Tag Archives: financial services

Connected Humans, Version 3.0

Whether you commute to work on public transport to work or fly between busy airports to serve your clients, wherever you go you will see people glued to their phones, tablets or e-readers. More than likely, all these devices are connected to the Internet in real time over a mobile network or capable of connecting via Wi-Fi.

There is so much written on the connected car and the connected (“smart”) home, but we also need to open a discussion about connected humans.

Let me clarify: I have no interest in talking about social networking. I’m more interested in connections from the perspective of tracking health and biometric data to be used by the healthcare and insurance industries for pricing.

A decade ago, we were limited by the technology and the computing power of hand-held devices. Wearables and ingestible devices were nowhere in the ecosystem. It made perfect sense to use historical data to price and sell products based on stale census information.

Technology drivers

Fast forward to the current time. Computing power has scaled exponentially over the last decade. We have devices that can track, store and filter essential lifestyle and health data, and we have predictive analytic capabilities that would make historic rating methods look like the Stone Age.

Market demographics

The growth rate of Millennials earning paychecks is not keeping pace with the growth in the aging population living off savings. If that was not bad enough , buying behaviors of Millennials indicate that insurance is not one of their top priorities. There are numerous surveys you can find online that point to this problem.

We have heard of “gamification” and customer engagement in the context of banking and financial services, to attract Millennials, but insurance and healthcare companies have barely touched the tip of the iceberg on this. The amount of biometric data that can be harvested and used for predictive analytics could include a host of items, including blood pressure, heart rate, vitamin count, sleep patterns, activity metrics and blood sugar, just to name a few. All this information, harvested and analyzed to price and sell a host of new products to new market segments with lifestyle diseases like diabetes or obesity, opens the route to gamification of healthcare apps and much better life insurance pricing. Providers today stop at just providing discounts on the fringes as I see it, not truly revisiting pricing.

With technology evolving at the pace it is and with our ability to get more out of the data through predictive analysis, the healthcare and insurance segment could look very different 10 years from now.

There is a school of thought that says privacy issues will limit the use of biometric data, but, if there is a business model that works for weight watchers and diabetic forums, there is a business case and a market segment to change the way insurance and healthcare products are priced and sold.

Hertz has begun to pitch itself as a used-car sales channel, allowing the consumer to test drive a car for an extended renting period and then buy or not buy the car. In the insurance or healthcare context, if pricing were driven by behavioral patterns and biometric statistics, you could offer an extended free look or evaluation period allowing a skeptical diabetic or obese customer to try devices, see the effects on their health and the corresponding premium discounts and then make a decision on locking into the product.

Insurance and healthcare have not truly embraced the technology and buying behavioral shift of customers. What remains to be seen is who leads the charge. Will it be insurance and healthcare companies? Will it be technology giants like Google, which are already tracking a lot of what people do? Or will it be a company like Tesla and Uber, which have disrupted traditional industry segments where they were never the incumbent.

6 Trends Signaling Major Opportunity

Last year, I decided to pursue a career transition as a full-time occupation. I’ve been out in the market for the past six months, assessing business opportunities as I network with executives in financial services, healthcare, media and retail, as well as with VCs, private equity investors and advisers.

What’s been great is that invariably any role in any organization, however broad, will be framed by the priorities that drive the business, which may be using a short-range lens defined by the annual plan, or one that doesn’t offer much of a peripheral view.  Transition-as-occupation offers full permission to set the aperture and depth of field for insight-gathering and exploration.

What has also been remarkable is not only the generosity of many people at the top of their respective fields to share perspectives, but also how I’ve been able to help others by playing the role of connector among people who may not normally meet up with each other, but who are excited to understand how others are addressing common questions in a complex and changing environment.

