Insurance companies are bracing themselves for disruption in their industry by investing in insurtech startups. In Asia, Singapore and Hong Kong are leading hubs for insurtech. Companies such as FWD and MetLife have made investments in insurtech solutions and innovation hubs. The growing focus on the sector means that investors and startups have to start grasping the legal issues for this burgeoning sector, including regulatory, data privacy and IP.
Insurtech has been a buzzword globally in recent months. Like fintech for banking and finance, it describes how technology can be used to create new businesses or increase revenue in the insurance industry. Startups making use of chatbots, apps, data and artificial intelligence can create, for example, more customised policies based on user data or cheaper products by refining the levels of risk of users. Insurance companies and other investors have noticed the potential of these insurtech startups and want to benefit from their innovations. Globally, investment in insurtech startups reached $1.7 billion in 2016.
A number of factors are driving interest into insurtech, including regional growth opportunities and supportive government initiatives. “The tremendous regional opportunity for insurtech has been driven by population growth, a rapidly emerging middle class and increasing smart phone penetration coupled by diminishing effectiveness of existing distribution and consumer expectations that extend beyond simple insurance products and into the risk management territory,” says George Kesselman, co-founder of InsurtechAsia.
“Insurance companies are looking to expand their market share,” says Grace Tan, partner in the insurance practice at Withers KhattarWong. “They are looking into underwriting opportunities away from traditional investment products.”
Singapore has taken a holistic approach and wants to target fintech/insurtech hub as a growth sector, with the Monetary Authority of Singapore rolling out initiatives such as enabling digitisation of insurance.
The legal risks of an insurtech investment include regulatory, IP and data privacy. “It is important to map out the landscape and jurisdictions where the insurtech will be employed. In each of these jurisdictions, investors need to consider whether there are any regulatory barriers to entry or even if there are none, whether any licensing is required, as this may also draw out timelines to launching their product or service,” says Stephanie Magnus, principal in the corporate & securities practice at Baker McKenzie Wong & Leow. For example in Singapore, investment activities by insurers are regulated under the Insurance Act and regulations under the Monetary Authority of Singapore (MAS). Insurers can invest in insurtech startups through equity or debt financing, subject to the requirements of the Insurance (Valuation and Capital) regulations, but the MAS may be able to relax certain requirements such as minimum paid-up capital and board composition through the fintech regulatory sandbox guidelines issued in November 2016.
Kesselman warns that insurers should be aware that if the investment in an insurtech startup creates a controlling share, the startup would be deemed to act under a proxy of the insurer and unless the startup has been subjected to the same stringent compliance standards as that of the insurer, it would increase the insurer’s regulatory and compliance risk.
“Regulatory constraints are mainly due to regulators trying to balance their responsibilities to grow the industry while safeguarding consumers,” says Kesselman. “Regulators are much more comfortable with a collaborative model where insurtech startups partner with incumbents to enhance their operational and customer experience capabilities. There is a lack of harmonisation across various regulatory environments. For example, if a startup passes a sandbox test in Singapore, it doesn’t mean it can passport that approval to ASEAN countries.”
“It is timely for Asia to consider some form of a passporting regime, where an insurtech platform that is licensed in country A could be allowed to offer its services in country B without any further licensing,” says Nizam Ismail, partner at RHTLaw Taylor Wessing. “Alternatively, regulators in Asia could consider a mutual recognition regime, whereby an insurtech company in country A could be deemed to be regulated by a regulator of equivalence by the regulator in country B, without the need for an additional licence.”
Ismail notes that regulators should adopt a risk-focused approach that applies a sliding scale of requirements depending on the risks of the insurtech platform. “There is no place for a one-size-fits-all approach to regulations in this day and age.”
“Data privacy and IP rights are very important when insurance companies perform M&A transactions,” says Tan. “Companies need to make sure the transfer of IP rights is done properly, especially in cross-border transactions.”
“It is important to look out for any non-disclosure agreements between parties involved or any confidentiality clauses in contracts which would help to ensure that any data exchanged between parties is suitably protected,” says Lim Ren Jun, an IP practitioner and colleague of Magnus at Baker McKenzie Wong & Leow. “Another issue would be whether the IP created by the startup actually vests in the startup itself, or whether contractual arrangements must be made between the startup and third-party developers to ensure that all IP rights flow back to the startup to preserve the value of the company.”
“From a data privacy angle, one of the key issues would be for insurance companies to ensure that the insurtech startups have obtained the relevant consents for the collection, use or disclosure of any personal data it has,” says Ken Chia, principal in the IT & communications practice at Baker McKenzie Wong & Leow. “In particular, given resource constraints, insurtech startups may not have necessarily prioritised data protection as a key focus. Personal data collected by an insurtech startup would typically be regarded as an asset of the startup.”
“Insurance companies should ensure that such asset is not tainted by potential liability,” adds Chia. “Determining the scope of consent obtained will also help assess whether the data can be transferred to and used by the new owner and whether it can be repurposed. Due diligence would be important in ensuring that post-acquisition, insurance companies are able to fully utilise the potential of the insurtech startups, including the use of any such personal data held by such startups.”
Cybersecurity risk is an area to watch for, especially with new regulation coming in for Singapore. “At present, cybersecurity in Singapore is governed by the Computer Misuse and Cybersecurity Act (CMCA), which sets out the framework for the prosecution of cybercrime. In addition, a new cybersecurity law is in the works,” says Lim. “The new Act is expected to complement the CMCA by instituting standards for incident reporting, audits and risk assessments. A draft of the new Act is expected to be published in the course of this year.”
As in any investment situation, employees are also an important part of assessment of whether to invest and should not be forgotten. “Employees are key. Investors should ensure that when investing, there are mechanisms in place to retain employees. These could include earn-out clauses or putting in place a suitable employee stock option plan,” says Magnus.
Insurance companies and those looking to invest into insurtech companies should be aware of the regulatory, IP and data privacy issues when participating in M&A transactions. With cybersecurity risk being a growing concern, it is also a threat investors should watch out for.