Everybody has great expectations for AI, and insurers are no exception. But how does the industry, which safeguards the risk management of others, secure its own operations against unpredictable new technology while also meeting compliance requirements? Norman Luo, head of compliance at AXA Tianping Property & Casualty Insurance, has some answers.
With the expansion of artificial intelligence application in the field of insurance, AI management has quickly become a “compulsory course” for insurance institutions. AI legislation has been making strides in tandem, as frequent legal disputes compel insurers to identify the legal and regulatory requirements for AI application.
This means incorporating AI management into the framework of their own risk compliance management to avoid adverse consequences incurred by a violation.
Some foreign-invested insurers in China are already setting up compliance governance frameworks for AI. To ensure security and compliance while applying technological innovation to spur growth, they are sorting out the AI technologies used in their business activities and establishing systems to regulate their application.
Insight into compliance governance of AI application at insurance institutions not only serves as a guideline for the industry, but also companies in other industries wishing to establish AI compliance management systems of their own.
Incorporating data compliance
Since the successive promulgation of China’s Cybersecurity Law, Data Security Law and Personal Information Protection Law, most commercial organisations have established governance frameworks for data compliance.
AI compliance management may, and often should, be incorporated into the same framework, since operating an AI system often relies on the processing and analysis of vast amounts of data.
Such incorporation can help establish a uniform compliance framework ensuring that the development, deployment and use of AI are not only technically sound, but also legally and ethically acceptable. The integration can also be conducive to improving compliance efficiency and reducing legal risks.
AI-wielding insurers should make use of established data governance standards in assessing the lawfulness and compliance of AI’s data processing.
The scope of such an assessment includes:
- Data source review to ensure that sources processed by the AI system are lawful to avoid using illegally obtained or unauthorised data;
- Observing the minimum data principle so that only data necessary for a specific purpose is collected and stored;
- Securing consent of data subjects for processing their personal data, informing them of the purpose, scope and method of such processing; and
- Ensuring data protection measures are adequate to prevent data breaches, damage or unauthorised access.
For example, when using ChatGPT, an employee may inadvertently copy and paste code, files or other information containing confidential company data into a conversation, resulting in a data breach. There are already public news reports of such data breaches at Samsung Electronics, Amazon and elsewhere.
In response, some companies have taken steps to restrict employee use of ChatGPT, such as imposing byte limits for uploading, or banning the use of ChatGPT altogether.
Such data breaches may have already violated data protection regulations – such as the EU’s General Data Protection Regulation (GDPR) – as unauthorised data transfers may infringe the principles of minimum data and data security.
If such breaches further involve leakage of clients’ personal information, the company may be liable, not only for direct commercial losses but also penalties and reputational damages.
However, the unique attributes of AI technology and the requirements of laws and regulations mean that existing data compliance management cannot be simply replicated in its entirety. Rather, rules need to be expanded to ensure there are no significant omissions.
AI compliance management focuses on the decision-making process of AI systems, algorithmic transparency and bias, ethical and social impacts, and the protection of user rights and interests. Technological characteristics, such as algorithmic complexity and model training data, should also be taken into account to formulate the best compliance strategies.
For example, if an insurer considers the application of AI for underwriting, it runs the risk of bias. Typically, AI underwriting systems are based on historical data and algorithms to assess risk and decide whether to proceed, as well as setting premium rates. Any bias in these data and algorithms can be learned and amplified by the AI system, leading to unfair underwriting decisions.
In response, insurers need to take a range of measures to identify, assess and mitigate potential bias and discrimination, including training AI underwriting models on diverse datasets and ensuring that the data covers different regions, sexes, ages, ethnicities and socio-economic backgrounds.
Conducting regular audits of the AI underwriting algorithms is also essential to increase transparency of the AI’s underwriting decisions and ensure the decision-making process can be explained.
These assessments and risk mitigation measures are not present in original data compliance management systems. Instead, they integrate AI-specific compliance requirements such as transparency, explainability, fairness and absence of bias.
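As an added illustration of the regular fairness audit described above (example code, not from the article or from AXA Tianping), the following Python computes approval rates per protected attribute over a constructed set of underwriting decisions and flags any attribute whose lowest-rate group falls below an assumed four-fifths threshold relative to the highest-rate group. The sample records, the threshold and the function names are all assumptions made for this example.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed sample of AI underwriting outcomes (not real data). Each record
# carries attributes the article says an audit should cover, plus the decision.
SAMPLE_DECISIONS: List[dict] = [
    {"region": "north", "sex": "F", "age_band": "18-30", "approved": True},
    {"region": "north", "sex": "F", "age_band": "31-50", "approved": True},
    {"region": "north", "sex": "M", "age_band": "18-30", "approved": True},
    {"region": "north", "sex": "M", "age_band": "51+",   "approved": True},
    {"region": "south", "sex": "F", "age_band": "31-50", "approved": True},
    {"region": "south", "sex": "F", "age_band": "51+",   "approved": False},
    {"region": "south", "sex": "M", "age_band": "18-30", "approved": True},
    {"region": "south", "sex": "M", "age_band": "51+",   "approved": False},
]

# Assumed review threshold (the "four-fifths rule"); the article names no number.
FOUR_FIFTHS = 0.8


def approval_rates(records: Iterable[dict], attribute: str) -> Dict[str, float]:
    """Share of approved applications for each value of one attribute."""
    approved: Dict[str, int] = defaultdict(int)
    total: Dict[str, int] = defaultdict(int)
    for rec in records:
        group = rec[attribute]
        total[group] += 1
        approved[group] += int(rec["approved"])
    return {g: approved[g] / total[g] for g in total}


def disparate_impact(records: List[dict], attribute: str) -> Tuple[float, str, str]:
    """Lowest group approval rate divided by the highest; returns (ratio, low, high)."""
    rates = approval_rates(records, attribute)
    low = min(rates, key=rates.get)
    high = max(rates, key=rates.get)
    ratio = rates[low] / rates[high] if rates[high] else 1.0
    return ratio, low, high


def audit(records: List[dict], attributes: Iterable[str]) -> Dict[str, dict]:
    """Run the disparate-impact check per attribute; flag those needing manual review."""
    report = {}
    for attr in attributes:
        ratio, low, high = disparate_impact(records, attr)
        report[attr] = {"ratio": round(ratio, 3), "disadvantaged": low,
                        "reference": high, "flagged": ratio < FOUR_FIFTHS}
    return report
```

Call `audit(SAMPLE_DECISIONS, ["region", "sex", "age_band"])` to obtain one row per attribute; a flagged row is the trigger for the human review and explanation step the article calls for, not an automatic verdict.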