March Regulatory Bulletin

As we enter a busy period of regulatory change we will be providing you with a monthly bulletin. Our first bulletin for March 2018 covers GDPR, IDD and Brexit.

The bulletins will provide you with general updates and information, along with actions you will need to undertake as a third party relation of Hiscox.

The General Data Protection Regulation (GDPR) is a new law, relating to personal data, which will come into force on 25th May 2018. It will replace the UK’s Data Protection Act, and similar legislation across the European Union.

For more information on the GDPR and what you need to do to ensure you are compliant, visit the ICO website.

We are making some changes that will impact you regarding contract changes, fair processing notice website changes and data transfers. Please ensure you read about these changes and take note of the recommended actions you need to take. 

Contract changes

  • We will be amending our TOBAs; these will be ready to be sent out to you shortly.
  • If you operate under a delegated authority from Hiscox you may already have received an amended contract to reflect the GDPR, if not, you can expect to receive one in the coming days.
  • As part of our duty to ensure GDPR compliance we may ask privacy questions as part of our ongoing relationship management with you.

Action: Ensure you read and confirm your acceptance to contract changes.

Fair Processing Notice website changes

  • Brokers (and partner websites, including MGAs) should look to update their website privacy notices to be GDPR compliant. 
  • Documents provided by Hiscox will be updated with the Hiscox privacy notice and distributed / uploaded as appropriate.

Action: For websites managed by Hiscox, brokers will need to provide the updated privacy notice to Hiscox as soon as possible to enable the website to be updated in time for 25th May 2018.   

Data Transfer

One of the risks that you may already be thinking about is the risk of breach when you are transferring personal information regarding a client or potential client to Hiscox.

It is easier to think of how we exchange data in the following three pockets of activity:

  • Personal data
  • Sensitive data
  • Large volumes of data

Personal data
Hiscox protects its emails, both inbound and outbound, using what is called ‘Transport Layer Security’, or TLS. This is convenient for everyone as all the protection happens in the background without you having to do anything special. However, the level of security does depend on the receiving server, so encryption cannot be guaranteed unless it is enforced. Where it is supported, enforced TLS can be adopted by both yourself and Hiscox, which will guarantee encryption every time. Provided TLS is supported by your email servers, this is quick and easy to implement.

Action: Contact Fran Varley at uk&[email protected] with the subject line "Personal data encryption" requesting to make arrangements to enforce encryption and ensure all our email communications are encrypted. Please provide your contact details and preferred method of contact so we may email or call you back. 

Sensitive data
There are occasions when we might want to add some additional protection to our data, for example when we are sharing sensitive (or special category) data. By May 2018, where Hiscox regularly share sensitive data we will be implementing secure messaging. This is unlikely to affect the majority of you but where it does, it means that you will receive a notification email and you will simply enter a password to access the message. You’ll be able to reply and send us secure messages too.

Action: If you share sensitive data with us and would like to use our secure message facility, please contact Fran Varley at uk&[email protected] with the subject line "Secure message facility" to make arrangements to set up secure messaging. Please provide your contact details and preferred method of contact so we may email or call you back. 

Large volumes of data
Delegated authorities, schemes and binders often send the data for multiple risks via Bordereau. Sharing large volumes of data at once increases the impact of any potential data breach. Therefore greater security is required than can be afforded by email, and so Hiscox will be rolling out Enhanced File Transfers (EFT). EFT is a secure method of transferring large files that can be implemented quickly and easily.

For third parties that engage in this level of data transfer and are currently using email, we will contact you over the coming weeks to set up our EFT links.

To discuss any of the above further or to arrange your data transfer mechanisms please contact:

Fran Varley, GDPR business analyst, UK & Ireland
Email: uk&[email protected]

Listen again to our GDPR webinar

Did you miss our GDPR: Supporting your voyage to compliance webinar which took place on Thursday 8 March? If you couldn't make it you can listen again using the link below. 

You may already be aware that the IDD implementation date is delayed from 23rd February 2018 to 1st October 2018. This has been confirmed by HM Treasury at a UK level, but isn’t likely to be officially confirmed by the EU until later in the year. Furthermore, the lack of final rules creates a further element of uncertainty. As such, Hiscox has decided to take a pragmatic approach to rolling out changes to ensure compliance with the directive and will be doing so throughout 2018.

The directive places requirements on both Insurers and Brokers and as such there are mandatory activities you are required to complete both as an entity in your own right and as a part of your relationship with Hiscox before the directive comes into place. 

Hiscox would like to provide you with any support you may need in order to achieve compliance. The following does not outline all your regulatory responsibility, but does highlight some of the main areas of responsibility for those that relate to our relationship.

Implementation guidance for UK and Ireland


  • The FCA issued their third (3/3) policy statement earlier this year; this responds to feedback received to CP17/33 (the third IDD CP), as well as feedback on certain matters deferred from CP17/23 (the second CP), and feedback to the IDD-related aspects of two Quarterly Consultation Papers (CP17/32 and CP17/39).
  • It is expected the final rules will be issued imminently and confirmation of the delay will arrive soon after.


  • For Ireland, the Central Bank of Ireland may not issue implementation guidance in the same way as the FCA has done; however, they currently state that firms should comply with all EIOPA guidelines.

What are Hiscox doing in readiness to support our shared requirement to comply?

  • If you broke personal lines policies, Hiscox will provide you with an Insurance Product Information Document (IPID) for you to issue to customers for all new business, renewals and mid-term adjustments. 
  • This document will reference the schedule for policy term dates, sums insured and payment method.  These documents will be made available on our broker centre, replacing policy summary and key facts documents. 
  • If you have a Scheme with Hiscox, these are likely to be emailed directly to you.
  • Over the remainder of 2018 we expect to start emailing all IPIDs to you as part of our quote and policy documentation.
  • Provision of a target market document, which will detail the customer group you should be selling our product to. We will likely upload these documents to our document centre online or email them to you directly.

