Consumer Data Right presents new legal risks and challenges for insurers.
Consumer Data Right (CDR) gives a consumer more control over their information, enabling them to access and share their data with accredited third parties to obtain better deals on everyday products and services. The Australian Government sees the CDR as central to driving competition in the market for key services, including by making it easier for consumers to compare offerings and switch between providers.
CDR is an economy-wide reform that has already been rolled out in the banking and energy sectors. The implementation of CDR in the insurance sector is fast approaching.
To keep ahead of these changes and to achieve best-practice compliance, it is important that you are aware of the risks and receive advice on how they may affect you.
In particular, this article addresses key legal challenges including compliance with the CDR Rules, information security, policy comparisons, technology capability, and Australian Financial Complaints Authority (AFCA) pricing. Challenges experienced during the roll-out of CDR in the banking sector are also identified.
Any person who wishes to collect or use CDR data to provide products or services to consumers will require data recipient accreditation.
Therefore, insurers must meet the accreditation requirements stipulated in the Competition and Consumer (Consumer Data Right) Rules 2020 (the Rules). These obligations can be onerous and failure to comply may result in sanctions. To receive accreditation, an applicant must:
Section 56EO of the Treasury Laws Amendment (Consumer Data Right) Act 2019 (the Act) states that each person who is an accredited data recipient must take the steps specified in the Rules to protect the CDR data from misuse, interference, loss, unauthorised access, modification or disclosure. This is a civil penalty provision (section 56EU). Therefore, if the insurer fails to follow these steps, they may be sanctioned.
Applicants must also have internal dispute resolution processes that meet the requirements set out in the Rules for their sector. Currently, Part 5 of Schedule 3 covers the banking sector, and Part 5 of Schedule 4 addresses the energy sector.
Once CDR is introduced into the insurance sector, the Rules will presumably be updated to include the internal dispute resolution obligations for insurers. Therefore, accredited insurers must be aware of such legislative amendments and ensure compliance with any updated rules.
Notably, the Accreditor may suspend or revoke accreditation in certain circumstances including where:
Consequently, it is vital that once accredited, insurers continue to meet their obligations under the Rules to avoid the suspension or revocation of their accreditation.
The Office of the Australian Information Commissioner is generally supportive of the strategic vision for CDR in insurance (also known as open insurance), which aims to deliver benefits to consumers and drive innovation and competition by increasing data flows across sectors. However, these benefits do not come without practical risks, particularly to information security and privacy.
Division 5 of Part IVD of the Competition and Consumer Act 2010 (Cth) creates a set of legally binding privacy and confidentiality rights and obligations with respect to CDR data through thirteen Privacy Safeguards. The Safeguards are supplemented by the CDR Rules, which set out what an accredited data recipient must do to comply with each Safeguard. The Safeguards apply to an accredited data recipient notwithstanding the Australian Privacy Principles.
For example, to receive accreditation, an applicant must have processes in place to adequately protect data (rule 5.12(1)(a)). Schedule 2 Part 1 of the Rules outlines the steps an applicant must take to ensure the security of CDR data. This includes implementing a formal controls assessment program as well as managing and reporting security incidents.
Furthermore, Schedule 2 Part 2 of the Rules sets out the minimum information security controls. For example, an accredited data recipient of CDR data must take steps to secure the network and systems within its CDR data environment, such as by using firewalls and data segregation.
Failure to comply with the Rules in Schedule 2 may result in a civil penalty.
A challenge facing the implementation of CDR is the lack of standardisation of key terms used in insurance contracts and policy documents. These definitional inconsistencies are commonly viewed as a barrier to conducting product comparisons and would likely hinder the expansion of CDR in the insurance sector.
When insurers define key terms differently, consumers are placed in a confusing position and are prevented from making informed decisions when comparing insurance policies. Consequently, key consumer advocate bodies have lobbied for standardised definitions in numerous reports and submissions. Insurers should therefore stay alert to any reforms to the insurance industry, specifically in relation to the clarification and standardisation of key terms and definitions.
One of the biggest challenges facing insurers looking to implement CDR is their lack of ecosystem capabilities. Similar barriers were experienced in the banking industry.
Insurers are encountering obstacles when attempting to develop the technological foundations required to generate value from their ecosystem approaches. Although a majority of insurers believe they retain the requisite ecosystem skills and resources, research indicates that many insurers are significantly overestimating their readiness.
As such, insurers will need to:
AFCA can consider complaints made about insurance products. For example, a consumer can make a complaint about a fee, premium, charge, or interest rate if that cost was incorrectly applied, not disclosed, or misrepresented to the consumer. This may present a challenge for the implementation of CDR, as the increased availability of data could result in inappropriate price optimisation practices. Consequently, consumers may be placed in a situation where they cannot access insurance claims or challenge their premium increases.
The General Insurance Code of Practice (the Code) imposes a range of obligations on insurers who have adopted the Code. The General Insurance Code Governance Committee (the Committee) independently monitors the Code to ensure insurers comply with their obligations.
If an insurer adopts the Code and subsequently breaches it, the Committee may impose sanctions under Part 13 of the Code.
The rise of open banking offers insurers valuable insights into how CDR is likely to affect them. For example, business models will need to change. Open banking has forced banks to find new ways to engage with customers, and open insurance will put similar pressure on insurers. Insurers will need new business models that enable them to thrive in this environment.
After the launch of open banking in Australia, banks were met with a range of challenges. Key issues included the complexity of the Rules, customer education, compliance, and cost.
The significant costs associated with accreditation presented a barrier to implementation. In a submission paper to the Australian Competition and Consumer Commission, FinTech Australia recognised that ‘many Australian FinTechs were unable or unwilling to take the time, and incur the expense, to become accredited data recipients under the CDR Regime.’ It was estimated that achieving accreditation would cost as much as $250,000.
Moreover, a lack of education and knowledge around open banking has made consumers less likely to consent to their data being shared. To avoid a similar pitfall, insurers should educate consumers on how CDR can improve the management and control of their insurance.
There are many practical challenges facing insurers ahead of the implementation of CDR. As such, early engagement and mapping out of issues will be crucial to ensure a successful roll-out.
Matthew Bode, Partner