Source@RPC - October 2023

Published on 31 October 2023

The aim of Source@RPC is to provide lawyers, procurement professionals and CIOs/CTOs (amongst others) with a regular update on the legal implications and risks (and how best to manage them) of sourcing and utilising technology and outsourced technology-enabled services, as they affect businesses operating in the insurance and financial services sector.

Technology continues to play an ever more important role in the insurance and wider financial services market. Cloud based services are being adopted at an increasing rate and across more business-critical applications, replacing traditional "on premise" arrangements. Businesses are in the midst of trying to understand the benefits and risks of AI. Cyber risks are prevalent and the potential harm they can cause to those that use and rely on data are significant. At the same time regulation, relating to how technology and data is procured and used, continually looks to keep up with the pace of change but rarely makes things simpler.

AI Safety and Anticipated Regulation

UK Government to hold world's first AI safety summit amid anticipated regulatory guidance

The UK Government will host the world's first international summit on safety in artificial intelligence for two days from 1 November 2023.  The event will see leading AI companies and experts come together to discuss the risks associated with AI and the possible mitigations. The Government is aiming for the summit to spark coordinated international action, whilst also showcasing the UK as a global leader in the AI space.

This autumn has also brought, and is expected to bring, several important updates on the future of AI regulation in the UK.

Key points to note:

  • The Government has remained firm in its non-statutory regulatory approach (first outlined in its AI White Paper in March this year), doubling-down on its position that heavy regulation of AI at this early stage is not appropriate and not conducive to encouraging innovation.
  • The results of the CMA's review into AI foundation models are expected to be published shortly (originally scheduled for September).
  • The House of Lords Communications and Digital Committee's inquiry into the risks and opportunities posed by large language models, with input from the ICO and Ofcom, closed for evidence in September and the findings are due in the coming weeks and months.
  • Businesses with questions about the future role of AI in their organisations will welcome clarity from the Government and regulators on the future of AI in the UK, and should keep a watching brief as more information becomes available.

To find out more about the UK's approach to AI, click here. See also the updated guidance from the ICO, covered under the Data section.

EU – AI Act

AI Act (2024)

The EU is due to introduce its new Artificial Intelligence Act (AI Act), which will establish a range of regulatory obligations which will apply to developers, deployers and users of AI.

The obligations imposed will vary depending on the risk profile of the AI solution in question. This has sparked debate among key political groups around how the law classifies AI systems as "high risk", as many are keen to ensure that only "true" high risk cases are captured by the most onerous regulation.

Key points to note:

  • The AI Act will likely come into effect in 2024.
  • Financial services and insurance sector businesses intending to implement AI into their supply chains or outsourced operations should consider whether any customers in the EU will be impacted by the system in question. If so, stringent compliance obligations may apply. Those obligations will be in addition to the obligations imposed by UK government or regulators.

To find out more about the EU's AI Act, click here.

To find out more about the progress of the Bill, click here.


ICO updates its guidance on AI and data protection

All businesses including those in the financial services and insurance sectors considering incorporating AI into their products or service offerings should review their proposed activities against updated guidance from the Information Commissioner's Office (ICO) on "AI and data protection" to ensure compliance. This update seems to have been prompted by the ICO's recent commitment to assisting businesses in their implementation of new technologies, and industry concerns around the uses of generative AI.

For all businesses which are considering incorporating AI technology into their product or service offerings  the updated guidance clearly sets out  the measures which they need to implement to ensure that they process personal data in a lawful, fair, and transparent manner. Businesses should note that, by following and implementing the recommendations detailed by the ICO, they can mitigate the risk that their use of AI technology will become the subject of an ICO enforcement action in the future.

Key points to note:

  • The updated guidance provides businesses with a clear methodology for evaluating the risks presented by AI applications.
  • For a practical, step-by-step guide on how organisations can reduce the risk of enforcement action being taken against their products and services, the ICO has developed an "AI and data protection risk toolkit". This toolkit, when viewed together with the ICO’s AI guidance, provides a template can assist you with  comparing your organisations  internal AI design and development processes. 

To find out more about the ICO's latest guidance on AI, click here.

