Legislation – 2018 Insurance market | DAC Beachcroft


At a glance

Automated and Electric Vehicles Act 2018

Civil Liability Bill

Counter-Terrorism and Border Security Bill

Data Protection Act 2018, General Data Protection Regulation and ePrivacy Regulation

Energy Efficiency (Private Rented Property) (England and Wales) Regulations 2015

European Union (Withdrawal) Act 2018

Financial Guidance and Claims Act 2018

Insurance Distribution Directive

Network and Information Systems Regulations 2018

Senior Managers and Certification Regime

Automated and Electric Vehicles Act 2018. 

This Act received Royal Assent in July 2018. In addition to enabling policy regarding electric vehicle charging infrastructure, the Act sets out a new compulsory insurance framework for ‘out of loop’ automated driving, paving the way for the introduction of highly automated vehicles (AV) on Britain’s roads by 2020/21.

The key provisions include:

  • A system of classification. The Secretary of State for Transport is required to publish and keep up-to-date a list of motor vehicles that require an AV policy. The definition of AV has been tightened to ensure that it covers only Level 4 and 5 vehicles that are capable of automated driving, and not where the driver is expected to retain an element of control.
  • A ‘single policy’ approach. Motor liability insurers are required to deal with all claims where the vehicle is operating in AV mode at the time of an incident and where the vehicle was at fault. This duty extends to the ‘disengaged’ driver of the AV, who is effectively treated as a third party. It further extends to situations where the AV is hacked by a third party. This approach ensures simplicity for consumers and a swift route to compensation for innocent victims of road traffic collisions.
  • A right to exclude or limit liability. Insurers have the right to limit or exclude their liability where the policyholder or person in control has failed to undertake “safety-critical software updates” or if unauthorised modifications have been made. However, in order to exclude or limit liability in respect of an insured person who is not the policyholder, that person must have knowledge of the fact that the vehicle was operating with out-of-date software, or that an unauthorised modification had been made.
  • A right of recovery. Insurers are to be given a statutory right of recovery against the manufacturer of the AV, following established product liability laws, preserving the ‘state of the art’ defence. It is anticipated that the supply chain for AV will be complex, including both hardware and software manufacturers. Insurers will need to work with vehicle manufacturers to ensure efficient processes for recoveries. In order to achieve this and to avoid unnecessary frictional costs, a post-collision data sharing agreement is imperative.
  • Limitation. The schedule to the Act makes provision for the necessary amendments to the Limitation Act 1980 to ensure that victims of road traffic collisions caused by AVs have three years from the date of accident or knowledge to bring a claim, in keeping with the insurance framework for conventional vehicles.
  • Review. The Secretary of State for Transport is required to report, within two years of publication of the list of AV, on the impact and effectiveness of section 1 (classification of vehicles requiring an AV policy) and also the extent to which the provisions of Part 1 ensure that appropriate insurance is in place for vehicles that are capable of safely driving themselves.


Civil Liability Bill 

On 20 March 2018, this Bill was laid before Parliament, driving on the whiplash reforms and introducing changes to the process by which the discount rate is calculated and reviewed. At the time of writing, after robust scrutiny in the House of Lords, the Bill is continuing its progress through Parliament.

Part 1 of the Bill relates to whiplash reform and, to a significant extent, reflects the provisions of the Prisons and Courts Bill (which failed to proceed into legislation due to the 2017 snap general election). Damages for whiplash injuries (which may include minor psychological injuries) are to be calculated by reference to a tariff (which is to be set by regulations) and pre-medical report offers are to be prohibited. The definition of whiplash injuries has been extended to include injuries to soft-tissue in the neck, back and shoulder.

This part of the Bill has proved to be somewhat contentious. An attempt to remove the tariff altogether was only narrowly avoided in a Lords' vote. The Bill can expect further scrutiny as it passes through the House of Commons. The Government has said it will make insurers ‘accountable’ for their commitment to pass on savings to consumers.

The Government had intended the whiplash reform elements of the Bill to be implemented by April 2019; in its response to the Justice Select Committee's report dated 17 July 2018, it now proposes testing of the new system from October 2019 and implementation of the new measures, including the increase in the small claims track, by April 2020.

