This is the speech as drafted and may differ from the delivered version.
It is a real pleasure to be at the British Insurance Brokers' Association (BIBA) Conference today. I want to use my time on the subject of our Business Plan for the next year, and the issues that we have picked out in the general insurance world. I want to then take one particular issue that is attracting much more attention generally, namely the subject of data and its use. I could have given this speech the sub-title ‘9 Days and Counting’. You would rightly have concluded that my counting skills had gone severely off for the royal wedding. I am not trying to match that for popular appeal when I say that it is 9 days to go until the European Union (EU) General Data Protection Regulation (GDPR) comes into force.
The FCA has a broad remit. The work we do affects every household and business in the UK. This puts even more emphasis on having a Business Plan that explains how we approach our task, and where on the waterfront we will be placing a particular focus, on which issues and risks to our objectives to protect consumers, to protect the integrity of financial markets, and to promote effective competition in the interests of consumers.
Quite rightly, we have to make choices on our priorities. This year those choices are more challenging because we have had to put together a plan that reflects the level of resource the FCA needs to dedicate to EU withdrawal. To be clear, I say that without any judgement on Brexit itself. Our job is to roll our sleeves up and get on with the task of effective implementation.
We are working on the basis that the UK’s exit from the EU will take place in March next year. After this, we expect a transition or implementation period to take effect, which we strongly welcome. We think that having such a period is in the interest of all parties in this process, for two reasons.
First, because we need a period of time in which there is clarity and stability about the relationship between the UK and the EU so that we can put in place remedies for the risks that could arise from a sudden change in that relationship, which we tend to call the cliff-edge risks. And second, it is surely better to have a period when we need to prepare for that future relationship knowing what it will be. I would like to think that is a consensual statement.
Let me continue for a moment on the so-called cliff-edge risks. These arise in large part if there is a sudden and disorderly falling away of the passporting system without having an effective plan to bridge to the future. The passporting system goes both ways, from the UK to the EU, and from the EU to the UK, so both sides have a strong interest in orderly transition. This is not about one side asking for a favour or picking a cherry. The risks of not getting this right are considerable, because without passporting the authorisations of those firms that rely on it fall away in the market into which they passport, unless some other action is taken. This matters, because the authorisation provides the legal basis to continue to service existing contracts in many EU countries including the UK.
That may sound a bit dry, but it isn’t. In insurance, servicing a contract means the legal basis to pay on claims to policyholders and receive premiums from them. The most recent information suggests that this could affect £27 billion of insurance liabilities and 10 million UK policyholders and around £55 billion of insurance liabilities and 38 million policyholders in the rest of the European Economic Area (EEA). So, this is not a small issue.
I am now going to indulge in what could be regarded as a question from the Brexit version of Trivial Pursuit. As of this April, 5,910 financial services firms were passporting out of the UK under EU Directives, and 8,629 firms were passporting in. If I asked the question, which EU Directive, and hence which financial services activity, has the most passports each way – and here’s one clue, it's the same answer both ways – which would you guess? The answer is the Insurance Mediation Directive, in other words the insurance brokers and intermediaries passport. The numbers, by the way, were 2,775 out of the UK and 5,853 into the UK. That's just under 60% of all the passports. I have to confess that I would not have guessed that in advance of knowing. However, let me add an important caveat, particularly for the inward passports. Since they are mostly so-called services passports, involving cross-border selling with no branch presence in the UK, we don’t know how many of these passports are in active use.
Last December, the UK Government committed to legislate to allow insurance companies from the rest of the EEA to continue to service insurance policies held by UK-based customers by creating a regime of temporary permissions and did the same for other financial services. This is very welcome, and I am grateful to the Government for their commitment to provide this backstop assurance for policyholders in the UK.
