Risk and compliance implications of AI in the Insurance Industry

Artificial intelligence (AI) could be one of the biggest game changers for the insurance industry in the next 10 years: AI concepts and approaches are on the cusp of moving into the mainstream and reshaping the status quo. This will require careful consideration by all stakeholders.



Markus Salchegger - Partner - Risk Advisory - Deloitte

Thomas Wiedenmann - Senior Manager - Risk Advisory - Deloitte

Philipp Widemann - Senior Manager - Risk Advisory - Deloitte

Published on 12 February 2019




One day in 1975, a Kodak engineer decided not to embrace a prospective new digital technology, thereby sealing the fate of the world’s leading photography company. As insurance executives consider artificial intelligence (AI) and the question of whether to use this technology, they would do well to remember this decisive strategic mistake.

AI could be one of the biggest game changers in insurance history and undoubtedly constitutes a paradigm shift. It offers a wide range of opportunities: faster and more efficient claims management and application processes, better prospective healthcare advisory services, and a variety of on-demand insurance services. This boosts customer and stakeholder expectations and generates innovation pressure. At the same time, it is important to remember that the insurance sector is heavily regulated. This leads to tension between the constant drive to innovate and improve and prospective regulatory pitfalls, not to mention potential risk and compliance issues.

This article will explore the potential of AI technology and consider the implications of existing regulatory requirements and compliance risks for the usage of this technology. We will also look at a number of conflicting examples.

AI is an extremely fashionable term, but how is it defined and which technologies and approaches does it cover? AI can be defined as [1]:

  • Machine learning
  • Deep learning
  • Visual recognition
  • Speech recognition
  • Natural Language Processing (NLP)

AI software uses technology and algorithms to automatically extract concepts and relationships from data and learn independently from data patterns.

AI can be used to effectively assess drivers and trends in the insurance industry and secure further efficiency gains. These efficiency gains are making smart operating model concepts indispensable. All over the world, insurance providers are currently planning and conducting business/operating model efficiency programs. In light of this, the World Economic Forum (WEF) and Deloitte have presented a study that explores AI transformation areas like pricing, cost and claims, sales, and customer experience.[2]

AI transformation areas

Pricing and underwriting

Pricing transformation may involve adopting new underwriting and risk monitoring approaches in order to improve manual processes like document reviews or even eliminate them altogether. Automation and data analytics can also be used to increase pricing efficiency and accuracy, while sophisticated, real-time risk monitoring improves capital efficiency in back-testing and model validation.


Insurance products are complex but AI can be used to simplify the sales process and even open up opportunities in emerging markets through digital and scalable channels. Approaches like advanced visual recognition and third-party app integration can be used to improve and expand distribution strategies for every branch.

Claims and costs

Claims and costs professionals could use AI to create new workflows that will be more accurate and responsive to customer needs. For example, response processes (i.e., for claims adjudication and personal data administration) could be automated. Additionally, new analytical models and external data can be used to reduce fraud and the substantial costs associated with it.

Customer experience

The AI transformation areas we have mentioned have the potential to result in innovations throughout insurers’ entire value chain. This would have profound implications for the customer experience. AI will open up opportunities to make more efficient and focused use of internal data to provide individualized services. Real-time and geo-tracking approaches will enable users to have their needs met on demand (for example, because chatbots will handle conversations and interactions). Prevention through predictive analytics will cut costs. Given that AI will also result in innovations in the field of risk management, Deloitte tools like BEAT and EMILIE can be used to improve the customer experience.


BEAT is a fully integrated voice and interaction surveillance platform that monitors customer interactions across a variety of risk factors. It is underpinned by a Deloitte-built machine learning platform that has been trained to identify negative outcomes using a variety of language and behavioural elements.


EMILIE is a chatbot using cognitive technologies that allows a user to speak to the system in natural language as if he or she were talking to another person. EMILIE automatically detects the user’s intent and asks any follow-up questions to fulfil any pre-programmed requests.

AI and the regulatory landscape

AI is developing fast, and so is the need for authorities to assess the suitability of existing regulatory requirements and establish new regulatory frameworks that will set long-term standards for the usage of this highly data-driven technology. However, the gap between the surveillance capabilities of regulators and compliance teams is widening. Nevertheless, the adoption of AI strategies in the insurance industry will directly lead to the tremendous challenge of managing the pace of technological progress and the extent of regulation in regions like Germany, Europe, and the United States.

