Tackling new EU data rules could cost insurers more than Solvency II

Preparing for and operating under the European Union's new data protection rules could cost insurers more than tackling the region's Solvency II insurance capital regime, according to one consultant.

Research by another consultancy has shown that insurers will face far higher costs per employee than other industries in implementing the new mandates, which came into force May 25, and there are indications that work will continue long after the deadline.

Under the new General Data Protection Regulation, firms face fines of €20 million or 4% of annual turnover for violating the new rules. Requirements include reporting a data breach within 72 hours of discovery and responding within a month to subject access requests, by which customers can ask to see what data is held about them.

Costlier than Solvency II

Although he did not put a figure on the potential cost for insurers, PricewaterhouseCoopers insurance and investment management data analytics leader Craig Skinner said in an interview: "If you add up project costs, the transition into business as usual spend and the business as usual spend, it certainly will be at the level if not above Solvency II." He added that GDPR costs would likely fall somewhere between expenditure on Solvency II and the cost of implementing new global insurance accounting rules, IFRS 17, which come into force in 2021.

The Association of British Insurers estimated that Solvency II, which took effect Jan. 1, 2016, cost U.K. insurers and reinsurers £3 billion.

Not all agree that the cost of GDPR will be onerous for Europe's insurers. Speaking at an event May 23, Moody's associate managing director Antonello Aquino said: "[European insurance] companies have certainly put in some effort, but I don't have a sense that it was very costly — nothing as costly as Solvency II or changing accounting [regime]."

But insurers could have it tougher than other industries. Management consulting firm Sia Partners estimated in January that the average cost per employee for nonbank financial services — mainly insurers — on the U.K.'s FTSE 100 large-cap stock index was £719. This was the highest of all industries studied, and compared with £553 for banks.

"Large insurance groups face a disproportionately high average per-employee implementation cost," Sia said in its study.

Worse off

Insurers are an outlier because of the volume and breadth of data they collect to price coverage and vet claims, Sia Partners senior manager David Coolegem said in an interview. For example, an insurance company may check the social media profile of a personal injury claimant it suspects of fraud to ensure they are as incapacitated as they say.

"Insurance companies do a great deal of trying to combat fraud, so they try to collect a lot of information which may be not directly linked to the claim or the person but is [relevant] to make sure it is not a fraudulent claim," Coolegem said. That means insurers "need to put more effort into listing what data items they are collecting, justifying why they need them and putting the right safeguards in place around those pieces of personal data," he added.

On the pricing side, insurers have been collecting ever more detailed data to charge a rate that is more tailored to an individual. One example is telematics for car insurance, where prices are set using data about how safely someone drives. Coolegem said: "[Telematics] can help lower insurance costs when the person drives well, but you are now collecting another set of data and people may want to make sure you provide the risk safeguards around it."

Disparate systems

PwC's Skinner said a lot of cost could come from dealing with customer requests to see the data an insurer holds or to insist that old data is purged. Because many insurers have aging IT infrastructure that was built up in a piecemeal fashion, accessing and safeguarding this data could be difficult.

Since Dec. 1, 2016, the EU's Deposit Guarantee Schemes Directive has required banks to have a single customer view, with all the data on a specific person in one place, which Skinner said is "a real leg up" for banks in GDPR readiness. He added: "We've never had to do that in insurance. Over time, we could have, over many policy admin systems and other disparate systems, six versions of Craig Skinner and not really be too pushed to work out who is the unique Craig Skinner. That is a massive problem when we come to look at a subject access request or a request for erasure or a request for portability."

The upshot is that insurers are likely to be working on GDPR-related matters after May 25. Skinner said: "A lot of projects are in a transitional phase now running up to the end of the summer or even into Christmas."

Sia Partners associate partner Hannan Nasib added: "There is an uptick in people's awareness of what their rights are in respect of data. Is that now going to be used as a lever by customers, and therefore would the cost go up and will there be further implementation work required post May 25? Absolutely."