EIOPA public consultation on the ‘Discussion Paper on open insurance: accessing and sharing insurance-related data’

1        Do you agree with the definition and the approach to open insurance highlighted in the Discussion Paper? If not, please describe what aspects would be essential to consider additionally?

Finance Finland welcomes the open-minded EIOPA discussion paper on assessing and sharing of insurance-related data and we highly appreciate the on-going work of the EIOPA to consider the different aspects of open finance concentrating especially on the issues relevant to insurance.

However, Finance Finland finds it vital to narrow down the open insurance definition. The insurance data opening, if any, should be started from carefully chosen areas of business and data and enough time should be given for impact assessments and risk analysis thereof before moving on to other business lines and datasets. Without a precise definition, it is also difficult to assess the net impact of the open insurance from the industry, consumer or supervisory angle. Some of the sub-elements or terms used are not clearly defined, leaving the definition open to interpretation, e.g., “consumer” is a limited concept for discussing all the possible customer types that the insurance industry deals with.

Additionally, we believe that data usage, access and sharing should be considered in a broad context, with focus on cross-sectoral data sharing between all sectors of the society. The focus of open finance should not be solely on the financial sector, but broadly on all sectors of the society. In this respect, focusing only on open insurance appears to be too narrow of a view, and could be misleading. The focus should be on what kind of data should be opened, not who uses it.

The discussion paper lacks elaboration of the purpose or objective of open insurance framework. Comparable data sharing regulations, e.g. PSD2 have a clear goal-oriented purpose and structure, and is strongly anchored in the customers interests.

It is also unclear who the intended beneficiary is supposed to be. Consumer, industry and supervisory angles are lifted in the discussion paper, but e.g. society is currently not addressed. Insurance first and foremost exists to facilitate risk sharing among individuals in society.

2        In addition to those described in this paper, including in Annex 1, do you see other open insurance use cases or business models in the EU or beyond that might be worth to look at further from supervisory/consumer protection perspective?                

What types of data would be subject to data sharing should also be carefully considered. In this regard, it is important to consider which areas would really benefit from data sharing from a customer value perspective.

Finance Finland believes that, in general, the increased access to data generated by the financial sector, and also by other sectors (both public and private), provides innovation and competition potential for the industry. Data generated by commerce and e-commerce sectors, data regarding the housing company shares or real property, data collected by vehicles, ESG reporting data and real-time accounting data of businesses as well as taxation data can be mentioned as examples of such potentially relevant data. Hence, the open data initiatives should be considered from a holistic perspective. It should be carefully analysed what data has the potential to enable the financial sector to provide better products and services for their customers, for example.

3        Do you think regulators/supervisors should put more focus on public comparison websites where the participation is compulsory for undertakings? What lines of business could be subject for that? What risks, benefits and obstacles do you see?

An open finance policy may indeed increase the provision of comparison services of financial products. However, it is important that the information provided to the customer in such comparison services is fair and not misleading. For example, the focus could be mainly on the differences in price and less on the other terms and conditions, such as coverage of the financial product, which are essential to know when making informed decisions with regard to insurance products. Service levels, channels offered and claims experience are also important in this regard. Hence, the increased price transparency could come at the cost of less transparency in other areas relevant to insurance offerings. Excessive price focus could also de-incentivize product and service innovation, which is not in the customers’ long-term interest.

 It should also be noted that majority of insurance products aren’t comparable between Member States due to differences in jurisdictions, structure of social services, tax systems, customer preferences, market practices etc. Local insurance solutions have been tailored to the market needs over decades, and we see limited customer value in attempting to homogenize the product and service structure. Therefore, participation to these comparison websites and tools shouldn’t be compulsory.  Furthermore, it is important to have well-functioning monitoring and enforcement by national authorities.

In the development of the Motor Third Party Liability Insurance Directive the insurance sector sees no need for compulsory comparison websites.

4        Please describe your own open insurance use case/business model and challenges you have faced in implementing it, if any.

