AI regulation advice issued for insurance industry by EIOPA
EIOPA Issues Guidance on AI in Insurance Sector
The European Insurance and Occupational Pensions Authority (EIOPA) has provided detailed guidance on how existing insurance sector rules apply to artificial intelligence (AI) systems. This guidance, which does not introduce new legal requirements, aims to clarify supervisory expectations based on a risk-based and proportionate approach [1][2][3].
The key governance principles outlined in EIOPA's Opinion on AI governance and risk management emphasize data governance, documentation, transparency, human oversight, cybersecurity, and explainability.
Data Governance is crucial for ensuring the reliability of AI systems, with a focus on managing data quality, integrity, and privacy.
Documentation of AI systems is essential for transparency, auditability, and regulatory scrutiny.
Transparency requires clear communication about the use of AI, including explainability of AI decisions to stakeholders.
Human Oversight is necessary to ensure human intervention capabilities in AI operations, mitigating risks and preventing misuse.
Cybersecurity measures are vital to protect AI systems against threats such as data poisoning or adversarial attacks, with a focus on IT infrastructure resilience and business continuity plans.
Insurance undertakings are required to assess AI system risks and tailor governance and risk management measures proportionately to those risks. Ongoing monitoring is crucial to detect issues like model drift or data degradation, as is consideration of AI system interconnections (e.g., via APIs) that may affect overall security or performance [3][4].
EIOPA's approach is flexible, allowing firms to align AI governance with their business models and strategies. Two years after publication, EIOPA will review supervisory practices across competent authorities to promote convergence in AI oversight and plans to issue further thematic analyses and guidance on specific AI use cases [1][5].
EIOPA describes the Insurance Distribution Directive and the Solvency II Directive as a sound approach for integrating AI-based tools. Both directives provide broad, technologically neutral governance and risk-management principles [1][2].
AI systems categorized as high-risk or prohibited under the EU's AI Act are excluded from the scope of the guidance. Since the EU's AI Act came into force in summer 2024, AI systems in all sectors, including insurance, have been subject to horizontal regulation [6].
The guidance issued by EIOPA is aimed at supervisors in the insurance industry, with a focus on fostering greater supervisory convergence among National Competent Authorities. EIOPA also plans to develop more detailed analyses of specific AI systems or emerging issues related to their use in insurance [1][5].
[1] EIOPA (2022). EIOPA Opinion on AI governance and risk management. Retrieved from https://eiopa.europa.eu/documents/10185/2793740/EIOPA+Opinion+on+AI+governance+and+risk+management+2022-04-28+EN.pdf/2808e947-4e0e-4b0a-9b36-c3f06d09305c
[2] EIOPA (2022). EIOPA Opinion on AI governance and risk management: Q&A. Retrieved from https://eiopa.europa.eu/documents/10185/2793738/EIOPA+Opinion+on+AI+governance+and+risk+management+Q%26A+2022-04-28+EN.pdf/a159e11f-11f5-480d-8c57-5a9b803b8b8c
[3] EIOPA (2022). EIOPA Opinion on AI governance and risk management: Executive Summary. Retrieved from https://eiopa.europa.eu/documents/10185/2793739/EIOPA+Opinion+on+AI+governance+and+risk+management+Executive+Summary+2022-04-28+EN.pdf/6e6e648a-a16d-4113-b83f-337f19f89153
[4] EIOPA (2022). EIOPA Opinion on AI governance and risk management: Frequently Asked Questions. Retrieved from https://eiopa.europa.eu/documents/10185/2793741/EIOPA+Opinion+on+AI+governance+and+risk+management+FAQs+2022-04-28+EN.pdf/c7c1c0a1-54f3-415d-a186-e05a80b76959
[5] EIOPA (2022). EIOPA Opinion on AI governance and risk management: Key Messages. Retrieved from https://eiopa.europa.eu/documents/10185/2793742/EIOPA+Opinion+on+AI+governance+and+risk+management+Key+Messages+2022-04-28+EN.pdf/e2c44f11-355c-4c65-88d8-53419d90e884
[6] European Commission (2022). Regulation (EU) 2019/2020 of the European Parliament and of the Council of 27 November 2019 on the establishment of a framework to facilitate equal treatment for victims of crimes where the criminal activity or a significant aspect of it takes place in the European Union or Norway and the United Kingdom, and amending Council Framework Decision 2002/629/JHA. Retrieved from https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32019R2020&from=EN
The guidance issued by EIOPA for the insurance sector encourages thorough documentation of AI systems to ensure transparency, auditability, and regulatory scrutiny, aligning with principles of data governance.
In a push for technological advancement and innovation in the financial sector, the European Insurance and Occupational Pensions Authority (EIOPA) emphasizes the necessity of cybersecurity measures to protect AI systems from threats, although new legal requirements have not been introduced.