The privacy bomb and cost of personal data debt

I often hear architects talk about technical debt but it strikes me that a different debt is waiting for insurers.

Imagine a world where the regulator says that a customer owns data about the customer, regardless of where it is stored. The key observation here is the decoupling of ownership and control with storage. Most regulators have gone nearly this far and made statements about consumer ownership of consumer data, so perhaps it's not out of step with reality. This is discussion so far but perhaps the technology hasn't caught up with the intent. If we ignore the limits of technology …

There are perhaps 3 models emerging:

  • A. The data remains where it is and is controlled from there. Requires APIs…
  • B. The data moves as customer moves. Requires data standards…
  • C. Customer data is held in a shared environment. Requires APIs and data standards

Let's take a moment to really think that through for an insurer. If you hold data about a customer in your systems, that data is owned by another party. Ownership here is a complex word – it implies but is not limited to controlling access to the data, determining appropriate use of the data, revoking access to the data, determining how long that data is kept.

Scenario A
What if the storers are obliged to provide these controls to the owner of the data and actually – what if that obligation exists regardless of whether that owner is a customer?

Such a scenario may make it prohibitive for insurers to capture and store data directly. What would the world look like in such a scenario? Insurers would request access to customers data and have to disclose why they want the data, what they will do with it and perhaps the algorithms used  in order to offer products. Such a world might favour insurers with simpler pricing algorithms that are more expensive but customers understand what is being done with the data.

If we take it a step further, in theory there would be intermediaries emerge who help manage consumer data and help consumers simply share their data with trusted partners. I would suggest most people would not dig into the detail of who is sharing what so a service that says, "we've found these 15 services that only use the data in these ways and we've packaged that up for you" would be most welcome.

If however, we take existing businesses into this world then suddenly enterprises will be faced with the issue of how do they offer appropriate controls and management around the data already in place.

The standard already exists for sharing information in this way leveraging OAUTH as is used by Twitter, LinkedIn, Google and Facebook.

Scenario B
The cost for doing migration and conversion will lie with the party holding the data. A different type of debt.

This is the model the insurance industry is assuming will come to pass but it requires shared data standards which are harder to implement than API standards. There is also the issue of potentially lossy data migrations – I.e. The quality of the data is reduced in the migration – will this be 'OK' from a regulatory point of view?

Further this is more confusing for a consumer since the mechanism and means to manage access to the data will change each time there is a move. An approach intended to increase portability and movement could become an inhibitor as consumers grow concerned about retraining.

In theory though, this would allow insurers to differentiate on trust and service – a place where they already play.

Scenario C
The greatest challenge with a shared environment is who is the trusted party? Google, Twitter, Facebook and LinkedIn among others have made moves into authentication but they don't hold all the data and regulators in multiple countries are seeking to grasp control and this is a topic for Insurtech startups as well.

Some see Blockchain as a possible solution – the data in a shared open place, but secured and encrypted.

At this point this seems like the least likely solution, requiring the greatest cooperation and investment from the industry and governments. Regulators at this point seem to be supporting the other two.

Which will come to pass
There is a clear trend with private data becoming more valuable, but the cost of storing it is becoming more onerous. Regardless of which of the scenarios comes to pass or if some other scheme emerges – insurers must balance the cost of storing the data and the value it may bring now and in the future.

What does Brexit mean… ?

This is the question on everyone's lips. I had delayed writing this in the event that some clarity emerged but in day 5 of Brexit that clarity and certainty is proving elusive – indeed uncertainty seems to characterise the whole affair. This has been a discussion within the European team (thanks to Jamie and Nicolas) for some time and this post will briefly concentrate on the impact of the events so far on insurers with operations and interests in Europe. This will not discuss the UK governments response thus far.

The only certain thing about Brexit as it stands is uncertainty. Will Brexit really happen? When will the process start? Who is negotiating? What is the opening position? What we can say with some confidence there will be little regulatory and legal change in the short term and some unknown quantity of regulatory and legal change in the medium term.

The key unknown is the continuing participation in the single market and the other institutions in Europe, particularly the passporting. This more than Brexit itself, will define how strongly businesses with operations in the UK will respond.  Those with headquarters and staff in the UK to be present in the EU will need to reconsider this position if Britain leaves the single market as well as the EU – or indeed if any of the agreements reached put this position in jeopardy.

