Network management and data security
Christoph Ullrich of ADAC discusses how regulatory requirements are changing how insurance and assistance providers must approach data security
A handshake, two-page contracts, checklists with 20 questions ... over and done with. At least, that was how bringing a provider into an insurer’s network used to work. Following the financial crisis in 2009, though, more and more regulatory processes have impacted the travel insurance sector and the service providers with which it is associated. Alongside securing the liquidity of banks and insurance providers, the topic of risk management has also increasingly shifted into focus.
A new approach to risk management and data security
For ADAC Versicherung AG, a first-class insurance group (including travel, motor and legal expenses insurance) and part of the ARC Europe Medical Assistance Network, this has had a considerable impact on the structural set-up. Above all, this new risk-based approach has had an impact on network management and procurement, because the assistance services, network management and procurement for ADAC policyholders are rendered by units that are integrated in ADAC Versicherung AG, and therefore fully subject to the above-mentioned regulations of the German financial supervisory authority (Bafin) as well as Solvency II. On top of this, there are data protection regulations in force within the European Union (EU) that have resulted in a very narrow scope for data protection with the European General Data Protection Regulation of 2018, especially in the case of particularly sensitive data (as is used almost exclusively in the travel insurance, assistance and air ambulance sectors).
Then there is the ruling issued by the EU Court of Justice in 2020 on the lawsuit of a young man from Austria, Maximilian Schrems. Schrems successfully brought proceedings against Facebook Ireland, and the EU Court of Justice overturned the contractual foundations for data transfer between the EU and the US that had been valid until then – namely Safe Harbour and Privacy Shield. This is also where the nickname of the data protection regulation now in force comes from – ‘Schrems II’, which has been valid in the EU since July 2020.
An essential part of travel assistance is patient information
An elementary parameter in the processes of travel insurance, assistance and air ambulance involves exchanging personal data to clarify the insurance claim, as well as exchanging particularly sensitive data such as the health of the insured person. Generally, this involves several participants such as the insurance company, assistance firm, hospital, cost containment provider, and claims team. In multi-insurance cases, data on cost sharing is necessary. And our customers rightly wonder whether their data is also treated and exchanged confidentially.
The issue of data protection comes into even sharper focus as apps are integrated into the assistance process. ADAC itself launched an innovative support tool for its members in 2021 with the introduction of its Medical App. Other assistance providers have also started making use of technical gimmicks such as real-time insights into the cases of their customers for live information on their status – which is great in terms of transparency and the optimisation of communication processes – but this is only possible if the appropriate framework conditions are established and adhered to in terms of data protection on both sides.
Consumer protection and security with respect to the provision and sustainability of services purchased through travel insurance is another very important aspect from the customer's point of view. There have been several notorious examples of data leaks in the financial and insurance sector – particularly since the Lehman Brothers’ bankruptcy in 2009 – that have not helped to build trust, especially when it comes to insurance.
Meet legal requirements and have satisfied customers
The aim of all insurers and assistance providers is to meet regulatory challenges while at the same time creating real added value for the customer by maintaining an efficient and reliable top-quality medical network.
To do this, the network management team of ADAC and the ARC Europe Medical Assistance Network have developed an auditing process that is used both for the initial selection of a partner and for regular re-evaluation. This involves not only economic and formal data on the company, but also information on data protection, emergency plans, process descriptions, insurance, ethics, and compliance guidelines, among others. The data referred to above is made up of absolutely necessary data (which makes it impossible to select or cooperate with a partner if certain criteria are lacking or not met) as well as data that is not essential, but may be decisive for the overall evaluation when selecting a partner, for example, in the context of a tender.
It's hard work, but it pays off
This sounds like a heavy bureaucratic and paperwork-led process, of course – and to be honest, it is! But ... once it has been jointly processed, filled in and transparently discussed with each other, the process outlined above helps to improve mutual understanding, smooth processes in the operational business as well as the billing and regulation processes – on both sides.
The audit process takes place in two stages for a first-time audit. First, the audit form is sent out; it should be returned as completely as possible within three to six weeks. It is vital that we take into account the respective company's circumstances and capacities, such as whether we are dealing with a corporate or family business. This is followed as soon as possible by an on-site partner visit with a random check of the completed form, followed by a joint discussion of the results. Any open points are discussed with one another in a transparent manner, and a solution/settlement is agreed with a time frame.
The routine described above, in particular the on-site audits, was completely shattered by the Covid-19 pandemic and the massive travel restrictions it brought with it, and this is currently the subject of new discussions within ADAC. The possibility of conducting a live video audit also comes into play here – a combination of a written form, an on-site visit and a live video audit seems to offer good options for the future. An elementary matter for purely virtual and mixed audits is the issue of documentation – for example, should telephone and/or video recordings carry a date and time stamp, and who holds the data protection image and sound rights? Furthermore, explicit confidentiality agreements or contractual clauses on the storage of data must be formulated and concluded at this point without fail. It must also be specified explicitly to which group of people the collected data (documents, images, audio documents) may be made accessible, since the data often contains sensitive information such as the ownership structure of aircraft, and medical data on the flight and medical crew.
The most important foundation for a sustainable and successful implementation for both sides is transparency, mutual respect and a transparent joint discussion of the results, so that ultimately, we can jointly ensure the best possible customer experience.
The impact of the planned new EU directive on supply chain law (and all other legal reforms in the future) on the auditing process remains to be seen. What remains true, however, is that a strong network defies all challenges!