Technology & Innovation of Tuesday, 27 August 2024

Source: Sean Isaac Addo Mensah, Contributor

AI regulation begins – What the EU AI Act means for insurtech industry

Sean Isaac Addo Mensah Sean Isaac Addo Mensah

The beginning of August saw the coming into force of the European Union’s Artificial Intelligence Act (AI Act), a landmark regulation that is poised to have significant global ramifications.

As the world’s first comprehensive legislative framework laying down harmonised rules on artificial intelligence, this Act sets a precedent that is likely to be followed by many jurisdictions worldwide.

In an age where digital transformation continues to develop at breakneck speed, this Act seeks to ensure that AI systems in the market are safe, trustworthy and comply with fundamental rights and values.

While the AI Act boasts of a broad scope and ambitious objectives that are commendable and essential in today’s global village, it is set to have a major impact on specific industries. One of such industries is the Insurtech sector, which has seen rapid growth in recent years through the integration of AI-driven technologies.

There are questions as to whether the industry may face substantial challenges under the new regulatory regime. This essay aims to explore the extent to which the EU AI Act will affect the Insurtech industry, considering both the opportunities and the potential regulatory burdens it introduces.

How does the act affect the industry?

As outlined in the explanatory memorandum of the Proposal for the Act, this framework is a ‘balanced and proportionate horizontal regulatory approach to AI’. It provides that its scope covers users and providers of AI systems within the Union.

As such, every sector that uses AI systems are bound by this legislation, including the Insurtech industry. This broad application is to ensure that AI systems adhere to consistent standards of safety, transparency, and accountability, regardless of their specific use case.

Also, the Act introduces a risk-based classification system that categorizes AI applications into distinct levels of risk: unacceptable, high-risk, limited-risk, and minimal-risk.

While minimal risk and limited-risk AI systems require a moderate level of regulation and unacceptable AI is outrightly banned under the Act, high-risk systems – systems that pose significant harm to health, safety, or fundamental rights, as per Article 7 of the Act – must adhere to a series of stringent obligations, including rigorous testing, transparency requirements, data governance measures, and the need for human oversight.

Insurtech’s use of AI systems were classified as high-risk by the European Council, much to the concern of some insurers. According to Insurance Business Magazine, William Vidonja, head of conduct and business at Insurance Europe, expressed disappointment with this decision, stating that it was made without proper analysis or impact assessment, save for a limited safety-related use case in digital infrastructure.

When one considers that insurtechs use AI-driven tools for credit scoring, customer profiling, and fraud detection, which directly influence decisions that can have a profound impact on individuals, such as the approval or denial of insurance claims or the determination of premiums, it is not a wonder that the high-risk classifications remained, especially as this specifically pertained to life and health insurance. With this in mind, it is evident that companies in the Insurtech space are obliged to comply with the requirements of the Act.

Challenges

The burden of additional regulation on the insurtech industry

One significant challenge the new Act presents to Insurtech is its addition to an already complex and heavily regulated industry. Among these numerous legislative frameworks are the Solvency II Directive (2009/138 EC), a regulatory directive that establishes rules for the operation of self-employed direct insurance and reinsurance activities within the Community, the supervision of insurance and reinsurance groups, and the reorganisation and winding-up of direct insurance undertakings. Another framework is the Insurance Distribution Directive (2016/97 EC) [IDD], which focuses on ensuring transparency, fair treatment of customers, and the distribution of insurance products that meet the needs of consumers.

The addition of the AI Act to the industry poses an extra burden on Insurtech firms, as it not only reinforces some of the existing obligations in the above-mentioned directives but adds more requirements. An example can be found in Article 10, which deals with data and data governance.

The AI Act provides that training, validation and testing data sets must be relevant, error-free, representative and complete. It further requires that such data sets consider the elements particular to the setting (whether geographical, functional or behavioural) in which the AI system is to be used, in order to prevent the mitigation of biases.

These are significant requirements which are not explicitly mentioned in Solvency II or IDD, and will demand that Insurtechs invest heavily in ensuring their data sets comply with these rules. There is the likelihood that startups may struggle with the allocation of resources to meet these standards.

Impact on innovation & speed to market

The arrival of the Act also poses the possibility that quick innovation in the Insurtech industry may be stifled by its stringent requirements.

It is trite knowledge that technology develops at lightning speed in our world, and in many sectors that leverage it, there is the need to stay up to date on the newest developments. This might prove cumbersome for Insurtech firms, however, if one considers the new requirements of the Act. The classification of their AI systems as high-risk mandates compliance with all the requirements established in Chapter 2 of the Act. They are also to undergo conformity assessment procedures and be issued with certificates from notified bodies and an EU declaration of conformity before appearing on the market.

These are lengthy and expansive processes to follow, and Insurtech companies may need to undergo extensive testing and validation of their systems before they can enter the market. This can affect their ability to innovate rapidly.

Increased post-market liabilities

The addition of further layers of liabilities after the approval of AI systems and their subsequent placing on the market could also prove to be another challenge for players in the Insurtech space.

Under Title VIII of the Act, Insurtech firms as providers of AI systems are expected to comply with the following demands:

They must establish robust post-market monitoring systems for their systems. This involves continuously tracking the performance and safety of their systems, and collecting and analysing data to ensure that the AI system continues to operate in accordance with the laws.