5        Do you see other open insurance use cases in RegTech/SupTech that might be worth to look at further from supervisory/consumer protection perspective?

6        Please describe your own open insurance use case/business model in RegTech/SupTech and the challenges you have faced in implementing it, if any.

7        Do you agree the potential benefits for the a) industry, b) consumers and c) supervisors are accurately described?

In general, Finance Finland agrees with the potential benefits for the different stakeholders mentioned in the discussion paper. However, when thinking about the potential benefits of open insurance for different stakeholders, it should be bear in mind that the aspects that might at first seem like a benefit, may turn out to be risks in the long run and vice versa. For example, opening all data may seem as a benefit for consumers as it at first may increase competition: new competing companies may appear, as the data that was handled by a few firms before, opens up for everybody. However, in the long run, the obligation of opening all data may decrease competition, as there is no benefit to be gained in developing data and the companies. Having said that, Finance Finland finds it challenging to evaluate the possible impact, if any, on the level of future insurance premiums.

In addition, Finance Finland has some doubts about the other benefits mentioned in the discussion paper. For example, it is mentioned that open insurance could lead to more tailored insurance products and to an adoption of a consumer-centric approach. However, we see that mandatory standards and regulatory requirements are likely to narrow insurers capacity to innovate on products, possible altering competitive dynamics to customers’ detriment. One could also argue that the transparency that the Internet-era has induced, has already forced insurance companies to become extensively consumer-centric. Finance Finland questions to what extent a strict non-voluntary framework would incentivize insurers to seek the best possible solutions for customers.

Lowering entry barriers is also mentioned as a benefit for the industry. However, Finance Finland believes that competition should take place at a level playing-field and there should not be different tiered rules for incumbents vs. market entrants. We also question what purpose it serves to lower entry barriers.

From the consumer point of view, the discussion paper mentions that the open insurance would mean more product variety. At a theoretical level, standardization implies limiting the scope – thus implying less rich and diverse data, for the intended trade-off of making it easier to transfer across different parties and stakeholders. Too much variety may also make the already abstract products even harder for a consumer to compare, and this may not be beneficial in the long run.

Additionally, it is not clear whether open insurance will reduce costs in the end, as some of the potential benefits (if realized) are outweighed by new concerns. In addition, open insurance in itself will require implementation and development which will create new costs. With regard to comparison sites, Finance Finland does not see them as pure benefit to customers, please see our answer to question number 3 for more details.

From the supervisory point of view, we support making existing mandatory reporting more efficient and making some of the supervisory reporting processes automated. However, we have some doubts on the purpose and value of real-time data sharing. Specifically, we fear this could end up blurring the roles between supervisor vs. industry players and skewing the highly valuable long-term systemic oversight into short-term agendas. We would therefore remain sceptical towards broadening the reporting scope or increasing its frequency. The costs and practical complexities arising also from the scope of the supervisory technology outlined are significant, and we question if they are proportionate to the expected benefits. A careful analysis of costs and benefits should be done before any real-time supervision initiatives are introduced.

8        Are there additional benefits?

Enriched claims and compensation data could be used on a societal level, e.g. for statistical purposes, loss prevention as well as allocating money to infrastructure investments. To some extent this could be done on the basis of real-time data. However, the insurers must be fairly compensated for producing such data.  

9        What can be done to maximise these benefits?

A careful risk assessment should be done to estimate the benefits and risks related to the opening of data. The benefits must be greater than the risks for both insurers, clients and the society. The starting point for open data should be broader than the financial sector alone, and the opening of different stakeholders’ data should be compensated in a fair manner.

10     Do you agree the potential risks for the a) industry, b) consumers and c) supervisors are accurately described?

In general, Finance Finland agrees with the potential risks for the different stakeholders mentioned in the discussion paper. The data security and privacy risks are however not described thoroughly enough in the paper. With open insurance, the number of access points and authentications methods would increase. Depending on the method used, e.g. screen scraping, this may cause a risk of not knowing who accessed the data. If the players don’t know who uses the data, it cannot be protected. Hence, if the regulation is inadequate in terms of data security, the insurance industry should not be held liable for any data breaches or misuses of third parties.