The General Data Protection Regulation (GDPR) in the EU affects all of the transformation areas we have mentioned. Data portability and customer data usage disclosure requirements are just two examples of the challenges ahead.[3] The fields of data analytics and machine learning affect topics like pricing optimization, claims management, and payment processes, as well as individualized solutions and digitalized sales strategies. It is really an ordeal to collect, handle, and manage GDPR-compliant data within AI data black boxes.

Simultaneously, the Department of Defense in the US has established a project for Explainable Artificial Intelligence (XAI). The aim of this program is to provide machine learning techniques via an open platform that offers models that are easier to understand and enable humans to understand and manage AI-driven innovation.[4] Furthermore, the White House has also declared ownership of data as well as its responsible and traceable usage as a topic of the utmost importance.[5]

The claims/costs transformation areas as well as sales and user experience are heavily driven by compliance aspects such as sanction and embargo requirements, identity validation, and data traceability. These topics are currently under scrutiny by authorities in all of the regions mentioned. If underwriting is automated, exposures in sanctioned countries could be covered. Payments could be processed on behalf of people or companies that are on blacklists. Furthermore, fully digitalized and automated identification processes could fail. If AI is used for information relating to tax and financial reporting, companies need to keep the key figures and data processing procedures as well as their corresponding technical and functional documentation to assure historiographic transparency and evidence.

Especially as regards sales transformation, the insurance distribution directive (IDD) contains regulator expectations in the context of AI techniques that require action. For example, the IDD states that every customer must be provided with the best possible service in respect of price and performance[6]. It cannot be guaranteed that highly individualized data-driven solutions will meet this obligation and not deprive the client of access to other prospective services.

The application of AI in the context of Pillar I of Solvency II also requires a very high level of data quality. It is mandatory for data quality criteria in relation to accuracy, completeness, and appropriateness to be met by internal models. Additionally, the actuarial function is in charge of the data quality of technical provisions, for example.[7]

Requirements for insurers’ businesses to be organized in a suitable manner, which are often derived from subordinated jurisdictions of the European Insurance and Occupational Pensions Authority (EIOPA) and National Association of Insurance Commissioners (NAIC) in the US, also emphasize data responsibility, traceability, and historiography, irrespective of whether or not companies use AI.

In many regions, equal treatment acts such as the German General Equal Treatment Act (AGG)[8] and Title VII of the Civil Rights Act in the US[9] also contain high risks regarding automated and optimized pricing approaches. It could be the case that AI is unable to ensure equal treatment, e.g., regardless of gender and origin. This has the potential to result in significant fines and consequences.

But what should insurers do now? As the graphic outlines, they can choose to adopt one of three possible stances.

Firstly, there is the risk-averse stance that involves avoiding risk at all costs and waiting for stricter, clearer regulations. The opportunities are that organizations may save money and stay successful through traditional values and unbroken trust in their brand. The risk is that these conservative organizations will end up like the former world-class photography company.

Secondly, there is the balanced stance in which opportunities and risks are well-balanced and organizations do not embark upon an AI transformation without an implemented risk and compliance management concept and assessment. Based on this, the business and target operating models are designed via risk-based approaches and recognize prospective pitfalls throughout the value chain.

Thirdly, there is the first-movers’ stance. Leading firms may embrace the opportunities associated with being a pioneer, believing that innovation will win out over risk. Nevertheless, their risk exposure is extensive because digitalized value chains based on AI are not compliant and sunk costs could be significant.

Which stance do you prefer?


[1] Deloitte 2017: Managing Risk with Artificial Intelligence

[2] WEF 2018: New Physics of Financial Services

[3] The General Data Protection Regulation (EU) 2016/679 (“GDPR”)

[4] Defense Advanced Research Projects Agency: Explainable Artificial Intelligence

[5] The White House (2018): Briefing Statements, Artificial Intelligence for American people

[6] Insurance Distribution Directive (EU) 2016/97

[7] Solvency II Delegated Acts (EU) 2015/35

[8] Federal Government of Germany: Allgemeines Gleichbehandlungsgesetz (AGG)
[9] U.S. Equal Employment Opportunity Commission: Title VII of the Civil Rights Act of 1964 (Pub. L. 88-352)


As our examples illustrate, AI is an up-and-coming technology that will disrupt core insurance and enterprise functions. The outlined requirements within transformation areas show that data is the main issue and challenge in terms of innovation. Data is both a blessing and a curse, and insurers have an obligation to carry out appropriate useful data preparation as well as regulatory conformity handling as regards operational, reputational, strategic, and regulatory risks. Well-balanced handling of opportunities and risks via risk-based operating models will ensure insurers are able to address.
