Banking on Change
If there is one thing the pundits can agree upon about crypto currencies it’s that they’re risky. And where there’s risk, there’s an opportunity for insurance against that risk. And where there’s a need for insurance there’s an opportunity for a captive.
One other thing upon which almost all are agreed is that crypto currencies, or at least the algorithms and blockchain technology which create them, are here to stay. In its simplest form, a blockchain is a distributed ledger of transactions which have occurred in a network which securely transmits any type of information without the control of a central authority or intermediary. To date all such transactions are considered immutable and impervious to fraud. In which case, what exactly are some of the risks associated with issuing, owning and storing digital currencies?
Well, these can range from privacy, reputational and financial risks to recovery risks. Although the Bitcoin blockchain is deemed unhacked as of this date, bitcoin users and investors in other crypto currencies need to be aware of the vulnerabilities which predominantly exist at the entry and exit points of the blockchain, often referred to as on-ramps and off-ramps. Also vulnerable to hackers are the crypto currency exchanges (Bitfinex and Coinbase have both been targeted – the breach of Bitfinex’s exchange platform cost users $72 million in Bitcoins), ICOs and the digital wallets frequently used to store crypto currencies. It is recommended that crypto currencies be held in a virtual wallet if one wishes to try and safeguard this online asset. Wallets are available in a range of prices with varying abilities. Are any of them truly impregnable? No. Hackers have on multiple occasions exposed weaknesses in Signaling System 7 (SS7), which have allowed them to breach the two-factor authentication on the wallets in which Coinbase customers hold assets, for example. And while cold storage (holding the asset off-line rather than on-line) is considered safest, this also has its own dangers. Matters are further complicated by DAOs (decentralised autonomous organizations), which present legal difficulties when determining liability since they are, by definition, stateless and lacking corporate structure.
To date there are few viable options for insuring the potentially significant losses resulting from these breaches in the traditional insurance market. This has led many of those affected, from businesses accepting transactions in Bitcoin to crypto currency exchanges, to explore the benefits of captives as a viable alternative to what can appear to be an unwelcoming commercial market.
In addition we are seeing a number of insurance-related examples of companies developing distributed ledger technology (DLT) in the search for the more cost-effective business model their customers are demanding, with ‘real-time’ efficiencies and the profits they hope will accompany such Proofs of Concept (POC) once brought to market. These range from Maersk and XL Catlin’s collaboration on a blockchain-based marine insurance platform to the news that Allianz is testing the introduction of its own cryptocurrency to assist with reducing foreign exchange risks.
Blockchain in its current incarnation is still a cumbersome database and has yet to reveal proof of its transformative abilities – although developments such as Ethereum’s proposed Casper protocol and blockchain sharding reinforce that we are still in the early stages of a new technology which is changing rapidly as it understands, and then reacts to, consequences as they become apparent.
However blockchain, DLT and crypto currencies are not the only forms of oft-named ‘disruptive’ technologies impacting the insurance market. Other emerging technologies range from the Internet of Things (IoT) automating the process of claim settlements, to drones being used to assess catastrophe claims long before human teams are able to gain access. From AI to bots, the insurance industry is embracing and experimenting with the latest advances in transformative ways.
As of June 30, 2018 CIMA had issued licences to a total of 698 Class B, C and D insurance companies, with 14 of these licences being issued during the previous three months. This reinforces the Cayman Islands’ dominance as the second largest captive domicile worldwide (where Bermuda is the largest and Vermont the third largest). As a leading domicile we must therefore expect interest from those seeking to use captives as a way of providing the coverage which should be considered part of an effective crypto currency insurance program and which is currently either unavailable, prohibitive in terms of cost or rendered ineffective due to restrictive exclusions and sub-limits. Those looking to establish such an insurance program will probably be seeking to obtain coverages ranging from cyberliability for both first party losses and third party liability as part of an effective network security and privacy liability insurance policy, ensuring they have adequate, tailored coverage under both their professional liability errors and omissions insurance and their directors’ and officers’ liability insurance as well as considering commercial crime insurance and possibly fiduciary bonds.
