Latham lawyers explore the latest insurtech trends and regulatory developments impacting the sector in Europe and Asia.

Disruptive technology is revolutionizing insurance, enabling insurers to achieve growth by leveraging big data and creating innovative solutions to enhance customers’ digital experience. We are pleased to launch Insurtech Insights, a series of webcasts to discuss the most recent trends in the insurtech space and how to navigate regulatory developments.

The French Data Protection Authority’s white paper discusses how companies can comply with data privacy and security obligations.

By Christian F. McDermott, Myria Saarinen, Calum Docherty, Charlotte Guerin, Jiou (Alex) Park, and Amy Smyth

The use of card, contactless, and innovative digital payment solutions has significantly increased in recent years, fueled by the immediate impacts of the ongoing COVID-19 pandemic and the longer-term growth of e-commerce and open banking. In this context, the legal and regulatory environment around payment data is no longer limited to traditional actors in the banking sector or the long-established ambit of banking secrecy rules. As such, stakeholders from fintech startups to established technology giants face an increasing patchwork of compliance obligations.

The FCA is considering whether alternative data could introduce new risks to market integrity.

By Rob Moulton, Fiona Maclean, Stuart Davis, and Charlotte Collins

The FCA’s recently published Insight article explores how alternative data might give rise to market abuse risks. The article reports a significant increase in spending on alternative data in recent years, leading to questions about whether access to such data might provide recipients of the data with an unfair informational advantage over other market participants.

While traditional sources of data, such as a company’s financial statements, may contain inside information and must be treated appropriately before they are made public, the position of alternative data is less clear-cut. Alternative data does not come from the company itself, and may derive from (or be extrapolated from) a number of sources. It may allow those with access to know things about a company that others in the market do not know, or that the company itself does not know. This can be true even where, as is frequently the case, the pool of structured and unstructured data fed into the analytics engine is itself in the public domain. Such information could clearly provide trading opportunities that put its holder at an advantage over other market participants.

A key example of where alternative data has raised concerns recently is in relation to so-called “secret polling”. The government has had exchanges with the FCA concerning the potential use of private polling data to obtain a trading advantage in advance of election results. The regulator’s view is that, while the Market Abuse Regulation (MAR) might be engaged by such activities, MAR would only apply if the underlying information were to constitute inside information. This is unlikely to be the case, unless the information met the MAR recital 28 test of information “routinely expected by the market” to be published, such as weekly BBC opinion polls. Therefore, MAR does not restrict the sharing of polling information that is not inside information. However, this position clearly raises political questions of fairness, as those able to pay for and access the data may well gain an advantage in the market, and those providing the data may not understand the use to which it will be put.

Insights from Latham’s flagship event: Managing the risk and promise of digitisation in financial services.

By Fiona Maclean, Stuart Davis, and Alistair Wye

In a bid to keep pace with rapid advances in cloud adoption across financial services, regulators have published a raft of new guidance in the past year. Most recently, the European Insurance and Occupational Pensions Authority launched guidelines for insurers and reinsurers on outsourcing to cloud providers in July 2019, while the European Banking Authority (EBA) published updated guidance on outsourcing that came into effect on 30 September 2019, covering both cloud and other outsourcings.

We discussed some of the challenges facing financial institutions in the evolving area of cloud compliance at our recent event entitled Balancing the Scales: Managing the Risk and Promise of Digitisation in Financial Services. One key issue highlighted in the discussion is that the new EBA guidelines do not contain an overarching split between cloud and non-cloud arrangements, and there are no general exclusions or exceptions for new entrants or FinTech providers. Entities subject to the EBA guidelines will therefore face additional administrative burdens that they must balance with the need to stay ahead of the competition.

As several PSD2 deadlines approach, PSPs must comply with reporting and notification requirements, as well as with their GDPR obligations.

By Christian F. McDermott, Fiona M. Maclean, and Jagveen Tyndall

Though the majority of the provisions relating to the revised EU Payment Services Directive (PSD2) came into force in the UK on 13 January 2018, the regulatory technical standards (RTS) on strong customer authentication (SCA) and common and secure communication will apply from 14 September 2019. The FCA has issued a helpful reminder setting out some important deadlines that payment service providers (PSPs) must meet to be compliant.

Application Programme Interfaces

PSD2 allows third party providers (TPPs) to build payment service infrastructures upon the existing platforms of financial institutions; such institutions must provide TPPs with access to client account information via open application programme interfaces (APIs). Financial institutions seeking to enable such access can do so by either constructing dedicated interfaces built on these APIs or through adjusting existing customer interfaces. In both instances, such interfaces and their accompanying customer authentication measures must be in place by 14 September 2019.

GDPR and PSD2 are two legal initialisms that have both generated a great deal of press coverage in recent months, but they are seldom considered together.

By Christian F. McDermott, Calum Docherty and Brett Carr

There were around 122 billion non-cash payments in the European Union (EU) in 2016, with card payments accounting for 49% of all transactions, and the trend is continuing: UK Finance recently reported that UK debit card payments overtook the number of cash transactions for the first time in the final quarter of 2017. As Europeans increasingly swap cash for cards and live their lives online, businesses have tremendous opportunities to take advantage of the vast amount of personal data generated by the increased use of payment services.

FCA Chair hints that new regulation addressing data ethics in the FinTech space may be on the horizon.

By Nicola Higgs, Fiona Maclean and Terese Saplys

Will societies of the future be ruled by algocracy, in which algorithms decide how humans are governed? Charles Randell, Chair of the Financial Conduct Authority (FCA) and Payment Systems Regulator, addressed how to avoid this hypothetical scenario in a broad-ranging speech that he delivered on 11 July 2018 in London.

Randell’s Remarks

Contributing Factors to an Algocracy

According to Randell, the following three conditions could collectively give rise to a future algocracy:

By Christian McDermott, Calum Docherty, Stuart Davis and Anne Mainwaring

The European Banking Authority (EBA) has published its consultation document on security measures for operational and security risks under the revised Payment Services Directive (PSD2).

The WannaCry ransomware attack that swept across the globe last week revealed the destructive and indiscriminate nature of cyber threats. It hit hospitals, telecoms networks and universities, encrypting important data and leaving users and systems administrators temporarily powerless. These are precisely the risks that the payments industry wants to avoid as it braces for the revised PSD2, which will apply across the EU from 13 January 2018. To that end, the EBA has published a consultation paper on security measures for operational and security risks under PSD2, setting out proposed requirements for payment service providers (PSPs) to mitigate the associated payment processing risks.

The consultation paper is one of the EBA’s three security mandates under PSD2, complementing the Regulatory Technical Standards on Strong Customer Authentication and Common and Secure Communication (submitted to the European Commission for adoption on 23 February 2017) and the Guidelines on Major Incident Reporting (whose consultation recently closed).