A few years ago the financial sector and its regulation underwent a wholesale overhaul, which ultimately culminated in what we now call the Twin Peaks model of regulation. Under the Twin Peaks model of supervision, the Insurance Act was promulgated with certain aspects enforced by the Prudential Authority (PA) and others by the Financial Sector Conduct Authority (FSCA).
The Policyholder Protection Rules (PPR), enforced by the Financial Sector Conduct Authority (FSCA), are by far the most far-reaching piece of regulation for insurers. They affect not only insurers but also brokers and intermediaries, policyholders, members of a policy or scheme and, ultimately, the beneficiaries of the benefits provided under a policy. The PPR are made up of 21 Rules focused on achieving fair outcomes for all of these stakeholders, but first and foremost for the policyholder and its members. Please view our PPR info-guide here.
The PPR impose greater stringency across the insurance sector and make the insurer responsible for a number of regulatory requirements, including the maintenance of comprehensive, accurate databases of members. As much as the rules benefit and protect the policyholder, they create operational challenges for the insurer. Compliance with the rules carries an administrative cost, and insurers rely heavily on policyholders to help ease that burden and to assist with data compliance and management. That said, policyholders can be assured that they and their members enjoy better protection as a result.
Adding to insurers' regulatory compliance burden is the Protection of Personal Information Act (POPIA), which governs privacy. Where the PPR require us to delve deeper into the details of our policyholders and members, POPIA requires that we do so without compromising the privacy of those individuals. To communicate meaningfully with policyholders and with members of group schemes, insurers need certain information about them from the retirement funds or employers concerned. The PPR require that, at the very least, insurers hold the policyholder's name, identity number and contact details, including email addresses and cell phone numbers where available. This information is personal in nature and is subject to POPIA.
In this regard, the new PPR require an insurer to have an effective data management framework in place. The data protection management framework envisaged in the new PPR should include appropriate strategies, policies, systems, processes and controls for the processing of policyholders' personal information. In terms of POPIA, insurers may not use the data for any purpose other than those stipulated in the agreement entered into with the retirement fund or employer. This may mean that data sharing agreements have to be put in place even between entities within the same group. Even where the processing of members' personal information is outsourced to third parties, it remains the insurer's responsibility to conduct due diligence on those third parties to ensure that they comply with the insurer's own data protection obligations.
The practical consequence for insurers is that where they cannot obtain and maintain information in the manner the regulations envisage, policies will have to be terminated or new business turned away, since doing business outside of compliance puts the insurer's operating licence at risk. Engagements with the regulators are ongoing to highlight the difficulties insurers face on the items that are problematic.