China: Can Foreign Investors Capitalize On Insurtech's Growth In China?

1. Is China's insurance market worth investing in?

It is no secret that China's insurance industry presents good upside growth opportunities. According to the 2018 Report on Global Insurance and Market Research released by Allianz Group, "Nearly 80% of the total 60 Billion Euros increase in global premiums came from China, and China witnessed a continuously strong growth momentum in life insurance, replacing Japan and becoming the biggest life insurance market in Asia."

That many foreign insurers are bullish on China is also nothing new. Last month, the CFO of Manulife Financial Corp said the company would be "very happy" to increase its 51% stake in the Manulife-Sinochem Life Insurance Company Ltd., their joint venture with Sinochem Finance Co. Ltd. As far back as 2018, Sun Life Chief Executive Dean Connor expressed openness to increasing their 25% stake in their Sunlife Everbright Life Insurance joint venture to 51%.

2. What are the new rules on foreign investment for insurance companies in China?

What has attracted the growing interest of foreign insurers are the regulatory changes permitting greater market access for foreign investors.

As of January 1, 2020, foreign investors are allowed full ownership of Chinese life insurance companies. Additionally, in the China-US Phase One Trade Deal (the "P1 Deal"), China also agreed to remove the foreign equity caps for pension health insurance. China also committed to remove all discriminatory regulatory requirements and processes, and expeditiously review and approve license applications from foreign investor.

That's not to say there's no uncertainty. In the first four months of 2018, premium income at China's Life Insurers tumbled by 13.6 per cent year on year for the first four months of 2018, after the industry regulator (China Banking and Insurance Regulatory Commission, "CBIRC") cracked down on issuing short-term policies it blamed for causing financial instability.

3. What are the growth prospects for Insurtech in China?

"Insurtech" refers to technology used to disrupt or innovate within the insurance sector. One prominent form of Insurtech is Usage Based Insurance (UBI), which relies on algorithms to analyze the insured's data, together with external information, to generate a bespoke risk score. One UBI example, known as "pay-as-you-drive" insurance, collects mileage information through telematics (including the car's "black box") and relays the insured's driving behaviour to the insurer in real-time.

China is one of the fastest growing Insurtech leaders in the world. Thanks to heavy investment from Alibaba, Tencent, and Baidu, the sector now features an e-commerce ecosystem that is 50 times larger than that of the United States. For those who can capitalize on the growth of the Chinese insurance market, the potential for returns are vast.

This is particularly so for insurers who can move into the e-insurance space. Chinese consumers are leapfrogging traditional written insurance policies and going straight to digital policies, many of them hyper-targeted micro-policies supported by big data gathered from e-commerce giants like Tmall.

For instance, one company, ZhongAn launched four years ago as the first China online-only insurer. It provides a micro-premium model through Wechat, a Chinese social messaging platform similar to Facebook Messenger. It has since sold 6 billion policies to nearly 500 million people, and in Q1 of this year it reported net profits of CNY327m ($46m) for the first three months of this year, outperforming the insurance industry at an increase of 15.6% over the corresponding period last year. Yet, it still only has 1 percent of the market. ZhongAn recently launched a joint venture in Hong Kong and received its online insurance license in May.

Combining the huge consumer base with the heavy investment in e-commence sector, there is imaginable space for Insurtech in China's future.

4. Do I need an ICP license to gain access China's Insurtech market?

A commercial Internet content Provider license (an "ICP") allows a company to sell to Chinese consumers through a web domain and house the server within China. It is issued by the Chinese Ministry of Industry and Information Technology (the "MIIT"). An ICP a) ensures compliance with Chinese laws internet laws (i.e., gives the investor peace of mind that the site won't be blocked) and b) allows for faster online service for visitors. Another ICP variant, the Bei'an (filing), also allows foreigners to create a Chinese website, but the Bei'an website may only be used for promotional purposes and does not support online transactions.

As of 2015, foreigners are legally allowed to apply for and hold ICPs through Wholly Foreign Owned Enterprises (WFOEs). See Notice of the Ministry of Industry and Information Technology on Removing the Restrictions on Foreign Equity Ratios in Online Data Processing and Transaction Processing Business (Operating E-commerce) [2015], This means that the Variable Interest Entity (VIE), an oft-used but more complex investment for the Chinese tech industry, is not necessary to obtain an ICP and enter the Chinese Insurtech market.

However, is an ICP truly necessary? Defying the internet laws in China can result in your website being blocked, permanently,  among other serious risks to be avoided.

That said, an ICP isn't strictly necessary to sell insurance products in China. If a foreign insurer wishes to sell insurance products through an existing ecosystem like Wechat, as ZhongAn does, then they may be able to rely on Wechat's ICP. To do so, they would need to first obtain a WFOE,  obtain an insurance permit from CBIRC, and then obtain approval to sell online insurance products from the Insurance Association of China (the "IAC"). Once this permitting process is complete, the foreign insurer can use a commercial Wechat account ("Gongzhonghao" ???), or another ecosystem with an ICP, as a platform to legitimately sell localized insurance products.

However, if a foreign insurer wishes to rely on their own platform, then an ICP will be necessary. Selling insurance policies through a mobile application, or processing transactions locally through a website, will both require an ICP.

5. What other key considerations are there for participating in China's Insurtech market?

Big data is essential to any insurer's Insurtech strategy, and in the China market that means collecting and storing personal information about Chinese citizens. This engages a bevy of compliance obligations for foreign and domestic insurers alike.