Case Law – Termination of a Software Agreement (failure to meet timelines)

Rolls-Royce entitled to hit the brakes in dispute over termination of a software services agreement (Topalsson v Rolls-Royce)

In Topalsson GmbH v Rolls-Royce Motor Cars Limited [2023] EWHC 1765 (TCC) the High Court has provided useful guidance on how to determine whether a software implementation timeline agreed by the parties is binding, when implementation is considered complete and in what circumstances a failure to complete implementation by the contractual deadlines entitles the customer to terminate the contract.

In Topalsson, the High Court held that the defendant (Rolls Royce) had validly terminated a software agreement with the claimant and awarded damages in Rolls-Royce's favour.

Key points to note:

  • Make sure your contractually binding milestones and any key requirements are clearly recorded in the contract (or that it provides clear mechanisms for agreeing them later) to avoid subsequent confusion and disputes arising as to whether deadlines are binding and when they have been achieved.
  • Consider whether time is expressed to be "of the essence" in the contract (whether in general or, more likely, in relation to specific, key milestones). If time is of the essence, this must be clearly drafted in your agreement and the provision must be consistent with the termination clause.
  • Ensure you seek appropriate legal advice when drafting a termination notice and/or receiving a termination notice. Parties seeking to terminate for repudiatory breach or based on a contractual right should, in the notice of termination, take care to rely on valid legal and factual bases to do so, or else risk being in repudiatory breach themselves.

To read more about Topalsson v Rolls-Royce and the key points to note from this case, click here.

EU Data Act and the Cloud

The EU Data Act and its impact on Cloud

The European Parliament and Council reached political agreement on the EU Data Act (the Act) on 27 June 2023, and the Act now awaits formal approval. The Act seeks to help to increase the ability to use and access non-personal, industrial data in the region and will also establish interoperability requirements to make it easier for users of cloud solutions to move between providers and to also utilise the products of different providers concurrently.

The Act will seek to achieve this by introducing the following:

  • measures to limit the charges cloud providers can apply to users seeking to switch to another cloud provider to improve competition;
  • new contractual obligations on cloud providers, including a termination right requirement in favour of cloud customers;
  • a new standardisation framework to facilitate interoperability to remove barriers to the sharing of data across platforms; and
  • safeguards against unlawful data transfers by cloud providers to enhance user trust.

Although cloud services can positively impact data access and business operations, as well as reduce costs, there are risks inherent in moving to (or within) the cloud (especially for more business critical applications) which firms in the financial services and insurance sectors should consider.

Risks include: service downtime and inability to access data; supplier suspension rights; adequacy of cloud provider security and privacy measures; integration complexity with existing systems; and compliance issues (such as the relative loss of control over the underlying cloud infrastructure, application and data in the case of supplier failure).

One of the often perceived benefits of the cloud is the ability to change providers.  In practice, however, migration from one cloud provider to another and can carry both operational and commercial risks (such as prohibitive exit fees).   

Key points to note:

  • After its adoption, the Act will enter into force on the 20th day following publication in the Official Journal. It will then apply 20 months after entry into force. Cloud providers will be preparing to incorporate the new contractual requirements set out in the Act into their terms and other practical methods to comply with the proposed requirements. Customers will be keen to see how the changes work their way through for their benefit.
  • The Act is expected to have extra-territorial effect, which means that products and services supplied into the EU will also be within scope.
  • In addition to this, UK-domestic changes could be on the horizon as Ofcom is currently conducting a consultation into the supply of cloud services in the UK, which also covers research into barriers to interoperability and portability to ascertain whether regulatory action is required.


Regulatory change - a potential driver for investment in tech (RegTech) and new systems and controls

Recent years have seen a significant amount of regulatory change for the financial services market culminating in the Consumer Duty this summer which could be one of the most significant changes since financial market regulation began. See our blog earlier this year on the regulatory pipeline of initiatives for 2023 and beyond.

Technology that assists or facilitates compliance with regulatory requirements in a more efficient and effective manner than existing capabilities is referred to as "RegTech". RegTech is becoming increasingly prevalent in the financial services market and a report by Thomson Reuters earlier this year suggested that in 2022 over half of respondents asked in the financial services market have used a RegTech solution for regulatory compliance purposes.

One of the key areas of the Consumer Duty where technology may be particularly useful is in respect of the collection and use of management information. The Consumer Duty requires firms to take a proactive approach to assessing and evidencing their on-going compliance with the Consumer Duty and performance against delivering good "Customer Outcomes" and avoiding "Customer Harm".

