1 Introduction

This article seeks to contribute to the relevant policy and legal discourse about the digital transformation of financial market governance in the EU focusing on issues of transnational insurance supervision. It explores the minimum steps required to integrate data sharing, data analytics and automated monitoring in EIOPA’s supervision, and the opportunities and challenges that EIOPA is likely to encounter. At a more theoretical level, this article illustrates the explanatory power of current theoretical scholarship on algorithmic regulation in the field of EU insurance regulation. Developments in this specific field of EU law deserve special attention. Quite apart from the significance of a robust insurance market for EU economic growth and prosperity, as this chapter is going to show, the digitalisation of transnational insurance oversight in the EU exhibits a range of challenges that are not present when similar initiatives are confined within the jurisdictional boundaries of a specific sovereign State.

The main thesis of this chapter is that a system of digital reporting is an essential precondition for the implementation of insurance supervisory technology (SupTech) in the EU, but setting it up may prove to be an incredibly challenging project in reality. To substantiate this thesis, Sect. 2 provides a brief overview of EIOPA, its operating environment and how principles of EU administrative law shape its SupTech mission and mandate. Section 3 portrays the Authority’s role in the digital transformation of insurance supervision in the EU and the evolution of its strategy to point to an important blind-spot: the absence of a comprehensive plan of action for the development of a digital system of regulatory reporting in the field of EU insurance supervision. Section 4 proceeds to discuss a series of themes in relation to the setting up and running of a system of digital reporting in anticipation of future challenges, and to briefly outline potential responses to those problems. These relate to the limitations of the technology that will be required for digital reporting given its current and foreseeable degree of sophistication, a series of difficulties with the conversion of regulatory content into code and, lastly, issues of reporting architecture and governance. The chapter concludes with a summary of its main findings.

Our methodology is partly theoretical, partly comparative, and partly diagnostic. On the one hand, it borrows insights from a burgeoning body of interdisciplinary literature in the field of algorithmic regulation to articulate the main tenets of EU supervisory technology in the field of insurance. On the other hand, it compares EU developments with experience in the UK and other jurisdictions to contextualise the discussion and explore potential solutions. For this article, the term algorithmic financial supervision will be understood in its broadest possible sense as a decision-making system that undertakes regulatory activities by continuously generating knowledge through computation of real-time data collected from the regulated environment, in order to optimise regulatory processes.Footnote 1 EU public discourse on digital transformation of the governance of the EU Single Market draws a distinction between Fintech and RegTech, and perceives SupTech as an aspect of RegTech. For this chapter, we adopt the same conceptual distinctions.Footnote 2

2 EIOPA, Its Operating Environment and How EU Principles of Administrative Law Shape Its SupTech Mission

EIOPA executes its digital supervision strategy within the legal and institutional framework of the European System of Financial Supervision (ESFS), whose objective is to promote market integration through legal convergence, and also consumer protection and financial stability.Footnote 3 The ESFS shapes and constrains the feasibility of an EU-wide system of digital reporting significantly because it is structured along EU principles of administrative law which act as constitutional and administrative boundaries to the respective mandates of the European Supervisory Authorities (ESAs) including of course that of EIOPA.Footnote 4 For present purposes the following four are of particular relevance: the conferred powers principle, the subsidiarity principle, the proportionality principle, and the Meroni doctrine.

2.1 The Conferred Powers Principle

The principle of conferred powers provides that the EU’s competencies are limited to those conferred on it under EU treaties.Footnote 5 The principle has three dimensions: (i) the EU’s competence to establish an agency; (ii) whether the agency’s powers form part of the EU’s competencies; and (iii) whether the agency has been granted those powers under its founding EU legislation.Footnote 6 For present purposes, the discussion is limited to the last question: whether, under its founding legislation, EIOPA has the competencies to establish EU-level digital reporting. This necessitates an analysis of its objectives, tasks and powers.

EIOPA is an operationally independent Union agency with responsibility over the supervision of the insurance and occupational pensions sector in Europe. In pursuit of its mission, EIOPA undertakes a series of initiatives to promote supervisory convergence, strengthen consumer protection and preserve financial stability. Specifically, the objectives of EIOPA include preventing regulatory arbitrage and promoting competition, regulatory harmonisation and supervisory convergence among national regulators.Footnote 7 It also includes strengthening international supervisory coordination, regulating and supervising risk-taking by regulated entities, enhancing customer and consumer protection, and enhancing supervisory convergence across the internal market.Footnote 8 These objectives ultimately feed into the objective of ensuring the integrity, transparency, efficiency and orderly functioning of the internal market.Footnote 9

EIOPA’s supervisory tasks include the development of draft regulatory and implementing technical standards, guidelines, recommendations, opinions, and other related measures.Footnote 10 In addition, EIOPA is tasked with contributing to the consistent application of legally binding Union acts; organising and conducting peer reviews of National Competent Authorities (NCAs); and undertaking market analysis to inform the discharge of the Authority’s functions.Footnote 11 Other tasks include the protection of insurance sector consumers, beneficiaries, customers and investors; and contributing to the consistent and coherent functioning of colleges of supervisors.Footnote 12 The 2019 amendments have also included a related task in contributing to common regulatory and supervisory standards and practices: developing and maintaining a Union supervisory handbook, which sets out the best practices and high-quality methodologies and processes.Footnote 13 Notably, this mandates EIOPA’s consideration of changing business practices and models, which certainly include digitalisation of the financial sector, and the emergence of Fintech, RegTech and SupTech.

The 2019 amendments have strengthened EIOPA’s legal jurisdiction in relation to SupTech. EIOPA is required to monitor and assess market developments, including in innovative financial services.Footnote 14 In addition, it is tasked with contributing to the establishment of a common Union financial data strategy.Footnote 15 As discussed further below, data strategy is an essential precondition for digital regulatory reporting. More importantly, when carrying out all its tasks under the Regulation, EIOPA is also required to consider technological innovation, innovative sustainable business models, and the integration of ESG factors.Footnote 16 It is worth noting that before the 2019 amendments, the treaty and legislative provisions empowering EIOPA, ESMA and the EBA were broadly interpreted to include the consideration of developments in technological innovation.Footnote 17 Nevertheless, the EU law makers considered it essential to be explicit in the legislative text, demonstrating the necessity of a SupTech strategy for ESAs in the evolving digital insurance ecosystem.Footnote 18

EIOPA’s powers under Article 8(2) largely mirror its roles enumerated under Articles 8(1) and (1a), and include the powers to: develop draft regulatory and implementing technical standards; issue guidelines and recommendations; issue warnings relating to financial stability; take individual decisions addressed to NCAs; take individual decisions addressed to financial institutions in specific cases concerning directly applicable Union law; and issue opinions to the European Parliament, the Council and the EC. Other powers include: collecting from the NCAs (rather than regulated entities) the necessary information concerning financial institutions;Footnote 19 developing common methodologies for assessing the effect of product characteristics and distribution processes on the financial position of institutions and on consumer protection; and providing a centrally accessible database of registered financial institutions.Footnote 20

2.2 The Subsidiarity Principle

The subsidiarity principle restricts EU action only to what is strictly necessary for EU governance needs.Footnote 21 It is evident in the composition of the ESFS, which consists of the three European Supervisory Authorities (EIOPA, ESMA and the EBA), a joint committee of the ESAs, the European Systemic Risk Board (ESRB), and NCAs.Footnote 22 Despite their designation as ‘supervisory authorities’, ESAs act largely as conveners of a technocratic transnational network of regulatory governance consisting of the so-called NCAs, which retain direct supervisory powers over market actors in their respective national jurisdictions.Footnote 23 Prima facie, ESAs enjoy indirect regulatory powers over regulated entities, in the form of supervision of national regulators. However, ESAs also enjoy last-resort powers to adopt individual decisions addressed to financial institutions, in three instances: in the event of a breach of EU law, in an emergency and, last but not least, to settle a dispute between two or more NCAs in a cross-border situation.Footnote 24 The main function of ESAs is therefore the convergence of NCAs’ supervisory practices, in accordance with the subsidiarity principle.Footnote 25 However, the supervisory autonomy of NCAs has been critiqued as an impediment to the achievement of legal convergence and a capital markets union.Footnote 26 It can be argued that it may similarly stand as a potential obstacle to the digitalisation of regulatory reporting at the EU level, as EIOPA lacks the direct supervisory powers to access insurance market data directly from regulated entities.Footnote 27

Nevertheless, in recent years there seems to be a steady albeit nuanced departure from the delegation of indirect supervisory powers to ESAs. The evolution of ESMA testifies to this trend.Footnote 28 Thanks to legal reform, ESMA enjoys direct supervisory powers over credit rating agencies (CRAs), and trade repositories.Footnote 29 In 2019, the European Commission (EC) successfully pushed for the amendment of the ESAs’ supervisory powers, further expanding the ambit of ESMA’s direct supervision to include third country central counter-parties (CCPs).Footnote 30 The 2019 legislative process signalled the EC’s ill-fated but notable ambition to convert ESMA into a single, centralised, capital markets supervisor.Footnote 31

This development is of special relevance in the case under examination. If the asymmetry between the supervisory powers of ESAs continues to grow, the SupTech strategies of the Authorities will also reflect this asymmetry. For example, on the one hand, ESMA makes clear that its leadership and strategy on EU-wide access to reporting data is driven by its expanding direct supervisory competencies, and the importance of the availability of high-quality data on a pan-European basis for supervision.Footnote 32 EIOPA’s strategy, on the other hand, is shaped by its indirect supervisory mandate, and the allocation of direct supervisory powers to the national regulators. Consequently, it collects data (primarily from Solvency II templates) from national regulators rather than directly from regulated entities. In the past, national regulators have not easily given access to their data.Footnote 33 This ultimately creates SupTech implementation challenges in relation to the design of the technological architecture of the digitalised ESFS, the feasibility of a centralised data service provider, and the governance of the reporting framework.

2.3 The Proportionality Principle

The proportionality principle means that ‘the content and form of Union action shall not exceed what is necessary to achieve the objectives of the Treaties’.Footnote 34 In Ex parte Fedesa, the European Court of Justice (ECJ) formulated a three-part proportionality test for an EU measure: whether it is suitable to achieve a legitimate aim, necessary to achieve that aim, and does not have an excessive impact on an applicant’s interests.Footnote 35 In addition, the 2019 amendments to the EIOPA Regulation emphasise EIOPA’s duty, in accordance with the principle of proportionality, to consider specific differences within the insurance sector, relating to the nature, scale and complexity of risks, to business models and practice as well as to the size of financial institutions and of markets to the extent that such factors are relevant to the rules considered.Footnote 36

An implication of this principle is that both the digitalisation of the Capital Markets Union and the adoption of a system of EU algorithmic oversight are subject to the proportionality test, and relevant measures must be suitable, necessary and not excessive or disproportionate to the objectives sought. To the extent that uniform reporting requirements are essential for unlocking the full potential of digital reporting and EU algorithmic oversight,Footnote 37 the proportionality principle requires consideration of the cost implications of digitalisation for both small and large insurance firms.Footnote 38 The principle is also relevant in determining the allocation of powers between EIOPA and NCAs as further progress with the integration of the latest technology into the EU system of financial supervision will most certainly require a rethink of their existing roles, powers and terms of interaction. Consequently, the proportionality principle will require a very nuanced exercise of the powers of EIOPA as regards initiatives for the development of a harmonised system of digital reporting.

2.4 The Meroni Doctrine

The Meroni doctrine also restricts the ESAs’ rule making duties and powers to technical rather than policy issues with a wide margin of appreciation.Footnote 39 Under the Lamfalussy legislative process, the ESAs have the mandate to promote legal convergence and market integration in two ways.Footnote 40 First, they draft Level 2 delegated Acts and Implementing procedures, which are then considered and adopted by the EC.Footnote 41 The Delegated Acts (which elaborate on the substantive content of Level 1 legislation) and implementing procedures of Level 1 legislation, ensure harmonisation of the implementation and application across Member States.Footnote 42 Second, ESAs formulate Level 3 non-binding (but ‘comply or explain’) guidelines and recommendations to establish consistent, efficient and effective supervisory practices in the Member States to achieve a uniform interpretation of the legislation.Footnote 43 The European Commission approves draft technical standards.Footnote 44

The convoluted institutional design of the ESFS and the Lamfalussy procedure make it difficult to identify which institution should have the authority over the process of translating financial services legislation into machine-readable and executable code. While it may be tempting to vest this authority in the Commission, this type of task (and relevant decision making) seems to have a strong technocratic component. In view of the intertwined co-existence of technical and public policymaking domains, especially in complex areas such as financial regulation, one possibility is to delegate this task to EIOPA under the approval of the European Commission.Footnote 45

3 The EIOPA’s Recent Initiatives for the Digital Transformation of Insurance Supervision: An Incomplete Agenda?

3.1 Introduction

The purpose of this section is to offer a critical overview of the EIOPA’s strategic plan for the digital transformation of EU insurance supervision. Specifically, it considers the origins, subject matter and objectives of EIOPA’s plan of action, its compatibility with parallel initiatives from the other two ESAs and it assesses its completeness.

3.2 Origins of EIOPA’s SupTech Strategy

EIOPA’s SupTech strategy emanates from an over-arching policy framework of the EU. First is the EC’s 2015 Action Plan on Building a Capital Markets Union (CMU), which aims to further integrate the capital markets, to ensure the free flow of capital within the Union.Footnote 46 Recognising the role of technology in an increasingly digitalised EU financial market, the EC in 2018 launched the Fintech Action Plan, as part of a wider strategy to create and strengthen a digital single market and the Capital Markets Union.Footnote 47 These two action plans strengthened the imperative for SupTech adoption by ESAs as a key factor in legal convergence within the CMU. The EC consequently launched a 2018 Fitness Check of EU Supervisory Reporting Requirements project, aimed at not only cutting the costs of regulatory compliance, but also securing data standardisation, a key pillar for the integration of SupTech into the model of EU financial markets governance.Footnote 48 The EC also recognised that establishing the CMU depended on ESAs’ promotion of supervisory convergence among national regulators, with specific attention to innovation and technologies.Footnote 49 Consequently, in 2018, the EC launched a legislative proposal to further integrate supervision of EU financial markets, by granting more roles and powers to the ESAs.Footnote 50 The European Parliament and Council enacted the Regulation amending the ESA Regulations in December 2019, which clarified and strengthened the existing powers of the ESAs, and granted additional powers to ESMA and the EBA.Footnote 51 ESMA received additional direct supervisory powers over critical benchmarks and third country benchmarks, while the EBA was granted a coordinating role over money laundering and terrorism financing issues.Footnote 52

As outlined in Sect. 2 above, the roles of the ESAs (including EIOPA) were amended to include the monitoring and assessment of innovative financial services and also contributing to the establishment of a common Union financial data strategy.Footnote 53 In addition, the ESAs were mandated to consider technological innovation, as well as innovative and sustainable business models, when carrying out their tasks under the respective founding legislations.Footnote 54 These amendments placed the ESAs on a strong legal footing to make SupTech policy without straying into policymaking roles.

In 2018, the EC also established the Expert Group on Regulatory Obstacles to Financial Innovation (ROFIEG), whose 2019 report recommended the development and implementation of ‘a comprehensive and ambitious agenda to support the adoption of advanced RegTech and SupTech by the financial sector’ by the EC, ESAs and international standard setters.Footnote 55 This prompted the EC’s 2020 launch of the Consultation on a New Digital Finance Strategy for Europe, in which the EC endorsed an EU SupTech framework driven by machine-learning technology, and machine-readable and machine-executable technology.Footnote 56

In addition to the EU’s policy framework, other notable programmatic activities by EIOPA also foregrounded its SupTech Strategy. One is the industry-led Open Insurance initiative (OPIN). This refers to the accessing and sharing of consumers’ insurance services-related data between insurers, intermediaries or third parties via Application Programming Interfaces (APIs), to enable faster and easier development of InsurTech.Footnote 57 EIOPA has identified this initiative as a catalyst for the uptake of SupTech, as Open Insurance may require real-time access to insurance services data by supervisors, to allow for automated monitoring and reporting, for regulatory compliance purposes.Footnote 58

Second, EIOPA has rolled out specific EU-level regulatory initiatives in response to the challenges of InsurTech. These include the 2018 InsurTech Task Force, which brings together national supervisors from multidisciplinary backgrounds; the InsurTech Roundtables, which facilitate dialogue with insurance stakeholders; and the European Forum for Innovation Facilitators.Footnote 59 EIOPA has also established the Expert Group on Digital Ethics in Insurance (DGE), a total of 40 stakeholders from the insurance industry, consumer representatives and academics that are working to develop a set of principles of digital responsibility in insurance.Footnote 60

Against this backdrop of developments, EIOPA adopted two milestone plans of action in early 2020. The first one is the Supervisory Convergence Plan for 2020, while the second one is its 2020 Supervisory Technology Strategy.

The Supervisory Convergence Plan for 2020 seeks to achieve a high, effective and consistent level of supervision across Europe. Its goal is to further improve the functioning of the internal market, by preventing supervisory arbitrage and guaranteeing a level playing field.Footnote 61 Supervisory convergence, according to the Plan, ‘should be built on a common interpretation of law and regulations, and without prejudice to the application of supervisory judgment or the proportionality principle’.Footnote 62 The Plan identifies SupTech as one pillar of supervisory convergence, with the aim of ‘joint development by EIOPA and NCAs of innovative and efficient supervisory solutions that will support a more flexible and responsive supervisory system’.Footnote 63 Examined in the context of the ESFS, the Plan is key to EIOPA’s overall SupTech strategy in at least two ways. First, the Plan sets as an outcome the development of supervisory convergence tools, including EIOPA Guidelines, Supervisory Handbook, Supervisory Statements.Footnote 64 These supervisory tools will create the administrative and operational structures that will be subject to digitalisation by SupTech. Second, it entrenches the EU administrative law principles of subsidiarity and proportionality, which are key to the legality of the SupTech adopted by EIOPA.Footnote 65 Notably, the Convergence Plan neither engages with SupTech in detail, nor pre-empts the emerging issues of digitalised regulatory supervision. These include the technologies required, the limits of encoding EU regulations, and the architecture of regulatory reporting and related governance issues, discussed in Sect. 4.

In its turn, the Supervisory Technology Strategy seeks to establish ‘a …coordinated plan for SupTech development which will deliver supervisory tools or processes, considering EIOPA’s strategic objectives and the Supervisory Convergence Plan’.Footnote 66 This overarching goal is also reflected and further articulated in the four objectives of EIOPA’s SupTech Strategy. These are the following: (a) Promotion of knowledge and experience; (b) improving cooperation and exchange of information; (c) improving data collection through the standardisation and efficiency of reporting framework; and (d) improving data analytics. The technologies identified in the StrategyFootnote 67 include the Internet of Things (IoT),Footnote 68 Distributed Ledger Technology (DLT),Footnote 69 Artificial Intelligence (AI),Footnote 70 Machine Learning Technology (MLT),Footnote 71 and Natural Language Processing (NLP).Footnote 72 The supervisory functions EIOPA aims to digitalise include prudential and Conduct of Business (COBS). This entails digitising operational functions such as data sharing, data analytics (e.g. in common risk assessment frameworks), and market monitoring.Footnote 73

As a result of the operating environment of the ESFS and the EU principles of conferred powers, subsidiarity, proportionality, and the Meroni doctrine, areas impacted by specific national administrative law (e.g. organisational changes and the enhancement of different processes) fall outside the scope of the SupTech Strategy of the Authority. Instead, EIOPA’s SupTech Strategy focuses on areas where EIOPA and the NCAs can collaborate (e.g. improvement of supervisory processes and use of data). Further, it is noteworthy that (as the four strategic objectives put beyond doubt) EIOPA intends to explore how technology could help improve regulatory reporting. This should not come as a surprise. Without a robust system of regulatory reporting that benefits from the latest predictive and communication technology, it is simply not possible for EIOPA (or ESMA and the EBA) to improve its business intelligence capability, enhance its analytical framework, risk reports and the publication of statistics.

While the EU’s over-arching policy framework has indeed provided impetus for the adoption of the SupTech strategy, EIOPA has also (separately) outlined key rationales that necessitate its engagement. For example, in its response to the EC’s 2020 Digital Finance Strategy Consultation, EIOPA identifies barriers to RegTech adoption within the Single Market, including lack of harmonisation of EU rules, and lack of harmonised approach to RegTech within the EU.Footnote 74 These rationales put into perspective the role EIOPA has shaped for itself in the SupTech Strategy: to coordinate common work (at national level) by implementing a platform of on-going exchange of knowledge and experience, and organising and endorsing the analysis of potential developments of tools (e.g. by promoting proof of concepts).Footnote 75 These roles are fully compatible with EIOPA’s current supervisory role, including the development of draft Implementing Technical Standards on public disclosure and supervisory reporting of insurance and reinsurance undertakings, provision of XBRL taxonomies, as well as assurance of data standardisation and data quality.Footnote 76

3.3 Summary

EIOPA’s strategic plan for the digital transformation of insurance supervision in the EU single market covers a lot of ground but takes a piecemeal, cautious and fragmented approach. Instead of implementing a general plan of action for regulatory technology, it focuses on the use of technology for supervisory purposes (SupTech) and in priority for the execution of reporting requirements. This cautious and rather tentative approach is in the right direction, but it leaves a lot to be desired. Digital reporting is clearly on the agenda and rightly so, but there is no systematic thinking about what course of action would be required for the development of such system in the future.Footnote 77 Although this could be partly explained by the fact that it is too early (for example, Member States are in different levels of digital transition; the harmonisation of EU law on all aspects of data privacy and other crucial governance aspects of technology is still incomplete etc), it is equally true that it is never too early to think about a roadmap of action in anticipation of future challenges and potential responses to those challenges. Some of those challenges are considered below.

4 A Reality Check: What Would It Take to Set Up a Digital System of Regulatory Reporting?

The recognition of the need for a system of digital reporting in EIOPA’s agenda is a welcome development but the absence of any comprehensive plan of action is an important blind-spot in the Authority’s strategy for the digital transformation of EU insurance supervision. In this section, we discuss a series of themes that emerge in relation to the development and implementation of a system of digital reporting in the field of EU insurance supervision in anticipation of problems and potential responses to those problems. Where appropriate we draw on recent experience from other jurisdictions.

4.1 Mapping the Extent of Sophistication of the Technology That Will Be Required for a System of Digital Reporting

At a minimum, a digital system of regulatory reporting requires a digital network providing the necessary infrastructure for the interconnection of the various users, and advanced predictive and communication technology for the generation, collection, storage and processing of high volumes of different types of data coming from different sources, ideally in real time. Distributed Ledger Technology (DLT), Machine Learning Technology (MLT) and Natural Language Processing (NLP) are essential components of this digital infrastructure.Footnote 78

Originally, DLT came into being for BitcoinFootnote 79 and its function was to enable peer-to-peer transfers of money without using banks. For Bitcoin transactions, DLT works as follows. Participating individuals are identified by a number (the ‘public key’) and are given a passcode (a ‘private key’) to access their own money. Each time they transact, a shared public record of the transaction is created and an identical copy of the entire record of the transaction (the ‘distributed ledger’) is kept on their personal computer and updated by the consensus of all the participants.Footnote 80 DLT is typically combined with a ‘smart contract’, a distinctive feature of which is its self-executing nature. Specifically, the terms of the smart contract are written into code, run on a distributed ledger and are executed automatically on the occurrence of a specified event.Footnote 81

Since its first appearance, the application of DLT has expanded to IT compliance solutions amongst others. In the UK, Codra was the first DLT-enabled regulatory technology. It was initiated by the industry to match legal agreements between parties and operated according to a basic distributed consensus.Footnote 82 Being designed to complement the existing legal structures, Codra mandated its users to acknowledge explicitly the supremacy of the rules of the regulatory law for compliance purposes.Footnote 83 Furthermore, its running had a positive impact on the detection of money laundering, fraud or other illegal activity. DLT is very promising in providing the necessary digital network for the operation of a system of digital reporting. Pending further improvements, DLT could be used by the financial industry for the record-keeping and execution of a wide spectrum of financial transactions.Footnote 84 This is of particular relevance in the case under examination because, if this were to happen, it would be the first decisive step to connect financial authorities like EIOPA directly with all other users of this digital network and, hence, to open the way to an era of almost real-time financial reporting and oversight.Footnote 85

MLT is a further component of a digital network of regulatory reporting. This is a type of artificial intelligence that can allow real time analysis of vast volumes of information for supervisory purposes.Footnote 86 Machines with learning capabilities excel humans in the identification of unusual patterns of activities and in spotting previously unnoticed correlations indicating the emergence of risks. Furthermore, when combined with NLP, it could be used for the processing, analysis and understanding of oral and written human communication. This would be particularly helpful for reporting purposes. Specifically, it could enable machines to read regulatory content and then process relevant data for the execution of reporting tasks as, for instance, the collection or submission of specific data. Currently, NLP supports the operations of Alexa, Siri and Google Translate.Footnote 87 Furthermore, it is increasingly becoming a useful tool for financial regulators like EIOPA. For instance, EIOPA itself is already exploring the benefits of this technology to extract information from packaged retail and insurance-based investment products’ (PRIIPs) key information documents (KIDs) for supervisory purposes.Footnote 88

For the enthusiastic advocates of digitalisation, the capabilities of these technologies are impressive; however, it is important to have a realistic sense of their current and projected potential. Recent experiments with digital reporting in the UK, for example, have established the feasibility of real-time regulatory reporting in relation to highly detailed technical requirements from the computer science point of view but, at the same time, have also brought to the surface several challenges.Footnote 89

Although it is possible for the industry to use DLT, the UK regulators have concluded that for the time being this technology is not sufficiently advanced to become fully integrated into a system of digital reporting. Similarly, the use of MLT is growing but it is not problem-free. One of the thorniest issues is that the software that enables machines to engage in learning raises serious questions of ethics, fair use and privacy because of its conspicuous complexity, lack of transparency and inexplicability.Footnote 90 A further difficulty is that its use is not scalable given its present and foreseeable development. Nevertheless, the future looks promising. The more access machines have to data, the smarter the machines become.Footnote 91 In this respect, the advent of quantum computing and the convergence of technologies like Advanced Software, Big Data and Big Compute is expected to enhance cloud storage and improve accessibility of data kept in large-scale storage, while Big Data will improve the machines’ ability to analyse vast pools of data, detect patterns and generate insights.Footnote 92 Finally, NLP is at an early stage of development. According to the latest experiments with this technology, NLP is not sophisticated enough to cope with social context and the linguistic nuance of the content of regulatory law.Footnote 93 To be sure, it is desirable to integrate NLP and other semantic technologies into digital regulatory reporting but, by everyone’s admission, the design and implementation of these technologies require further investigation.Footnote 94

4.2 The Limited Translatability of the EU Legal Content Into Instructions that Can Be Read and Executed by Machines

EIOPA takes the view that machine readable and executable reporting requirements could prove beneficial for regulators and the insurance industry alike. It further projects that a future of regulatory compliance will be largely ‘algorithm/code based’ as the relevant technology promises to reduce compliance costs, eliminate the need for human interpretation and speed up the time that is otherwise required for regulators to identify emerging risks.Footnote 95 Transforming the legal requirements into code is technically challenging, however. Algorithms are the only language that machines can process. To ensure that the content of the EIOPA rulebook becomes machine readable and machine executable, it is necessary to convert it into its algorithmic version in order to enable machines to communicate with other machines in the same network for the automated execution of a series of regulatory tasks (e.g. data collection).

Machines of specialised intelligence do not process equally well all types of data.Footnote 96 To be at the peak of their performance, they need to be fed with highly structured data, namely data capturing a piece of information of a narrowly defined meaning. This is not to say that machines cannot cope at all with semi-structured or unstructured data, namely data the meaning of which is more open-ended and far less clearly pre-defined. They do, but the less structured the data, the more difficult it is for machines to engage in decision-making where meaning is to be inferred. The machines’ need for highly structured data sets a crucial challenge to the conversion of regulatory content into algorithms.Footnote 97 Ultimately, this depends on how feasible it is to break down regulatory content into granular instructions, and then convert those instructions into micro-directives communicated in algorithmic language.

Many existing provisions of the EIOPA rulebook are not suitable for algorithmic conversion chiefly because it is difficult to interpret the content of those legal provisions into exhaustively precise terms without changing or losing part of their meaning. This task of translation is not as straightforward as it seems because it is impossible to fix the meaning of a word prior to its use. Take the example of the word ‘sales’. To paraphrase Ludwig Wittgenstein, no meaning of the word ‘sales’ can include everything that is a sale and exclude everything that is not a sale.Footnote 98 The relationship between the various uses of the word ‘sale’ is like the relationship between various members of a family. A resemblance exists but it is not possible to give this resemblance any rigid definition ex-ante. Accordingly, the algorithmic conversion of legal rules of relative specificity is much more complex than, say, the identification and submission of the reference number of a specific product provider.

Consider for instance the Commission Delegated Regulation (EU) 2017/653 supplementing Regulation (EU) No 1286/2014 on key information documents (KIDs) for packaged retail and insurance-based investment products (PRIIPs).Footnote 99 This is a Level 2 regulation that lays down the regulatory technical standards for fulfilling the disclosure of KIDs. Annex 1 provides the template for the KID, which specifies in detail the data fields that must be completed. The substantive provisions of the Regulation outline in great detail how to populate the data template. For example, Art. 12 section 1(a) provides that in the section on risks and returns, PRIIP manufacturers shall specify ‘the range of risk classes of all underlying investment options offered within the PRIIP by using a summary risk indicator having a numerical scale from 1 to 7, as set out in Annex III’. This provision can be relatively easily encoded into machine-readable language, as the numerical values are amenable to rephrasing into a set of more concrete instructions. On the other hand, section 1(c) requires PRIIP manufacturers to specify ‘a brief description on how the performance of the PRIIP as a whole depends on the underlying investment options’. It is much more difficult to generate granular instructions for an open-ended data field like section 1(c). For example, it is not clear how brief the description will have to be and what should be the criterion for assessing the relevance of underlying investment options. The application of section 1(c) calls for a system of decision-making that displays normative reasoning and sensitivity to social context and the nuances of human language, namely capabilities in which humans outperform machines of specialist intelligence.Footnote 100

An additional limitation here is the following: although it is possible to convert the semantic content of legal rules into algorithmic language, it is not possible to capture the context within which these rules are meant to apply. Legal rules are also subject to change and so is the regulatory content that is to be converted into algorithmic language. Consequently, the relevant computer programming that supports machine readability and machine executability will also need constant updates. Finally, an additional source of complication stems from the fact that quite often regulatory content comes from legal rules that have been made by different regulators with distinctive mandates and potentially conflicting agendas. As a result, the ex-ante standardisation of those rules and corresponding agreed definitions may simply not be feasible or it may be unsuitable.

At least in part, the challenges described above may be addressed by ensuring that data is subject to constant validation through human input and oversight, so that it is kept accurate and reliable; and by regulating those professionals that undertake to do this job. For instance, regulators like EIOPA can take the following measures amongst other things: (a) draft and constantly update explanatory guidance for software developers and other professionals with the responsibility of overseeing machines and of validating machine outputs; (b) provide training or at least have some control over the training of software developers and other professionals; and (c) supervise them to ensure compliance with best practice.Footnote 101 However, multiple checks, verifications and updates complicate the governance of algorithmic financial supervision, increase the cost of its administration and management and over-stretch the mandate of insurance regulators.Footnote 102

To be sure, progress with the current on-going efforts to improve the consistency of definitions, formats and processes as well as the standardisation of data is expected to improve data quality in the context of digital reporting and, more generally, to make the governance of algorithmic financial supervision much more manageable.Footnote 103 However, this would not be enough. Law and code are not just two different normative domains of governance.Footnote 104 They are mutually exclusive forms of communication.Footnote 105 While natural language requires a degree of linguistic ‘open-texture’, algorithmic language leans towards granular precision. Conflict between the two is inevitable and it is paramount that it is resolved in a manner compatible with the rule of law.

A potential solution to the mutual exclusiveness of natural language and algorithmic language as forms of communication would be the following. First, to confine algorithmic conversion only to Level 3 legislation of the EIOPA rulebook since its extremely detailed content seems to better fit the picture of regulatory content eligible for coding albeit not without difficulties.Footnote 106 The next step would be to draft Level 3 legislation as a two-tiered legal instrument so that its content is expressed in both forms of communication to accommodate both human decision making and algorithmic decision making. Finally, resolve potential conflict between the two by giving priority to human interpretation as a recognition of the fact that human language is the only form of communication that is capable of realising fundamental principles of the rule of law.Footnote 107 A future EIOPA rulebook of that sort would of course confine the use of digital reporting to a smaller fraction of insurance regulatory requirements, but it would make the digital transformation of EU insurance supervision compatible with the rule of law, safer and more manageable.
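The contrast drawn in this section between Art. 12(1)(a) and Art. 12(1)(c), together with the proposal that human interpretation prevails over the coded tier, can be shown as a small validator. This is an added illustration, not code from EIOPA or from the chapter; the field names (`option_sris`, `performance_description`), the verdict labels and the sample submission are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Verdict(Enum):
    PASS = "pass"
    FAIL = "fail"
    NEEDS_HUMAN_REVIEW = "needs_human_review"


@dataclass
class FieldResult:
    data_field: str
    machine: Verdict                  # outcome of the coded tier
    reason: str
    human: Optional[Verdict] = None   # outcome of the natural-language tier, if reviewed

    @property
    def final(self) -> Verdict:
        # Two-tier rule: where a human determination exists, it takes priority.
        return self.human if self.human is not None else self.machine


SRI_MIN, SRI_MAX = 1, 7  # numerical scale quoted in Art. 12(1)(a)


def check_risk_class_range(option_sris) -> FieldResult:
    """Art. 12(1)(a): a closed numerical scale, fully decidable by machine."""
    name = "risk_class_range"
    if not option_sris:
        return FieldResult(name, Verdict.FAIL, "no underlying investment options reported")
    for option, sri in option_sris.items():
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(sri, bool) or not isinstance(sri, int):
            return FieldResult(name, Verdict.FAIL, f"{option}: indicator is not an integer")
        if not SRI_MIN <= sri <= SRI_MAX:
            return FieldResult(name, Verdict.FAIL, f"{option}: indicator {sri} outside 1 to 7")
    lo, hi = min(option_sris.values()), max(option_sris.values())
    return FieldResult(name, Verdict.PASS, f"risk classes span {lo} to {hi}")


def check_performance_description(text) -> FieldResult:
    """Art. 12(1)(c): only the presence of the text is decidable.

    No length limit is coded, because the provision does not say how brief
    'brief' is; relevance cannot be reduced to a granular test either.
    """
    name = "performance_description"
    if not isinstance(text, str) or not text.strip():
        return FieldResult(name, Verdict.FAIL, "description missing")
    return FieldResult(name, Verdict.NEEDS_HUMAN_REVIEW,
                       "brevity and relevance require human interpretation")


def validate_kid(submission) -> list:
    return [
        check_risk_class_range(submission.get("option_sris", {})),
        check_performance_description(submission.get("performance_description")),
    ]


def apply_human_decision(result: FieldResult, decision: Verdict) -> FieldResult:
    result.human = decision
    return result


def submission_status(results) -> Verdict:
    finals = [r.final for r in results]
    if Verdict.FAIL in finals:
        return Verdict.FAIL
    if Verdict.NEEDS_HUMAN_REVIEW in finals:
        return Verdict.NEEDS_HUMAN_REVIEW
    return Verdict.PASS


# Constructed sample submission (not real reporting data).
SAMPLE = {
    "option_sris": {"Fund A": 2, "Fund B": 6, "Fund C": 4},
    "performance_description": "Returns depend on the mix of funds the investor selects.",
}

if __name__ == "__main__":
    for r in validate_kid(SAMPLE):
        print(r.data_field, r.machine.value, "-", r.reason)
```

The coded tier can only close the submission on its own when every field is of the 1(a) kind; any 1(c)-type field keeps the status open until a reviewer records a decision.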

4.3 The Architecture of Regulatory Reporting and Issues of Governance

Broadly speaking, the debates on the architecture of regulatory reporting draw a conceptual distinction between two models of data collection: on the one hand the ‘push model’ of data reporting and, on the other hand, the ‘pull model’ of data reporting.Footnote 108 The push model is the traditional process of reporting in which regulated individuals have the obligation to submit certain information in compliance with the relevant regulatory law. The pull model stands at the opposite side of the spectrum in that the regulators are assumed to be able to pull data themselves instead of requiring members of the industry to submit data while keeping an eye on them to ensure that they will conform with the specific reporting instruction. Until recently, and as is evident from the architecture of the existing legal design of reporting requirements, only the implementation of the push model was feasible. However, the advent of regulatory technology bears the potential of moving to a pull model of regulatory reporting.

EIOPA already has in place a common database for Solvency II reporting, but it is at an early stage of development.Footnote 109 Accordingly, it is worth asking whether the pull model or a variant of it would be an appealing proposition for EIOPA more generally. A notable advantage of a pull mechanism, at least on paper, is that it would make it possible for EIOPA to collect the data it needs, in almost real time and at a minimum cost, as it will not have to store and handle large datasets. For the same reason, it would become easier for the Authority to ensure compliance with data security and personal data rules.

A potential candidate for EIOPA would be to opt for an architecture of digital regulatory reporting similar to the one that has been adopted by the National Bank of Rwanda (NBR).Footnote 110

The NBR has in place a granular data extraction model (a pull mechanism such as, for example, an API) connecting the NBR with reporting firms. This pull mechanism facilitates the submission of information on the request of the NBR. It operates based on a pre-defined set of templates with guidelines, which are shared with all reporting institutions and make it possible for the NBR to pull data from the firms’ core systems.Footnote 111

Despite its obvious benefits when compared to the traditional push model of regulatory reporting, the pull model would most probably not work equally well for all types of data collection. For example, its application would be problematic for the collection of fluctuating figures (e.g. data on aggregate financing). In that latter case, the traditional push model of data collection would be preferable. Projections about the net benefits of the pull model are also bound to be an imprecise science.Footnote 112 Ultimately, the efficiency of this model will depend on how its costs compare to the costs of generating and sending files manually, the number of data requests and other uncertain factors.

The implementation of a pull model would also require massive changes to data governance. Under the existing push model, reporting rules specify things like the time of data submission and content of the data submitted. However, if a pull model is to be implemented, then these rules would have to be replaced with a different set of rules as it would be necessary to specify when and how often firms must make data available, when and how often EIOPA could pull data, and under what circumstances data resubmissions might be allowed.

An alternative to the Rwandan model would exhibit a more centralised outlook. A distinctive feature of this model would be the presence of a central service provider (‘central utility’) which would carry out a variety of tasks and reporting processes as, for example, the collection of granular data, the interpretation of reporting instructions, and the transformation of firm source data into the data that is required for reports.Footnote 113 The reporting model of the Central Bank of Austria is an example of this more centralised variant of the pull model.Footnote 114 At the heart of this system of reporting lies the AuRep. The latter is a central utility co-owned by seven of the largest Austrian banking groups. AuRep serves as a reporting platform and works as follows: Reporting banks enter granular data into a standardised input layer. This data is then sent to AuRep, which processes it into regulatory data that meets different reporting requirements. Acting on behalf of the reporting banks, AuRep then reports directly to the Austrian Central Bank.Footnote 115 Currently, AuRep covers almost all statistical reporting of banks and financial stability reports, but the plan is to expand in the future.

One of the advantages of implementing an Austrian type of data collection for digital reporting is cost reduction through the avoidance of duplication. A further advantage is the increase of the quality of reported data, since several crucial functions—notably, the standardisation of the transformation of data, the interpretation of reporting instructions and their execution—will be carried out in one place. An additional advantage is that the collected standardised data could be used to feed valuable information back to regulated insurers taken individually, hence, providing value to the industry and policy analysts amongst others. Furthermore, the publication of a subset of data in a central and easily accessible database could become instrumental to the improvement of public disclosures.Footnote 116

The perceived benefits need to be weighed against the costs of running the centralised service provider. Again, this type of architecture may not be suitable for all types of data. Statistics reports consisting of aggregations of granular source data will probably be easiest to provide centrally. The opposite holds for data which requires firm-specific judgment. In that latter case, it would be desirable to ensure a degree of human involvement at firm level so that those legally responsible for any data omissions and inaccuracies have the opportunity to check the data that they are submitting.Footnote 117 The preservation of human input is crucial here because the purpose of centralisation of the various reporting functions is not to discharge firms from the responsibility to comply with the various reporting rules but to help them comply in a cost-efficient fashion. From the legal point of view, reporting firms need to continue to be legally responsible and accountable for the quantity and quality of the data that they submit. A further issue of concern is that any data errors are bound to affect the entire industry with potential systemic implications for as long as they remain undetected.

Not unlike the decentralised model, the implementation of an Austrian type of reporting architecture EU-wide in the context of insurance would also require crucial changes to the existing governance arrangements. For example, extra measures would have to be taken to respond to data security and other operational risks with clear lines of responsibility for decision-making and action. In addition, it would be necessary to change the reporting rules to respond to the emerging data architecture, while a separate set of rules might be needed to provide responses to errors or various other contingencies.

The Integrated Reporting Framework (IReF) of the European System of Central Banks (ESCB), which is currently under consultation, is very similar to the Austrian model and offers a hint of what the Austrian reporting architecture might look like at the EU level.Footnote 118 The aim of the IReF is to integrate a wide range of existing statistical reporting requirements of the various NCAs into a single reporting model. It is envisaged that the IReF would define a sufficiently granular set of requirements for reporting purposes and that its operations would benefit from the existing Bank’s Integrated Reporting Dictionary (BIRD).Footnote 119 The BIRD provides a harmonised data model which specifies the data which should be extracted from the internal IT systems of the reporting firms (the so-called ‘input layer’). Furthermore, it contains a set of rules which govern the transformation of the extracted data into a specific final regulatory figure (the so-called ‘transformation rules’).

An interesting question to ask is whether EIOPA should undertake the role of central service provider or whether instead this role should be entrusted to a separate EU agency which will be designed specifically for that role. EIOPA is primarily an EU supervisory agency with a nuanced range of powers to perform regulatory functions specific to its insurance mandate. Prima facie, it is not a technology or data services provider. As discussed above, EIOPA perceives its role as focusing on the promotion of the development of a common SupTech framework and strategy in the field of insurance. In pursuit of this role, EIOPA has been particularly active in the coordination of common work with NCAs, the facilitation of experience sharing and the organisation and endorsement of analysis for the potential development of tools (e.g. by promoting proof of concepts). Historically, the management of large quantities of data is not its core specialism. If it were to be entrusted with the additional role of central service provider, this would also generate significant reputational risks to EIOPA in relation to data quality assurance failures, data security and other operational risks. A further issue of concern is that, if EIOPA were to take up additional powers and responsibilities in pursuit of its new role, the desirability of calibrating the powers and responsibilities of the other two ESAs would have to be considered too, hence, potentially opening the floodgates of far-reaching and for that reason more time-consuming reforms of the current ESFS.

While the above considerations militate against the idea of expanding the existing mandate of EIOPA and turning it in effect into a central service provider for reporting purposes in the field of EU insurance, a host of other issues point in the opposite direction. Consider, for example, the use of MLT. A key feature of machine learning is that it is driven by a statistical model, whose design embeds a system of scoring and typically involves impenetrably complex calculations.Footnote 120 The statistical model serves a specific goal in relation to which machines learn to mine data from vast datasets, identify correlations and patterns, infer information, make predictions and produce outputs. This goal may address a legitimate concern as, for example, that of cost-efficient reporting and compliance but from that it does not follow that it fully captures the policy objectives of financial regulators, or that it indeed yields correct legal results. To pre-empt this mismatch, EU rule-makers should continue to be the ones to write rules in natural as well as in algorithmic language. Moreover, EU rule-makers should assume responsibility over the regulation of data specifications and the validation of standards (with the cooperation of EU and other NCAs including the European Data Protection Supervisor (EDPS) as well as input from expert software developers, the industry and other stakeholders) so that they will be able to address issues of data quality assurance and other operational risks at source.

This will be easier said than done. The institutional design of the ESFS is complex and additional supervisory responsibilities over the governance of the relevant regulatory technology will most certainly overstretch EIOPA’s current supervisory mandate and powers. To be sure, one does not have the crystal ball to make projections about whether the EU governance of regulatory technology in the field of insurance will provide the impetus for a radical reshuffling of the existing convoluted institutional architecture of the ESFS. This notwithstanding, ignoring the elephant in the room does not help for planning purposes. Given space constraints, it is not possible to explore all possible institutional options taking things forward. One possibility, however, might be to set up a joint central service provider for all three ESAs the task of which would be to coordinate and streamline the administration of digital regulatory reporting for all three sectors of the EU financial systems. This would be consistent with economies of scale and scope and would facilitate cross-sectoral knowledge generation and sharing.

5 Conclusion

In this chapter we sought to offer a reality check of the algorithmic future of insurance supervision in the EU. Specifically, we examined EIOPA, its operating environment, and how principles of EU administrative law shape its SupTech mission and mandate. We then portrayed the Authority’s role in the digital transformation of insurance supervision in the EU and the evolution of its strategy to point to an important blind-spot: the absence of a comprehensive plan of action for the development of a digital system of regulatory reporting in the field of EU insurance supervision. Against this backdrop, we considered a series of themes in relation to the setting up and running of a system of digital reporting in anticipation of future challenges and potential responses to those problems. These relate to the limitations of the technology that will be required for digital reporting given its current and foreseeable stage of development, a series of difficulties with the conversion of regulatory content into code and, lastly, issues of reporting architecture and governance.

The analysis makes plain that EIOPA’s approach to supervision is at a stage of transition and is fast moving towards a digital model of EU insurance supervision in response to the relevant initiatives of the EU Commission to foster technological innovation and promote the implementation of a digital strategy in all three sectors of the EU financial system. Specifically, three findings emerge from our analysis.

The first finding is that digital reporting is not new to EIOPA. The Authority has in place a digital system for Solvency II reporting. However, its scope is narrow, and the system has faced challenges with data quality and standardisation. Building on the current experience with Solvency II reporting, EIOPA is increasingly assuming a leadership role in coordinating EU-level initiatives, including OPIN, the InsurTech Task Force, InsurTech Roundtables, EFIF and DGE. While these initiatives are welcome, establishing an EU-level system of digital reporting requires an ambitious and detailed strategy, which may over-stretch the Authority’s mandate in the future.

The second finding is that EIOPA perceives its role as a coordinator rather than a centralised data service provider, within the emerging digital ecosystem of reporting. This can be explained by the impact of the EU administrative law principles of proportionality and subsidiarity, the Meroni doctrine, and the concomitant structure of the ESFS on the objectives, tasks and powers of EIOPA. Proportionality requires the adoption of digital reporting by EIOPA to be guided by the suitability, necessity and balancing of any adverse impact of EU action. The Meroni doctrine restricts EIOPA rulemaking to technical rather than policymaking domains. Subsidiarity vests NCAs with direct supervisory powers, which promote national supervisory autonomy but undermine the prospect of an EU-level centralised system of digital reporting. Indeed, it is difficult to strike a satisfactory trade-off between a common supervisory approach and maintaining national supervisory autonomy.

Finally, the third finding is that the setting up and running of an EU-wide system of digital reporting in the field of insurance will prove to be particularly challenging due to a series of factors which have so far escaped thorough consideration. These are (a) the degree of current and projected sophistication of the relevant technology that will be required to provide the necessary digital infrastructure; (b) the limited translatability of rulebook content into algorithms to enable machine readability and machine executability; and (c) difficulties with data architecture and governance.

Our findings point to concrete themes that could provide the building blocks for a more comprehensive blueprint for an EU system of digital reporting as an integral aspect of insurance supervision with wider implications given their relevance to the other two European Supervisory Authorities. To be sure, this chapter did not address the full spectrum of themes that are intertwined with digital reporting and the advent of EU algorithmic financial regulation more generally. The impact of EU regulatory technology on the use of administrative discretion both at the EU level as well as at national levels, automation biasFootnote 121 and the concomitant problem of deskilling,Footnote 122 the compatibility of regulatory technology with the principles of EU administrative and constitutional law – to mention a few – are equally important and call for systematic investigation in their own right which, given space constraints, will have to be postponed for another occasion.