Here are six connected trends on the collective mind of the leaders with whom I’ve met. They represent a snapshot of what I am hearing. Within them are opportunities to be realized across this industry:

  • Customer-centricity – is it talk or walk? C-suiters certainly verbalize that “customer-centricity” matters, but few teams demonstrate that empathizing with the customer is bedrock for viable, win/win relationships, growth and profit improvement. The phrase has as many definitions as (or more than) the number of people defining it. Most significantly, the connection to concrete, quantifiable business priorities is generally missing. For those who get beyond the buzzwords, there is tremendous tangible value, even disruptive opportunity, in being a customer-focused player in this sector.
  • Old norms don’t work…digital and innovation are essential. Businesses are faced with redesigning processes, structures and metrics, recruiting more agile learners who are also able to deliver and overcoming legacy infrastructure to adopt new technologies. This level of change in the way businesses operate is not for the faint-hearted. The companies that take on these real implementation requirements will gain ground.
  • Yes, technology truly is changing everything. Even with greater efficiency, there is no growth without compelling offerings that meet big market needs. For companies engineered to serve baby boomers, serving the millennial generation requires profound change, not just a digital coat of paint. The implications go way beyond having a social media presence, cool apps and clever advertising. The millennial generation is inheriting a different world, re-shaped in good and bad ways by prior generations.  The starting point for progress is to be truly insight-led, and not presume you know what people want and need.
  • The marketing bar is being raised. This discipline has been disrupted, and more is being demanded. Traditionally viewed as “support” people, marketers are now being held to results that require a different seat at the table, a different talent profile, processes and resources and an entirely new set of connections with colleagues and external partners. Begin by redefining relationships, especially with product, IT and sales internally, and with the advertising and media agencies as key outside partners.
  • Two tales are playing out within financial services. Legacy institutions remain heavily focused on regulation, compliance, expense reduction and cyber security…while fin tech is hot, with capital flowing into payments, wealth management, consumer lending and related start-ups pursuing market disruption and reshaping the industry. Start-ups are doing great things in this sector and will keep incumbents on their toes, as well as representing potential acquisition opportunities as a strategy to modernize. Alignment around a clear strategy and a collaborative culture are at the foundation of leading change vs. playing defense.
  • Healthcare disruption is creating opportunities, but the pace is slow. Payers and providers are aiming to address Affordable Care Act and other government, employer and consumer-driven impacts.  Using electronic medical records, controlling employer healthcare expenses and enabling patient accountability for medical care decisions are just three of many big and complex challenges. The road to change will be long and slow given the sheer complexity and fragmentation of healthcare delivery. As in financial services, new entrants are leading innovation with solutions that address elements of the ecosystem. As in financial services, there is room for incumbents to realize opportunity with the right strategic and cultural conditions.

How HR Can Stop Insider Data Theft

After Edward Snowden’s escapades, how could any company fail to take simple measures to reduce its exposure to insider data theft?

Yet large enterprises remain all too vulnerable to insider threats, as evidenced by the Morgan Stanley breach. And many small and medium-sized businesses continue to view insider data theft as just another nuisance piled on to a long list of operational challenges.

“I suspect too many companies are fixated on outsider threats, like malware infections and external hacking, to the extent that insider threats get overlooked,” says Stephen Cobb, senior security researcher at anti-malware vendor ESET.

More: 3 steps for figuring out if your business is secure

A low-level Morgan Stanley financial adviser with sticky fingers allegedly tapped into account records, including passwords, for six million of the Wall Street giant’s clients. He got caught allegedly attempting to peddle the stolen records on Pastebin, a popular website for storing and sharing text files.

The financial services sector has long been very proactive defending against all forms of data breaches for obvious reasons, and Morgan Stanley was able to nip this particular caper early on. Big banks and investment houses typically have highly trained teams, using a variety of detection tools and monitoring regimes designed to flush out any indication of a breach.

“Often you have analysts in a security operations center hunting for abnormal activity,” says Scott Hazdra, principal security consultant at risk management firm Neohapsis. “They can often spot suspicious data movement based on quantity, destination or classification level and react in hours versus discovering data out in the wild when it’s much harder to limit exposure.”

Organizations outside of the financial services industry, however, are still on the lower end of the curve understanding this exposure, much less taking even basic steps to reduce it.

Given the nature of the exposure, security and privacy experts say human resource officials need to be on the front lines of mitigating insider data theft. In particular, HR department heads should be integrally involved in working with a company’s tech and security teams to define and deploy access rights to sensitive company data.