China's data privacy laws initially followed the US' more lax approach to privacy protection, but more recently have changed to more closely mirror Europe's more stringent GDPR rules, and now include strict provisions on privacy, security, and data localization. Under Article 37 of China's Cybersecurity Law (2017, the "CSL", English text), Chinese citizens' personal data, together with critical business data collected during operations in China, must be stored within mainland China, and companies must undergo a security assessment before exporting such data across the border. Also since 2017, rules for the protection of personal data, and responsibility for data protection, are now included within the Chinese Civil Code (Article 111).

There are severe penalties for failure to comply with the CSL. Public security organizations ( police) may levy fines of up to RMB1,000,000 Yuan when service providers infringe on users' personal data in violation of CSL Articles 22 (malware and remedial measures), or 41-43 (data consent, notice on use and purpose of collection, mandatory breach notifications, and the user's right to delete or amend personal data on request). Violating CSL Article 27 by "engaging in activities harming cybersecurity" or aiding and abetting the commission thereof results in an equally serious fine. For comparison, the GDPR imposes fines as high as 4 percent of a company's turnover from the previous year. Personal data privacy and security are increasingly prominent features of digital data compliance regulations around the world, and as we can see, China is no exception.

Recently, additional rules were introduced under the CSL. As of June 1, new rules came into effect (in accordance with the CSL together with the PRC's National Security Law) in the form of the 2020 Measures on Cybersecurity Review (the "Measures"). Under the Measures, companies buying networking products and services that could affect national security, Critical Information Infrastructure ("CII") operators, must undergo cybersecurity evaluations for vulnerabilities.

It is unclear which kinds of companies will be designated as CII operators, but companies in the financial and insurance sectors will in all likelihood be affected (and may have their procurements monitored directly by the People's Bank of China). This is because according to Article 20 of the Measures, products and services that can be reviewed include a wide range of equipment and programs that are essential to providing Insurtech services :

• core network equipment (核心网络设备),
• high-performance computers and servers (高性能计算机和服务器),
• mass storage equipment (大容量存储设备),
• large scale databases and applications (大型数据库和应用软件),
• network security equipment (网络安全设备),
• cloud computing services (云计算服务), and
• other network products that may have an impact on CII (以及其他对关键信息基础设施安全有重要影响的网络产品和服务). 

The Cyber Security Office, located within the National Internet Information Office, is to review cybersecurity filings and may review and set other standards and regulations in accordance with the law. Of concern to foreign Insurtech investors, one factor it is allowed to consider in reviewing filings is the "risk of supply disruption due to political, diplomatic, and trade factors" (the Measures, para 9(3)).

Moreover, additional rules are already scheduled for implementation. On October 1, 2020, the Information Security Technology - Personal Information Security Specification (GB/T 35273-2020) (the "PI Specification") comes into effect and replaces the November 2017 version (GB/T 35273-2017). Under the PI Specification, the definition of "Personal Sensitive Information ("PSI") is expanded to include information created by the Personal Information Controller ("PI Controller" which is the organization that decides the purpose and ways to process Personal Information, "PI") which, if leaked or mismanaged, may harm the security, personal reputation, or health of the PI subject (3.2). The definition of "Consent" is narrowed to require clear authorization expressed through an affirmative act, unless implied consent is given (3.6). Importantly for Insurtech investors, User Profiling ("UP") may not result in discrimination based on ethnicity, race, religion, disability, or disease. PI Controllers also must ensure that their UP does not endanger "national security, honor or interests, incite subversion of state power, instigate secessionist activities, or disseminate terrorism, radicalism, ethnic hatred, violence or obscenity" (7.4). When providing their business functions, PI Controllers must also give users the ability to control the degree and extent of "Personalized Display": the display of information and search results for products or services based on the individual's PI, such as their internet browsing history (3.16). PI Controllers with more than 200 employees or the PI of more than 1 million individuals must nominate PI Protection Personnel (PPP) and establish a PI Protection Department (11.1). These rules are not exhaustive, and there are other regulations on PI processing, collecting and storing personal biometric information, third-party connection management, and bundled consent for multiple business functions.

Conclusion

China's Insurtech market continues to grow at breakneck speed. Foreign insurers are currently underrepresented in this market, even as former market barriers to entry continue to fall. This market presents great potential for foreign insurers, and Western insurers in particular have centuries of experience to share with their Chinese counterparts.

While investing in China is never simple for foreign companies, in light of the 2020 foreign investment reforms it is now without a doubt more practical than ever. A WFOE, the requisite insurance permits, and a Gongzhonghao are now enough for a foreign insurer to get started in China's Insurtech market. No ICP is necessary; neither is a complex VIE investment vehicle headquartered in the Cayman Islands.

However, in leveraging big data to support their Insurtech operations, foreign investors must take great care to adhere to China's CSL. Data localization, security review requirements, and increased protections for Chinese citizens' personal and data privacy together present compliance challenges more commonly seen in Europe with the GDPR. These rules, especially the new rules coming into force on October 1, 2020, may disproportionately affect Insurtech and other investors that rely the most on big data.

Still, sustainable growth, social benefits, and increased competitiveness lie ahead for those willing to seize the opportunities presented by China's Insurtech market. Organizations that are slow to embrace these new opportunities may later find it harder to enter the Chinese market due to increased competition. As home grown Chinese Insurtech companies expand abroad, established insurers who overlook the Chinese market may also find it harder to compete and retain their existing prominence in the global market.