Out-Law Guide 10 min. read
30 Mar 2005, 4:02 pm
This guide is based on UK law. It was last updated in February 2008.
As well as rules set down by the Financial Services Authority, financial services companies who sell online must comply with e-commerce legislation and should always consider important contract law and commercial issues.
The E-commerce Regulations and Distance Marketing of Financial Services Regulations will apply when contracts are formed with consumers, and these are discussed in separate OUT-LAW guides. Companies must also take into account laws and regulations which apply equally to online and offline transactions, such as legislation relating to unfair terms in consumer contracts. This guide will concentrate on the non-legislative side, dealing with some of the commercial and risk issues which should be considered when selling financial services products online.
While the financial services industry has traditionally been an early adopter of new technology to streamline processes and manage customers, by and large it has relied on tried and tested methods to achieve initial sales. With the notable exception of parts of the insurance sector (particularly general insurance) it is fair to say that few financial services products are available for purchase in a straight-through online process with no offline element.
There are barriers to online processing which help to explain why the financial services industry has been reluctant at times to move to online selling. The investment needed to ensure that systems are robust, technically efficient and legally compliant with regulatory standards, as well as the legal complexity and relative uncertainty of completing 'sophisticated' contracts online, both act as significant deterrents.
However, there are increasing drivers of change which are forcing the financial services industry to re-evaluate the cost balance between adopting online systems and the perceived barriers to doing so. Perhaps the greatest driver of change is the need to maximise the effective use of consumer data. Principal profits on financial services products generally accrue from selling multiple products to the same consumer. The benefits online selling gives for ownership of data, and the ability to exploit it effectively, should not be overlooked.
A straight-through online sales process – where the application is completed and submitted online without the need for signed documentation or product provider intervention or additional steps outside of the online process – is a way of reducing overheads and speeding up the new business process, and there are other obvious benefits in a move to online selling.
The online process also carries risk, not least where the company does not hold a signed application form. However, it is important to remember that the hazards of online selling apply offline too. The potential for fraud, for example, is no greater than it is with paper-based applications.
While risk cannot be eliminated entirely, it can be reduced to an acceptable level through the relevant contracts and through careful attention to, and control of, the online sales process. The formalities for contracting online and offline are essentially the same, but it is important to get the online sales process right (both legally and contractually) to ensure that the contract is properly formed and enforceable. Three areas which are important to consider are:
There are increasingly few contractual situations which require a signature for them to be legally valid. We conclude contracts every day without any need for a signature – every time we buy something from a shop, for instance.
While signatures are not legally required to conclude most contracts, they are designed to increase security in the contractual process. To different degrees they help to:
Complex financial services products, like life insurance, have to date largely relied on traditional 'wet' (i.e. ink on paper) signatures to show these three elements. But it is important to remember that, as a method of security, wet signatures themselves are inherently flawed and susceptible to fraud.
Digital signatures have their basis in law under the Electronic Signatures Regulations, which implemented the EU's Electronic Signatures Directive. Digital signatures come in a variety of forms, and the choice of which form to use will be judged against the level of certainty required for the three elements above and the risk associated with the relevant product.
At the simplest level, a digital signature could be a user clicking the 'buy' button on an e-commerce website. The English Law Commission has confirmed that in its view this constitutes a valid signature. At a more secure level, digital signatures can take the form of electronic certificates, with encryption systems to ensure that the recipient knows that only the sender could have 'signed' the document.
In terms of selling financial services products online the method of ‘signature’ adopted will depend on the level of certainty which the vendor has determined it needs. In most cases, where identity can be validly established through other methods (for example, a credit search – which also helps to comply with Money Laundering obligations), the main purpose of the signature is to indicate an intention to be bound by the terms of the contract. In these cases a simple 'click' signature may be sufficient.
In choosing which method to use, the vendor also needs to consider issues of cost and practicality. For example, it is common for financial advisers to use digital certificates, but surveys have shown that very few individual consumers use them.
A medical report is a common, if not universal, part of the underwriting process for certain financial services products, most notably life insurance policies. Unfortunately, at present it is the main impediment to completing the sale in a fully straight-through process. Where an application requires a medical report, BMA guidance to doctors is that consent should be given 'in writing'. Specifically, the guidance states that doctors should refuse to complete a medical report unless a copy of the individual’s written consent has been provided for the doctor’s retention.
The phrase 'in writing' has been determined by the English Law Commission and BERR (formerly the DTI) to include digital signatures, which would allow individual consent to be given online. However, the BMA directs doctors not to rely on an electronic copy of the signed consent unless satisfied that the company requesting the report has ‘robust mechanisms’ for verifying that the document has not been altered in any way. It is unlikely that doctors will want to put themselves in the firing line by making that call themselves. It had been thought that the eGPR project – a service to enable the electronic exchange of insurance reports – would have moved things forward, but it is not clear what stage this initiative has reached or whether it has fallen by the wayside, at least for the time being.
Until the BMA reviews its current guidance, the most obvious solution is to instruct the applicant to print and sign a consent form at the end of the process. The extent to which this will postpone the applicant being put on risk is discussed below in terms of balancing risk for the provider.
One of the key concerns for product providers with a straight-through process is the lack of a signed application form which the business can fall back on as evidence, for example, to show that the consumer applied for that product or failed to make full disclosure of material facts.
However, if the online sales process has been properly designed and there is a secure audit trail for the application process, the provider will have a record of the concluded contract. Amongst other things, that record should show:
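The 'robust mechanisms' for showing that a record has not been altered, and the secure audit trail referred to above, are usually built from the same ingredients: a canonical serialisation of each step, a hash that chains every entry to the one before it, and a keyed tag that only the provider's audit service can produce. The following is an added example, not code from the original guide or from any particular provider; the audit key, the event names and the application steps are constructed for illustration. It also shows an edge case the paragraph does not spell out: a hash chain alone cannot detect that the last entries were deleted, so the current head hash has to be kept separately and checked against.

```python
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Constructed demo secret held by the provider's audit service (assumption:
# in practice this key lives in an HSM or key vault, never in source code).
AUDIT_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # prev_hash of the first entry


def canonical(record: dict) -> bytes:
    """Deterministic JSON so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def append_event(trail: List[dict], event: dict, key: bytes = AUDIT_KEY) -> dict:
    """Append one sales-process step, chained to the previous entry and keyed."""
    prev = trail[-1]["entry_hash"] if trail else GENESIS
    body = {"seq": len(trail), "prev_hash": prev, "event": event}
    entry_hash = hashlib.sha256(canonical(body)).hexdigest()
    tag = hmac.new(key, entry_hash.encode("ascii"), "sha256").hexdigest()
    entry = dict(body, entry_hash=entry_hash, tag=tag)
    trail.append(entry)
    return entry


def trail_head(trail: List[dict]) -> str:
    """Hash of the newest entry; store this out-of-band to detect truncation."""
    return trail[-1]["entry_hash"] if trail else GENESIS


def verify_trail(trail: List[dict], key: bytes = AUDIT_KEY,
                 expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if intact, else (False, index of the first bad entry).

    Checks sequence numbers, the hash chain, and the HMAC tag on each entry.
    If expected_head is supplied, also checks that no trailing entries are missing.
    """
    prev = GENESIS
    for i, entry in enumerate(trail):
        body = {"seq": entry["seq"], "prev_hash": entry["prev_hash"], "event": entry["event"]}
        if entry["seq"] != i or entry["prev_hash"] != prev:
            return False, i
        expected_hash = hashlib.sha256(canonical(body)).hexdigest()
        if not hmac.compare_digest(expected_hash, entry["entry_hash"]):
            return False, i  # event content or chain link altered
        expected_tag = hmac.new(key, expected_hash.encode("ascii"), "sha256").hexdigest()
        if not hmac.compare_digest(expected_tag, entry["tag"]):
            return False, i  # rewritten by someone without the audit key
        prev = expected_hash
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(trail)  # chain is self-consistent but has been cut short
    return True, None


def build_sample_trail() -> List[dict]:
    """Constructed record of a straight-through application (fixed timestamps)."""
    trail: List[dict] = []
    append_event(trail, {"ts": "2008-02-01T10:00:00Z", "step": "terms_presented", "terms_version": "v3.1"})
    append_event(trail, {"ts": "2008-02-01T10:02:10Z", "step": "disclosure_answered",
                         "question": "smoker", "answer": "no"})
    append_event(trail, {"ts": "2008-02-01T10:03:30Z", "step": "consent_ticked",
                         "purpose": "share_with_group_companies"})
    append_event(trail, {"ts": "2008-02-01T10:04:00Z", "step": "buy_clicked"})
    return trail


def tampered_answer_demo() -> Tuple[bool, Optional[int]]:
    """An answer to a disclosure question is changed after the fact."""
    trail = build_sample_trail()
    trail[1]["event"]["answer"] = "yes"
    return verify_trail(trail)


def truncation_demo() -> Tuple[Tuple[bool, Optional[int]], Tuple[bool, Optional[int]]]:
    """The final 'buy_clicked' entry is dropped: undetected without the stored head."""
    full = build_sample_trail()
    head = trail_head(full)
    cut = full[:-1]
    return verify_trail(cut), verify_trail(cut, expected_head=head)


if __name__ == "__main__":
    print("intact:", verify_trail(build_sample_trail()))
    print("tampered:", tampered_answer_demo())
    print("truncated (no head / with head):", truncation_demo())
```

An HMAC tag proves integrity to anyone holding the audit key, which is enough for the provider's own records but not for third-party non-repudiation; where a doctor or a court must be able to check the record without trusting the provider's key, the same entry hash would be signed with the provider's certificate-backed private key, as the digital-signature section above describes.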
The vast majority of information collected by financial services companies during the online quote and application process will be personal data under the Data Protection Act. In some cases, and almost certainly in life insurance applications, the information will include 'sensitive personal data', relating amongst other things to the physical or mental health of an individual.
Whenever personal data is collected the individual must be told, at the time of collection, certain key information, including how his or her data will be used and whether the data will be shared with group companies or other third parties. Where sensitive personal data is collected the applicant's consent may need to be obtained. Consent may also be required where the data is to be processed in non-EEA countries. The data must then be processed in accordance with the Data Protection Act, particularly in accordance with the eight data protection principles. Overriding these is the obligation to process data fairly and lawfully.
In respect of a straight-through process, this means that the consumer must be given a full notice on how their data will be used and in some cases will be required to consent (for example by checking a box to say that they agree) to the use of their data for certain purposes.
Where more than one party is involved in the transaction (for example, the product is being sold through an aggregator site or through a 'brand' put together by a joint venture of providers) it is vital that the agreements between these parties deal with issues of data use and management, and clearly set out who 'owns' the customer and his or her data. The data collection notice to the individual will also need to make it clear who is collecting the data, who the data is being shared with, and the uses that those third parties will be making of the data.
Failure to follow the requirements of the Data Protection Act can mean enforcement action by the Information Commissioner, criminal liability, and fines imposed by the Financial Services Authority, but damage to reputation is often the greatest risk. For more information see our guide to Data Protection.
Decisions on risk-weighting are commonplace within the financial services industry and online sales will involve a number of issues in risk allocation. Each different product, or class of products, will raise its own individual concerns.
For example, with the online sale of a life insurance product there are likely to be two specific risk allocation issues which arise: first, the decision on whether to accept the applicant on the basis of the information provided; and second, putting the applicant on risk with immediate effect where some element of the sales process is outstanding (e.g. medical report still to be provided).
The first issue is as much technical as it is legal, and relates to underwriting decisions. At the heart of an online sales process will lie software designed to analyse the information given by the applicant and determine if an instant underwriting decision can be made. Online underwriting systems can also identify the terms (including ratings and exemptions) that will apply according to the risk profile of the individual. However, while the underwriting system is a technical way to enable sales to be completed online, the number of sales which can be completed still depends on the underwriting parameters set by the product provider and the risk threshold at which applications need to be referred for manual underwriting.
The second risk allocation issue will be whether, on the basis of the information provided, the life insurance application is accepted online and cover starts immediately. Completion of the contract may await some final element – such as the receipt of the medical consent form with a 'wet' signature – and a decision will have to be taken as to whether the insurance company is prepared to accept the risk of covering the individual in the interim. Again, some element of risk-weighting will be inevitable.
In assessing how risk is allocated and managed as part of the online process, it is important not to overlook the customer experience; there is a balance to be sought between the two. Detailed questions may help with real time underwriting decisions and increase the number of applications that can be accepted online, but that is not much use if the number of applications declines because customers are put off by the lengthy application process.
Further considerations arise where there are additional parties involved in the sales process, for example where sales are made through intermediary extranets, portals, content aggregators and “white label” sites (such as those run by supermarkets). Different models raise their own risk issues, but the main risk with all of these is that the product provider is at least one step removed from the customer.
Where a provider sells directly to consumers it maintains control of the online sales process, including what information is given to the applicant during the process and when. Where a third party is involved there is a greater risk of the customer’s attention not being drawn to the policy terms, of an inadequate data protection notice being presented and of non-disclosure of material facts. An insurance company may have difficulties relying on contractual exclusion clauses if the sales process was inadequate.
There is also the question of what the parties’ respective roles and responsibilities are. For example, which party is responsible for ensuring that the website and sales process are compliant, who is responsible for presenting the customer with a data protection notice, and who will be liable if data is modified or becomes corrupted during transmission from one party to the other?
As mentioned at the start of this note, risk cannot be eliminated entirely but it can be reduced to an acceptable level in the contracts and online sales process: this can only be done if the parties fully understand what each party is going to be doing and the risks that arise from those activities.