The mechanism for reviewing the discount rate, which was reduced in February 2017 from 2.5% to minus 0.75%, is the subject of Part 2. The Bill amends the level of risk on which the rate is based from very low risk or no risk, to a range from more than a very low level of risk to less risk than would ordinarily be accepted by a prudent and properly advised investor who has different financial aims. This move is expected to see the discount rate rise to between 0% and 1%.

In a welcome move, the Government has given in to pressure in the House of Lords to conduct the first review as soon as possible. Amendments have been agreed to remove the need for an expert panel for the first review and to start that review within 90 days of Royal Assent, without needing a further Order to bring these measures into force. Allowing for parliamentary uncertainties, it remains probable that a new discount rate will be set before the end of Q1 2019.

For subsequent reviews, the Bill requires the Lord Chancellor to establish an advisory panel of four independent experts, chaired by the Government Actuary, who will review the rate not less than every five years. The focus of all reviews will be on actual investment behaviours and real-world analysis of investment returns.

Insurers and compensators should be encouraged by the progress of these reforms. The implementation of the Bill should maintain the principle of 100% compensation and ensure that damages for whiplash injuries become proportionate to the level of pain and suffering they cause.

This Bill only applies to England and Wales. Scotland has recently produced its own draft legislation on the discount rate, with a similar but slightly different review mechanism proposed. The Damages (Investment Returns and Periodical Payments) (Scotland) Bill will proceed broadly in parallel, with implementation expected in mid-2019. That Bill also includes provisions to permit the courts in Scotland to order periodical payments whether or not the parties consent, bringing the Scottish system into line with the powers existing in England and Wales since 2005.


Counter-Terrorism and Border Security Bill 

The legislation governing Pool Re originally limited coverage to physical damage to property and business interruption resulting directly from it. However, it has become apparent in recent years that, if it is to provide a comprehensive solution for the market, Pool Re needs to extend the cover provided.

In November 2017, Pool Re announced an extension to its cover to include damage caused by acts of terrorism using a cyber trigger. This became available with effect from April 2018.

The Government has now gone further, announcing in a written ministerial statement on 22 March 2018 its intention to amend the Reinsurance (Acts of Terrorism) Act 1993. On 6 June, this Bill was introduced to the House of Commons. The amendments will extend cover to include terrorism-related non-damage business interruption losses. If the Bill is passed, Pool Re will be the first terrorism insurance pool in the world to extend its cover in this way. In taking this step, the role of Pool Re will remain relevant to the London market and the evolving nature of risks being addressed by a wider spectrum of insurers.


Data Protection Act 2018, General Data Protection Regulation and ePrivacy Regulation 

Data protection law in the UK has received a radical overhaul in 2018. The EU’s General Data Protection Regulation (GDPR) applied directly in all member states from 25 May 2018; the UK’s Data Protection Act 2018 was enacted on 23 May 2018 and its main provisions came into force on 25 May 2018; the EU’s ePrivacy Regulation is expected to be approved in late 2018.

The GDPR aims to protect EU citizens’ personal data regardless of where that data is processed. Businesses that collect, record, use or disclose data relating to an identified or identifiable natural person are now required to comply with the GDPR standards on data processing, record keeping, risk management and data breach reporting, or face fines of up to the higher of €20 million or 4% of annual global turnover.

The Data Protection Act 2018 replaces the 1998 Data Protection Act with a new, comprehensive data protection framework designed for the digital age. This lengthy piece of legislation implements the GDPR standards alongside UK legislation covering law enforcement data, national security data and permitted exemptions to the GDPR. The Act aims to ensure modern data use can continue while strengthening the control and protection individuals have over their data.

The key provisions include:

  • Implementing the GDPR standards into UK law across all general data processing.
  • Tailored exemptions from the GDPR for certain organisations operating in journalism, research, financial services and legal services.
  • Setting the age when children can give consent for the online processing of their personal data at 13.
  • Giving citizens more control over their data including the right for 18-year-olds and over to have their data deleted if there are no legitimate grounds for retaining it.
  • Providing a bespoke regime for the processing of personal data by the police, law enforcement and criminal justice agencies.
  • Providing appropriate safeguards to enable the intelligence agencies to manage security threats.
  • Providing additional powers for the Information Commissioner to regulate and enforce data protection laws including the ability to levy fines up to the higher of €20 million or 4% of an organisation’s annual global turnover for the most serious breaches.
  • The preservation of existing offences in the 1998 Act and the introduction of new offences of (i) intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data and (ii) altering records with the intent to prevent disclosure.

