Regulation: Jan 2017

Regulation of the insurance and legal markets continues to be a minefield for many in the market.  What changes are coming in the next few months?

1. Financial Conduct Authority

The FCA is currently consulting with a wide range of questions to ask for views on their role as a regulator, with responses due by 26th January 2017.  This comes after the Treasury Select Committee said in the summer that there was a strong case for separating enforcement from the FCA into an independent body, which the FCA does not necessarily agree with.

In the meantime, one of the FCA’s priorities which directly affects insurance is ‘Innovation & Technology’, where a ‘Regulatory Sandbox’ (a place to test new ideas with regulatory requirements) is being launched – though news in November shows only one idea has been put through*.

The FCA also has a call for input on Big Data open, which will contribute towards their first detailed study of this area, including how the regulatory framework affects its development and how it affects competition and consumers.

What we are keenly waiting to see is the impact of the transfer of the regulation of claims management companies (CMCs) from the MoJ to the FCA, after the Government accepted Carol Brady’s recommendation in her review of the CMC market.  This is likely to complete in 2018 (see Other Civil Justice article).

2.  EU DPA Directives

The proposed EU General Data Protection Regulation will provide a single pan-European data protection regime, and will apply from May 2018.  In many respects this is expected to be little more than a tidy up of areas on which there have been technical disagreements.  The Regulation will impact the industry’s counter fraud response in several ways, including:

• Enhancing the responsibility and accountabilities of organisations that process personal data.
  
  
• Requiring organisations processing personal data to appoint a Data Protection Officer (DPO) who must act as a “mini-regulator” within the organisation, ensuring compliance with the new Regulation, and with a legal obligation to notify all data breaches to the supervisory authority (ICO). There is currently no de-minimis reporting level, with all breaches to be notified to both the supervisory authority and affected data subjects as soon as the DPO becomes aware of the breach.
  
  
• Implementing requirement to obtain explicit consent for data processing.
  
  
• Codifying the ”right to be erased”.
  
  
• Increasing the penalty for breach to the higher of €100 million, or 5% of global turnover, albeit that an initial warning may be given for a first and non-intentional non-compliance.
  
  
• The timing of Brexit could be interesting, given the expected date of legislation coming through, however the UK is very unlikely to adopt a different stance to what is agreed so far in the Directives.

3.    Private investigators

Regulation of the private investigation industry was due to come into effect in 2014, and there was considerable ambiguity over the extent to which insurer and supplier teams would be captured by the provisions.  Two years later and it appears the answers are still far from being provided.  We continue to monitor and will inform clients if any progress is made, however with all the other market reforms taking place, we suspect this is at the back of a very long queue.