It is imperative that, in such an environment, insurance managers in Cayman educate themselves on the implications for the Cayman captive industry. This includes maintaining an open dialogue with the Cayman Islands Monetary Authority (CIMA) regarding the challenges inherent in developing InsurTech and FinTech opportunities and seeking solutions, either within the Cayman community or with regulators in other jurisdictions which may be facing a different timeline in the products and business propositions which they are being asked to evaluate by prospective captive owners.
When speaking with CIMA it is clear they are aware that, in order to maintain Cayman’s well-deserved reputation as a responsive and responsible domicile, their biggest challenge will be keeping ahead of the myriad of changes InsurTech will bring, and ensuring captives domiciled in the Cayman Islands understand any new risks they are taking on in this space. In this respect CIMA is looking into reviewing its regulatory framework, as appropriate, to be in a position to identify the risks and challenges posed by InsurTech as well as the potential benefits. CIMA is also aware that private sector bodies within Cayman Islands have established committees and sub-committees to look at the opportunities and challenges within the financial technology space.
While CIMA has not yet approved licences for any captives or insurers which it considers InsurTech captives, they have seen approximately twelve captives add cyber liability to their lines of coverage - all of which were established as Segregated Portfolio Companies (SPCs).
CIMA has received one enquiry relating to coverage for crypto currency loss, although this enquiry has yet to materialise into a formal business plan. When discussing with CIMA the vulnerabilities faced by investors and users of crypto currencies, and the resulting implications for an insurance program, we touched on currency exchange differences and storage. Aware that currency volatility means that a policy in fiat currency may become inadequate in the event that the crypto currency for which the policy is providing coverage fluctuates wildly in value, CIMA acknowledges they will need to consider the capital requirements for a captive providing such coverage to ensure they are adequate.
To date CIMA have not received applications from any captives proposing coverage for more exotic niche areas of InsurTech such as driverless vehicles or social engineering fraud - although one can expect that eventually such applications will be made. While companies are understandably coy about making such data public, some FBI estimates suggest that since January 2015 over $3 billion has been lost by companies due to the latter. To date most policies in the traditional market do not cover these types of loss - and courts in the US have hitherto largely supported the insurers’ position. Clearly a need exists for adequate insurance wherever there is a potential for loss, allowing companies to transfer risk and remove liabilities from their balance sheets to allow them to grow, even in an extreme case to avoid potential, yet completely unpredictable and unpreventable, financial disaster. However, should an application be submitted to establish a captive seeking to provide such coverage, CIMA cautions that it would be very risky to approve any business where the risk and exposure is unquantifiable.
I asked what CIMA would like to see from the actuaries being asked to price these new technology risks for feasibility studies - given the lack of data, uncertainty and immaturity of the market. Feasibility studies that are robust and that have considered all the plausible pros and cons, said CIMA. How will you review and assess such feasibility studies? ‘With caution’ was the reply.
CIMA did highlight that, on the funds side, CIMA has already seen around sixty Segregated Portfolio Companies (SPCs) formed, where the Segregated Portfolios themselves are sub-funds related to blockchain funds and other digital wealth opportunities such as Bitcoin. Clearly there is strong communication between the different arms of the Monetary Authority with a sharing of knowledge and experience gained. When considering the sort of training which will need to be provided for CIMA employees to allow them to properly and comprehensively evaluate InsurTech submissions, CIMA confirms that a number of staff have attended InsurTech, FinTech and RegTech conferences and webinars. CIMA employees are also active members of the International Association of Insurance Supervisors (IAIS) and are kept abreast of all IAIS papers on InsurTech. To date CIMA has not felt the need to out-source any of this expertise.
Delaware recently awarded a contract to IBM to build a blockchain-based corporate filing system, building their own blockchain in which they can automate the filing of paperwork from businesses – starting with SPVs. In the summer of 2018 Vermont announced they were engaging software engineers to create a blockchain to record the incorporation documents for captives. Vermont, like Delaware, hopes this approach will lead to efficiencies. They also hope this will help attract those involved in any aspect of the blockchain industry to choose their state as a domicile when considering a captive.