They must report any serious incidents or malfunctions of their systems that constitute a breach of obligations under Union law to the relevant authorities. They, therefore, must implement procedures to quickly identify, document, and report such incidents and malfunctions not later than fifteen days after being notified of the same.

They must also maintain detailed records of their systems, including the results of conformity assessments, technical documentation, and post-market monitoring data, and should grant full access to the market surveillance authorities upon request.

These extra obligations add to the complex regulatory burdens Insurtech firms carry, which they cannot afford to flout. In the event that non-compliance is discovered, they must face the possibility of penalties, ranging from 30 million euros to 6percent of their worldwide annual turnover for the financial year.

It is evident that the implementation of the AI Act imposes significant and complex requirements on the Insurtech industry, necessitating that its players develop and implement robust strategies to ensure compliance. While these requirements are challenging in nature, they also offer the industry opportunities to enhance their services by leveraging the provisions of the Act.

Opportunities

Trust and enhanced reputation

One of the aims of the Act is to promote transparency among providers of AI systems, and by adhering to these regulations, Insurtech firms have the potential to enhance their reputation and build customer trust. For instance, the Act mandates providers of AI systems to set up a quality management system that includes, among other things, a strategy for regulatory compliance, systems and procedures for data management, and procedures for record keeping of all relevant documentation and information. It also mandates providers of high-risk systems to maintain records of automatically generated logs their systems create.

Compliance with these requirements offers Insurtech firms an opportunity to position themselves as reputable and trustworthy entities in the industry, thereby attracting clients and strengthening their market standing.

Competitive advantage through ethical AI

It ought to be remembered that the passage of the AI Act coincides with ongoing debates surrounding the ethical use of artificial intelligence. While AI has proven to be both beneficial and transformative to society, its techniques have also been employed in ways that pose significant risks and ethical concerns. The Act’s Explanatory Memorandum highlights a primary objective of the legislation: to instil confidence in individuals and other users to adopt AI-based solutions, while also encouraging businesses across the various sectors to innovate and develop these technologies.

Consequently, the regular tech-savvy customer is more inclined to patronise businesses that prioritise ethical use of their AI systems. Insurtech firms that capitalise on this and develop AI systems that are in line with the Act’s ethical requirements have an advantage over other firms that may struggle to comply with the same.

For example, a firm that adheres to Article 10 of the Act (as previously discussed) would possess a distinct advantage over a non-compliant firm, as informed customers would recognise that the risk of encountering bias is significantly reduced with the compliant Insurtech firm.

The use of regtech and compliance solutions

As previously mentioned, the insurance and Insurtech sector is characterised by extensive regulation. Vidonja, in his critique of the classification of Insurtech activities, emphasized that the industry is already governed by a comprehensive EU regulatory framework, in addition to various national regulations and EU legal mandates such as the General Data Protection Regulation (GDPR). The AI Act is thus another layer to an already extensive list of regulations that industry players must navigate effectively to avoid unwanted sanctions.

The rise of RegTech, short form for Regulatory Technology, marks a significant development. Defined by KPMG as “technology-driven services to facilitate and streamline compliance with regulations”, this newer subset of Fintech possesses a wide scope, ranging from regulatory compliance and management to tax and general compliance. It is particularly valuable to companies and firms in heavily regulated industries.

This presents Insurtech firms with the opportunity to either collaborate with RegTech companies or develop their own specialized solutions to ensure compliance with the AI Act. Considering that the challenges posed by technology are best addressed through technological solutions, this approach is both logical and strategic.

Can the African and Ghanaian insurance market learn from the arrival of the AI Act?

As previously discussed, the AI Act is certain to set a precedent that other jurisdictions will follow, including Africa. The insurance market, particularly that of Ghana, is gradually adapting to the technological changes, and critical lessons ought to be learned from the arrival of the Act.

One key takeaway is the importance of proactive regulation and compliance. Just as the AI Act introduces a risk-based classification system for AI applications, Ghana’s insurance industry can benefit from similarly categorising AI systems under the Insurance Act 2021, ensuring that AI-driven tools used by insurance and Insurtech firms for processes like credit scoring and fraud detection are both effective and safe. Adopting clear regulatory guidelines will help avoid disruptions and build consumer trust in AI-driven services.

Another vital lesson is the need for rigorous data governance and bias mitigation. It is crucial that the regulatory body, the National Insurance Commission, prioritise that AI systems used by Insurtech firms are trained on representative and high-quality data to avoid biased outcomes. Ensuring and maintaining systems of such standards will improve the industry as a whole and increase customer confidence.

Conclusion

The official passing of the EU AI Act represents a pivotal development in the regulation of artificial intelligence technology, with its impact sure to be felt in the Insurtech space. Despite its introduction of stringent requirements that could pose challenges to Insurtech firms, particularly in the areas of data governance, innovation speed, and post-market monitoring, it also offers significant opportunities.

Despite its recent coming into force, its implementation will be a gradual process. This provides Insurtech companies with the necessary time to work towards compliance, enabling them to enhance their reputation, build trust with customers, and gain a competitive edge through the ethical use of AI. The rise of RegTech also presents a strategic pathway for the industry to navigate the new regulatory landscape effectively.

Ultimately, as the AI Act sets the global standard for AI regulation which will be followed by other jurisdictions in the near future, Insurtech firms that proactively adapt to these changes will be well-positioned to thrive in a digital environment that continues to evolve with each passing day.