What you need to know about the Hong Kong Insurtech regime?
InsurTech, the fusion of insurance and technology, has been rapidly transforming the insurance industry in Hong Kong, enhancing efficiency, customer experience and cost savings. This rising trend also involves legal challenges and regulatory considerations.
What are some of the key legal and regulatory issues that insurers and their technology business partner/s (“Tech Partner”) should be aware of?
Issue | Regulatory requirements | Factors to consider |
Does the Tech Partner need an insurance intermediary licence? | An insurance intermediary licence is required to carry out any regulated activities under the Insurance Ordinance Cap. 41.
Regulated activities include:
Material decision and regulated advice relate to making an application for insurance, continuance, renewal, termination, surrender, assignment of insurance, exercising any right under a contract of insurance, or making or settling an insurance claim. The concept of “arranging” is broad and includes actions that would bring a contract of insurance into effect. If a person collects a premium, the Insurance Authority (IA) may take the view that this is “arranging” a contract of insurance. Inviting and inducing would require an element of encouraging or persuading a person to enter into a contract of insurance; for instance, a push notification message offering a new insurance product. This contrasts with merely providing information, which is not considered “inviting or inducing”. The IA has issued several explanatory notes which can be accessed here. |
For Tech Partner:
Will your technology or platform be client facing or only supporting the insurer? Are clients able to purchase insurance through your platform or technology and will you be collecting any premiums? Will you be promoting any products or merely providing information? If licensing is required, will you be acting for the insurer (an insurance agency/agent) or for the client (an insurance broker)? |
Are there any requirements for the service/collaboration agreement? | GL14 Guideline on Outsourcing (“GL14”), issued by the IA, sets out requirements for outsourcing arrangements. “Outsourcing” refers to an arrangement whereby the service provider performs services that would otherwise be performed by the insurer, such as processing insurance applications, policy administration and claims processing.
Any material outsourcing (being any outsourcing arrangement which may significantly impact the insurer if it is disrupted or falls short of standards) must be notified to the IA at least three (3) months before the outsourcing arrangement commences. The insurer will need to address any concerns of the IA. If the IA does not raise any objections within the three months, the insurer may take it that the proposal is acceptable to the IA. GL14 can be accessed here. |
Do the services involve any outsourcing?
If so, is it material outsourcing? (significant impact on insurer) Does the outsourcing agreement comply with requirements of GL14? Has the outsourcing arrangement been notified to the IA along with supporting documents? |
Are there any requirements for cybersecurity? | GL20 Guideline on Cybersecurity, issued by the IA, sets out minimum cybersecurity requirements for insurers. GL8 Guideline on the Use of Internet for Insurance Activities also provides, among other requirements, that all practicable steps must be taken to ensure that a comprehensive set of security policies and measures that keep up with the advancement in internet security technologies is in place and that electronic payment systems (e.g. credit card payment systems) are secure.
Insurers are required to follow the Cyber Resilience Assessment Framework to carry out risk assessment and submit assessment reports to the IA. Insurers must also have a cyber incident response plan and need to report any cyber incidents to the IA within 72 hours of detection. GL20 can be accessed here. |
Does the new technology involve any cyber risks? If yes, what is the insurer’s assessment?
What are the ways of mitigating cyber risks with the new technology? What will happen if there is a cyber incident? How will the Tech Partner and insurer co-operate and respond to the incident? |
What are the requirements for personal data? | The collection, use, storage and access of personal data must comply with the Personal Data (Privacy) Ordinance Cap. 486 (“PDPO”), the Data Protection Principles (“DPPs”), and relevant guidelines issued by the Office of the Privacy Commissioner (PCPD).
Personal data must therefore be collected for a lawful purpose that is necessary and adequate (“DPP1”). Personal data must not be used for a new purpose unless with the data subject’s express and voluntary consent (“DPP3”). The data user must take all practical steps to protect the personal data they hold against unauthorised or accidental access, processing, erasure, loss or use (“DPP4”). There are also various other issues to keep in mind including:
|
Will the technology collect or use any personal data?
Will the Tech Partner be processing any personal data for the insurer; and if so, does the contract make clear the security measures to be adopted, the return of personal data, etc. as required by the PDPO and the Outsourcing Leaflet? Is there any transfer of data overseas; and if so, are there additional measures for protection of personal data? Is AI involved and if so, has the Model Framework been complied with? Is cloud computing involved and if so, does it comply with CC Guidance? |
The above table is by no means exhaustive and there may well be other legal and regulatory issues arising from novel application or use of technology in the insurance sector. As such, for insurers (and any insurance brokers and insurance agencies) using InsurTech solutions – as well as their Tech Partners – it is important to properly assess the legal and regulatory framework for use of the technology, particularly given the rapidly evolving regulatory landscape.
