This is the first part of a two-part analysis of the top ten insurance regulatory developments in 2020 by Locke Lord lawyers. The first part covers COVID-19, Insurtechs, Data privacy, Racial equality and Pharmacy benefit managers. ºThe second installment, on January 26, will analyze Antitrust, Captives, Service Contracts, Travel Insurance and Surplus Lines.
COVID – 19 Pandemic Turmoil
The COVID-19 pandemic had serious adverse consequences for virtually all US companies, including insurance. While business interruption insurance coverage litigation has dominated this year’s insurance news and the impact on property and casualty insurers who write this type of coverage and their insured business customers, state insurance regulators have also faced important challenges in after the pandemic. Their responses included:
- Impose moratoriums on cancellations and non-renewals of certain types of insurance policies for non-payment of insurance premiums by policyholders based on financial difficulties related to COVID-19
- Requiring deferral of insurance premiums collection by insurers
- Require auto insurance premium reimbursements based on reduced risk exposures because of government home emergency state orders
- Facilitating remote testing and licensing of insurance agents
- Facilitating the use of electronic signatures, remote online notaries and telehealth
- Demanding cost-sharing exemptions (deductibles and co-payments) on health insurance policies for COVID-19 tests
- Require early refills of controlled drugs covered by health plans
- Suspension of deadlines for insurance claims and appeals
- Examining network adequacy requirements for health insurers
In short, the state’s insurance regulators reacted quickly and skillfully to the challenges spurred by the pandemic faced by the insurance industry and the insurance clients they protect.
On the federal side, the US House of Representatives in May introduced the Pandemic Risk Insurance Act (“PRIA”), modeled after the Terrorism Risk Insurance Act of 2002, as amended (“TRIA”). PRIA was characterized by Congresswoman Maxine Waters as “a reinsurance program similar to the [TRIA] for pandemics, limiting the total insurance losses that insurers would face. ”PRIA would require participating insurers to” provide “insurance coverage for a” covered public health emergency “, which includes” any outbreak of infectious disease or pandemic “on terms that do not differ materially from the terms applicable to losses arising from others Like TRIA, participating insurers would need to satisfy individual and industry-wide deductibles before requesting federal reimbursement for losses. Critically, however, as currently contemplated, participation in the Pandemic Risk Insurance Program would be voluntary in nature, while TRIA is a mandatory program applicable to certain commercial property and accident insurance policies.
InsurTech’s growth and regulatory reaction
Despite, or perhaps because of the COVID-19 pandemic, no area of technology was hotter than insurtech in 2020. With several companies going public through SPAC transactions (Clover and Metromila) or direct listings (Limonada, Raiz and OSCAR), as well as investments that value others at well over a billion dollars (Hippo), insurtech quickly moved from niche to mainstream, fueled in part by the industry’s focus on automation, efficiency and digital platforms that allowed them to scale despite the restrictions of COVID-19.
Recognizing the rapid development of technology-enabled insurance platforms, the National Association of Insurance Commissioners (“NAIC”) responded with both reforms to previously outdated laws that inhibited these insurtech business models and increased the focus on potential future regulation of big data, artificial intelligence, machine learning and accelerated insurance underwriting.
On the reform side, NAIC updated the language in its Unfair Business Practices Act Model on anti-discounts and incentives that previously restricted almost all discounts and incentives to allow the provision of certain services and items at reduced or no cost, if such items or services result in risk mitigation, along with other accommodative reviews. This change has been the focus of insurers for several years and would allow, for example, a commercial insurer to offer its policyholders a free water leak detection system as a way of mitigating damage by pipe rupture.
With regard to increased regulation of insurtechs, while NAIC has not adopted or recommended any specific model of law or regulation with respect to artificial intelligence and machine learning, the Big Data and Artificial Intelligence Working Group has adopted the “Principles of AI “, highlighting the five principles he will use in assessing AI regulation, that is, that the use of AI by the insurance industry must be (i) fair and ethical, (ii) responsible, (iii) compatible, (iv) transparent and (v) safe, secure and robust. In addition, the NAIC Producer Licensing Task Force is finalizing a white paper on the role of chatbots and artificial intelligence (AI) in insurance distribution and the potential need for regulatory oversight of these technologies, something that the insurtech industry will do be intensely focused in 2021, especially in light of California’s recent adoption of BOT Aja. Likewise, Casualty’s Actuarial and Statistics Task Force adopted a white paper on the regulatory review of predictive models, while the Accelerated Subscription Working Group continued its work on developing regulatory guidance on the use of external data and analysis of data in the accelerated life subscription.
