Insurers should not fear EU AI Act, DORA will reduce reporting burden, says EIOPA chair

March 20, 2025

Insurance firms have nothing to fear from the European Union’s Artificial Intelligence (AI) Act, while the arrival of its Digital Operational Resilience Act (DORA) has actually streamlined reporting, Europe’s top insurance supervisor said at Insurtech Insights Europe on March 20.

In her keynote speech, Petra Hielkema, chair of the European Insurance and Occupational Pensions Authority (EIOPA), said: “The AI Act should not result in a lot of additional requirements [for the financial industry] because insurance is already a highly regulated sector.”

The data quality standards, data components, and record-keeping practices required for high-risk AI systems under the act are already largely covered by Solvency II regulations, she added.

Advocating for sector

EIOPA has fought an ultimately unsuccessful battle with lawmakers for insurers’ use of AI to be excluded from categories that could be deemed high-risk under the act, Hielkema said.

However, she believed the financial services group on the AI Board of Supervisors would be able to successfully advocate to keep everyday AI tools used by insurers — such as mathematical optimisation methods and traditional statistical models — out of scope. She was hopeful the European Commission would soon “clarify that certain AI tools are not AI systems”.

EU policymakers and regulators had been working hard to find a balance between innovation and regulation, “aiming to strike a balance” between allowing ideas to flourish and avoiding any “harmful impacts”, said Hielkema. The goal of the act was to create “a human-centric environment where new technologies can thrive safely, responsibly and with confidence”. Sandboxes for fintechs and other developers to test their technology and gain an understanding of how regulation would affect them would further support innovation, she said.

DORA lifts reporting burden

As with the AI Act, DORA’s reporting obligations are not new for financial services firms, since they are already required to carry out operational resilience testing and incident reporting, Hielkema said. DORA’s single reporting schedule, which replaced multiple previous demands from different supervisory bodies, would also benefit insurers.

Another advantage was DORA’s introduction of direct supervision of critical third parties. Whereas previously insurance companies had had to spend time with supervisors tracing their operational resilience through “what could be 10 different steps” in a value chain before they reached the final point, now EIOPA would supervise the final points directly.

The three European financial supervisory agencies will produce a list of critical third parties — expected to include all of the large cloud providers — by the summer, and begin direct supervision of their operational resilience thereafter.

International consensus?

Responding to a question from the audience, Hielkema, who is also vice chair of the International Association of Insurance Supervisors (IAIS) and chairs its fintech group, said she enjoyed a good dialogue with her US colleagues, and there was “common interest in making sure that AI can thrive” while simultaneously managing its risks.

Both her Chinese and US peers had a willingness to exchange information on their approach to supervising AI, she added.