What insurers need to know before developing apps in the cloud

Out-Law Analysis | 03 Mar 2016 | 11:58 am | 2 min. read

FOCUS: Insurance businesses must move fast with new products and offerings in order to compete, and new developments such as live data from telematics systems or the internet of things make that possible in new and exciting ways.

Apps and cloud services will be a vital part of that. Take Cuvva, one of a new breed of technology-based insurance disruptor businesses becoming known as insurtech companies. Its iOS app enables anyone to purchase car insurance for as little as an hour, or any other specific period of time. It can determine an 'hour long premium' and provide cover where a customer needs to borrow a car, drive home a friend who has been drinking late at night, or in other circumstances.

Developing applications in a cloud computing environment is one way to give businesses the level of agility they need, but UK insurers need to consider how regulators treat this activity.

The FCA and the cloud

The Financial Conduct Authority (FCA) is currently reviewing 60 consultation responses it has received to draft guidance published late last year in which it gives direction on the extent to which financial services businesses can outsource important business functions to the cloud. The guidance is significant because it shows that the FCA is willing to enable financial services businesses to use cloud solutions.

In its proposed guidance the FCA has said: "We see no fundamental reason why cloud services (including public cloud services) cannot be implemented, with appropriate consideration, in a manner that complies with our rules."

Financial services regulatory concerns

Any business operating in the insurance sector and subject to FCA rules must be aware of the regulator's concerns around the cloud. One concern it identifies is the extent to which regulators can access data and premises on which data are processed in a cloud environment.

Both the FCA's rules that apply broadly to financial services businesses, and those which apply specifically to most insurers, require that regulators be given the ability to access data and premises on which data are processed in an outsourcing context. This is also a theme that is reflected in the Solvency II framework. It is hoped that the FCA will clarify the scope of these audit and access rights as part of its finalised guidance.

Any insurer planning to outsource cloud app development should take this into account. It should also be aware of the FCA's views on supply chain visibility and the extent to which data remains within the customer's control, both of which will be relevant to cloud-sourced solutions.

Data protection concerns

Much of the app development process will not concern personal data – data that relates to living individuals. However, where personal data is used in the development process, insurers should also be aware of changes to data protection laws.

The General Data Protection Regulation, which has been largely finalised at EU level, will over the next few years introduce a significant amount of change to how businesses can use personal data. In an app development context, businesses will need to be more careful to make sure that they are using data for the same purpose for which it was collected.

There is also a related concern around transferring data outside the EEA. The invalidating of the safe harbour agreement between the EU and the US last year has made it more challenging for some technology providers to demonstrate that they comply with rules which restrict the transfer of personal data outside the EU. While an 'EU-US privacy shield' has been agreed at a political level to replace the safe harbour framework, it is still due to be scrutinised by the data protection regulatory authorities. This is due to take place in mid-April.

If regulation is not to act as a barrier for insurance businesses looking to outsource app development to the cloud and respond in an agile way to market developments, a clear understanding of both the current financial services and data regulatory landscapes, and those to be in force in the near future, is essential.

Yvonne Dunn and Luke Scanlon are financial technology experts at Pinsent Masons, the law firm behind Out-Law.com