Wan Jia June 30 2020 Can foreign investors capitalise on insurtech's growth in China? AnJie Law Firm | Insurance - China Wan Jia Insurance Is China's insurance market worth investing in?New rules on foreign investment for insurance companies in ChinaGrowth prospects for insurtech in ChinaAre ICP licences needed to access China's insurtech market?Other key considerations for participating in China's insurtech marketCommentIs China's insurance market worth investing in?It is no secret that China's insurance industry presents good upside growth opportunities. According to the 2018 Report on Global Insurance and Market Research released by the Allianz Group:Nearly 80% of the total 60 Billion Euros increase in global premiums came from China, and China witnessed a continuously strong growth momentum in life insurance, replacing Japan and becoming the biggest life insurance market in Asia.The fact that many foreign insurers are bullish on China is also nothing new. In May 2020, the chief financial officer of Manulife Financial Corp said that the company would be "very happy" to increase its 51% stake in Manulife-Sinochem Life Insurance Company Ltd, its joint venture with Sinochem Finance Co Ltd. As far back as 2018, Sun Life Chief Executive Dean Connor expressed openness to increasing the company's 25% stake in its Sunlife Everbright Life Insurance joint venture to 51%.New rules on foreign investment for insurance companies in ChinaWhat has attracted the growing interest of foreign insurers are the regulatory changes permitting greater market access for foreign investors.As of 1 January 2020, foreign investors are allowed full ownership of Chinese life insurance companies. In addition, in the China-US Phase One Trade Deal, China agreed to remove the foreign equity caps for pension health insurance. China also committed to remove all discriminatory regulatory requirements and processes and expeditiously review and approve licence applications from foreign investors.That is not to say that there is no uncertainty. In the first four months of 2018, premium income at China's life insurers fell by 13.6% year on year, after the industry regulator (the China Banking and Insurance Regulatory Commission (CBIRC)) cracked down on issuing short-term policies that it blamed for causing financial instability.Growth prospects for insurtech in China'Insurtech' refers to technology used to disrupt or innovate within the insurance sector. One prominent form of insurtech is usage-based insurance (UBI), which relies on algorithms to analyse the insured's data, together with external information, to generate a bespoke risk score. One UBI example, known as pay-as-you-drive insurance, collects mileage information through telematics (including a car's black box) and relays the insured's driving behaviour to the insurer in real-time.China is one of the fastest growing insurtech leaders in the world. Thanks to heavy investment from Alibaba, Tencent and Baidu, the sector now features an e-commerce ecosystem that is 50 times larger than that of the United States. For those who can capitalise on the growth of the Chinese insurance market, the potential for returns are vast.This is particularly so for insurers that can move into the e-insurance space. Chinese consumers are leapfrogging traditional written insurance policies and going straight to digital policies, many of them hyper-targeted micro-policies supported by Big Data gathered from e-commerce giants such as Tmall.For instance, ZhongAn launched four years ago as the first China online-only insurer. It provides a micro-premium model through WeChat, a Chinese social messaging platform similar to Facebook Messenger. It has since sold 6 billion policies to nearly 500 million people and in Q1 of 2020 it reported net profits of Rmb327 million (approximately $46 million) for the first three months of 2020, outperforming the insurance industry with a 15.6% increase during the corresponding period in 2019. Yet, it still has only 1% of the market. ZhongAn recently launched a joint venture in Hong Kong and received its online insurance licence in May 2020.Combining the huge consumer base with the heavy investment in the e-commence sector, there is an imaginable space for insurtech in China's future.Are ICP licences needed to access China's insurtech market?A commercial internet content provider licence (ICP) allows companies to sell to Chinese consumers through a web domain and house the server in China. ICPs are issued by the Chinese Ministry of Industry and Information Technology and:ensure compliance with Chinese internet laws (ie, they give investors peace of mind that the site will not be blocked); andallow for faster online service for visitors.Another ICP variant, the Bei'an (filing), also allows foreign parties to create a Chinese website, but the Bei'an website may be used only for promotional purposes and does not support online transactions.As of 2015, foreign parties are legally allowed to apply for and hold ICPs through wholly foreign-owned enterprises (WFOEs).(1) This means that the variable interest entity (VIE), an oft-used but more complex investment for the Chinese tech industry, is not necessary to obtain an ICP and enter the Chinese insurtech market.However, the question remains of whether an ICP is necessary. Defying the internet laws in China can result in a website being blocked permanently among other serious risks to be avoided.That said, an ICP is not strictly necessary to sell insurance products in China. If a foreign insurer wishes to sell insurance products through an existing ecosystem such as WeChat, as ZhongAn does, they may be able to rely on WeChat's ICP. To do so, they must obtain:a WFOE;an insurance permit from the CBIRC; andapproval to sell online insurance products from the Insurance Association of China (IAC).Once this process is complete, the foreign insurer can use a commercial WeChat account (Gongzhonghao) or another ecosystem with an ICP as a platform to legitimately sell localised insurance products.However, if a foreign insurer wishes to rely on their own platform, an ICP will be necessary. Selling insurance policies through a mobile application or processing transactions locally through a website will both require an ICP.Other key considerations for participating in China's insurtech marketBig Data is essential to insurers' insurtech strategies. In the Chinese market, this means collecting and storing personal information about Chinese citizens, which engages a large number of compliance obligations for foreign and domestic insurers alike.China's data privacy laws initially followed the United States' more lax approach to privacy protection. However, they have recently changed to more closely mirror the European Union's more stringent EU General Data Protection Regulation (GDPR) rules and now include strict provisions on privacy, security and data localisation. Under Article 37 of China's Cybersecurity Law (2017),(2) Chinese citizens' personal