Digitalisation and broader innovation themes are a growing feature in the insurance sector. This is seen across the entire insurance ‘value chain’. It includes firms dealing with customers through digital channels, often now with no direct human interaction, through to back-end activities with a heavy reliance on technology. Many insurers and intermediaries also now have complex outsourcing and cloud dimensions.

Eoin Caulfield
The pace and nature of developments bring with them challenges for regulators. Legislators and regulatory authorities (the Oireachtas, the Central Bank of Ireland and relevant EU bodies including EIOPA) must assess whether a ‘rules based’ or prescriptive approach is always best. There is a trend among regulators towards embedding good culture in firms and enforcing a need for the best customer outcomes. There is a recognition that law and regulation, to the extent they mean detailed rules, cannot always keep up or be sufficiently future-proofed given the speed of change.
Regulatory initiatives
The Irish and European regulatory bodies have been active in seeking to understand the benefits and risks relating to technology and other innovation areas, and to legislate accordingly. It is a balanced approach. While the speed of change brings with it a broader good (and regulators fully accept this), it needs to operate within appropriate parameters.
An example of a risk-based approach, similar in ways to the Solvency II Directive, is the new Artificial Intelligence Act. Different aspects of a firm’s use of AI will now be stratified from ‘high’ to ‘low’ as regards end-user risk, and each is then regulated (to a greater or lesser degree) accordingly.
A similar approach can be seen in the new Digital Markets Act and Digital Services Act, which at the EU level will regulate online platforms. Many of the online platforms are expanding into cross-selling activities associated with insurance products. The value of data and client lists is obvious, but appropriate use is a key theme for regulators. This builds on areas like the GDPR. There is recent guidance from EIOPA and the Central Bank of Ireland on areas including data ethics, use of cloud and cyber risk.

Marguerite Sinnott
Best interests of customers
So-called ‘conduct standards’ are a new feature: they are put in place for firms but now also attach some direct obligation to customer-facing personnel and to those exercising management or other oversight. Examples are the Central Bank of Ireland’s proposed update to the Consumer Protection Code and its Individual Accountability Framework. The use of these standards aims to ensure, in a relatively light-touch but effective way, that a sufficient and customer-centric approach is always taken.
Much of the new regulation, such as the updated Consumer Protection Code, seeks at the same time to be ‘tech agnostic’. Regardless of how a firm gets to an end-sale, the sale should be fair. The psychology as a customer navigates through an app or platform must be carefully considered and must not lead to pre-determined conclusions (e.g. that a product is purchased rather than not). Broadly speaking, there must be equivalence of treatment regardless of whether selling is via a tech channel or a traditional physical presence. There is a need to ensure that no-one is left behind relative to technological advances. This includes regulatory requirements on the appropriate treatment of ‘vulnerable customers’ and the less tech-savvy generally.
DORA and related developments
Operational resilience in business models is a related area that is getting much regulatory focus. This recognises the increasing sophistication of insurer business models, both as concerns technology and at key pinch-points such as the use of outsourcing.
Firms will be preparing for the Digital Operational Resilience Regulation (DORA) which is new EU legislation effective from January 2025. DORA brings together provisions addressing digital operational risk, outsourcing, operational resilience, recovery planning and IT & cybersecurity risks.
The approach, recognising the international nature of these activities, has been to create a single EU statute that takes in all of these areas and operates in the same way for all Member States.
Apart from regulated financial services firms, including insurers, DORA brings into regulatory scope external service providers that are viewed as systemically significant. This includes, for example, having direct effect for the main cloud providers such as AWS, Azure and Google Cloud. They will now be regulated by a designated EU financial services regulator, in many ways just like an insurer or any other type of regulated firm.