P2P Insurance at its most basic level

Which features are essential for eliminating fraud and why?

True peer-to-peer insurance has blockchain in its DNA

Don’t just reduce fraud, eliminate it

If you wanted to create an insurance policy with zero fraud could you do it? If you think this is impossible, why is it impossible? If you could radically redefine insurance and start from scratch with only one goal, the elimination of fraud, what would it look like? What is remarkable is that if we choose the right architecture we not only get a system which is free of fraud, but this benefit comes at no additional cost to the participants.

Simplest concept of insurance is a rainy day fund

1 in 3 of GoFundMe campaigns are used to pay for medical bills. This is how families and individuals attempt to bridge the gap between insurance and reality. GoFundMe isn’t insurance, but instead a way to raise charitable contributions for a cause. 1/3 of the time this cause just happens to be the coverage of what insurance won’t pay for.

But what if you could use GoFundMe for insurance simply by paying up front and awarding a claim later? Imagine a GoFundMe campaign for 20 friends where funds are raised first and only awarded later if someone experiences a loss. This concept is very different from traditional insurance but it is the type of radical approach that I believe could work to eliminate fraud.

These factors require insurance to be more institutionalized

This is what I believe we need to eliminate from our architecture:

  • Larger group sizes, larger risk pools
  • Policies which place detached strangers into the same coverage pool
  • Architectures which make personal relationships unnecessary
  • Larger amounts for claim awards which create incentives for fraud
  • Greater complexity of policies requiring complex underwriting
  • Greater complexity of claims requiring complex verification / oracles

The fundamental way peer-to-peer insurance should differentiate itself from centralized insurance providers is as follows:

  1. From being discretionary to being non-discretionary.
  2. From measuring pure loss to more parametric architectures.
  3. From large global risk pools of strangers to small local risk pools of communities.
  4. From trust being established by institutions to trust being established by personal relationships among participants.
  5. From pricing that requires actuaries to non-actuarial pricing.
  6. From an investment model with optimal up-front pricing to a rebate model with sub-optimal up-front pricing, yet lower total costs.
  7. From high value claims to lower value supplemental coverage.
  8. From a 3rd party custodian model to a direct pay model where premiums move directly from policyholders to claimants.
  9. From a model requiring reinsurance or a large reserve pool to a model with zero reserves.
  10. From a model with hard and soft fraud to a zero fraud architecture where soft fraud doesn’t exist (parametric policies) and hard fraud is nearly impossible.
  11. From insurance pools which are hard to dissolve to insurance pools which dissolve immediately if any fraud is detected.

The goal of this architecture should be:

  1. Give people greater peace of mind that claims will be paid and not denied.
  2. Make the track record and reasoning of previous claim approvals and denials fully transparent.
  3. Reduce insurance to its simplest possible constituent assuming that this reduction looks like a ROSCA.
  4. Make it easier to predict the likelihood that a policy will pay a claim.
  5. Give local groups full autonomy over their policy:
    - The power to self insure based on a communities own standards.
    - The power to create an authoritative, immutable history.
    - The power to record the communities perspective on historical events.
  6. Elimination of third party custodians:
    - No party ever takes custody of funds that does not belong to them.
    - Eliminating the risk that funds will be misappropriated.
    - Providing policyholders greater protections from institutions.
  7. Reducing the costly burden of regulatory compliance.
  8. Elimination of soft fraud by offering only parametric supplemental policies
  9. Elimination of hard fraud by:
    - Increasing the amount of transparency in the system.
    - Providing policyholders greater protections from bad actors.

Peer-to-peer Architecture Ingredients

  1. Smaller group sizes.
  2. Reduced value of claim awards to disincentivize fraud.
  3. Only offering parametric coverage.
  4. Making claim awards non-discretionary
    - Discretionary awards imply that reserves are rationed for future claims.
  5. Eliminating pricing models that require the policy to hold reserves
    - Using rebate models to price risk removes actuarial pricing.
  6. Using blockchain smart contracts to eliminate third party custodians.
  7. Using blockchain to increase the transparency of funds.
  8. Using blockchain to achieve regulatory arbitrage via direct payments
    - Payments move directly between policyholders and claimants.
  9. Using stablecoins to eliminate the volatility of crypto assets.
  10. Providing greater protections to policyholders by allowing them to defect
    - Policyholders can leave with their premiums if fraud is detected.

Peer-to-peer Architecture Instructions

How to determine participation:

The first step to simplifying the problem is reducing the group size. We should allow groups to form the same way that peer-to-peer lending groups form, borrowing from the concept of a ROSCA.