For consumers, opening up insurance data may reveal such sensitive personal information, that might be true for the rest of the customers life, and beyond. This paired with potential “consent fatigue”, i.e. customers are frequently asked to accept elaborate texts on small handheld devices, often granting access uncritically, may cause the customers to give access to lifelong sensitive information.

The potential risks depend on the intended purpose and eventual design of an open insurance framework. Depending on these factors the risks might have different likelihood and impact.

11     Are there additional risks?

Finance Finland has found additional risks for the industry and consumers and supervisors. For the industry, open insurance may increase the cost of regulatory compliance, both directly and indirectly, and distort competition, if trade secrets are included in the shared data. Opening interfaces in large scale can also create new and difficult risks in terms of cyber resilience.

If insurers are forced to open all of their data, this may decrease the amount of development that the insurers are willing to do, as the results of the development work has to be shared with everyone. It may be wiser for the insurers to wait for someone else to provide the developed information and to develop it further to an even better product. There is also a risk that expensive IT development will lead to higher insurance premiums.

Opening the insurance data shouldn’t lead to increased reporting to supervisors. Additionally, supervisors should have enough resources and competence to monitor new, innovative business models and market players.

A careful risk assessment should be done to estimate the benefits and risks related to the opening of data. It may be impossible to re-call regulation even if open insurance ends up impairing the markets or customers. It could be very difficult to revoke the framework , because the data has already been shared. Therefore, the consequences should be thoroughly thought through and evaluated in advance. Opening up too much data in one go, may induce too many risks at once.

12     Do you consider that the current regulatory and supervisory framework is adequate to capture these risks? If not, what can be done to mitigate these risks?

Finance Finland believes that the customer perspective should remain at the core of open insurance framework. Given the sensitive nature of insurance data, customers must have absolute confidence in the security of their data, full control over the data being shared and to whom and the right to determine to which services and under what conditions their personal data will be used. Customer education should be an essential part of any consent management framework, so that customers do not unknowingly end up trading their data for privacy. The consent should always be explicit and the scope of the customer’s consent must be clear and verifiable, particularly when it comes to what data is to be shared. Appropriate technical standards, procedures and mechanisms need to be adopted in order to mitigate the risk of more personal data being shared than covered by the consent and to limit the consent to a certain time period and for the specific use case. The different issues regarding the possible withdrawal of the customer’s consent also need to be considered. For example, customers should easily be able to monitor to whom which consents have been granted and be empowered to withdraw consent at any time in a simple manner. Furthermore, customers who do not share data should not be penalized by not being able to access generic features of a certain service, vis a vis customers who choose to share their data.

Finance Finland believes that screen scraping technology should be prohibited in the context of open finance due to privacy and security reasons. Screen scraping enables the third party bot to get access to a large amount of customer´s private data without the customer or insurer being notified or aware. Examples of such private data includes sensitive health information, details about the customers financial situation, detailed information about current assets, past claims, incidents, accidents and more. Data regarding co-insured persons, which the customer legally rarely has the right to share without the co-insureds explicit consent, could also be accessed. In practice it is difficult to see how the consents given for services based on screen scraping can be explicit and informed when the customer is not in control what data is shared. The insurance companies do not have any mechanisms to identify if it is the customer or a bot using the customers access token to get data or perform actions. This is a challenge when it comes to compliance with privacy and security regulations.

The desire to achieve a level playing field between companies regarding access to customer data must not override the interests of consumers, taking into account all consequences. We recognise the possible problem of unfair pricing strategies and misuse of consumers’ financial data, for example. However, we think that this is a cross-sectoral issue that concerns all businesses. It should be treated in a consistent manner following the evolving guidelines in the EU. If there were specific rules just for the financial sector, they could easily end up being contradictory with other rules imposed on the sector.

