Tech vs. Insurance Regulators: Toward a New Data Status Quo

For insurers, third-party data presents new opportunities, but also new regulatory challenges, many of which have yet to be determined by regulators. In this exclusive interview, Alyssa Pei, partner at A.T. Kearney, discusses emerging technology, privacy and regulatory concerns, as well as the gaps between insurers’, regulators’ and consumers’ concerns.

INN: What concerns do insurers face regarding the use of third-party data?

Alyssa Pei: There are a variety of themes. How do you integrate that into your systems? How do you allow for the usage of third-party data? And how do you vet your vendors and partners to make sure their compliance and protections are sufficiently strong to meet your own internal criteria? Generally speaking, the insurance industry's criteria tend to be more rigid than the providers’. There is a set of questions around that that we find executives wrestling with. And from a regulatory perspective, that touches directly into both compliance and protection of personally identifiable information; but also into data privacy and management.

INN: What are the questions insurers need to ask?

AP: “What information am I getting? Is it personally identifiable? Is it personally-identifiable financial information?” In that case, they are bound by both state and federal regulations. “Is it personally identifiable by name and address, but also behavioral?” There are very few consistent regulations, at a national or state level, that govern consumer behavioral data. That's the information that’s increasingly top of mind for insurers because it is the most fruitful in driving better underwriting, profitability and business outcomes. It's also the most fruitful in providing better benefits to their consumers because, if they can see something in that data, and they can suggest that you change your driving behaviors, or you take preventative measures around a house, they can benefit their policy holders significantly by preventing claims instead of paying claims.

INN: What's outdated from a regulatory perspective?

AP: There's a lot of regulatory structure that is extremely outdated based on the proliferation of data and how it can be used. As CIOs, CEOs and product leaders think about what's happening on that landscape, they need to think about what position they want to play, because the regulations haven't been put into place. That doesn't mean that they won't be. That's where they're going to want to weigh in and make sure that they're not overly binding. The other consideration for them is that many companies, and probably many of their business partners, already are driving a degree of self-regulation, particularly around data privacy. And in this country, it’s mostly in line with what the EU passed at the beginning of last year. The EU put in place fairly extensive regulations around personal data and “the right to be forgotten.” It applies, at least in theory, equally to anybody living in the EU and any EU citizen living abroad. That has implications, completely untested, for firms that do business outside of the EU, but that deal with EU citizens. On that front, there is a pretty strong community that self-regulates around privacy and data protection. It's a community that bears watching and participation in.

INN: Data from wearable technologies increasingly will be available to many sorts of businesses, but insurers will want it, too. Where does regulation play into those concerns?

AP: That brings up two points. The first is that wearables are part of an ecosystem. Insurers are not the sole provider, purveyor or beneficiary. It's not a closed system anymore. The old models were entirely closed systems because they insured you, typically for years; they knew you and what your risk factors were. But it was all based on their experiences with you, some modeling, and they rated you on you.

Now lots of other companies know about you, too, in ways that can be useful for rating and for policies. And consumers are concerned because they haven't completely decided what they think an insurer should know about them because there's a financial outcome attached to it. That’s why we don't all voluntarily sign up for telematics devices. I'm not sure that I want my insurance company to know how I drive, but Apple and Waze probably do know exactly how I drive [laughs]. I freely part with that information for better traffic reports.

INN: Are there regulations that prohibit access or use of that data from Google Maps or equivalents? It's not yet personally identifiable, or is it?

AP: Yes and no. There's no regulatory standard that says an insurance company can't use that information. There are standards that say, state by state in every department of insurance, whether or not an insurance company can use that information to determine your premium. So that's where it breaks down. Every state has different requirements on what qualifies as a ratable variable. California insurers can't use telematics data to rate auto insurance, whereas Montana or Wyoming recently approved a pilot on rating from an app on a cell phone, not an embedded device; these are very different landscapes. That's a new complexity of operations that tends to fall less in the CIO's camp and more in products’.

INN: Progressive now is using mobile phones to collect telematics data, not even for customers, but for volunteer consumers who might want to get a quote from Progressive. What kind of regulatory concerns or hoops might they have had to jump through to offer such a thing?

AP: In the states in which they are offering it, they will have had to prove that there's high correlation between the information they're collecting and the standard rating variables that they use. They'll have had to cover that ground. They're probably going through an exercise to accumulate enough data to convince the DOIs that it's good data. It's sort of a chicken and an egg thing: you need the data to prove to the DOI that it's good data, but you have to be able to collect it as well. You think about the future and you extend beyond the connected car.

This will absolutely be an issue in homes when you think about what Nest and Google, and Lowe's and Iris Home Monitoring, and all the alarm systems, will be able to say about individual consumers' behaviors in their own houses.

INN: Do you think regulators are able to grasp data proliferation and legitimize it by approving insurance products that address these opportunities and needs?

AP: That will be case-by-case and state-by-state. I say that for two reasons. One is the lack of progress toward a federal governing body for insurance; state DOIs guard their power quite jealously. The other is when you look at the traditional regulations around collection of personal data; they're out of the original scientific inquiry philosophy, which is: “I'm going to tell you why I'm collecting this information and what the benefits to you are; and you're going to approve or disapprove the collection of your personal information specifically for that purpose and in that context.”

INN: And that's the dialogue between the regulator and insurer, as opposed to the insurer and the consumer?

AP: It's both, because the 1974 Privacy Act governs what needs to be said to a consumer when personal information is collected. All carriers, apps, etc. say: "We're collecting your personal information. Do you approve or disapprove for these purposes?" Where the gap is widening is that personal behavioral data now is being collected and the potential use of, and the context for, is unknown. Big data and analytics create opportunities to ask questions in very different ways on a wide source of data. For example: the information we provide through our phones that Google Maps knows about us. I haven't recently read the extremely long privacy and use-of-data agreement but, realistically, it can’t cover every possible future scenario considering the rate of change in the industry. That's the philosophical switch that the regulators and the regulations haven't caught up to.

INN: This is speculative, but are regulators feeling pressure from the insurance establishment to keep these products traditional? Insurers generally seem resistant to change.

AP: They are feeling two pressures: one from the consumers, to make sure no particular group will be disadvantaged by any regulatory changes. Think about the strength of the consumer lobby in hurricane-prone states. Regulators have been pressured into forcing traditional carriers to offer both home and auto -- if they want to continue doing business -- in those states. If State Farm wants to insure cars in Florida, for example, they have to sell a certain amount of home insurance. That's the power of the consumer lobby.

I think they will face pressure from that segment that has privacy concerns, that fears they will be disadvantaged by technology and surveillance. On the other side, insurers understand that this creates a real opportunity for them to be better providers to consumers and to be better, stronger businesses. Technology enables them to be much more selective of the risks they cover. Insurers are very interested in making use of this information. They are putting pressure on the DOI from a product standpoint, but they also are beginning to introduce this dialogue around new rating variables.

My suspicion is that, because insurers are risk averse by nature and are not a fast-moving industry, they will probably keep pace with regulators. And they will apply pointed pressure for particular outcomes. 