However, I hope that we will see an agreement between the UK and the EU which means that this backstop is just that, and instead we have a permanent commitment to open financial markets. In the absence of that agreement to date, we need the backstop. But, and this ’but’ is very important, such a temporary permissions regime implemented in the UK cannot cover customers in the rest of the EEA with policies from a passported UK insurer. At present, such customers are reliant on their UK insurance company transferring existing contracts to legal entities located in the EU, a more complicated process. Any change or backstop arrangement here is in the gift of the EU not the UK. I very much hope that we will see progress soon to deal convincingly on both sides with these transaction risks, and I welcome the process being established by Mark Carney and Mario Draghi to assist with this work.
Can I add here that if as insurance brokers you feel uncertain about the issue of contract continuity and on what you can place reliance, and thus the implications for contractual terms, please do come and talk to us and we will do our best to assist.
The FCA Business Plan for 2018-19
I want now to move on to highlight a number of the major themes in our Business Plan for this year. It is crucial that our work on Brexit does not prevent us from fulfilling our statutory objectives – the bedrock of what we do.
I am going to describe the 7 cross-sector priority areas that we have identified, based on assessments of where intervention can have the greatest impact, or where there is the greatest harm or potential for harm to our objectives. You will immediately see that some of these priority areas are more closely related to general insurance than others, so I will make this description fairly brief. I will then go on to focus on those which do relate closely to general insurance, providing more detail on these by drawing on our latest Sector Views publication as well as the Business Plan.
Let’s start then with the 7 cross-sector priorities.
- Firms’ culture and governance. We will continue to support and engage with firms to ensure their purpose, leadership, governance arrangements and approach to rewarding staff do not lead to harm to customers. Key work in this area includes finalising the rules for the extension of the Senior Managers and Certification Regime to all FSMA firms.
- High-cost credit. We have already taken action to protect potentially vulnerable consumers by putting in place new rules for high-cost short-term credit firms, as well as taking supervisory and enforcement action against credit firms who don’t meet our standards. This year we will consolidate this work by looking at alternatives to high-cost credit, focusing on solutions designed to increase choice and availability and barriers which may stymie these efforts.
- Tackling financial crime. We will do this by ensuring that firms have adequate systems and controls in place to prevent criminal activity occurring and that markets are not being used to harbour or facilitate financial crime and money laundering.
- Data security, resilience and outsourcing. Our work here focuses on ensuring that firms are more resilient to cyber-attacks and technology outages. One area we are focusing on is outsourcing arrangements, where the service provider supports many firms and so the impact of any disruption is magnified.
- Innovation, Big Data, technology and competition. FinTech and Big Data are transforming financial services. We will seek to maintain a regulatory environment where consumers and firms can maximise the opportunities of competition, innovation and Big Data while ensuring consumers don’t suffer harm as a consequence of those innovations. Particularly exciting over the coming months will be our work with fellow regulators on a blueprint of the global sandbox – in which innovative firms can test in multiple jurisdictions, minimising time to market.
- The treatment of existing customers. If competition is working well in a market, it should not overly disadvantage existing customers over new ones. Part of this is ensuring consumers are making informed decisions. We know, for example, that there are people who just renew their insurance automatically every year – how do we ensure they’re empowered to shop around and get a good deal?
- Long-term savings, pensions and intergenerational differences. The UK population is changing, and so are its financial needs. An ageing population, increased life expectancy and greater onus on consumers to manage their financial futures present challenges and possible harms. Areas like unsuitable pension transfer advice, effective competition in non-workplace pensions and savings adequacy work will be our focus here. This year we will also deliver a package of remedies as part of the Retirement Outcomes Review.
These priorities illustrate well the size of the landscape under the FCA’s remit and the scale of the challenges we face, but also why it is, for us at least, such an exciting plan to take forward.
Specific Business Plan Priorities for general insurance
I now want to move on and focus more on a couple of these priorities which are important, but not unique to general insurance, namely the treatment of existing customers and data use, security and resilience. I am going to start by briefly describing the key elements of our Sector Views as they relate to general insurance.
It almost goes without saying that general insurance is a very important sector both in its retail and wholesale forms. In many parts of the sector we see strong competition to acquire new business, which we welcome. In retail markets we have focused on switching rates as an indicator of competition and the fairness of pricing. In the personal lines market, just over a year ago we introduced rules requiring greater transparency from firms at renewal. We will be reviewing the impact of this requirement as more evidence becomes available.