What you need to do now

The below is taken from the directive; we have summarised it in order to assist your preparation ahead of 1st October 2018:

  • You need to ensure you are compliant with all requirements for IDD ahead of the deadline.
  • Some of these requirements we are sure you will already have in place, however some will require activity between now and go live and it is advised this activity is not underestimated.
  • Although the activity required to deliver these requirements is your responsibility, we as partners will endeavour to support and guide you where possible.
  • For those of you that hold delegated authority on behalf of Hiscox, we will be incorporating these requirements as part of our standard audit, whereby we will be seeking explicit evidence of compliance.

Your people

  • Firms should make sure that people doing insurance distribution activities possess appropriate knowledge and ability in order to complete their tasks and perform their duties adequately. Staff must be trained adequately and be competent. The minimum amount of Continuous Professional Development (CPD) should be 15 hours per year and should be relevant to role.
  • People who conduct insurance distribution activities should be in good repute – minimum requirements are a clean criminal record, or a clean record with no criminal offences linked to crimes against property or crimes related to financial activities. They also shall not have previously been declared bankrupt unless they have been rehabilitated in accordance with national law.

Your business

  • Your business must hold professional indemnity insurance covering the EU of at least €1,250,000 AOC and €1,850,000 in the aggregate.
  • To ensure compliance, companies should approve, implement and regularly review internal policies and procedures.
  • You should act in accordance with the best interests of the customer.
  • Remuneration or incentives should not result in an employee recommending a product to a customer when the insurance distributor could offer a different product that better meets the needs of the customer. Remuneration should not conflict with the duty to act in accordance with the best interests of their customers.
  • Marketing and documents should be fair, clear and not misleading. Marketing materials must be clearly identifiable as such.
  • If you operate a website, it is likely you will need to identify and make changes in order to be compliant with the IDD. 
  • If you manage your website through the Hiscox Schemes or E-Trade team, they will be in touch with you to manage these changes over the coming months.
  • You should be aware of and make the necessary changes regarding advice and standards depending on whether advice is or is not given.

Your processes

  • Paper policy documents at all stages of the policy must be offered with equal weight to email, free of charge. 
  • For personal lines (non-commercial) insurance contracts an Insurance Product Information Document (IPID) should be distributed to the customer.
  • Prior to conclusion of contract, the distributor should specify the demands and needs of that customer with objective information about the insurance product in a comprehensive form. Any contract proposed should be consistent with demands and needs. Where advice is provided, a personalised recommendation should be provided explaining why a particular product best meets the demands and needs. There is certain information that an intermediary/undertaking needs to disclose to the customer prior to conclusion of contract.

Should you have any queries on any of the above information regarding the Insurance Distribution Directive, please email us at uk&[email protected].

As a result of the UK’s decision to leave the European Union, we are making some necessary changes to our business structure to ensure continuity of cover to all our customers with European risks. Brexit is structural not strategic for Hiscox, so in most cases you should see and feel very little change from us, if any at all. 

A key implication of Brexit is the loss of ‘passporting rights’ which allow Hiscox to conduct cross-border business throughout the European Economic Area (EEA) either directly from the UK or through our branch offices across Europe. Hiscox currently operates through an insurance company (Hiscox Insurance Company Limited), an agency (Hiscox Underwriting Limited) or via Lloyd’s of London, all of which are registered in the UK and will therefore lose their passporting rights.

Our priority is to ensure we can continue to provide products and services to policyholders with EEA risks; what that looks like will vary slightly depending on which part of the business you work with.

We will continue to refine our plans further over the coming months, particularly as more becomes known about Brexit from the UK government and as we all get more clarity over a transition period.

Progress so far

  • We have established a new European insurance company in Luxembourg, called Hiscox S.A., which received its licence from the Luxembourg regulator in January 2018 and has an A rating from S&P. Hiscox S.A. will become the new home for the EEA-domiciled risks that we write through our European and UK branch networks. 
  • We are also obtaining approval from the relevant authorities to establish a new European insurance agency to operate in the EEA.
  • Lloyd’s of London has established a new European insurance company domiciled in Brussels, which is in the process of obtaining regulatory approval from the Belgian regulator. We will utilise the Lloyd’s Brussels subsidiary for those parts of the business where we need to, such as our London Market business.

Next steps

  • We intend to transfer all affected live policies and historical liabilities from Hiscox Insurance Company Limited to Hiscox S.A. as part of a legal process known as a Part VII transfer, which is proposed to take effect from 1 January 2019, with new business also being written into Hiscox S.A. from that date. This will ensure continuity of cover post-Brexit for all policyholders with European policies. Quotations will continue to be provided in the normal course of business and, depending on timings, will be either from Hiscox Insurance Company Limited or Hiscox S.A.
  • Subject to obtaining the necessary regulatory approvals, we also intend to start writing both new and renewal business via our new European insurance agency from 1 January 2019.
  • We are working closely with Lloyd’s in terms of timings for when new business and renewals will go into the Lloyd’s Brussels subsidiary, and will adopt the Lloyd’s toolkit where we can. We are also working with Lloyd’s to establish the appropriate procedures for writing policies that have both EEA and non-EEA risks. Where we work with coverholders (or anyone with underwriting authority) that are writing EEA risks through the Hiscox Syndicates at Lloyd’s, we are working to ensure the appropriate new Lloyd’s approval and/or underwriting authorities are in place.

We will keep you updated on our Brexit plans over the coming months, and there is nothing for you to do for now when it comes to working with Hiscox post-Brexit. If you have any questions about what Brexit means for your work with Hiscox, please speak to your usual Hiscox contact.