“With this collaboration and the right tool sets, companies can apply access controls that restrict employees to just the information they need to perform their jobs,” says Deena Coffman, CEO of IDT911 Consulting, which is part of identity and data risk consultancy IDT911. (Full disclosure: IDT911 sponsors ThirdCertainty.)

It’s a balancing act, of course. Quick and flexible access to company records drives productivity gains. At the same time, it creates fresh opportunities for granting unnecessary access privileges — and for theft.

“Building data and network security policies to thwart the likely approaches to steal information is a foundation for limiting possible damage,” says Steve Hultquist, chief evangelist at security analytics firm RedSeal. “Using automation to analyze and ensure compliance with a security policy is essential for protecting customer and corporate data assets.”

There should also be a structured process for communicating changes quickly to ensure that a terminated employee or departed contractor does not retain access privileges, Coffman says.

“Many of the inside attacks are IT employees with elevated privileges and little oversight on how and when those privileges are used,” Coffman says. “The use of privileged accounts should be monitored and logged. Separation of duties should be required on certain functions, and an annual outside review is a good idea.”

Cutting off terminated employees and partners should be swift and sure. Better safe than sorry.

“Too often, organizations don’t have a complete picture of what access each employee has, particularly if they have been there a while,” ESET’s Cobb says. “Getting employee departures right involves a coordinated effort from HR, IT and legal.”

A disgruntled employee, who’s not planning on going anywhere, is another type of exposure that should be addressed. American Banker is now reporting that the alleged perpetrator of the Morgan Stanley breach was promoted to financial adviser from sales assistant about a year ago and gained access to records by manipulating the bank’s wealth management software. The lawyer representing the accused adviser insists in the American Banker report that his client did not post any of Morgan Stanley’s data on Pastebin.

“All managers need to be aware of morale among reports, and there needs to be a process for taking concerns to HR in a discreet way while increasing monitoring of use of IT resources,” Cobb says.

The Traps Hiding in Catastrophe Models

Catastrophe models from third-party vendors have established themselves as essential tools in the armory of risk managers and other practitioners wanting to understand insurance risk relating to natural catastrophes. This is a welcome trend. Catastrophe models are perhaps the best way of understanding the risks posed by natural perils—they use a huge amount of information to link extreme or systemic external  events to an economic loss and, in turn, to an insured (or reinsured) loss. But no model is perfect, and a certain kind of overreliance on the output from catastrophe models can have egregious effects.

This article provides a brief overview of the kinds of traps and pitfalls associated with catastrophe modeling. We expect that this list is already familiar to most catastrophe modelers. It is by no means intended to be exhaustive. The pitfalls could be categorized in many different ways, but this list might trigger internal lines of inquiry that lead to improved risk processes. In the brave new world of enterprise risk management, and ever-increasing scrutiny from stakeholders, that can only be a good thing.

1. Understand what the model is modeling…and what it is not modeling!

This is probably not a surprising “No. 1” issue. In recent years, the number and variety of loss-generating natural catastrophes around the world has reminded companies and their risk committees that catastrophe models do not, and probably never will, capture the entire universe of natural perils; far from it. This is no criticism of modeling companies, simply a statement of fact that needs to remain at the front of every risk-taker’s mind.

The usual suspects—such as U.S. wind, European wind and Japanese earthquake—are “bread and butter” peril/territory combinations. However, other combinations are either modeled to a far more limited extent, or not at all. European flood models, for example, remain limited in territorial scope (although certain imminent releases from third-party vendors may well rectify this). Tsunami risk, too, may not be modeled even though it tends to go hand-in-hand with earthquake risk (as evidenced by the devastating 2011 Tohoku earthquake and tsunami in Japan).