CIMA is keeping a watchful eye on these projects. CIMA has, to a large extent, gone digital, and the Regulatory Enhanced Electronic Forms Submission (REEFS) system means that most of the submissions from licensees are done electronically. Will CIMA now consider accepting blockchain corporate records as part of the due diligence submitted by a prospective captive? Maybe, if they consider there to be a justifiable need in the future and they implement such technology. I asked if CIMA is considering, or has already initiated enquiries to determine the feasibility of, a similar enterprise to those embarked upon by Delaware and Vermont, and the cost savings and efficiencies which establishing its own blockchain may offer. CIMA’s reply made it clear that for such a project to be a success they will first need to perform a cost v benefit analysis. Presently, they have not seen the demand for, or use of, blockchain that would warrant and justify such steps.
In 2017 Arizona enacted legislation recognizing signatures through blockchain. Although CIMA no longer requires ‘wet’ signatures (stating that records may be kept in a form other than a paper-based document or copy of a document, as long as the integrity of the document remains intact) CIMA does insist that records need to be kept in a manner that allows them to access said records. The same is true where notarized or certified copies of documents are required. I asked if CIMA would allow documents provided by means of DLT such as blockchain as an equivalent, higher form of immutable proof. CIMA reiterated that their Statement of Guidance on ‘Nature, Accessibility and Retention of Records’ states that records should be maintained using an appropriate record management system and in a manner that allows CIMA to access records. Clearly, since the technology to access blockchain data is not yet available to CIMA this currently precludes this format of signature or verified documents from being acceptable.
Eventually there will exist captives with incorporation documents stored on blockchain, providing due diligence documentation such as birth certificates and signatures in blockchain format. It is feasible that such captives may also wish to hold assets in the form of crypto currencies rather than fiat currencies; and that is a scenario which raises a whole new series of questions for CIMA to consider.
I asked if CIMA would allow a captive holding crypto currency to include these balances as admissible assets in their solvency margin calculations and, if so, would they consider allowing some crypto currencies (such as bitcoin, ripple or ether) and not others (such as monero or Zcash). Cryptocurrency does not currently come under any of the 8 admissible asset classes as defined by the Insurance (Capital and Solvency)(Classes B, C and D Insurers) Regulations (2018 Revision) and is therefore currently an inadmissible asset. However CIMA highlights that they use the word ‘currently’ as CIMA does have the discretion to approve other assets.
Clearly if this policy is to change and CIMA recognises crypto currencies as admissible assets there are a number of questions which would then need to be considered and answered. For example: if CIMA allows captives to be capitalized with crypto currencies, how would they require balances to be verified? What sorts of statements or assurances would CIMA insist upon and would these be required from either the owners or the insurance managers of the captive or the custodian of the crypto currency(ies)? Would CIMA consider imposing any limitations as to how the capital is held? For example, would they insist the assets could only be held with a Cayman Islands registered custodial service? Would CIMA only recognise custodial services offering cold storage? Would CIMA require a percentage of the entity’s capital be held in fiat currency and a maximum percentage in crypto currencies? Where funds are required to be held locally, would crypto currencies be able to satisfy that requirement? How could this be achieved?
CIMA issued a publication on its website earlier in the year stating it does not accept crypto currency as payment. Unless that changes, any captive which held solely crypto currencies would be unable to make direct payments to CIMA for annual fees and assorted expenses, requiring that any payments be made through an intermediary, such as its insurance manager, in fiat currency.
In these circumstances what requirements will CIMA introduce for ‘source of wealth’ due diligence? Would a copy of the relevant blockchain be sufficient, for example? Would CIMA consider engaging an agency such as Chainalysis - which includes US Drug Enforcement Administration, IRS, FBI and Immigration and Customs, Europe and more than half the police forces in Europe as clients (see USAspending.gov) - or a similar company such as BlockSeer or Elliptic to screen submissions? While the onus is not on CIMA to verify the source of wealth, but on the licensee or prospective licensee to provide proof or evidence of same, some guidance will be needed.
For further information on crypto currencies, please contact Tania Davies.