Possibly the most important provision for the insurance industry is the creation of a new legal ground for processing special categories of data were necessary for an insurance purpose. A full overview is provided in Other Developments.

The ePrivacy Regulation will bring in higher privacy standards for electronic communications. Electronic communications service providers will need to comply with strict rules covering the processing and storage of content and metadata, direct e-marketing communications and the use of cookies. The initial implementation date was 25 May 2018 to coincide with the GDPR, but this timetable proved too ambitious. It is unclear whether the UK will have left the EU by the implementation date (which, at the time of writing, has not been fixed), but the UK has said it will maintain EU data protection standards after Brexit.


Energy Efficiency (Private Rented Property) (England and Wales) Regulations 2015 

These Regulations came into force on 1 April 2018 and require landlords of privately rented domestic and non-domestic property in England and Wales to ensure that their properties are compliant with the Minimum Energy Efficiency Standard. This Minimum Standard requires at least an Energy Performance Certificate (EPC) rating of E before a landlord can grant a new tenancy to new or existing tenants.

This Minimum Standard will be extended to apply to all rented properties, irrespective of whether a new tenancy is being granted, from 1 April 2020 for domestic properties and 1 April 2023 for non-domestic properties.

Landlords should check their property and consider energy efficient improvements or risk their portfolio becoming unmarketable in 2020. Exemptions do exist but must be registered. Landlords who do not take action before a new letting can face fines of up to £150,000.

Insurers should continue to ask residential and commercial landlords more specific questions about energy efficiency and occupancy and consider the impact on their reinstatement provisions. 2018 is also seeing the emergence of new energy efficiency insurance to offer protection against a shortfall in energy savings, giving property owners and lenders a guarantee that savings will be achieved even if the energy saving initiatives do not yield intended results.


European Union (Withdrawal) Act 2018 

Brexit will continue to create considerable uncertainty for insurers and brokers, not least because all agreements between the UK and the EU27 are likely to be inter-conditional – in other words, nothing is agreed until everything is agreed. Political brinkmanship has long been a characteristic of EU negotiations, but it makes planning for the future a complex exercise.

Assuming agreement is reached and ratified, the key date will move from 30 March 2019 to 1 January 2021. This is the date that the proposed transition agreement will fall away, meaning that most of the consequences of the UK leaving the EU will be deferred until that date. However, we are no closer to clarity on whether, for example, passporting will continue after that date or what the implications will be for EU27 nationals wishing to live and work in the UK, or vice versa.

The UK has at least set out its position on EU27 insurers and brokers that wish to continue carrying on business in the UK post-Brexit. HM Treasury announced on 20 December 2017 that it would, if necessary, legislate to create a ‘temporary permission’ regime to enable European Economic Area (EEA) firms that currently passport into the UK to continue their activities in the UK for a limited period after Brexit. It will also ensure that obligations under insurance contracts can continue to be met by such insurers after Brexit, even in the absence of any wider deal on passporting.


Financial Guidance and Claims Act 2018 

This Act, which received Royal Assent on 10 May 2018, will merge three Government-sponsored guidance services (the Money Advice Service, the Pensions Advisory Service and Pension Wise) to create a new Single Financial Guidance Body (SFGB). The SFGB should be operational from late 2018 and should help ensure that members of the public can access good-quality, free-to-client, impartial financial guidance and debt advice.

The Act also introduces changes to the regulation of claims management companies (CMCs). The scope of regulated activities continues to include referral, advice and management of claims for defined service areas, notably claims for personal injury and the mis-selling of financial products. Tougher regulation is expected when the Financial Conduct Authority (FCA) takes over regulatory responsibility of CMCs from the Ministry of Justice in April 2019. CMCs will be subject to mandatory re-authorisation by the FCA, to include the Senior Managers and Certification Regime and there will be tougher rules on advertising and marketing, as well as tougher sanctions for non-compliance. The FCA will cap the fees that CMCs can charge for their services in financial mis-selling claims, with the power to impose similar caps in other areas if needed.

