Digital Signatures, Documents, and Data and Privacy Regulations

As e-signatures, e-documents, and e-records proliferate, insurers must be careful that they, their third-party service providers (TPSPs), and reinsurer partners maintain compliance with federal and state regulations.

Regulatory developments in analytics, data usage, and data security have the potential to affect insurer technology strategy. E-signatures and e-delivery have become a key enabling technology in the insurance industry’s rush to digitize everything due to the pandemic. At the same time, Fair Credit Reporting Act (FCRA) regulations have an impact on the storage of an individual’s credit and consumer information for employment, insurance, and credit transaction purposes. Insurers must also carefully consider data exchanged with TPSPs—including reinsurers—as part of their data security obligations.

E-signature and E-records

There are federal guidelines and specific state regulations insurers should keep in mind as they expand their use of e-signatures. State and federal regulations embrace largely similar concepts, recognizing the legal effectiveness of electronic signatures and records, along with their delivery and retention.

The acceleration of digital transformation since the pandemic hit means rethinking relationships between information, people, and processes, given new and evolving capabilities. Digital can impact the insurance buying experience, and e-signatures can be, and are being, applied across the insurance value chain, including areas as disparate as product development, marketing, claims, and finance.

As the use of e-signatures spreads, insurers must be certain that the language being signed is correct for the specific product and state, and they must update it as laws and regulations evolve. Modern customer communications management solutions can make these updates easier.

The Fair Credit Reporting Act

There are two intersections between technology and the FCRA. The first arises when an insurer utilizes a web-based application process for employees or independent contractors and obtains a consumer report to evaluate the candidate in that process. The insurer must provide the applicant with a disclosure that a consumer report may be obtained and receive the applicant’s authorization in a document that consists only of the disclosure and authorization.

The second issue occurs when an insurer has received consumer information and is storing it electronically. The Federal Trade Commission requires that electronic media be destroyed or erased in such a manner that the information cannot be read or reconstructed.

The data in consumer reports must be governed, curated, maintained, and entered in a catalog or glossary to facilitate strong reporting and analytics. The glossary will determine how long each data element can be retained, who can see it, and potentially how frequently this type of data needs to be refreshed. Data governance best practices also suggest that a data steward should be responsible for updating the rules for this type of data as state regulations evolve.

Data Security Obligations on Reinsurers

Data security obligations continue to impact insurers and their TPSPs, including reinsurers. Ceding companies are beginning to realize that they are not only spreading their risk; they are also spreading their insureds’ personal information. As such, ceding companies are insisting reinsurers abide by the same data security and privacy agreements as any other TPSP.

Ceding companies should require contractually that all reinsurers attest that they comply fully with relevant regulations, document where they do not, and specify a timeline with high-level action steps for remediation. Data movement to other countries (including data backups) will need to be specifically restricted if it contains protected information. Contracts should also provide for NIST audits of reinsurers performed by an outside assessor and for reinsurers to pay fines that carriers incur as a result of data exposure by a reinsurer.

Agreements should also mandate multi-factor authentication, encryption of data in transit and at rest, and audit-log proof that personally identifiable information is treated confidentially.

As digitization progresses, the data created will need to be appropriately secured and governed. Data governance and a supporting data ecosystem are now mandatory.

On March 24, please join Novarica and Locke Lord LLP when they discuss these new regulatory developments in analytics, data usage, and data security, from the latest Insurance Technology and Regulatory Compliance, Vol. 6.