Underwriters often refer to natural peril “hot” and “cold” spots, where a hot spot means a type of natural catastrophe that is particularly severe in terms of insurance loss and is (relatively) frequent. This focus of modeling companies on the hot spots is right and proper but means that cold spots are potentially somewhat overlooked. Indeed, the worldwide experience in 2011 and 2012 (including, among other events, a Thailand flood, an Australian flood and a New Zealand earthquake) reminded companies that so-called cold spots are very capable of aggregating up to some significant levels of insured loss. The severity of the recurrent earthquakes in Christchurch, and associated insurance losses, demonstrates the uncertainty and subjectivity associated with the cold spot/ hot spot distinction.

There are all sorts of alternative ways of managing the natural focus of catastrophe models on hot spots (exclusions, named perils within policy wordings, maximum total exposure, etc.) but so-called cold spots do need to remain on insurance companies’ risk radars, and insurers also need to remain aware of the possibility, and possible impact, of other, non-modeled risks.

2. Remember that the model is only a fuzzy version of the truth.

It is human nature to take the path of least resistance; that is, to rely on model output and assume that the model is getting you pretty close to the right answer. After all, we have the best people and modelers in the business! But even were that to be true, there can be a kind of vicious circle in which model output is treated with most suspicion by the modeler, with rather less concern by the next layer of management and so on, until summarized output reaches the board and is deemed absolute truth.

We are all very aware that data is never complete, and there can be surprising variations of data completeness across territories. For example, there may not be a defined post or zip code system for identifying locations, or original insured values may not be captured within the data. The building codes assigned to a particular risk may also be quite subjective, and there can be a number of “heroic” assumptions made during the modeling process in classifying and preparing the modeling data set. At the very least, these assumptions should be articulated and challenged. There can also be a “key person” risk, where data preparation has traditionally resided with one critical data processor, or a small team.  If knowledge is not shared, then there is clear vulnerability to that person or team leaving. But there is also a risk of undue and unquestioning reliance being placed upon that individual or team, reliance that might be due more to their unique position than to any proven expertise.

What kind of model has been run? A detailed, risk-by-risk model or an aggregate model? Certain people in the decision-making chain may not even understand that this could be an issue and simply consider that “a model is a model.”

It is worth highlighting how this fuzzy version of the truth has emerged both retrospectively and prospectively. Retrospectively, actual loss levels have on occasion far exceeded modeled loss levels: the breaching of the levies protecting New Orleans, for example, during Hurricane Katrina in 2005. Prospectively, new releases or revisions of catastrophe models have caused modeled results to move, sometimes materially, even when there is no change to the actual underlying insurance portfolio.

3. Employ additional risk monitoring tools beyond the catastrophe model(s). 

Catastrophe models are a great tool, but it is dangerous to rely on them as the only source of risk management information, even when an insurer has access to more than one proprietary modelling package.

Other risk management tools and techniques available include:

  • Monitoring total sum insured (TSI) by peril and territory
  • Stress and scenario testing
  • Simple internal validation models
  • Experience analysis

Stress and scenario testing, in particular, can be very instructive because a scenario yields intuitive and understandable insight into how a given portfolio might respond to a specific event (or small group of events). It enjoys, therefore, a natural complementarity with the hundreds of thousands of events underlying a catastrophe model. Furthermore, it is possible to construct scenarios to investigate areas where the catastrophe model may be especially weak, such as consideration of cross-class clash risk.

Experience analysis might, at first glance, appear to be an inferior tool for assessing catastrophe loss. Indeed, at the most extreme end of the scale, it will normally provide only limited insight. But catastrophe models are themselves built and given parameters from historical data and historical events. This means that a quick assessment of how a portfolio has performed against the usual suspects, such as, for U.S. exposures, hurricanes Ivan (2004), Katrina (2005), Rita (2005), Wilma (2005), Ike (2008) and Sandy (2012), can provide some very interesting independent views on the shape of the modeled distribution. In this regard, it is essential to tap into the underwriting expertise and qualitative insight that the property underwriters can bring to risk assessment.

4. Communicate the modeling uncertainty.

In light of the inherent uncertainties that exist around modeled risk, it is always worth discussing how to load explicitly for model and parameter risk when reporting return-period exposures, and their movements, to senior management. Pointing out the need for model risk buffers, and highlighting that they are material, can trigger helpful discussions in the relevant decision-making forums. Indeed, finding the most effective way of communicating the weaknesses of catastrophe modeling, without losing the headline messages in the detail and complexity of the modeling steps, and without senior management dismissing the models as too flawed to be of any use, is sometimes as important for the business as the original modeling process.

