Big data: A big opportunity for insurers, but what about customer ethics?
Big data: A big opportunity for insurers, but what about customer ethics?
The use of big data and artificial intelligence is rapidly increasing in the insurance sector, both in Ireland and beyond. While data has always been collected and processed by insurers to inform underwriting decisions and pricing, the way in which data collected is combined and assessed to generate information and predictions about consumers’ characteristics, behaviours and lifestyles has evolved. In this short insight, we explore some recent Irish regulatory themes and suggest some areas of focus for insurers.
Regulators across the globe are increasingly focussed on the customer impacts of insurers’ evolving innovations in the use of big data. For example, in its recent Consumer Protection Code Review Discussion Paper - Engagement Update, the Central Bank of Ireland (CBI) commented that it is supportive of the opportunities innovation brings, but mindful of the risks it poses for both firms and consumers.
Most recently, the CBI published its findings from its Data Ethics Within Insurance Project. The project was undertaken by the CBI to further develop its understanding of the use of big data and related technologies (BDRT) across the insurance value chain and ethical considerations relevant to the use of such technologies. It surveyed 12 insurers from life, non-life, health and reinsurance sectors as part of the project. The CBI’s findings can be read in its report published on 2 August 2023 (the Report).
As part of its ongoing review of the Consumer Protection Code, data was collected by the CBI over the course of 2021 and 2022 exploring how insurance firms were using BDRT across their value chain and how they planned to use it in the next three years. The Report is part of the CBI’s broader focus on the theme of digitalisation and follows the publication of its Digitalisation in Insurance Survey in May.
What is big data and related technology?
While there is no one agreed definition, the term big data has been described by the European Supervisory Authorities (which include EIOPA) as meaning datasets so large and complex that they cannot be handled by traditional data processing software. In the Report, the CBI indicated that the type of data being used by firms in this context includes:
traditional data – loss data (e.g. claim reports from accidents), population data and demographic data
non-traditional data – firms’ own digital data (e.g. acquired through interaction with consumers through call centres and gathered from online behaviour), geocoding and location tracking, online media data and other digital data.
Examples of “related technology” identified in the Report include:
AI and predictive modelling
sutomation of form filing on insurance applications
robotic process automation.
The CBI’s key findings on the use of BDRT within the insurance value chain were:
all firms surveyed were using or planning to use BDRT within the pricing and underwriting stage of the insurance value chain
most firms surveyed were already using or intended to use BDRT at the sales, distribution and marketing stage
most firms surveyed considered BDRT had the biggest impact on the pricing and underwriting stage and the least impact on fraud detection and post sales services.
The Report identified benefits of the use of big data in insurance such as enhanced claims processing, increased consumer engagement, more personalised products, and lower admin costs.
A number of risks and issues were also identified in the report including:
the risk of excluding certain consumers (such as those with poor digital literacy)
data protection issues
complex outsourcing risks
ensuring informed consent from consumers.
The Report contains an assessment of how the selected firms were incorporating data ethics into their governance and risk management processes. The exercise confirmed that only a limited number of selected firms had express policies or an explicit focus on ethical considerations as part of their governance structure. In particular, the CBI noted that it was observed that when insurers made use of third-party providers of BDRT, there was a reliance on GDPR in the procurement process rather than a specific consideration of data ethics.
Areas needing focus by insurers
In its conclusions in the Report, the CBI noted that more focus may be needed to ensure adherence with prudential and consumer protection requirements, specifically in relation to the ethical use of BDRT. The CBI also noted that when adopting the use of BDRT, the obligation on firms to act in the best interests of their customers remains a key responsibility.
The CBI also outlined that it expects firms as they increase their use of BDRT to adopt a consumer-focused approach including careful consideration of ethical issues arising from the use of BDRT. The CBI noted that this included due consideration of the potential risk for bias or unfair treatment, such as exclusion of certain customers, or misuse of customer data.
The CBI has indicated that it will continue to expand its understanding of the nature and extent of the use of BDRT and will evolve its supervisory approach accordingly in a way which is flexible and proportionate.
Under the Consumer Protection Code 2012 (CPC), insurers in their dealings with customers must act in accordance with a series of general principles. These include overarching principles of acting fairly and with due skill and care “in the best interests [of customers]”. While “ethics” are not expressly referenced in these general principles, it is difficult to conclude but that ethics and fairness are very much interlinked.
Among the themes emerging from the Consumer Protection Code Review Discussion Paper last October, were how best to describe (or prescribe) what the CBI described as the “fundamental responsibility to place the best interests of consumers at the centre of how products and services are designed and delivered”. While the CBI had proposed that guidance would be developed on what it means for a firm to act in the best interests of its customers, there has been some debate as to the form such guidelines would take in stakeholder feedback on this topic. Many firms argued that any guidance should be principles-based rather than prescriptive and that an appropriate balance must be struck between consumers’ interests and other stakeholders’ (including firms’ and their shareholders’) interests.
Against this evolving backdrop, we suggest that insurers’ boards and senior management should consider the following:
Have you established governance practices in relation to the management of risks arising from the use of BDRT? For example, have you a data governance committee or a specific policy (beyond a GDPR policy) in relation to data ethics?
Have you a “consumer champion” or any senior employee focussed on ethical outcomes for consumers? Has that person reviewed your firm’s use of BDRT and if they have, have their views been brought to the board?
Where outsourcing is involved in your firm’s use of BDRT, your firm remains fully responsible. Have you appropriate controls and governance in place?
Is someone in your firm monitoring domestic, EU and international developments on best practice on the use of BDRT?