We are also seeing the application of technological innovation to the business of general insurance. What lies behind quite a bit of this change is the ability of insurers to assess risk with more accuracy, thereby segmenting consumers and offering personalised products, thus prompting growth in on-demand insurance products. We expect to see further development of insurance products along these lines and likewise technological advances in the availability and analysis of data are likely to drive further innovation. This underlines the fact that insurance is by its very nature a data-hungry activity.
Operational resilience is a focus across our whole landscape, and rightly there is close attention on the risks from IT outages and cyber-attacks. Unauthorised loss or disclosure of customer data has also become a more significant issue, not least as a product of a number of high profile incidents some of which have originated in the financial services sector, others not.
I now want to move on to the issues highlighted in the Business Plan in relation to general insurance before spending the remainder of my time on one specific issue, data.
One of the most significant regulatory changes in 2018/19 will be the implementation of the Insurance Distribution Directive (IDD) which comes into force on 1 October 2018. The IDD will help reduce conflicts of interest and ensure firms act in consumers’ best interests.
The IDD should reduce the risk that firms will sell unsuitable products to consumers. It requires firms to identify the target audience for products to ensure they are designed to meet these consumers’ needs, and regularly review these products to ensure they continue to do so.
On other Business Plan issues, I want to start with the wholesale insurance sector. There have been significant changes in the sector. Recent years have seen brokers developing new services and business practices. Given these changes, we are exploring how well competition is currently working and whether it could work better in the interests of clients.
Last year we began a market study to assess whether brokers use their bargaining power to get clients a good deal, if any conflicts of interest exist and how broker conduct affects competition. We aim to publish our interim findings from the market study by the end of this year. This report will set out our analysis and preliminary conclusions, and any potential solutions to address identified concerns.
In the retail sector, I want to start with renewal pricing, an important issue. I am grateful for the work that BIBA is doing in this area, along with the Association of British Insurers (ABI).
We are currently in the midst of some work to better understand pricing practices in retail general insurance, focussing on home insurance. As with any work since the publication of our Mission, this will consider what effect current pricing practices have on particular groups of consumers, including vulnerable consumers. We expect to report our key findings in the third quarter of this year. Once we’ve concluded this discovery work, formalising the debate, we’ll assess whether we need to act to ensure future insurance pricing practices support a market that works well for its customers.
I am grateful for the work that BIBA is doing in this area, along with the ABI. As the guiding principles published by BIBA and the ABI last week indicate, insurance customers’ loyalty should not be penalised, and it’s essential that firms are fully implementing our rules on renewal disclosure.
Certainly our expectations could not be clearer, insurers and intermediaries need to ensure that they are treating all their customers fairly when selling or renewing cover.
The next subject to highlight involves the provision of insurance to vulnerable consumers. As noted in our Consultation Paper on Our Future Approach to Consumers, while not necessarily vulnerable, some consumers can find that they are inadvertently excluded from participating in financial services due to their specific characteristics or circumstances, or that firms actively do not wish to service them due to the perceived risk that they represent. When a consumer faces barriers accessing financial services this undermines their ability to take responsibility for their own financial security, which in turn potentially damages their longer-term wellbeing.
This summer, we will publish a Feedback Statement from our Call for Input on Access to Travel Insurance, which looked at the challenges for firms and consumers in providing and accessing fairly-priced cover for people with pre-existing medical conditions. We want to understand the market and consumers’ journeys better and use this as an opportunity for industry, regulators and consumer groups to work together to produce meaningful change for vulnerable consumers.
Our concern here is that the market for travel insurance appears to be segmented between more mainstream and specialist providers. The former may have a limited appetite to insure more serious medical conditions. Specialist providers are prepared to insure consumers with these conditions, and quite often at lower premiums based on a more in-depth risk assessment. But consumers may often be unaware of the lower premiums offered by specialist providers.
