[This post has been authored by Angeline Priety and Nisha Nahata, fourth year law students at Gujarat National Law University, Gandhinagar. Part I can be found here.]
In Part I of this essay, we looked at how Insurtech is shaping up in India within the current legal framework. Identifying emerging risks is essential to ensuring the industry is here to stay. In Part II, we look at the challenges before the industry and suggest recommendations to build trust in the minds of the consumers.
Challenges faced by the evolving Insurtech industry
Lacuna in Sandbox Regulations
The Exposure Draft does not allow individuals to participate in the Sandbox. This effectively excludes companies promoted and managed by individual promoters. The guidelines in an attempt to encourage engagement of start-ups have set up minimum eligibility requirements such as a networth of ten lakhs and a standing of one financial year. It is likely that individual promoters would back start-ups that fall within this lower rung and thus the former exclusion works against the intent of having low barriers to entry. No reason for the exclusion has been cited in either the Exposure Draft or the Sandbox Report. The Regulations are vague on details to be disclosed while making an application. Apart from creating regulatory uncertainty, this also opens up IRDAI’s discretionary decisions to be challenged as arbitrary.
Data Security and Cyber Attacks
In an age where data is increasingly valuable, data intensive industries such as Insurtech are susceptible to cyberattacks, hacks and database leaks. Sensitive personal data such as financial data, health data etc if hacked or unlawfully accessed could be used to perpetrate identity theft, insurance fraud etc. At present, Insurance sector only has Guidelines on Information and Cyber Security for Insurers issued by IRDAI requiring insurers to follow “adequate safety practices” to protect personal data. The 2017 Puttaswamy judgment recognised privacy, and with it informational privacy as a fundamental right. Since then, Courts have raised the standard of protection and what is considered “adequate” has been transformed.
An overarching data protection law in line with the Puttaswamy judgment is yet to be passed where consent, data limitation and purposeful use are at the heart of data usage. In the absence of a specialised data protection law in India, the Information Technology Act 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 [“SDPI Rules”] are the norm. Both passed before privacy was recognised a fundamental right, they need a major overhaul to truly protect privacy and secure people’s data in the age of Internet of Things, Big Data and Artificial Intelligence.
Specific to the Insurtech industry, companies must adopt a minimum standard of readiness to combat sudden cyberattacks. The SDPI rules recognise the International Standard ISO/IEC 27001 on Information Technology-Security Techniques as an approved security standard, which can be adopted by a body corporate using personal information. Regulators like RBI and SEBI have gone a step further to prescribe security standards for the players they govern respectively. For example, RBI guidelines obligate banks to follow ISO/IEC 27001 and ISO/IEC 27002. A similar mandate specifying the most appropriate security standard for insurtech firms has not been prescribed by the IRDAI. This has been done previously in Singapore- Monetary Authority of Singapore through its Technology Risk Management Guidelines prescribed mandatory requirements of infrastructure security specific to Insurtech firms. India on the other hand is yet to be proactive in that area. If it wishes to foster the growth of this industry such efforts focussed on gaining trust of consumers would be of paramount importance.
Algorithmic bias is no longer a thing of futuristic movies but a real risk that comes with deep machine learning technology. Algorithms can reproduce and intensify biases of their programmers and propagate discriminatory treatment if not vetted periodically. The insurance industry is no stranger to discrimination – for instance a study by Consumer Federation of America which observed that minority neighbourhoods were made to pay higher insurance premiums as compared to similarly risky non-minority neighbourhoods for no explicable reason. A similar disparity came to light in the Association Bedge des Consommateurs Test-Achats ASBL Case where the European Court of Justice prohibited insurers from taking a person’s gender into account when calculating premiums for it observed that the algorithms used routinely made young males pay higher premiums than females of the same age group.
Bias of programmers are in fact harder to weed out than in algorithms. A periodical monitoring of the algorithm would help mitigate perpetuation of bias. Additionally it may help to conduct studies closer to home to identify patterns in the relation between personal factors and insurance policies and then take decisions such as ECJ’s in the previous case.
Recommendations and Conclusion: The Way Forward
Identifying potential challenges is an integral first step, the next step includes looking for ways to pre-emptively combat these risks. In this section we list out a few recommendations to combat the highlighted issues:
- Data Protection: The insurance landscape has both insurers and intermediaries dealing with a policy holder’s data and hence data protections efforts must be mandated on both sides through a data protection law. Usage of technology like blockchain to submit and process claims would protect policyholder’s data while also securing insurers from cyberattacks. Consider the example of the Bank of China: it partnered with leading insurance companies to launch its own blockchain for claim management. This ecosystem not only reduces operating costs but would also heavily secure transactions.
- Ethical AI: Insurers using data driven technologies must assure companies and customers that algorithms used to make critical decisions aren’t biased or untrustworthy. Taking a page from the United Kingdom may be helpful to this end. In UK, a new Centre for Data Ethics and Innovation was set up specifically to advice the government on challenges that may arise with AI technologies. Additionally, the Financial Conduct Authority had published an interim report examining algorithms used by insurers to profile customers in order to determine risk and thereby ascribe premium prices. This enables finding harmful risk related correlations which stem from bias and unequal treatment. Princeton University is building devices that detect to detect bias in automated models and audit algorithms however success rate is unclear. Additionally, transparency in algorithms (or source codes) and regular algorithm audits must be mandated to weed out bias. However to effectively enforce these measures, existing laws preventing discrimination traditionally must be contextualised to the digital space.
- Automated decisions: AI and Big Data are still emerging technologies and until they can uphold constitutional protections, automated decision-making must function with human oversight. For example, Article 22 of the GDPR does not allow complete automated decision making specially to predict behaviour such as the case in customer profiling for Underwriting purposes. Instead it establishes a right to human-in-the-loop and a non-binding right to explanation. Safeguards such as this in the Indian framework could help control misuse and mitigate dangers of using AI.
India presents an untapped market with it constituting only 1.7% share in the global insurance market and with a penetration rate of only 3.7%. With an increase in smartphone users and wider access to the internet, the Insurance industry has grown rapidly since 2017. As for Insurtech, India is still at the Sandbox stage and it is yet to be seen if IRDAI would even permit Insurtech in the commercial space. If it was to do so, the decision would not be independent of the aforementioned challenges which would have to be addressed simultaneously to truly ensure that Insurtech is here to stay.