  • Reducing the group size:
    - A community risk pool is 25 to 125 people (optimally 50 to 60).
    - Increasing personal relationships among participants.
    - Groups must be fully autonomous.

How to underwrite policies:

The second step to simplifying the problem is reducing the size of claims to allow for simpler security architectures. Larger claims require more robust security architectures. Smaller claims can operate using architectures with far less protocol security.

  • Reducing the value of claim awards:
    - Ideal value of a claim somewhere between $500 to $1000 (US based).
    - Weekly median personal income is $865 for US citizens.
    - Claim awards should never exceed the equivalent value of 2 weeks salary.
    - Goal is to match a low cost premium with a meaningful claim award.
    - Only suitable for supplemental coverage.
    - Fewer incentives to commit fraud given a claims size.
    - Coverage still valuable enough to participate.
  • Limiting the complexity of claim awards using parametric policies:
    - Policies pay every claim the same value.
    - This value is the same for all participants.
    - Claim amounts do not account for any circumstantial factors.
    - This eliminates any requirements that loss be measured to award a claim.
    - Policies make payments upon the occurrence of a triggering event.
    - Simplifies the evaluation of claims.
    - Allows anyone to calculate how many claims a policy can pay per period.
    - Allows anyone to calculate the odds that a policy will pay their claim.

How to pay for premiums and claims:

The third step to simplifying the problem is removing the volatility associated with cryptocurrencies to enable products to reach a mainstream consumer marketplace. Premiums placed in smart contracts must maintain a stable value over the course of one month to avoid exposing claimants to volatility risks.

  • Smart contracts are required to eliminate third party custodians:
    - Smart contracts allow us to provide new financial services to consumers. 
    - These new services eliminate the liability of third party custodians.
    - Smart contracts in this context can be thought of as a community safe.
    - Locking up funds in smart contracts previously required individuals to be highly technical and risk-tolerant.
  • Cryptocurrency is too volatile to use for paying premiums and claims:
    - P2P insurance requires funds to be locked for a minimum of one month.
    - Only cryptocurrency such as Ethereum can be locked in a smart contract.
    - Locking up volatile capital for one month exposes policyholders to risk.
    - This makes paying premiums in ETH impractical for consumers.
  • Using smart contracts + stablecoins to pay premiums and claims:
    - Prior to 2018 price stable cryptocurrency did not exist.*
    - Stablecoins such as MakerDAO’s DAI eliminate the risk of volatility.
    - You can pay premiums in DAI to a smart contract instead of using ETH.
    - Using stablecoins with smart contracts eliminates the risk of volatility.
    - Now new financial services can be provided to mainstream consumers.

How to award claims:

The fourth step to simplifying the problem is removing the need for human judgement, which would make paying an insurance claim a discretionary action. The less discretion exists within the architecture that awards claims the less need there is for creating a dispute resolution mechanism (i.e. governance) which adds unneeded complexity.

  • Making claim awards non-discretionary:
    - Removal of human judgement as much as possible.
    - Strategy of awarding claims that everyone agrees is fair.
    - The protocol enforces fairness rather than relying on human institutions.
    - Value of claims predetermined by a policy’s underwriting.
    - Representative authority whitelists valid claims.
    - All policyholders have the opportunity to approve whitelisted claims.
    - Policyholders are never required to pay invalid or fraudulent claims.
  • Increasing transparency of claim awards by using blockchain:
    - Greater ability to audit a policy’s prior track record.
    - Inability to deny claims without making the reason public.
    - Makes it easier to reach consensus about the fairness of awards.
    - Makes it easier for groups to agree about who owns which funds.
  • Reducing regulatory liability by eliminating third party custodians:
    - Funds move directly between policyholders and claimants.
    - Smart contracts do not play a custodial role (see caveat**).
    - Smart contracts function similarly to a vault with safe deposit boxes.
    - Each policyholder has their own key to their own box.
    - Each box holds an individual policyholder’s premium separately.
    - Premiums are held by smart contracts until claims can be whitelisted.
    - Each user decides individually to send funds to a whitelisted claimant.
    - Relinquishing custody of funds is absolutely voluntary.
    - Only a individual policyholder is authorized to finalize a premium.
    - Policyholders are never required to pay claims they think are fraudulent.
    - Funds are never pooled together until they are received by the claimant.

How to price risk:

The fifth step to simplifying the problem is to eliminate actuarial models for pricing risk. Actuarial models concern themselves with how to price risk by predicting the future. The goal of these models is to charge premiums so that there is an excess which is saved for future claims. They need to price risk such that a policy holds sufficient reserves to pay for future losses when the cumulative value of claims in a given month is very high. If holding reserves was a requirement then this would transform our smart contracts into custodians. As soon as any part of our architecture becomes a custodian of funds this adds unnecessary complexity and liability. Eliminating the liability associated with 3rd party custodians is a requirement, therefore we cannot use this mechanism to price risk.

