remedy this from happening, the IRDAI must come with even more stringent regulations when it comes to data protection of the policyholders. As we have identified the crack in the armour being the lack of statutory protection to the data which is collected, IRDAI must stop this from happening by adopting a consent-based model, where an equivocal consent should be provided by the policyholder for the data which is being collected on him. Further, the request for consent should be easily understandable and not have any technical jargon which the average policyholder might not be able to understand. Moreover, insurers should only be allowed to collect data that is relevant to the kind of insurance they are providing and nothing else. Even if they can’t help the segmentation of data while they are collecting, they should be asked to dispose of it post collection. IRDAI should also recognise the private nature of the data which is being collected and falls outside the scope of “sensitive personal data”. Such data should also be granted protections against unbridled use by insurance companies for the purposes of differential pricing and they should not be allowed to sell it to other entities.
IRDAI can also adopt the practice of self-regulation by corporates when it comes to regulating insure-tech. Even though companies can’t be completely trusted when it comes to self-regulation, but this can act as a convenient ancillary for the official regulators if blanket sanctions are imposed on the companies, for example imposing a fine on every company if one company defaults on regulatory provisions (De Seabra, 2018). Because the nature of instruments that can come up in insure-tech can be very diverse, it can become extremely difficult for the regulators to keep track of idiosyncratic amounts of data that is collected by the insure-tech companies. Since the insurance companies would be more aware of the data that they are using, they would also possess knowledge of the various permutations and combinations with which their data can be used, that might not be apparent to the regulators. This will result in not only reducing the workload which comes with the monitoring of companies but would also lessen the cost associated with such regulation.
Another way of tackling the conundrum of how insurers can use the data which they receive can be Regulation Technology (Regtech). It is an emerging area of Fintech which helps in regulatory and compliance-related requirements. Since new technologies bring with themselves a new set of regulations, Regtech brings with itself two forked benefits, both for the regulatory authorities and the Insurance company. With the help of Regtech, the regulatory authorities would be able to easily look through the risk assessment algorithms and the aggregation of big data by the insurance companies. Essentially what it does is to analyse the parameters which are being used to make those models and provide the regulatory authorities a proper insight on the basis and the objective of the algorithms which are being used by the insurers. For example, with the help of ORCAA which is an algorithm auditing software, the regulatory can find out if the algorithms being employed by the insurance companies lead to any sort of bias or discrimination concerning selecting clients (ORCAA). So, if the data is being used in a manner that is leading the insurers to be unfairly biased towards policyholders, the IRDAI can come in and take appropriate action. Meanwhile, the insurers can benefit from it when it comes to easing their compliance and making it more economical. An insurance company that is using insure-tech would have to engage in compilation, aggregation, and compartmentalisation of data, which would not only be time-consuming but also costly for the insurer. To deal with this hassle, an insurer might outsource this work to a Regtech company which would take care of not only the data but further assists the insurer to meet the regulatory compliances in reference to that data, making this process extremely efficient and inexpensive (De Seabra, 2018).
Steps towards a more nuanced and well-balanced regulatory regime can also be made by taking up a broader approach to regulation and looking at other jurisdictions for inspiration, just like what RBI is doing right now by finalising on the regulatory sandbox regime (Chakraborty, 2019) which originally was founded in the UK in 2016 (The FinReg Blog, 2019). The regulatory sandbox approach would help in conducting tests of the new fintech instrument in a simulated environment which would help in analysing the benefit and risks that the new technology poses (The Economic Times, 2019).
The recent technological development in the insurance sector has led to the creation of instruments that not only increase the proficiency of insurance as a service but also its versatility. However, that increased efficiency comes at the risk of appropriation of consumer data and violation of their privacy, which certainly should not be tolerated. With such varied technologies being used in the sector, suitable regulations must be applied to protect the policyholders from being exploited. Since the adoption of this technology is very new to the Indian insurance market, the regulatory approach to such innovations is also in its nascent stage. In the midst of all this, it becomes all the more necessary for the regulators to organise themselves and keep up with the pace of changing technology, so as to ensure a fair market to the consumers.
About the Author
Sanad Arora is currently a law student at Jindal Global Law School, pursuing B.B.A. L.L.B (Hons.).