13     Do you agree with the barriers highlighted in this chapter?

14     What additional regulatory barriers do you see?

In the insurance sector, there are possible limitations and restrictions for insurance undertakings wishing to implement innovative digital strategies. Under the Solvency II regulatory framework, some new digital activities might be classified as “non-insurance business”. Data sharing should also be carefully considered in the context of competition law and intellectual property law.

15     What are your views on possible areas to consider for a sound open insurance framework highlighted by EIOPA in this chapter? Are there additional underlying aspects or other aspects under concrete areas to consider for a sound open insurance framework?

EIOPA notes that there is no uniform understanding or definition as to what open insurance means exactly. However, a sound open insurance framework needs to be based on a firm understanding of the definitions, purpose and intended goals, while always maintaining a customer-focused approach.

16     What are the key differences of between banking and insurance industry which are important to consider in light of open insurance implementation? (e.g. higher variety of products, more data, including sensitive health data in insurance).

The insurance sector as a whole uses a lot more data than the banking sector. The data includes sensitive information including health data that often is gathered during the years, even decades. The data is more varied than in the banking sector, and it serves the business model differently. The data used in insurance industry tends to be longer term data than in the banking sector, and the decisions are made in a longer period.

In addition, the majority of insurance products are not comparable across Member States, due to differences in jurisdictions, structure of social services, tax systems, customer preferences, market practices etc. Put differently, local insurance solutions have been tailored to the market needs over decades. Finance Finland sees limited customer value – if any – in attempting to homogenize the product and service structure.

17     Data used by different insurers varies significantly between companies, operations and products. Additionally, there isn’t a common approach or framework on data processing on the European level. Moreover, majority of insurance data isn’t in a standardised format. What are the ‘lessons learned’ from open banking that might be relevant to consider in open insurance?

PSD2 is not opening up data widely in a banking industry, but rather sectoral regulation, that regulates only the payment services. The scope of regulation is therefore fundamentally different and arguably not comparable to open insurance, and the question of differences between the banking and insurance industries does not seem that relevant. The payment service industry is fundamentally different to insurance in terms of the business model and operating logic. Furthermore, the scope presented in the Discussion Paper spans multiple fields of insurance, e.g. life-, non-life and pension – each with their own characteristics: they have different purposes, operational- and business models and data.

Finance Finland finds it important that the impacts, costs and benefits of the revised Payment Services Directive are carefully and comprehensively assessed and analysed before any decisions on the wider opening of customer data are made.

Finance Finland has recognised several weaknesses and challenges in the PSD2, and therefore, any new initiative in the area of data sharing should not be based on the PSD2 framework as such. A mandatory framework for data sharing would also require significant investments in technical infrastructure and compliance, and therefore there should not be an obligation to share data to third parties free of charge. A mandatory obligation without any compensation would also hinder the possibilities to develop other digital services that could potentially create more benefits and value for customers. Furthermore, data protection and security related issues must be carefully considered and solved before introducing legislation on data sharing beyond PSD2.

In Finance Finland’s view, PSD2 hasn’t fully achieved its goals mainly due to delayed and incomplete regulation process. Especially, lack of proper standardisation has caused many challenges.

18     Do you think open insurance will develop without any regulatory intervention? (e.g. without PSD2 type of compulsory data sharing provisions)

Yes. Insurance companies are already sharing information with different operators.

19     Do you think open insurance should be driven voluntarily by industry/private initiatives or driven by regulatory intervention?

We are supportive of efforts to facilitate improvements to the industry. However, we believe it is important to first define a clearer purpose for open insurance and deploy appropriate responses to ensure the purpose is most efficiently achieved. Pending on intent, this could imply regulatory or voluntary interventions.