Expansion of the Data Security and Privacy Regulation
California Consumer Privacy Act
Like all other companies that collect or receive non-public consumer information about California residents, the insurance industry will be affected by the California Privacy Rights Act (“CPRA”). CPRA, which was adopted in November 2020 through the approval of voters of Proposition 24 of the California electoral initiative, increases and strengthens consumer privacy protections under the California Consumer Privacy Act, which was applied on July 1, 2020. CPRA, among other newly created consumer privacy rights, gives consumers the right to limit the use and disclosure of a new category of “sensitive” personal information, including health, financial, racial data and accurate geolocation. It also allows consumers to correct inaccurate data about them and establishes the California Privacy Protection Agency, a new state agency that will apply the CCPA in place of California’s attorney general.
National Association of Insurance Commissioners data privacy and security laws
The NAIC Data Security Model Act, which is a cyber security breach law applicable to most insurance industry licensees, has now been adopted in one form or another in eleven states. During 2020, Indiana, Louisiana and Virginia became part of this list, which is likely to expand in 2021.
The NAIC Privacy Protection Working Group (D), formed in late 2019, began its work in 2020 in reviewing the needs and area to modernize the NAIC Insurance Information and Privacy Protection Model Law (created in 1982) and the Privacy of Financial Information and Consumer Health Regulation (created in 2000 following the Gramm-Leach-Bliley Act). Possible updates for these two models may take the form of certain concepts of the CCPA and the European Union’s General Data Protection Regulation.
First application of the NY Department of Financial Services cyber security regulation
In July 2020, the New York Department of Financial Services filed its maiden enforcement action under its cybersecurity regulation against First American Title Insurance Company for allegedly unauthorized access to hundreds of millions of documents containing consumers’ non-public personal information , due to a known vulnerability on the company’s public website, making data accessible without any need for login or authentication. This case serves as a strong warning that the NYDFS will seek further alleged violations of its cybersecurity regulations.
Racial and safe equality
In the wake of the national awakening regarding the impact of race on various institutions in the United States, NAIC formed the NAIC Special Committee on Race and Insurance (“Special Committee”) and asked: “The disparate impact of risk on price decisions on the basis constitute unfair discrimination? ”
Almost all states follow some version of the NAIC Unfair Business Practices Act (“Model Law”), which generally prohibits “unfair discrimination” against “individuals or risks of the same class and essentially the same danger” with respect to both rates and insurability. ”The Model Law specifically prohibits taking into account the individual’s sex, marital status, race, religion or nationality, but only with respect to insurability, not with regard to the fees charged to such consumers (except in the case of race, which was prohibited under the Civil Rights Act of 1964). Notably, only a few states have explicit laws that limit the use of some of these factors in certain branches of insurance (for example, Michigan now prohibits all non-determining factors in determining personal car insurance rates and New York through its Circular Letter No. 1 now requires that life insurers prove that all AI, machine learning and “alternative data” and their sources do not have a distinct discriminatory prohibited impact on protected classes). Instead, most states have not detailed very specifically what constitutes unfair discrimination in their statutes or regulations
NAIC, state insurance regulators, consumer advocates and the insurance industry as a whole are especially focused on the exponential growth of the industry’s dependence on artificial intelligence, machine learning and big data. Some observers predicted the end of most risk-based underwriting and pricing as we now know it for much of the insurance industry in light of these issues, just as underwriting health insurance was simplified through the Affordable Care Act. However, regulations are more likely to focus on monitoring to ensure that these disparate impacts do not occur and are promptly corrected when they do occur.
Pharmaceutical Benefit Managers Regulation
Over the past few years, several states have passed legislation designed to regulate pharmaceutical benefit managers (“PBMs”) to protect small pharmacies or small pharmacies that, in some cases, received reimbursements from PBMs for prescription drugs covered by health plans less than that the costs of pharmacies to buy these drugs. In December 2020, the Federal Supreme Court, in Rutledge v. Pharmaceutical Care Management Assn. (an opinion of 8 to 0), determined that an Arkansas PBM statute was not replaced by ERISA.
Arkansas law requires PBMs to (a) frequently publish their maximum allowed cost (“MAC”) lists for prescription drugs when their wholesale cost increases and (b) reimburse pharmacies for their purchases of prescription drugs at an equal price or higher than its wholesale cost and allows pharmacies to refuse to sell a prescription drug if a PBM’s refund rate is less than the pharmacy’s purchase cost. The Court found that ERISA did not prevail over the Arkansas PBM law because, although the law had the effect of increasing the costs of an employee benefit plan, the law did not force employer-sponsored group health plans to adopt any changes. substantial in the plan, noting that not all state laws that affect an ERISA plan and Arkansas PBM law do not refer to ERISA, do not apply exclusively to ERISA plans and apply to PBMs, regardless of whether they administer an ERISA plan. This decision nullifies a 2018 case from the Eighth Circuit that found ERISA to have anticipated a similar North Dakota law and should avoid an appeal pending in the 10th Circuit of an Oklahoma District Court case that upholds an Oklahoma PBM law against a challenge from ERISA preemption.
Next: Antitrust, Captives, Service Contracts, Travel Insurance and Surplus Lines.