Uncertainty breeds volatility in the markets, a depressed investment environment and bond rates will hit the market further, particularly life insurers. This could well impact sales of investment products across the EU and UK until some certainty is restored. Existing products would not be safe either, with some investors looking to cash out.

The outlook for technology investment is trickier. If anything the pressures for reducing costs, agility and flexibility will be exacerbated. In the short term it is reasonable to assume reduced investment with alternate investments and clarity increases. It is plausible that this will affect the InsureTech market as well – particularly in London.

For UK insurers, It is likely that the FCA will engage with insurers and the ABI as the UK seeks to set out how it differentiate itself from the EU which will require agility and flexibility from the insurers to adapt to the new opportunities. A similar process may occur within the EU.

As is probably clear above, the one thing needed is clarity.

Do follow our Brexit posts from the wealth management team as well

The UK’s First Personal Insurance Policy for ‘driverless cars’: Too early or just in time?

Yesterday, we received a press release announcing the launch of a new insurance proposition targeted at personal use for ‘driverless cars’ from Adrian Flux in the UK. This news arrives hot-on-the-heels of the Queen’s Speech last month that announced the UK Government’s intention to go beyond its current ‘driverless’ trials in selected cities and legislate for compulsory inclusion of liability coverage for cars operating in either fully or semi-autonomous mode.

As the press release suggests, this may be the world’s first policy making personal use of driverless cars explicit in its coverage (we haven’t been able to validate this yet). Certainly, up until now, I suspect that most trials have been insured either as part of a commercial scheme or, as Volvo indicated last year, by the auto manufacturer itself or trial owner. 

What I find particularly interesting about this announcement is that they have laid the foundation for coverage in their policy wording and, in doing so, been the first to set expectations paving the way for competition.

Key aspects of the coverage (straight from their site) include:

  • Loss or damage to your car caused by hacking or attempted hacking of its operating system or other software
  • Updates and patches to your car’s operating system, firewall, and mapping and navigation systems that have not been successfully installed within 24 hours of you being notified by the manufacturer
  • Satellite failure or outages that affect your car’s navigation systems
  • Failure of the manufacturer’s software or failure of any other authorised in-car software
  • Loss or damage caused by failing when able to use manual override to avoid an accident in the event of a software or mechanical failure

Reflecting on this list, it would appear that coverage is geared more towards the coming of the connected car rather than purely being a product for autonomous driving. Given recent breaches in security of connected car features (the most recent being the Mitsubishi Outlander where the vehicle alarm could be turned off remotely), loss or damage resulting from cyber-crime is increasingly of concern to the public and the industry at large – clearly an important area of coverage.

Given the time taken to legislate, uncertainty over exactly what the new legislation will demand, and then for the general public to become comfortable with autonomous vehicles, I suspect that it may be quite a few years before a sizeable book of business grows.  Often, the insurance product innovation is the easy part – driving adoption up to a position where it becomes interesting and the economics work is much harder.

Maybe this launch is a little too early?  Or maybe it's just-in-time?  Regardless of which one it is, in my opinion, this is still a  significant step forward towards acceptance. I also suspect that some of these features will start to creep their way into our regular personal auto policies in the very near future. I wonder who will be next to move?

If you’re interested in learning more about the potential impact of autonomous vehicles on the insurance industry, why not register here for Donald Light’s webinar on the topic tomorrow.

 

A positive note for Brazil: A few insurance market developments to follow with interest

The world seems convulsed these days. No matter where you live, something significant is developing around you or about to burst.

Brazil has not been the exception. Economic slowdown and corruption allegations involving high officers in government and the private sector, have led to massive social protests. The Panama Papers only to continue to build a lack of trust on things changing easily. But Brazil is a huge economy, with very talented people and industries that can compete at world-class level. Some things need to change for sure; with a trusted leadership is just a matter of time for Brazil to come back to the right path.

On a specific note about insurance, some positive insurance market developments in Brazil were top news this week and I thought it was worth sharing with you:

  • SUSEP – Superintendência de Seguros Privados of Brazil approves use of Digital Certificates for regulatory purposes
  • SUSEP resolution establishes new rules and criteria for Vehicle Popular Insurance
  • Project of creating a Regional Hub of Reinsurance to be sent to the Finance Ministry

Brazil writes ~45% of the direct premium of the region and more than triples the Mexican insurance industry premium, the second largest insurance market.; so anything happening in Brazil will have an impact in the Latin American insurance market as a whole.