In a notable victory for interested Peers, including DAC Beachcroft’s Lord (David) Hunt of Wirral, the Act extends regulation of CMCs to Scotland for the first time. This should help to combat the growing spectre of personal injury claims fraud in Scotland.

Under the Act, the Secretary of State can pass regulations banning pension-related cold calling, which would be enforced by the Information Commissioner’s Office. The Secretary of State must also keep under review (with advice from the SFGB) whether a wider ban in respect of financial product cold-calling is required.

Complaints handling will transfer from the Legal Ombudsman to the Financial Ombudsman Service, giving it jurisdiction to investigate and determine consumer complaints about the service provided by CMCs.


Insurance Distribution Directive 

The application date of the Insurance Distribution Directive (IDD) has been delayed from 23 February 2018 to 1 October 2018.

The IDD is a minimum harmonisation directive, meaning that member states can set higher standards provided there is no conflict with the IDD. Key changes include mandatory pre-contractual disclosure in respect of non-life products in a standardised form using an Insurance Product Information Document. Distributors will also need to disclose remuneration. For intermediaries, this means disclosure of the nature and source of any remuneration and, where a fee is paid, the amount of the fee, in addition to any post-contractual payments. For insurers, this means disclosure of the nature of remuneration received by employees.

Introducers who do no more than pass details of potential insureds to insurers or other intermediaries will be out of scope. This should reduce the regulatory and contractual burden on insurers and intermediaries who, to date, may have appointed such introducers as introducer appointed representatives.

The Financial Conduct Authority has consulted on changes to its rules to implement the IDD and its final rules were published on 25 May 2018.


Network and Information Systems Regulations 2018 

These Regulations came into force on 10 May 2018 and implement the EU’s Directive on Security of Network and Information Systems. They aim to prepare the UK for cyber- attacks on vital infrastructure, boost cyber security and resilience, and encourage cross-border co-operation with other EU nations through the exchange of information.

Under the new regime, Operators of Essential Services (OES), such as energy, transport, health, food and water, and Relevant Digital Service Providers (RDSP), such as cloud computing service providers, online marketplaces and search engines, must implement technical and organisational security compliance standards and comply with reporting obligations in relation to security incidents.

Different ‘competent authorities’, such as government departments for transport, gas and electricity and the Information Commissioner’s Office, are responsible for monitoring compliance and enforcement of these standards

for their sectors. They are empowered to issue fines of up to £17 million for contraventions. Organisations that breach both the new legislation and other legislation, such as data protection or safety legislation, could potentially be issued with fines by different regulators for different aspects of wrongdoing in relation to the same underlying security breach.

The WannaCry ransomware virus that crippled the NHS in May 2017 exposed some of the vulnerabilities to cyber- attack that exists in the UK’s infrastructure. OES and RDSP and their insurers will want to prevent similar attacks and avoid significant fines by adopting appropriate security measures to manage risks to their IT systems.


Senior Managers and Certification Regime 

The Senior Insurance Managers Regime came into force in 2016, replacing the approved person regime for certain senior individuals within insurance companies.

A similar regime, the Senior Managers and Certification Regime (SM&CR) were put into place in 2016 for banks and some investment firms. The SM&CR is now being extended to all authorised firms (including insurance brokers). Significant changes are also being proposed for insurers.

There are three key parts to the regime:

  • Senior Managers Regime: senior managers who perform key roles will require regulatory approval before starting their roles. Each senior manager will have a statement of responsibilities set out what they are responsible and accountable for.
  • Certification Regime: firms will need to check and confirm that certain individuals (those whose role means it is possible for them to cause significant harm to the firm or its customers) are fit and proper.
  • New conduct rules will apply to almost all employees in a firm. The SM&CR will commence for insurers on 10 December 2018. For solo-regulated firms (such as brokers) the regime will commence on 9 December 2019.

The SM&CR will commence for insurers on 10 December 2018. For solo-regulated firms (such as brokers) the regime will commence on 9 December 2019.