We are aware that at least 100 BIBA members advise that they can place travel insurance for specialist cancer cases. I think the issue is one of signposting, where to go to find it. But let me say thanks to BIBA for your ‘Find a Broker Service’. Our feedback indicates that it really does help, as does the agreement between BIBA, the ABI and the Government on access to insurers for older consumers. So, I think the issue is how to ensure the signposting is effective, and particularly in the area of price comparison websites. Our Financial Lives survey found that 76% of respondents use a price comparison website (PCW) when comparing different single trip travel insurance from different providers. I know that the PCWs do not belong to BIBA, and I am not going to venture into that field save to say that I hope we can all work together to improve the signposting. And, I should add that we used travel insurance as an important case study. The principle of good signposting should apply as a general matter for insurance for all consumers.
I want now to move on to the subject of data. As I mentioned earlier, Big Data is one of our priority themes. I am going to divide my remarks on data into two points: first, why the subject is important in insurance; and second, the issues we face today and the impact of the new EU data regulation.
Insurance by its very nature is a data-hungry business – the assessment and pricing of risk depends on good data on the insured. So, it should be no surprise that we see insurers very active in the Big Data and data-use field. My starting point is that the much expanded access to and ability to process that goes with Big Data has clear positives and some risks of harm. The positives come from better assessment and pricing of risk, and also that if – as is happening – it allows insurers to price risk on a more individual basis, rather than putting us in sub-groups. This can not only improve risk assessment, but also can create a virtuous outcome where if we are individually assessed, we are incentivised to improve our habits – say our driving if it can be directly observed – and this could be a good thing. We may drive more carefully if we can count the benefit of doing so in a lower premium. This doesn’t work so well if we are in sub-groups whose average behaviour we can do little to influence.
So far so good: less good is if greater access to data enables at least one of two outcomes. Suppose, hypothetically, our behaviour and the outcomes become highly predictable. That makes insurance less useful or even impractical. This may matter in areas like health insurance. We are some way away from that state of affairs I think. But suppose – as we have seen happen – more access to data allows an easier identification of those who do not observe their premium rate when renewing a policy. This could lead to unfair outcomes, particularly if the person is vulnerable and/or there is a risk of someone being financially excluded. That is a harmful and unwanted outcome.
Let me give one more example that we have also seen. Suppose the greater access to data allows more sophisticated data mining to price the risks of insured persons. But suppose that mining produces results which say that it is statistically significant that your risk will appear to depend on some observed data variable, but I can provide no plausible reason to explain that. This can be called correlation rather than causation (you can find an association between the two things but it is very hard to tell a convincing story about why it exists). A appears to lead B but I can provide no convincing reason why. I would contend that it is hard to explain to a customer that I am pricing them on this basis but I can't really explain why that should be so. I would think twice about doing this, but we have seen it happen.
I now want, finally, to move on to the broader debate on data. It's timely, with the EU GDPR coming into effect on 25th of this month. I am going to start with the GDPR.
What are the important features of GDPR? GDPR places more emphasis than before on those processing personal data being accountable for and transparent about the lawful basis for that processing; in other words, identifying the processing and explaining it to individuals. The notion of genuine consent is important here, namely that individuals have real choice and control for instance through positive opt-in rather than default mechanisms or pre-ticked boxes. Genuine consent builds trust and engagement, and thus the representation of firms. But there are other bases on which data can be processed, beyond consent which include contract requirements and legal obligations.
GDPR also places more emphasis on the rights of individuals in respect of their data. Individuals must, for example, be given more information than before about how their data are processed, be allowed access to their data and have more control about how they are used (including a new right of ‘portability’).
A number of principles underpin GDPR. Important here are responsibility and accountability and thus the role of governance in firms. Turning the principles into practice requires a more proactive approach on the obligations of controllers to and the rights of individuals. It requires contracts to be in place when using a third party data processor, but having a contract in place does not mean that the responsibility for compliance with GDPR can be outsourced. And last, but not in any way least, there is an important security principle around the protection of individuals’ data.