SUSEP, responsible for the control and supervision of insurance markets, private pensions, capitalization and reinsurance, published in the Diário Oficial da União, Instrução n° 79 which regulates about the use of digital certificates in the standard public key infrastructure of Brazil (ICP-Brasil).

Electronic signatures produced with ICP-Brazil certificates become mandatory for decision-making content documents with external circulation, for regulatory acts of the supervised and for other procedures that require proof of authorship and integrity in an external environment to SUSEP. Electronic files produced within the scope of practice of SUSEP will have authorship guarantee, authenticity and integrity ensured in accordance with the law.

“Insurers have a strong interest in digitization based on their planned budget increases between 2015 and 2016. The increase between insurers’ 2015 and 2016 budgets is reflective of the fact that most insurers are at the basic stage of digitization with much room for growth and innovation” said my colleague Colleen Risk in her recent report: You’ve Got Mail: Two Decades Later, Why Are We Still Talking About E-Delivery Rather Than Doing It?. The research shows that challenges related to e-Signature include compliance, legal, risk management, agency, IT and insurance operations. SUSEP support to the use of digital certificates will have a positive impact in the industry enabling higher levels of digitization and efficiency.

Continuing with SUSEP, its resolution establishing new rules and criteria for the operation of the Vehicle Popular Insurance was well received by the National Confederation of General Insurance, Private Pension, Life, Health and Capitalization companies (CNseg) and the CNSP. The National Council of private insurance (CNSP) adopted, in a meeting held on March 30 2016, the provisions for vehicle popular insurance that will have as primary market the owners of vehicles with more than five years of use. The new insurance policy will primarily feature the use of parts from disposed vehicles at auto salvage yards for vehicle repair, which will be possible thanks to law 12977 of May 2014, which regulated the disassembly of vehicles across the country.

Despite aimed to cars manufactured more than five years ago, the popular insurance will not be restricted to that segment. Any insured can opt for the new product, provided it is advised that the repairs will be made with parts used or second-hand. The rules also provide that these pieces cannot be used when involving the safety of passengers, such as the braking system, suspension, seat belts, among others. The minimum coverage should guarantee compensation for damages caused to the vehicle by collision.

While there are some points that can be enhanced, so as to make possible a greater penetration of the product this comes very handy in order to offset the effects of the country's economic moment by expanding insurance market and protecting the assets of the people that see their purchasing power affected. Some suggested enhancements to the rule could be allowing the use of generic parts, non-original parts, but certified by the manufacturer. Also looking to the effect in cost that working with out of network repair shops could have. Market estimates indicate a potential reduction of up to 10%-30% in value compared to traditional products depending on the age of the vehicle.

In the same line of looking to expand the insurance market, the President of the National Federation of Reinsurers (Fenaber), Paulo Pereira, announced on April 5th at a news conference during the 5th Reinsurance Meeting of Rio de Janeiro, the project of creating a Regional Hub of Reinsurance that must be sent to the Finance Ministry before early June. If the hub is implemented, he said, could help double the size of the Brazilian reinsurance market. "We are creating conditions for reinsurers to settle in Brazil to sign out-of-country risks, mainly from Latin America. The Brazilian reinsurance market today is $ 2.5 billion, and that of Latin America, of $ 21 billion. So if we can attract 10% of this market, we will be doubling in size" he estimated.

Pereira pointed out, however, that it will be necessary to provide a good reason to appeal to great players to the country. He believes changes need to be made to the labor environment, to regulation and to taxes so they become an important incentive for bringing the world's largest reinsurance companies to the hub.

Efficiency and market growth are two underlying principles in these market developments. It’s good to see that from the insurance perspective, Brazil does not stay arms crossed waiting to see what happens. This is a positive note for Brazil, at a time where the good news does not abound.