Technology is likely to feature in a number of ways in relation to management information and the Consumer Duty, for example:

  • In the collection of management information, firms are likely to need to seek feedback from customers during the lifecycle of products and this will probably lead to increased use and investment into tools and widgets, (such as online pop-up widgets asking customers to give feedback on their experience of the insurance product).
  • When using management information and given the breadth of data, this is likely to involve new technologies (possibly involving artificial intelligence) which may be utilised to ingest and analyse data. Technology and forms of automation could also ensure that sources of poor outcomes and harm are identified quickly, and key trends in this regard are detected.
  • The new Consumer Duty rules require firms to evidence their compliance, and this has to be backed up by management information (available to the FCA on request). Here technology could be used to convert data into evidence conveying a firm's adherence to the rules.
  • The Consumer Duty also requires firms to act on management information and technology could automate certain forms of remediation and risk tracking. Where poor outcomes or instances of harm are identified, certain forms of technology could make it quicker to address the issue and or even automate the process of resolving it.

Key points to note:

  • Under the Consumer Duty, firms are expected to take the initiative and do more to monitor customer outcomes and prevent foreseeable harm from occurring.
  • The increased adoption of technology by financial regulators is likely to further drive the proliferation of RegTech. In the FCA's recently published "Regulatory Business Plan for 2023/2024", it highlighted its aim to become a lead data regulator as much as a financial one, by investing further in cloud technology and new digital capabilities.
  • The FCA's ambition to be at the forefront of global AI safety regulation is perhaps best exemplified by its role in the creation of a new "regulatory digital sandbox service" for the testing and development of new AI technologies. Unsurprisingly then, it may be that regulators end up being the chief drivers of change in the RegTech sphere.


The Procurement Bill

The Government is implementing new procurement rules that will substantively amend the rules governing the awarding and monitoring of contracts by public authorities (including the procurement of insurance contracts) The Government's stated intention is to make public procurement "simpler, faster, more transparent and less bureaucratic".  Transparency, in particular, is a theme that runs throughout the Bill.  The Bill is in its final stages before receiving Royal Assent and is now likely to come into force in 2024.  Whilst not yet in final form, the Bill includes the following key elements:

  • Rationalisation - A fundamental aim of this Bill is to amend and restate a number of pieces of relevant legislation into a single Act.  The Bill provides for the continuation of principles such as transparency, equal treatment and non-discrimination and introduces new considerations around value for money, maximising public benefit and integrity.  Contracting Authorities will also be obliged to consider barriers to SMEs and consider what can be done to break down any such barriers.
  • Streamlined, flexible tender processes – the Bill rationalises the procurement process options to: (i) an open process; (ii) a limited tender process (similar to "direct award"), or (iii) a competitive flexible process, essentially allowing the process to be determined by the Contracting Authority (subject to compliance with the Bill).
  • Transparency – as noted, transparency is a key feature of the Bill.  Contracting Authorities will have increased obligations to publish information as to the status of any intended procurement, the procurement process and key steps during the process.  Additional information to be published will include copies of contract themselves, payments, performance (including performance failures), changes and expiry notices.  Transparency extends to the operation of a contract - including requirements that seek to ensure that contracts are appropriately managed (including publishing a supplier's performance against KPIs on an annual basis).
  • Award criteria – the Bill moves from the requirement to award to the "most economically advantageous tender" to the "most advantageous tender". This could enable Contracting Authorities to place greater weighting on general policy matters including ESG criteria and wider policy objectives.

Key points to note:

  • The Bill introduces substantive changes for entities involved in public procurement projects though, arguably, the changes are evolution rather than revolution. 
  • Contracting Authorities will have increased obligations to "open the books" around key decisions both in the procurement process and in the life of the contract. 
  • Disappointed Bidders may have further opportunities (and more publicly available evidence) with which to challenge ineffective processes.
  • Successful contractors will need to be aware that evidence of their performance and the operation of the contract will be made publicly available. 
  • Whilst contracts for certain financial services will remain exempt, the procurement of insurance contracts (of sufficient value) are likely to be covered by the Bill.  Over and above that, those financing and insuring businesses supplying to the public sector and/or publicly financed projects should also be alive to the changes.

Stay connected and subscribe to our latest insights and views 

Subscribe Here