So, there we have the short version of GDPR. Let me now give a second perspective on this landscape. It draws on work commissioned by the Financial Services Consumer Panel and conducted by the Management Department of the London School of Economics (LSE). I am grateful to the Panel for sponsoring this work which is a valuable input. The perspective is very much on financial data, and is much more an assessment of the world as it is using structured surveys. It is the world into which the GDPR lands if you like.
An important and positive conditioning point is that the vast increase in the processing of data can lead to more innovation and competition in financial markets and can open the markets up to consumers. That said, the risks are that such processing can exacerbate information asymmetries, create conflicts of interest among commercial parties involved and can increase the risk of some consumers being excluded.
A key finding of the LSE work is that consumers don’t understand the value of their personal data, and therefore what ownership really means.
Let me offer a few thoughts on the issue of how each of us values our data. It is unsurprising that the value is little understood since the uses of data are changing so rapidly. Second, bad shocks can undermine the credibility and hence the value attached to data processing, and we have had quite a few of those – think loss of data incidents and misuse incidents. The attitudes that get formed can be highly contextual, over time, over the types of data, and the organisations using data.
The conclusion I draw from this is that it is unsurprising that consumers find it hard to put a value on their data. We should not base our protections on assuming that they do know this value. There is, however, a subtle but important distinction between whether consumers know the value, and what they value. The LSE study suggests individuals value privacy, but it is less clear what degree of privacy they expect and assume given the pace of change. But, many really value speed of access and expect it, the need for speed if you like. The trade-off between speed and privacy may be an example of the conflict between short-term rewards and longer-term goals. But if we come back to the GDPR and the theme of consent, the need for speed tends to suggest that the process of consent is viewed as tedious once the decision has been made to go ahead. This is a challenge.
This brings me naturally to the form of consent. GDPR puts emphasis on the importance of informed consent to share and use personal data. The LSE study found that terms and conditions (T and Cs) used were ineffective at explaining the intended use of data to customers, and did not leave those who read them much wiser, and in the testing done the T and Cs mostly were not read. The GDPR definition of consent as “freely given, unambiguous and informed”, or put another way a genuine choice which can be revoked, does not start therefore against a promising background.
Once again, the need for speed point is relevant here. And in the LSE tests, more than half of the participants believed that the consent they had given was uninformed. It begs the important question, namely what is informed consent in a world of large-scale data processing where speed is of the essence, and how can it operate in a world where the behavioural bias is to favour short-term rewards over longer-term goals? It is therefore welcome that in its recent Consumer Green Paper the Government set out its intention to improve the clarity of on-line Terms and Conditions.
The LSE study asks an important question which I will paraphrase as, if you don’t look at T and Cs, what do you rely on to make these choices? The answer is a form of what can be called the presumed wisdom of the crowd and third parties with a particular role to play, including regulators. In this, there is a high degree of social acceptance which draws on pre-existing assumptions of sources of protection. Thus, on-line reviews are an assumed source of protection, and therefore assumed to be unbiased. The regulatory environment shapes the form and scope of customer trust, and here I define regulation broadly. But it turns out that when probed, awareness of the specifics of the regulatory environment is at best very general. The risk here is immediately apparent, namely that the presumed compensating factors for the absence of scrutiny of the consent decision are not as well understood as they should be in that situation. Responsibility is therefore assumed to be transferred to a combination of suppliers and public bodies.
I am not going to attempt to summarise all of the FCA Business Plan in a shorter space than the description I have provided. But let me finish with a few reflections on the issue of personal data. The major expansion of data processors has complicated the line of sight for consumers on what is being done or can be done with their personal data. This major change forces judgement on issues that are hard to assess, such as how much do I value my privacy. Services that can appear to be free to consumers are typically not, but this forces to the forefront the difficult issue of what value, explicit or implicit, we put on our data. Closely following on is the issue of how a growing realisation of the value and security of our data leads to views on what is, and is not, acceptable in terms of the use of our data. This is important, because trust in the process of handling data is likely to be linked to the uses to which the data are put. The FCA is not the primary regulator in this field, that role is taken by the Information Commissioner. But our role in protecting consumers and in the integrity of markets inevitably means that we are focused on the use and misuse of personal data. Thank you.