 

Personal musings from one of the world’s first InsurTech incubators

Last Friday (and flowing into the weekend), I was privileged to take part as a mentor in the final selection process for the first “InsurTech” cohort of the StartupBootcamp’s accelerator programme targeted at the insurance industry. This programme claims to be one of the first specialist “InsurTech” accelerators to be run globally by an independent firm. The programme has attracted pretty impressive backing from the industry with firms like Admiral, Allianz, Ergo, Intesa SanPaulo, LV=, Momentum, LBG/Scottish Widows, Tryg and UnipolSai taking partnership roles. To give you an idea around the scale of achievement of those who got through, the process started with circa 1.3k interviews, 250+ applications, 42 short-listed ideas and then whittled down to just 18 finalists…from which just 10 could be accepted onto the program. These ten firms will now go on to be mentored during their start-up phase, have their ideas challenged and further developed from people within the industry and independent entrepreneurs and, in doing so, build the network they will need to both attract funding and find new clients. Over the two days that I spent with the finalists, there were a number of themes that came through the submissions. Here are my personal musings: Data featured strongly across nearly all of the initiatives. Having access to either unique sources of data (whether from a home move, from a travel plan or from connected world) and a model for assessing underwriting risk appeared to be a winning combination. Digital engagement, aggregation and ‘robo-advice’ are hot topics. What I found most interesting was the focus on underserved markets, whether targeting prospects with poor health records, in difficult to reach populations around the world, or educating Gen-Y/Z of the value of insurance. Addressing underserved markets profitably is a big issue that the industry often struggles with. A fertile area if tackled well. What impressed me the most, however, was the passion and sense of purpose displayed by the teams in fixing something that just feels ‘plain wrong’ to them. The Internet of Things (IoT) is going to change the industry’s client engagement experience and liability profile. Five initiatives related to the IoT were submitted. Three were focused on wellbeing, one on the connected home and one on drones. Although it didn’t quite make it into the final ten, I found the drone initiative fascinating. With Amazon and others itching to launch commercial drone services at scale, this is a market that is set to grow. Drone insurance could be the next ‘fleet’ or ‘auto insurance’ (as was pointed out by my fellow mentor Charles Radclyffe). Certainly, the current risk models in use today are immature and unlikely to be adequate for a world where autonomous vehicles are delivering packages across our heads 24×7 (assuming the regulator allows it). Sadly, the drone initiative didn’t quite make it into the final ten. Personally, I wonder if it’s just maybe a little too early, but perhaps still one to watch for the future? As with anything IoT related in insurance currently, each initiative will face a shared challenge. Although the proposition concepts may be compelling, the instrumentation rate of adoption will ultimately set the pace for growth. The IoT is still in its infancy across the industry and convincing prospective clients to share their instrumented personal data is no small undertaking. Data permissions are a growing concern for both individuals and regulators. It was refreshing to see some of the propositions pitch personal digital vaults as part of their propositions, whether for managing data from connected devices, personal wellbeing or personal belongings. Although it’s not yet clear how the market will develop for these services or how they will be monetised beyond a simple subscription model, services like these may suddenly find themselves in the limelight once regulators step in to protect personal privacy. Regulatory compliance. It wouldn’t be the insurance industry unless there was at least one idea focused on regulatory compliance. What if you took all of your regulatory compliance reports produced, aggregated them, and then analysed them? A really simple idea without a huge amount of cost involved. It was a refreshing couple of days. I look forward to seeing how their ideas and propositions develop over the next year. If you’d like to know more about each of the final ten, details can be found here.

A pivotal day for the insurance industry

There were a few key assumptions underlying Celent’s End of Auto insurance report:
  1. Cars would crash less, requiring lower claims expenditure and lower premiums
  2. Cars would drive themselves, liability would shift to manufacturers and ‘driver insurance’ would be a thing of the past
Today with Volvo’s announcement (also linked here) that they would accept all liability for the car in autonomous mode we see the first of three steps towards the end of auto insurance. This is a key moment in human history, a pivotal moment that will redefine how human beings travel albeit that may not be apparent today. Today, this looks like an inevitable check box on the route to autonomous cars. It is in fact both. Now the other manufacturers must follow suit or relegate themselves to manufacturing cars with no autonomous ability. Immediately, Blockbuster and Kodak come to mind. Initially they may deal with this through captive insurers but this will change over time. I mentioned this is the first of three steps. The next inevitable one will take place in the court of law, perhaps after the first death where the car was liable. Here the specifics will be tested and understood. This will be a different milestone in different jurisdictions. The third step will be a few years from now, when the autonomous systems have had enough time to partially fail due to poor maintenance. I am assuming we still own the cars at that point we’re not just renting them by the hour. At this point clarity will be given to who is responsible for making sure an autonomous system is still fit to drive on the road. Governments and lawmakers will have to define a minimum capability that is required before one can turn on the system. In some countries it may happen sooner than others but one imagines this will be a reactive exercise as manufacturers challenge their liability due to customers meddling with or failing to maintain the equipment. As interesting and drawn out as these second and third steps are, history will show they are insignificant compared to the point in time when the first manufacturer stood up and said they would accept full liability for their cars when in autonomous mode. Update: Other manufacturers are already following suit. and the Volvo CEO is already calling on the US government to establish testing guidelines as part of the speech.

