Accueil » SECURITY AUTHENTICATION FOR BROKER-INSURER DATA EXCHANGE NATIONAL POSITION PAPER

Advert

Accueil » SECURITY AUTHENTICATION FOR BROKER-INSURER DATA EXCHANGE NATIONAL POSITION PAPER

SECURITY AUTHENTICATION FOR BROKER-INSURER DATA EXCHANGE NATIONAL POSITION PAPER

January 10, 2025

Brokers and Insurers can deliver information to one another far more efficiently using electronic means than by traditional methods. The business purposes behind these exchanges, however, and the roles of the correspondents, have never changed; the distinct roles and separate responsibilities of broker and underwriter still persist. It follows, then, that the rules and security conventions for electronic data exchange must reflect the business model they serve.

Brokerage principals control their own operations, and are ultimately accountable for their employees’ actions. Insurers grant binding authority on a brokerage-by-brokerage basis; indeed, Broker-Insurer contracts are abundantly clear that brokerages are responsible for errors or omissions, or infringement of binding authority, by their staff. 

Traditionally, brokers have communicated with Insurers via various tools such as written memorandums, telephones, or more recently, email and EDI. Insurers have not determined a particular employee’s authority to correspond with underwriters or relay client instructions; that duty has always rested squarely on the brokerage principals’ shoulders.

Delivering information to Insurers electronically through web services does not alter that responsibility; brokerages still govern the training and actions of their own staff and have accountability for individual actions performed on behalf of the brokerage. That supervision includes the security of internal brokerage networks and BMS’s, which make use of centrally controlled individual user names and passwords. Once a user name is deleted or disabled, all access is also removed, including to all other dependent application(s) accessed through the broker’s own central system.

Dangerous risks are created, however, when individuals can access Insurer systems directly without routing through an identified brokerage’s system. Where the only prerequisite is an internet connection, persons recalling their usernames and passwords can access Insurer systems from anywhere. When an employee leaves the firm, brokerage principals must react immediately to cancel each and every Insurer password assigned to that person, but must frequently rely on various back-logged Insurer administrators to complete the task.

Aside from this high potential exposure, the programming complexity and ongoing maintenance needed to manage individual passwords for each brokerage employee, for multiple Insurers, adds untold expense both for brokers and especially for Insurers.

On the other hand, an authentication method using a single brokerage-level password reduces the potential for outside abuse by individuals, and eliminates multiple layers of unnecessary complexity and cost. The Insurer system verifies that the incoming message is indeed from an approved brokerage and that the information received is therefore sanctioned by that firm.

Of course, the sender of a communication, whether brokerage or Insurer staff, must still be identifiable for audit purposes. Further, brokerages must be diligent in ensuring that all userlevel passwords are kept secure and confidential, and that access to internal broker systems is terminated immediately should an individual leave their employment.

IBAC reaffirms brokers’ authority over their own operations and their staff. In the interests of all industry stakeholders, IBAC is committed to promoting the most effective use of technology in order to best serve consumers, moving away from portal-based communications models. IBAC urges Insurers to consider the following when designing and building electronic interfaces with their broker partners.

IBAC Security Model Principles

  • Brokerages, not individuals, contract with Insurers.
  • Brokerages take responsibility for the training and actions of their staff, for the authority given to them, and for their access to network and communication resources.
  • Electronic communications do not alter the traditional Broker-Insurer business model.
  • Authentication for conveying information electronically to Insurers can be most securely controlled by brokerages when based at a system-level (i.e., brokerage system to insurer system).
  • System-based authentication eliminates the additional expense, complexity, and the inefficiency inherent in individual username-password requirements.
  • Individual correspondents must be identifiable but do not require additional authentication.

 

Download The PDF version

Leave a Reply

Your email address will not be published. Required fields are marked *

Become a Part of the Community.

Subscribe today and Stay Updated! Get the latest updates, news, and exclusive content straight to your inbox.

By submitting this form, you are consenting to receive marketing emails from: My WordPress. You can revoke your consent to receive emails at any time by using the SafeUnsubscribe® link, found at the bottom of every email. Emails are serviced by Constant Contact

© 2025, Insurance Brokers Association of Canada

Aligning with Regulatory Frameworks and Standards

Principles will align with international AI guidelines (e.g., ISO 42001, OECD frameworks) and industry-specific regulations (e.g., RIBO, OSFI, AMF) upheld by stakeholders. Adherence to legal standards will help organizations navigate jurisdictional requirements, promote sustainable practices, and prevent misuse of AI data

Encouraging Responsible Al Innovation

Principles will encourage the broker community to innovate responsibly by developing AI systems that prioritize consumer well-being, inclusivity, and fairness, while also assessing the societal, environmental, and economic impacts of their AI solutions

Promoting Accountability in AI Oversight

AI principles will reinforce accountability across all levels of organizations and third-party collaborators. By defining roles, ensure human oversight in AI processes, this enhances traceability, enables informed decision-making, and embeds mechanisms for ethical redress when errors or adverse outcomes occur

Ensuring Consumer Trust and Fairness

AI governance principles support commitment to transparency, fairness, and accountability. By requiring explainable outcomes and proactive consumer communication, it fosters trust among the broader broker community, their clients, and external stakeholders

Supporting Ethical Standards and Stakeholder Collaboration

By incorporating AI governance principles, broker members can align with its mission of fostering an ethical culture among its stakeholders Address biases, safeguard consumer protection, and promote inclusivity, which will reinforce commitment to ethical AI practices in collaboration with industry stakeholders, regulators, and third-party solution providers

PoC Use Case Overview: Al-Assisted Coverage Discovery & Gap Analysis

Technical Requirements

AI models with context on industry benchmarks and policy structures to interpret existing policy terms, endorsements, and clauses.

Integration with BMS to retrieve client profiles, exposure information, and historical policy data.

Data ingestion and continuous updates to ensure alignment with typical coverage patterns and industry guidance.

Data security and compliance features to protect client information.

Functional Scope

Analyze client-submitted data, including exposures, business context, and other relevant information.

Extract and interpret existing policy terms (e.g., endorsements, exclusions, clauses).

Benchmark against typical coverage patterns and industry guidance to identify coverage gaps.

Prioritize identified coverage gaps and provide rationale based on considerations such as industry standards and risk.

Recommend relevant products and coverage options tailored to the client profile, and generate summaries for client discussions.

AI-Powered Client Onboarding & Data Intake – Overview:
Proof of Concept (PoC) Use Case

Technical Requirements

BMS Integration: Integration with BMS for secure data capture and storage.

Applied ARS Integration: Integration with Applied ARS to enable automated quote generation.

Dedicated Parsers for Renewal: Document parsing capability for 5–6 carrier renewal documents with high accuracy.

Extensibility Framework: Modular architecture to support future enhancements and additional automation.

Functional Scope

AI Chatbot for Client Onboarding: Collect client information, answer onboarding questions, and guide users through the onboarding process.

Data Collection & Storage: Capture and store collected data directly in the broker’s BMS.

Document Processing: Enable clients to upload renewal documents and extract key data to accelerate the onboarding process.

Quotes Generation: Generate quotes based on collected information.