2020 INSURANCE REGULATORY OUTLOOK FROM DELOITTE: STATUS QUO NOT AN OPTION FOR INSURERS: The Deloitte Center for Regulatory Strategy, Americas prepares a cross-industry series on the forthcoming year's top regulatory trends, eyeing some of the issues that will have a significant impact on businesses: We excerpt liberally from the text....

* With the increasing prevalence and effectiveness of technology around the globe, the status quo is no longer an option. To keep up with the pace of change, the insurance industry should continue evolving its approach to keep up with the myriad of challenges that it is facing, and more importantly, the opportunities that it can take advantage of in this 4th industrial revolution. Regulatory, legal, and compliance functions are being asked to do more with less, while grappling with new and emerging challenges that stem from the near ubiquitous use of advanced technologies to meet the increasing cost pressures and need to deliver value beyond limitations with traditional approaches to testing, monitoring, analysis, and supervision.

In this digital world, new threats are emerging along with new laws and regulations to help protect consumers and the markets. Regulators, both domestic and foreign, are focused on data privacy protections to mitigate the risks that result from improper collection, handling, storage, and use of data. Cyber threats continue to become more sophisticated and more damaging, putting even more urgency around developing protections from bad actors, both external and internal.

Against this backdrop, insurance companies should continue to modernize and rationalize their regulatory, legal, and compliance functions and their practices. Insurance companies that take a holistic view of regulatory risk management may find efficiencies that can lead to streamlined and rationalized programs. A modernized compliance function can help insurance companies achieve compliance as efficiently and effectively as possible by "thinking forward" and then harnessing the leading available compliance practices and technologies to comply with current and future regulatory requirements. Some companies are even looking at their regulatory and compliance risk management programs as a competitive differentiator that enables them to be more nimble in the marketplace.

Regardless of how the changes promulgated by lawmakers and regulators affect insurance companies, it is imperative that they continue to modernize and rationalize their regulatory, legal and compliance risk management programs so that they can meet applicable laws, regulations, and oversight and monitoring expectations in a sustainable, proactive, and cost-effective way.


Insurers have spent a lot of time and money preparing to comply with the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). But have they done enough?

The immediate concern, particularly for those subject to the new CCPA once enacted, is implementation and execution of compliance plans. Have insurers done enough to meet the new standards and avoid potential stiff penalties and reputational damage, or are there elements they have overlooked? What course corrections still need to be made?

Looking ahead, insurers need to brace themselves for additional regulatory initiatives. For example, New York is debating its own stringent privacy rule that goes further than either GDPR or CCPA by establishing insurers and other data collectors as information fiduciaries and allowing private causes of action.

The good news for organizations with a global footprint is that much of the effort that has gone into GDPR compliance overlaps with what needs to be done for CCPA (see figure 10). Also, the European Court of Justice recently ruled that the GDPR's "right to be forgotten," which allows individuals to ask that their personal information be removed from websites, news articles, and databases, cannot be applied outside the European Union. In essence, this means such a right will not exist in the United States without federal or state laws mandating it, easing the burden on insurers with US operations.


Many insurers are struggling to meet the new regulatory requirements because their siloed legacy systems lack integration. The overwhelming volume of data being maintained can also be a problem. Insurers should consider establishing a more comprehensive information governance program that addresses these and other data management and privacy challenges, not just to meet compliance standards, but also to enable better business decisions and actions.

One potentially helpful approach is data minimization, which involves setting protocols to automatically flush superfluous information on a regular basis. Insurers are learning that one of the leading ways to protect sensitive information from a breach is to carefully and legally discard that information when it is no longer needed for legal or business reasons.

Insurers should also realize that regulatory compliance is only half the story. From a business perspective, insurance companies should consider increasing their engagement with customers to better utilize all the new data at their disposal--for the mutual benefit of the company and the customer. Treating data as a tradable asset that consumers knowingly and willingly exchange for something of value could be turned into a competitive advantage.

Key questions to ask

Insurers need to know exactly what and where data about specific consumers is being stored, how complete and accurate it is, and how it is being used and protected. They should also ask themselves:

* Do we have the appropriate leadership, structure, capabilities, resources, collaboration, and support to manage data privacy risks in the context of our business model and goals?

* Have we organized our compliance and privacy functions to best provide support for, and oversight of, our business and operations?

* How do our information governance programs and capabilities stack up against industry standards and our industry peers?

* What new uses and technologies for data are planned, and how might we engage with customers more effectively to access data in return for added value?

* Does our chief privacy officer have the skills and stature to coordinate privacy and data governance efforts across the organization--and to positively affect...