The Solvency II preparation finish line is close

Solvency II – the European Union prudential capital regulation – will come in to effect in January 2016 after more than a decade of preparation. For many European insurers it means they are reaching the end of the long road of deep preparation but others have already turned their preoccupations in other directions. For instance the Solvency II regulation came in to effect already this year in Denmark and their level of preparation allowed Danish insurers to adapt to the new regulation. But let’s recall what Solvency II is and why it is an important regulation for the European insurance industry. Solvency II is the set of regulatory requirements for insurance firms that operate in the European Union. The rationale is to facilitate the development of a single insurance market in Europe while securing an adequate level of consumer protection. It is based on three pillars:
  • The first pillar defines capital requirements. It quantifies the minimum capital requirement (MCR) and the solvency capital requirement (SCR).
  • The second pillar provides qualitative requirements in terms of supervision and review. Indeed, the European Commission wants to emphasize the need for insurance companies to implement efficient risk management systems.
  • The third pillar introduces the market discipline concept. Insurance companies have to promote transparency and support risk-based supervision through market mechanisms.
What makes Solvency II a comprehensive regulation is the fact it includes all types of risks and is not restricted to purely insurance risk. With this it better captures the reality of what an insurer’s risk profile is. Key elements of this approach is of course the diversification effect and this is why we see consolidation among small insurance players who lack diversification in their business (notably small mutuals in France for instance). Going forward we expect other geographies to follow the same principles and we think it is important that multinational companies learn from their European preparation. Of course Celent and Oliver Wyman have been working on Solvency II in the recent past. We have also published research providing our views and opinions on this topic. A recent report has been published by Oliver Wyman in collaboration with Morgan Stanley looking more particularly at various consequences and notably on cash for insurers. If you are interested to know more here is an abstract: European Insurance: Generating Cash in a Volatile Solvency II World. For the insurance companies that are interested to better understand the vendor landscape we have published a report profiling vendors with a Solvency II offering a few years ago: Solvency II IT Vendor Spectrum: 2012 Edition.  

UBI, personal data and the global implications of the European Union data directive

On Monday, I was asked to present at a UBS conference for investors on technology disruption facing the industry. It was far from Celent’s usual audience of business leaders and technologists, and as a result the questions being asked were quite different, sometimes challenging, however refreshing at the same time. One of the most interesting sections of the day for me was looking at the adoption of usage based insurance (UBI) across the industry and the implications for data protection. Ever since personal data was first discussed as having the potential for emerging as a new asset class at the World Economic Forum in 2011, capturing and incorporating personal data into the proposition design has been seen as a potential gold mine, fueling the creation of many start-ups and, in our industry, propositions based upon understanding individual risk and investment behaviors. It’s hard to think of any digital proposition today that doesn’t require you to first mark a check-box to say that you’re willing to give up the rights to some of your personal data as part of standard terms and conditions. When used well, it can enhance the experience enormously. As an avid Netflix ‘box-set’ watcher, I’m sure that I’d quickly get lost (or bored) without it for example. However, I’ve also learnt to be increasingly picky about who I let have access to my data and what links I click. I’m often amazed by how many apps want access to my location without seemingly having a purpose for it. What’s harder for me to know, however, is what happens to my data once I’ve given permission for where I can see it benefits me to do so. At Celent, we’ve talked for quite a while about how personal data willingly shared could be a major asset in fuelling new proposition design and aiding risk avoidance. It’s not just UBI propositions that can benefit. The potential applies to all nearly all propositions – including commercial and specialty. Data sources such as LinkedIn, Twitter feeds, Glassdoor, and potentially even driving patterns could prove to be an interesting indicator of the quality and morale character of senior management teams for example. However, at the heart of these propositions or services needs to be an acute understanding of the legal implications and ethics around personal data use. One related piece of upcoming legislation discussed that every insurer with operations in Europe needs to be aware of is the new European Union Data Protection Directive. This directive seeks to unify data protection laws across Europe and is due to be finalized later this year, with a likely implementation date set in 2016. One of its aims is to protect the consumer and, in doing so, strengthen the laws on security, privacy, residency, permitted use and portability. The maximum fine for a firm getting it wrong could be as large as 5% of global turnover. So, for example, if you’re a US or Chinese insurer with operations in an EU country that suffers from a data breach or allows sensitive personal data to leave permitted EU jurisdiction, then your global profits could take a nasty hit. So, how does this relate to UBI and the use of personal data within the design of propositions and servicing? Well, apart from the obvious security, anonymity and archival implications, insurers will need to watch carefully what data they use and the permissions consumers have signed up for around its use, probably placing them squarely in control of it. These changes will inevitably tip the balance more firmly in favor of the individual. Open, transparent, incentivized and positive engagement around the use of personal data will need to become the norm. The days of fortuitous use or situations where policyholders are unaware of how much of their data is being used to underwrite risk may be numbered.