This is not the only way to price risk, it just is the most efficient way to provide up-front pricing. Monthly premiums using rebate pricing can be 2x to 8x more expensive depending on how good the coverage is. This doesn’t mean that the policy is 2x to 8x more costly just that the upfront expense of the policy is 2x to 8x greater. Later once it is determined how many claims occurred in the past, rebate pricing performs an accounting and returns the remainder back to policyholders. This remainder is called a rebate and it allows the policy to price risk retroactively. This type of risk pricing enables us to reconcile all accounts to a zero balance at the end of each month. The result is our architecture is never required to hold any funds in reserves or carry premium funds forward from one month to the next.

To sum up, the difference between these two models is as follows:

  • Actuarial models attempt to predict the value of claims in the future to price premiums. They require policies to hold reserves.
  • Rebate models can perfectly calculate the value of claims in the past to price premiums. They retroactively price premiums by providing rebates and do not require policies to hold reserves.

Full rebate models use a zero-reserve architecture which:

- Does not hold funds for a given period greater than one month.
- Does not carry a balance of funds forward to future periods.
- All funds are paid out as either claims or rebates at the end of every month.
- Reconciles all accounts to a zero balance at the end of each period.

Trade-offs when using zero-reserve architecture:

- No actuaries to award for correctly pricing risk.
- No actuaries to punish for mispricing risk.
- Coverage scales with the size of premiums the community is willing to pay.
- The less the community trusts each other the weaker the coverage becomes.
- Contrastingly more trust results in stronger coverage for the community.
- This architecture provides the greatest fraud protections for policyholders.
- At face value this provides weak guarantees for claimants.
- In reality it allows for coverage to scale relative to the degree of trust between participants (accounts for premiums being 2x to 8x greater).
- Since refunds are guaranteed higher premiums provide more actual coverage for zero actual cost.

The benefits of zero-reserve architectures are that they:

- Never require the smart contract to act as a 3rd party custodian of funds.
- Allow funds to move directly from policyholders to claimants.
- Enable an architecture where no funds are ever owned by an institution.
- Funds used to pay premiums & claims are always owned by individuals.
- Does not require the creation of architectures needed to invest premiums.
- Allows authorities to whitelist claims while permitting users to approve them
- Creates strong incentives for users to withhold premiums if fraud is detected.
- Provides strong disincentives to authorities which preclude them from whitelisting fraudulent claims.

Consequences of using zero-reserve architecture + non-discretionary claims:

- Authorities are never incentivized to ration premiums for future claims.
- This type of architecture may underpay claims because of low liquidity.
- Even if claims are discounted all claimants must be treated equally.
- No valid claims will ever be paid nothing.
- The protocol enforces equality rather than relying on human institutions.
- In a given month every claim must be paid an identical amount.
- Checking that all claims were treated fairly is trivial.

How to mitigate fraud:

The sixth step to simplifying the problem is removing the need for complex governance and dispute resolution systems. This is achieved by simplifying other fundamental aspects which determine participation, underwrite policies, award claims and price risk. All other aspects of our architecture are already optimized to minimize fraud and maximize protections for policyholders. Achieving maximum optimization in other parts of the architecture eliminates any need to implement voting based governance to mitigate fraud. By allowing policyholders to defect they are effectively given the right to veto any invalid or fraudulent claim by walking away with their premium payment.

  • Replacement of voting with rules allowing policyholders to defect:
    - If fraud occurs the group is easily allowed to terminate.
    - Defecting allows policyholders to reclaim their monthly premium.
    - Zero-reserve architecture enables everyone to exit with their funds.
    - A policies underwriting can require policyholders to act by disbanding.
    - Users can be required to leave the group if they believe fraud is occurring.
    - Whitelisting an invalid claim results in users defecting.
    - The protocol is optimized to incentivize participants to disband if someone is treated unfairly.
    - The easier it is for a group to disband the more authorities will take actions that match the group’s standard for fairness.
    - Delegated authorities are strongly incentivized to act honestly.
    - Thus the protocol is able to enforce the previously agreed upon cultural norms of the community.


It is possible to eliminate fraud and build new architecture for peer-to-peer insurance.

* Tether cannot be put into a smart contract and thus cannot function to pay insurance premiums or claims.

** Caveat: In some architectures smart contracts can still function as third party custodians. The only way to remove this liability is to make sure that all accounts are reconciled at the end of each policy period. Only zero-reserve architecture is capable of mitigating third party liability in this way.