31% of EU insurers actively used AI in 2018 with a further 24% at proof-of-concept stage, according to the European Insurance and Occupational Pensions Authority (EIOPA). New products, like IoT devices generating real-time risk assessments or usage-based and parametric insurance covers, are launched every week. Meanwhile, regulators are concerned by possible poor customer outcomes but have not yet adapted standards to address digital innovation. Insurers face significant challenges when they seek to apply “old economy” conduct of business and consumer protection regulation to digital distribution models. Now further tech regulation is heading the industry’s way, driven by the EU’s Digital Decade Strategy. Insurers must add legal skillsets to their digital innovation projects to manage the resulting business and regulatory challenges.
How will AI regulation impact insurance business?
The EU draft Artificial Intelligence Regulation (AIR) will prohibit use of AI technologies that create “unacceptable risk”. Examples include real-time remote biometric identification systems in public spaces and applications of social scoring. The prospect of insurers using such systems is remote, so the real industry focus will be on technologies classified as “high” and “limited” risk under the AIR. No specific insurance application is identified as high-risk, but insurers will still need to consider each listed use case carefully for potential impacts.
As an example, AI used for creditworthiness evaluations and credit scoring is high-risk. However, insurers are more likely to consume credit data produced by others than to use or develop credit scoring systems themselves. Biometric identification and categorisation systems are high-risk, so life insurers proposing to use such systems in underwriting could be impacted. Outside the insurance value chain, there are high-risk use cases of AI that are relevant to all businesses such as filtering CVs in recruitment processes and taking promotion decisions.
How could insurers come within scope?
AIR will impose obligations on users and providers of AI systems. Depending on system architecture, insurers are likely to be users and could be providers where they become involved in systems development directly or through incubators. Providers have extensive obligations under AIR. A user can be considered a provider where it places its name or trademark on a system or substantially modifies the system.
Providers of high-risk systems must ensure that:
They have systematically updated risk management processes,
Those processes are tested for fitness for purpose,
Systems use training, validation and testing data sets that comply with data quality and governance requirements, and
Systems have detailed technical specifications available to users, logging capabilities, and permit adequate human oversight to be maintained.
Insurers that are only users of high-risk AI systems will have more limited obligations, mainly to use the system in accordance with technical instructions, monitor its operation and maintain logs.
Where an AI system is classified as limited-risk, users’ obligations are more limited again. Systems designed to interact with individuals, e.g. chatbots, must make it transparent to users that they are interacting with a system. Individuals interacting with emotion recognition systems and biometric categorisation systems must be specifically informed that a system is operating. Finally, systems that generate deep fakes must disclose that the image or other content has been artificially generated.
The AIR proposes heavy fines for serious breaches. In practice, as users rather than providers, insurers’ exposure to these should be limited. However, the reputational damage of any breaches could be significant, especially as different sectoral regulators increasingly cross-report breaches. An example of this can be seen in the recent case of Ireland’s Competition and Consumer Protection Commission reporting alleged price signalling by insurers to the Central Bank of Ireland.
Apart from AI regulation, what other issues could arise?
Having satisfied AIR requirements, insurers will need to apply regulatory conduct of business and consumer protection rules to their customer engagement models. They must also ensure that the AI system outcomes do not breach applicable anti-discrimination and equality laws and meet regulatory expectations regarding internal governance. EIOPA has produced draft guidance in this area stating that insurers should consider potential negative consumer impacts when determining the appropriate governance measures. This requires insurers to consider fairness of outcomes and to mitigate the potential exclusionary impact of rating factors like credit scores used in AI systems. Data must be fit for purpose and insurers should make reasonable efforts to monitor and mitigate data biases. Insurers should keep records of the measures put in place to ensure fairness/non-discrimination where AI systems are used. They may also need to develop relevant metrics for high-impact customer engagements.
Insurers must give meaningful explanations to enable customers to make informed decisions when interacting with AI. Insurers should establish and document appropriate levels of human oversight and embed them in their governance systems. They should adopt sound data governance practices, ensuring accuracy, completeness, security, traceability and auditability, throughout the AI life cycle. Finally, the systems themselves should be robust and fit for purpose, produce stable and steady outputs, and be deployed in a secure IT environment.
What should insurers do next?
Insurers must be well positioned for what McKinsey predicts will be a radical transformation of the insurance value chain through AI by 2030. If businesses have not yet done so, they should launch their AI innovation strategy reviews or project working groups now. In our experience, internal working groups often find it challenging to drive change in an area where the legal and regulatory environment is still evolving. Creative legal thinking and alternative scenario planning are sometimes needed to reach concrete recommendations. We strongly recommend that insurers budget for and allocate extensive levels of internal and external legal resources to their AI working groups from the outset to maximise their chances of positive outcomes.
The content of this article is provided for information purposes only and does not constitute legal or other advice.