The decisions that emerge from these internal debates should ultimately protect the risk carrier from surprise or outsize losses. When they happen, such surprises have a tendency to cause rapid loss of credibility from outside analysts, rating agencies or capital providers.

Biometrics and Fraud Prevention: Seeing Eye to Eye

As more consumers opt for the flexibility of serving themselves, it has become essential for businesses to deploy strong systems to authenticate identity. The challenge is how to reduce fraud without frustrating consumers or compromising the customer experience.

Biometric technology has been seen increasingly as a solution in industries such as financial services, but is there a useful place in insurance? As technology becomes more convenient –and more secure — many are saying yes.

What’s What in Biometrics

By identifying individuals through their unique physiological or behavioral patterns, biometrics offers a higher level of security, ensuring that only authorized persons have access to sensitive data. Physiological biometrics include fingerprint, face, iris and hand geometry recognition. Behavioral biometrics identify signature and voice verification, including keystroke kinetics that identify a person’s typing habits.

As consumer-centric channels such as mobile and online applications continue to expand, so will the risk of fraud. And while many industries, including insurance, continue to deploy new technologies to stave off attacks, the reality is that the tools and methods by which professional fraudsters operate are becoming increasingly sophisticated.

“While insurers have applied some preventive measures against fraud, the industry as a whole needs to catch up,” says Steve Cook, director of business development, Facebanx. “They must be forward-thinking and recognize the benefits of biometric technology and how it can help in preventing fraudulent activities.”

Reducing Claim Fraud and Protecting Data

One area where biometrics has begun to take hold is healthcare insurance. A study by the Ponemon Institute found nearly 1.5 million Americans to be victims of medical identity theft. Healthcare fraud is estimated to cost between $70 billion and $255 billion a year, accounting for as much as 10% of total U.S. healthcare costs.

Many insurers are using biometrics to help reduce billing fraud by eliminating the sharing of medical insurance cards between patients, or by making it more difficult for a person to assume another’s identity. For example, as an alternative to paper insurance cards, a biometric iris scan can immediately transport proof of a patient’s physical presence at a healthcare facility.

Biometric technology is also assisting healthcare insurers with compliance and data integrity standards — in particular with those set by the Health Insurance Portability and Accountability Act (HIPAA). For example, in addition to adhering to requirements for automatic logoff and user identification, insurers must implement additional safeguards that include PINs, passwords and some method of biometrics.

Fraud Capabilities in Property and Casualty

According to a report by Aite Group, the war against fraud in property and casualty insurance is also escalating. The group estimates that claim fraud in the U.S. P&C industry alone cost carriers $64 billion in 2012 and will reach $80 billion by 2015. Customer contact centers have been hit particularly hard. While the focus on protecting consumer data has primarily centered on online channels, fraudsters are now targeting the phone channel, as well. Leveraging information obtained through social media networks, thieves are manipulating call center representatives and gathering customer information. 

For this reason, biometrics are being deployed. Representatives can cross-reference incoming calls against a watch list of known fraudsters, identifying unique voice prints. Advanced biometric techniques can also identify fraud patterns based on speech analytics, talk patterns and various “red flag” interactions.

Summary

The insurance industry is just beginning to scratch the surface when it comes to identifying areas of fraud management to which biometric science can be applied. 

“Insurance companies [that] are first to adopt this kind of technology will push the fraudsters over to the competition, because fraudsters don’t want their face or voice on a database that they can’t control,” Cook says.

Making the switch to biometric security measures can mean a substantial investment if done on a large scale. Even so, with the proliferation of online channels, consumer conveniences and ever-shifting tactics of fraudsters, deploying some degree of biometric technology will become a competitive necessity. And, as long as the insurance industry continues to expand consumer services because of e-commerce and m-commerce, no doubt new applications of biometrics will come about.