data, together with critical business data collected during operations in China, must be stored in mainland China and companies must undergo a security assessment before exporting such data to other jurisdictions. Since 2017, rules on the protection of personal data and responsibility for data protection have been included under Article 111 of the Civil Code.There are severe penalties for failure to comply with the Cybersecurity Law. Public security organisations (eg, the police) may levy fines of up to Rmb1 million when service providers infringe users' personal data in violation of Articles 22 (malware and remedial measures) or 41 to 43 (data consent, notice on use and purpose of collection, mandatory breach notifications and users' right to delete or amend personal data on request) of the Cybersecurity Law. Violating Article 27 of the Cybersecurity Law by "engaging in activities harming cybersecurity" or aiding and abetting the commission thereof may result in an equally serious fine. For comparison, the GDPR imposes fines as high as 4% of a company's turnover from the previous year. Personal data privacy and security are increasingly prominent features of digital data compliance regulations around the world and China is no exception.Recently, additional rules were introduced under the Cybersecurity Law. As of 1 June 2020, new rules came into effect (in accordance with the Cybersecurity Law together with the National Security Law) in the form of the 2020 Measures on Cybersecurity Review. Under the measures, companies that buy networking products and services that could affect national security (ie, critical information infrastructure (CII) operators) must undergo cybersecurity evaluations for vulnerabilities.It is unclear which kinds of company will be designated as CII operators, but companies in the financial and insurance sectors will likely be affected (and may have their procurements monitored directly by the People's Bank of China). This is because according to Article 20 of the measures, products and services that can be reviewed include a wide range of equipment and programmes that are essential to providing insurtech services:core network equipment;high-performance computers and servers;mass storage equipment;large-scale databases and applications;network security equipment;cloud computing services; andother network products that may have an impact on CII.The Cyber Security Office, located in the National Internet Information Office, is to review cybersecurity filings and may review and set other standards and regulations in accordance with the law. Of concern to foreign insurtech investors, one factor that the Cyber Security Office can consider in reviewing filings is the "risk of supply disruption due to political, diplomatic, and trade factors" (Paragraph 9(3) of the measures).Moreover, additional rules are already scheduled for implementation. On 1 October 2020 the Information Security Technology – Personal Information Security Specification (GB/T 35273-2020) (the PI Specification) comes into effect and replaces the November 2017 version (GB/T 35273-2017). Under the PI Specification, the definition of 'personal sensitive information' ('PSI') is expanded to include information created by the Personal Information Controller, the organisation that decides the purpose and ways to process personal information (PI) which, if leaked or mismanaged, may harm the security, personal reputation or health of the PI subject (3.2). The definition of 'consent' is narrowed to require clear authorisation expressed through an affirmative act, unless implied consent is given (3.6). Importantly for insurtech investors, user profiling (UP) cannot result in discrimination based on ethnicity, race, religion, disability or disease. PI controllers also must ensure that their UP does not endanger "national security, honor or interests, incite subversion of state power, instigate secessionist activities, or disseminate terrorism, radicalism, ethnic hatred, violence or obscenity" (7.4). When providing their business functions, PI controllers must also give users the ability to control the degree and extent of 'personalised display' (ie, the display of information and search results for products or services based on the individual's PI, such as their internet browsing history (3.16)). PI controllers with more than 200 employees or the PI of more than 1 million individuals must nominate PI protection personnel and establish a PI protection department (11.1). These rules are not exhaustive and there are other regulations on PI processing, collecting and storing personal biometric information, third-party connection management and bundled consent for multiple business functions.Comment China's insurtech market continues to grow rapidly. Foreign insurers are currently underrepresented in this market, even as former market barriers to entry continue to fall. This market presents great potential for foreign insurers, and Western insurers in particular have centuries of experience to share with their Chinese counterparts.While investing in China is never simple for foreign companies, in light of the 2020 foreign investment reforms it is now more practical than ever. A WFOE, the requisite insurance permits and a Gongzhonghao are now enough for a foreign insurer to get started in China's insurtech market. No ICP is necessary; neither is a complex VIE investment vehicle headquartered in the Cayman Islands.However, in leveraging Big Data to support their insurtech operations, foreign investors must take great care to adhere to China's Cybersecurity Law. Data localisation, security review requirements and increased protections for Chinese citizens' personal and data privacy present compliance challenges more commonly seen in the European Union with the GDPR. These rules, especially the new ones coming into force on 1 October 2020, may disproportionately affect insurtech and other investors that rely the most on Big Data.However, sustainable growth, social benefits and increased competitiveness lie ahead for those willing to seize the opportunities presented by China's insurtech market. Organisations that are slow to embrace these new opportunities may later find it harder to enter the Chinese market due to increased competition. As homegrown Chinese insurtech companies expand abroad, established insurers that overlook the Chinese market may also find it harder to compete and retain their existing prominence in the global market.For further information on this topic please contact Jia Wan at AnJie Law Firm by telephone (+86 10 8567 5988) or email ([email protected]). The AnJie Law Firm website can be accessed at www.anjielaw.com.Endnotes(1) See Notice of the Ministry of Industry and Information Technology on Removing the Restrictions on Foreign Equity Ratios in Online Data Processing and Transaction Processing Business (Operating E-commerce) .(2) English text.Hannibal El-Mohtar, intern, assisted in the preparation of this article.