New EU Act Regulates AI in Insurance

The EU aspires to be the global leader in safe artificial intelligence (AI). By introducing a strong regulatory framework that fosters responsible AI development and deployment, the EU seeks to get to grips with potential threats to health, safety, and fundamental human rights, and therefore, develop an AI ecosystem that benefits everyone. Accordingly, insurers will now have to demonstrate a level of good intention when designing, developing, and deploying AI systems.

Explainable, accurate, unbiased, and compliant AI, and the tools and processes required to meet obligations under the responsible AI framework insurers put in place, will be a cornerstone required by insurers.

While interpretable AI, the ability for an underwriter or a regulator to be able to audit an individual application at case level to determine why a model made a particular decision for a particular consumer, will help insurers to foster a culture of responsible AI where data is considered a significant asset.

The new legislation ensures either developing in-house expertise or partnering with vendors is no longer just a ‘nice to have’ when it comes to AI development in life and health insurance.

The European Insurance and Occupational Pensions Authority (EIOPA), the independent advisory body to the European Commission, the European Parliament and the Council of the European Union acknowledges that AI is providing a wide range of opportunities to support growth and development within the insurance industry.

Petra Hielkema, the chairperson of EIOPA, noted that insurers leverage AI to explore opportunities to provide consumer advice, guide policyholders through claims procedures, and enhance pricing and underwriting processes.

However, in an article in September 2023, Hielkema pointed to three specific implications for the insurance sector: 

1. The nature of the EU AI Act was ‘horizontal’ in an attempt to cover many sectors. However, this ‘catch all’ approach could raise integration challenges for an industry like insurance that is highly regulated. 

2. A harmonised set of standards is envisaged by the EU AI Act, to be developed by the European Standardisation Organisations to provide guidance and compliance tools to help meet the requirements. 

3. Most of the requirements of the Act will focus on systems deemed ‘high risk.’

The EU AI Act takes a risk-based approach and categorises risks as follows: 

• Minimal risk: most AI systems such as spam filters and AI-enabled video games face no obligation under the AI Act, but companies can voluntarily adopt additional codes of conduct.

• Specific transparency risk: systems like chatbots must clearly inform users that they are interacting with a machine, while certain AI-generated content must be labelled as such.

• High risk: high risk AI systems such as AI-based medical software or AI systems used for recruitment must comply with strict requirements, including risk-mitigation systems, high-quality of data sets, clear user information, human oversight, etc. 

• Unacceptable risk: for example, AI systems that allow “social scoring” by governments or companies are considered a clear threat to people's fundamental rights and are therefore banned.

Hielkema noted that certain use cases in life and health insurance will be considered high-risk and that the impact of the AI Act depends on the outcomes and guidance provided for its effective implementation. 

The European Commission has already launched its consultation and published a first high-level draft on a Code of Practice for general-purpose artificial intelligence (GPAI) models providers intended to address vital areas such as transparency, copyright-related rules, and risk management. 

According to a KPMG summary of the questionnaire used in the consultation process, possible AI use cases in the insurance sector include:

• Insurance pricing and underwriting to advice

• Compliance 

• Fraud detection and anti-money laundering (AML)

• Customer service

The summary also notes additional legislation which may be relevant, alongside the EU AI Act, including the Insurance Distribution Directive (IDD), the Solvency II and institutions for occupational retirement provisions (IORPs) and the Anti-Money Laundering Directive.

Finally, it points out several key areas the questionnaire sought input on including use cases, opportunities, risks and challenges, barriers, and bias. 

The EU intends to finalise the Code of Practice by 2 May 2025, giving insurance companies time to get to grips with the Act. 

Organisations which provide and deploy AI systems are obliged to ensure their workforce attains sufficient levels of AI literacy by February 2025. 

The Act will prohibit AI systems deemed to present an unacceptable risk after six months, while GPAIs will have 12 months to comply with the rules.

EU Member States have until 2 August 2025 to assign national competent authorities, oversee the application of the rules for AI systems and carry out market surveillance activities, while most of the AI Act will start applying on 2 August 2026.  

Sanctions for companies not complying with the rules will include fines of up to 7 percent of the global annual turnover for violations of banned AI applications, up to 3 percent for violations of other obligations and up to 1.5 percent for supplying incorrect information.

The EU AI Act ensures commercial AI can no longer be ignored, and insurers now need to plan for whatever level of an AI-impacted future they envisage for their companies and customers. 

AI has been the subject of much hype but regardless of where insurers stand on the topics, there is a clear framework being developed which will provide guidance for many years to come. It is now incumbent on all insurers to understand their place in the post-AI Act regulatory world, contribute responsibly and transparently to the debate on AI in insurance and, most importantly, understand how AI will impact their business now and into the future as it grows in visibility and significance.