The use of technology in General Insurance – a compliance perspective

The use of technology in general insurance is increasing at a cautious pace due to the perceived lack of regulatory guidance or guardrails.

APRA guardrails

In respect of the General Insurance industry, it’s more likely that APRA, rather than ASIC, will shape the governance of technology use. Having said that, the influence of ASIC will continue to be significant at the operational level, especially for insurance brokers.

We have already seen the influence of CPS 234 (Information security) on the industry, and more so of CPS 230 (Operational risk). APRA-regulated insurers are responsible for their service suppliers, so the Prudential Standards have a cascading effect, leading to industry change for insurers and their underwriting agencies, TPAs and other service suppliers. A similar situation exists for Lloyd’s coverholders, because UK regulations and governance apply to Lloyd’s underwriters.

ASIC recently released REP 798 Beware the gap: Governance arrangements in the face of AI innovation (29th October 2024).

ASIC reviewed how 23 AFS licensees and credit licensees are using and planning to use artificial intelligence, how they are identifying and mitigating associated consumer risks, and their governance arrangements. The report outlines the key findings from that review.

ASIC commented that, on the whole, the way licensees used AI was quite cautious in terms of decision-making and interactions with consumers: AI generally augmented rather than replaced human decision-making, and there was only limited direct interaction between AI and consumers.

From a regulatory compliance perspective, blending human expertise with the efficiency of technology appears to be the sensible approach in the short to medium term. As a rule of thumb, the more severe the consequences of non-compliance, the greater the involvement of people that is warranted in technology-driven processes and decision-making.

The theme of ASIC’s report was that ‘(t)he maturity of governance and risk management did not always align with the nature and scale of licensees’ AI use’ (finding 7).

This supports an APRA-driven approach to governance: start with insurers and allow the changes to cascade downstream to service suppliers and throughout the industry.

Regulations are technology neutral

It’s important to note that financial services laws are technology neutral. The AFSL general obligation to provide financial services ‘efficiently, honestly and fairly’ is indifferent to whether human or technological means are used to provide the financial services, provided the overarching obligation is met. This is supported by the AFSL adequate resources general obligation, which requires AFS Licensees to have adequate resources (that is, adequate human, technological and financial resources) to provide the financial services. This requirement does not apply to APRA-regulated insurers, as their obligations in this respect are covered by Prudential Standards such as CPS 234 and CPS 230.

Technology and the law – General insurance: where to start?

The starting point should be Australia’s AI Ethics Principles.

Australia’s 8 Artificial Intelligence (AI) Ethics Principles are designed to ensure AI is safe, secure and reliable.

They will help:

  • achieve safer, more reliable and fairer outcomes for all Australians
  • reduce the risk of negative impact on those affected by AI applications
  • businesses and governments to practise the highest ethical standards when designing, developing and implementing AI.

As ASIC identifies in REP 798, ‘(t)here are a number of resources that licensees can draw on as they deploy AI, such as the recently issued Voluntary AI Safety Standard’. This standard gives practical guidance to all Australian organisations on how to safely use and innovate with AI.

International resources are also useful, such as the Digital Operational Resilience Act (DORA), which applies in the European Union.

DORA is a regulation introduced by the European Union to strengthen the digital resilience of financial entities. It entered into application on 17 Jan 2025 and ensures that banks, insurance companies, investment firms and other financial entities can withstand, respond to, and recover from ICT (Information and Communication Technology) disruptions, such as cyberattacks or system failures.

DORA brings harmonisation to rules relating to operational resilience for the financial sector, applicable to 20 different types of financial entities and ICT third-party service providers.

It is important to note that Category C APRA-regulated insurers must comply with CPS 230; however, DORA provides a sound base.

Technology as a compliance control

When testing the use of technology in a production environment, it’s important to confirm that the technology enables you to meet your regulatory and Code obligations.

Many insurance brokers are adopting automation to meet the informed consent requirements for insurance commissions, effective 9th July.

The question I’m often asked is whether brokers can use automation to provide the consent information notice to retail clients. The answer is yes, provided you meet your obligations under the regulation.

Given the re-election of the government at the recent Federal election, it’s likely that the 2nd tranche of Privacy Act changes will proceed. These changes will impose additional requirements on general insurance firms where technology is used to collect, manage and use customers’ personal information. In addition, from 11 December 2026 your Privacy Policy must disclose the instances where personal information is used in a computer program that makes a decision.

Further assistance

The increasing use of technology in General Insurance does not reduce the requirement to comply with financial services laws (or Industry Codes). Contact me, Paul Muir, should you require assistance in ensuring the ongoing adequacy of your compliance measures as your business adopts automation and AI.


Disclaimer: Reproduction of statements made in this article by media outlets, whether in full or in part, is strictly prohibited without the written express consent of the author. The views, opinions, and positions expressed within this article are those solely of the author and Compliance Advocacy Solutions Pty Ltd and not the views of other individuals, companies or organisations they may be affiliated with. The author and Compliance Advocacy Solutions Pty Ltd make no representations as to accuracy, completeness, currency, suitability, or validity of any information in this article and will not be liable for any errors or omissions or any loss or damage arising from its use or reliance. This article is intended for educational and informational purposes only and should not be relied upon as professional legal advice.