How Self-Sovereign Identity Can Revolutionize Insurance

How a better approach to identity management can empower customers, enable compliance and cut down costs

Arjun Govind
R3 Publication
8 min read · Jun 7, 2020

By Arjun Govind and Victor Boardman

This piece is the fourth installment of a series on digital identity. This series aims to explore the evolution of digital identity, the state of self-sovereign identity today, and its use cases.

Check out previous installments here:
Part 1: The Evolution of Digital Identity
Part 2: Self-Sovereign Identity: Under the Hood
Part 3: Is Self-Sovereign Identity the Answer to GDPR Compliance?

InsurTech has come a long way over the past decade — just think about the hassle of filing a claim a decade ago versus now. What was once mountains of paperwork and hours on the phone is now reduced to as little as a few taps on your insurer’s app. However, as far as the technology has come today, the insurance industry’s — and most industries’ — approach to digital identity simply hasn’t kept pace with the great strides made in other technology domains. In this article, we aim to break down the benefits that SSI can deliver to both insurers and policyholders, and what we at R3 are building to enable SSI on Corda.

For a refresher on how self-sovereign identity works, check out my article here:

Identity and the Insurance Lifecycle

Philosophically, why does insurance need a revamped approach to identity? The simple fact is that verifying information is an extremely labor-intensive, cumbersome and expensive process. By having information that’s presented to you in a verifiable-by-default format, the cost of painstakingly going over paper documents to ensure that one person actually got in a car accident, for instance, is all but eliminated.

Prospecting and Onboarding: Prospecting is a costly and cumbersome process for a whole host of reasons. The most obvious reason is that insurers need to collect information about their customers to offer quotes. However, insurers can’t simply take the customers at their word — generating quotes means undertaking a costly process of verifying information the customer provided. If the customer information was instead presented as a verifiable credential, then an insurer could instantaneously check that information. Unlike insurance today, this verification process is instantaneous regardless of whether the credential is a proof of address, an educational qualification, or a traffic accident record.

If a prospective lead accepts the quote, they must then be onboarded as customers. This involves the three dreaded letters: KYC. For regulatory reasons, insurers need to conduct mandatory background checks to ensure that the prospective customer has no ties to money laundering or other financial crimes. A failure to do so — or an inadequate check — could result in steep fines. We have a forthcoming deep dive on how SSI can specifically help with KYC, but the long and short of it is that in the SSI/VC world, you don’t need to have a compliance associate painfully poring over scanned ID documents and manually verifying them. Instead, if the customer’s information — say their medical history — was presented as a verifiable credential, then it can be verified instantaneously. This does raise the question of how onboarding would work for a customer who doesn’t have such credentials. In this case, they could simply be onboarded the way they are today, and they could be issued a verifiable credential that contains the information the insurer verified. Having this credential would mean that subsequent KYC checks — say for a different division of the insurer — would be able to leverage this credential and avoid duplicative manual verifications.
The bottom line: SSI and VCs mean less money spent verifying customer information, quicker KYC, and ultimately lower compliance costs.

Proof of Insurance: Carrying physical paper-based proofs of insurance is a bad idea for a multitude of reasons. It can be lost or stolen — not to mention the fact that it’s awfully easy to spill coffee on it. By using a credential-based system, people with insurance can use verifiable presentations to offer proof of insurance to healthcare providers or any other party who wants to verify someone’s insurance. The reason a credential-based system is so much better-suited for proof of insurance is because it’s so much easier to verify the proof of insurance in a digital system. Imagine a policeman trying to verify someone’s car insurance at a traffic stop. The officer would have to get the paper credential, read from a years-old paper, punch in a serial number into the database (running the risk of typos) and wait for the information to come back. Contrast that with a credential-based system, where all the officer needs to do is verify the presentation that the driver can generate on their phone.
The bottom line: Customers have proof-of-insurance on their phone, readily verifiable with the scan of a QR code through verifiable presentations.

Making Claims: Filing a claim can be a painfully bureaucratic procedure which usually comes at a time when people need assistance the most, such as following property damage or hospitalization. Self-sovereign identity can make the data collection and verification process easier for both the users and insurers. Consider the case of health insurance. If someone has been admitted to the hospital, the hospital could issue a credential to certify that this individual has indeed been treated for a certain condition. The user could then issue a verifiable presentation to the insurer, who can accordingly process the claim. The advantages are clear — the user doesn’t need to fill out lengthy forms to submit a claim, and more importantly the insurer doesn’t need to struggle to verify the information, as the information came in a verifiable credential which can be verified instantly.
The bottom line: Insurers spend less time verifying claim data, and customers enjoy a quicker and less paper-based claim application process.
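The claims flow described above (hospital issues, policyholder presents, insurer verifies), as an added example that is not code from R3, Cordentity or Hyperledger Indy. It assumes plain Ed25519-signed JSON envelopes rather than a real verifiable-credential format, and the identifier `hospital:example`, the insurer's one-time nonce and all function names are hypothetical.

```javascript
const crypto = require('crypto');

// Constructed parties: each holds an Ed25519 key pair generated for this demo.
const hospital = crypto.generateKeyPairSync('ed25519'); // issuer
const patient = crypto.generateKeyPairSync('ed25519');  // holder
const toPem = (key) => key.export({ type: 'spki', format: 'pem' });

// Sign the exact serialized string so the verifier never re-canonicalizes JSON.
function seal(obj, privateKey) {
  const payload = JSON.stringify(obj);
  const sig = crypto.sign(null, Buffer.from(payload), privateKey).toString('base64');
  return { payload, sig };
}

// Return the parsed payload only if the signature checks out, else null.
function unseal(envelope, publicKeyPem) {
  const sig = Buffer.from(envelope.sig, 'base64');
  const ok = crypto.verify(null, Buffer.from(envelope.payload), publicKeyPem, sig);
  return ok ? JSON.parse(envelope.payload) : null;
}

// Hospital: bind the claims to the patient's public key and sign them.
const issueCredential = (issuerId, issuerKey, holderPem, claims) =>
  seal({ issuer: issuerId, holder: holderPem, claims }, issuerKey);

// Patient: wrap the credential with the insurer's one-time nonce and sign.
const present = (credential, holderKey, nonce) => seal({ credential, nonce }, holderKey);

// Insurer: require a trusted issuer, an unaltered credential, the bound holder, a fresh nonce.
function verifyPresentation(presentation, trustedIssuers, expectedNonce) {
  try {
    const outer = JSON.parse(presentation.payload);
    const issuerId = JSON.parse(outer.credential.payload).issuer;
    if (!trustedIssuers.has(issuerId)) return { ok: false, reason: 'untrusted issuer' };
    const cred = unseal(outer.credential, trustedIssuers.get(issuerId));
    if (!cred) return { ok: false, reason: 'bad issuer signature' };
    if (!unseal(presentation, cred.holder)) return { ok: false, reason: 'bad holder signature' };
    if (outer.nonce !== expectedNonce) return { ok: false, reason: 'stale nonce' };
    return { ok: true, claims: cred.claims };
  } catch (err) {
    return { ok: false, reason: 'malformed' };
  }
}

// Constructed claim: the insurer trusts one hospital key and issues a nonce per request.
const trusted = new Map([['hospital:example', toPem(hospital.publicKey)]]);
const credential = issueCredential('hospital:example', hospital.privateKey,
  toPem(patient.publicKey), { treatment: 'fracture', admitted: '2020-05-01' });
console.log(verifyPresentation(present(credential, patient.privateKey, 'n-1'), trusted, 'n-1'));
```

Each rejection reason maps to a manual check the insurer would otherwise do by hand: who issued the record, whether it was altered, whether the person presenting it is the person it was issued to, and whether it was submitted for this request.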

On GDPR Compliance and Data Breaches

A somewhat unseen dimension of the identity lifecycle is thinking about how the company stores its customers’ information. As I’ve written about in more detail in this article, regulatory changes like GDPR have compelled companies — at the risk of 4% of their annual revenues — to hold personally-identifiable information (PII) in a manner that is secure (so as not to risk a data breach) and easily removable if the company receives a delete request. Current approaches to PII storage tend to be database-driven, and when companies have copies of customer data across offices that potentially span several continents, managing a GDPR deletion request can be a challenging and costly affair. With SSI, companies no longer need to store every last portion of customer information in a database. Sensitive information, say Social Security Numbers or financial information, could be held in a verifiable credential issued to the user instead of somewhere in a database.

However, to say that SSI would completely eliminate information held in company databases would be flatly incorrect. After all, there may be some information that the insurance companies want to collect and store about their users to help personalize service or for analytics. The value of SSI lies in the fact that the information that a malicious actor may want to get hold of — SSNs, banking information and the like — isn’t held in a single centralized place. In other words, if you were a hacker, you’d be a lot more interested in a database of SSNs than a database of the time each user spent in the app. This means that there’s a substantially mitigated risk of the steep penalties and reputational damage that come with a data breach. Moreover, this data minimization could make it much easier to handle a GDPR data erasure request, cutting compliance-related costs.

Ultimately, this means that SSI has the potential to let insurance companies decide what data they want to store, avoid costly data breaches and reduce the risk of penalties associated with GDPR.

How Can SSI be Implemented in Insurance?

The “Minimum Viable Ecosystem”

Clearly, the value of an SSI solution is maximized when everyone is a part of the same ecosystem. This would mean all of us having credential-based driver’s licenses and passports from the government, credentials for each insurance we have, the police being willing to issue a credential if a car is in an accident, maybe even universities issuing credential-based degrees! In practice we’re a long way away from having every single party in the identity system using self-sovereign identity. So that begs the question — what’s the minimum viable ecosystem we need for self-sovereign identity?

The answer is that it depends on what services you want SSI to cover.

Perhaps the starting point — or the “minimum viable ecosystem” — would be an internal SSI solution. Insurers, much like other financial institutions, can be vastly complex organizations with information often siloed between branches and divisions. An internal SSI solution would mean that individuals can hold their information (say their personal details and what insurance they have) in a digital wallet, and if another branch or division wants to use their information to run a compliance check or to process a claim, then they can simply send a notification to the user asking for approval (i.e. a request) to access the verifiable credential information. An extension of this could be “bancassurance”, where insurance products are sold through a bank. The advantage here would be that the bank can share their KYC file with the insurance underwriter with the user’s permission, meaning less money spent on compliance checks for the insurer and fewer delays for the end user.

The Corda Advantage

We at R3 view identity as an integral layer in any solution in the financial services space. While some past use cases involving identity on Corda have been geared towards KYC, we recognize the tremendous opportunity presented by self-sovereign identity. As such, our product focus has been geared towards building out interoperability with large open-source networks for decentralized identity. This is exemplified by Cordentity, a CorDapp that enables interoperability between the Corda network and Hyperledger Indy. Our push towards interoperability will allow your solution to leverage Corda’s core strengths — smart contracts and instantaneous cash movement for instance — while enjoying the great benefits of SSI and VCs.

Learn more about what we’re doing in digital identity and insurance.