On the cusp: regional integration in Asia

It’s 2015, the mid-point of the decade and a good time to start looking at major trends in Asian financial services over the next five to ten years. One of the major themes will be regional integration, which is another way of saying the development of cross-border markets. There are at least two important threads here: the ongoing internationalization of China’s currency, and the development of the ASEAN Economic Community (AEC) in Southeast Asia. RMB internalization is really about the loosening of China’s capital controls and its full-fledged integration into the world economy. And everyone seems to want a piece of this action, including near neighbors such as Singapore who are vying with Hong Kong to be the world’s financial gateway to China. The AEC is well on its way to becoming a reality in 2015, with far-reaching trade agreements designed to facilitate cross-border expansion of dozens of services industries, including financial sectors. While AEC is not grabbing global headlines the way China does, we see increasing interest in Southeast Asia among our FSI and technology vendor clients. From Celent’s point of view, both trends will open significant opportunities across financial services. In banking, common payments platforms and cross-border clearing. In capital markets, cross-border trading platforms for listed and even OTC products. In insurance, the continued development of regional markets. Financial institutions will be challenged to create new business models and technology strategies to extract the opportunities offered by regional integration. It’s the mid-point of the decade, and the beginning of something very big.

Risk, reward and cyber-scurity

For most people the amount of time, skill and effort required to get access to our family photos far outweighs the possible value someone would find there in. Thus, security measures based on making it really quite difficult to get to the data while at the same time not too hard to use have become increasingly popular. I would file username and password security in here. Occasionally, the digital assets on the other side are valuable to the right group. Banks use 2 factor authentication and a variety of non-digital schemes to ensure security. Even World of Warcraft where rare digital swords and armour carry their own value offer broader measures of security to protect accounts. The recent leak of a number of celebrities private photos shows that there are other assets worth the time and effort required to break this level of security. The risk associated with the data insurers hold has to date been quite minimal. There are health, specialty lines and large commercial lines where this isn’t the case, but for most people the data held by insurers and available through portals is largely innocuous and available through other means. As insurers start to tap into wider data sources and the Internet of Things it is imperative that the industry considers how it protects it’s customers. A simple example from products available today: some insurers likely hold the real-time location of the car driven by celebrities and millionaires children, thanks to the increasing popularity of telematics based car insurance. This brings with it increased security, the opportunity to recover the car if stolen and the opportunity to bring much needed assistance swiftly if the car and driver suffer an  accident. In the wrong hands this data is sadly highly valuable and thus worth the time, effort and risk to assault and try to recover. Whilst the details around the leak are still emerging it is clear that it is incumbent on the providers of these services to offer sufficient security in the first place and to educate it’s users on appropriate use. To insurers looking at cloud and portals, I say consider the edge cases – the celebrities using your security for instance, those for whom there are organised groups who would be rewarded for getting the data. Take into account the type of data available through various security schemes and portals, some information is naturally less sensitive. No one will read a story about a film star’s driving score and premium due next month, but where they drove and when – well maybe that’s a headline you don’t want your name associated with.