The regulatory path implies ensuring certain activities are followed-through, but which may come at the cost of other initiatives or efforts. As such, the regulatory pathway takes away the industry’s ability to self-regulate and make those trade-offs. PSD2 exemplifies this dynamic well, where ASPSPs are restricted in their ability to bring services outside PSD2’s scope to market and inducing high costs on the industry participants. Finance Finland wants to highlight that strict regulatory intervention should predominantly be deployed to deal with clear and defined market failures.

As a starting point, in order to avoid imposing potentially heavy regulatory burdens on insurance companies, data sharing should generally be industry-led and based on voluntary agreements or in the framework of data partnerships. Many existing initiatives in the insurance sector work well and have proven to be successful. It should be ensured that these can continue to thrive.

Any regulatory initiative should be well defined and limited to specific business areas or products. A careful assessment should be done in respect of technical standardisation of data interfaces and the quality and structure of data. A special attention should be paid to data protection and security. Additionally, liabilities of the data usage should be defined clearly.

20     Do you have views on how the EU insurance market may develop if some but not all firms (e.g. based on different industry-wide initiatives) open up their data to third parties?

21     What datasets should be definitely included in the scope of a potential open insurance framework? What data should be definitely excluded from the scope of open insurance framework? Are there any data sets you currently do not have access or do not have real-time access or where you have faced practical problems, but you consider this access could be beneficial? This could include both personal and non-personal data (e.g. IoT devices data, whether data, sustainability-related data, data on cyber incidents etc.). Please explain your response providing granular examples of datasets.

Data which constitutes trade secrets or other business sensitive information should not be subject to data sharing, e.g. tariffs, risk management data, compliance and supervisory reports.

22     In your opinion, which regulatory/licensing approach would be best for the development of sound open insurance framework (e.g. unlocking the benefits and mitigating possible risks)? Could an increased data sharing require revisions in the regulatory framework related to insurance data? Please explain your response.

23     Could you provide information which helps to evaluate the cost of possible compulsory data sharing framework (e.g. based on your experience on PSD2 adoption)?

24     In the absence of any compulsory data sharing framework in insurance as it is currently the situation, how do you see the role of EIOPA and national supervisors to guarantee proper market oversight and consumer protection?

25     This Discussion Paper highlighted some of the ethical issues relevant to open insurance (e.g. price optimisation practices, financial exclusion, discrimination). Do you see additional ethical issues relevant in light of open insurance?

26     What functions and common standards are needed to support open insurance and how should they be developed? Please consider this both form self-regulatory angle and from possible compulsory data sharing angle.

27     What existing API/data sharing standards in insurance/finance in the EU or beyond could be taken as a starting point/example for developing common data sharing standards in insurance?

28     Do you believe that open insurance only covering insurance-related data could create an un-level playing field for incumbent insurance undertakings vis-a-vis other entities such as BigTech firms? Please explain your response

Finance Finland supports efforts towards fair data sharing in which the treatment of different players is based on a true level playing field and reciprocity. The opening of the data should not be solely focused on the financial sector, but broadly on all sectors of the society. Otherwise, all market players will not have the same opportunities to offer innovative services for their clients.

29     How do you see the market will develop in case the data sharing is extended to non-insurance/non-financial data? What are the biggest risks and opportunities?

30     Do you have any comments on the case studies in Annex 1?

31     Are there any other comments you would like to convey on the topic? In particular, are there other relevant issues that are not covered by this Discussion Paper?

There are more customer types than only consumers, the main archetype highlighted in the discussion paper, such as organizations or unions, corporate clients, small and medium enterprises and single-owner entities. In other words, the customer relations in the insurance industry are often complex and multifaceted. It is even often the case that the buyer of the insurance product is not the same as the insured party, for example. This has great impact on the discussion papers’ views and arguments, especially with regard to consents, security, privacy aspects. In summary, it implies that the scope of the proposed open insurance framework might be misguided, and its benefits and risks are not accurate and need to be re-evaluated.

Finance Finland has taken part in the creation of the response of Insurance Europe, and supports the aspects brought forward in this response as well.

FINANCE FINLAND

Lea Mäntyniemi
Director of Legislation