Be honest — Does the term “cryptography” make your eyes cross?
The science of secret codes may be more associated with spycraft than actuarial science, but the advanced branch of mathematics has never been more relevant to insurers.
Specific forms of cryptography called privacy enhancing techniques may hold the key to battling insurance fraud by delivering the benefits of data collaboration without the risks of data sharing.
Using cryptography effectively, however, requires carriers to challenge long-held orthodoxies about data privacy and security or to fundamentally rethink the way the industry approaches information management.
The need is urgent. Insurers are, after all, awash in data – but a portion of this information is false. This poses a problem not only for insurers but also consumers, who see those expenses passed on to them in the form of higher premiums. The U.S. Federal Bureau of Investigation (FBI) estimates fraudulent claims payouts may exceed $40 billion per year (excluding health insurance).1 And threat from fraudsters has only magnified as insurers digitalize and reliance on data grows.
Carriers seeking to detect fraud confront a troubling irony: The very techniques that could do the most to minimize fraud, such as pooling data from applicants throughout the industry, may maximize other risks. Regulatory frameworks prohibit such data sharing for good reason. Aggregating data in a single location, even via a trusted third party, creates a honeypot for hackers and once data is shared, insurers cannot always ensure that it will be used only for intended fraud-busting purposes. Plus, what insurer is willing to reveal sensitive trade secrets, such as information on in-force policies, to direct competitors?
Given such steep barriers, it should be unsurprising that insurers have pursued two primary strategies to combat fraud, and neither has proven particularly effective. The first is to squeeze as much insight as possible out of applicant information in each company’s database, and the second involves purchasing third-party evidence such as credit data or prescription information.
Both methods fail to reveal the most prevalent forms of fraud. Consider churning. With this type, the agent/broker replaces an existing policy with a new one from another company to generate additional commission revenue. To any insurer, a churned application may seem indistinguishable from a sale or a cancellation. It takes data from other insurers to reveal a pattern of abuse. But of course, the fraudster is counting on the fact that carriers do not share the sensitive information freely. Similarly, policy stacking, jumbo violations, medical fraud, and financial misrepresentation could all be more discoverable if these transactions across multiple carriers could be visible and cross-checked.
But what about enlisting a trusted third party as a clearinghouse? There are successful examples, but none are global for good reason. Data aggregation creates its own risk. Even the U.S. Treasury, which collects suspicious activity reports industrywide on financial crime, money laundering, and other illegal acts, has been unable to absolutely secure this sensitive data. Within the last three years, over 200,000 transaction records leaked from the Treasury’s central database. The larger and more comprehensive the database, the bigger the target.
Big Data, Smart Data, or No Data?
Advanced cryptography offers an answer. Never in history have more people had access to more advanced encryption in their homes, offices, and pockets. Most online transactions are encrypted in transit, and are undecipherable without proper keys or mathematical values that are unlocked via an encryption algorithm.
This same science can enable collaboration between businesses while still ensuring data privacy, data security, and data ownership.
How? Let’s return to the example of churning. If insurers had access to all the data in the world, detecting churning would be simple: Search for a policy that was canceled and then another policy from another carrier that was issued around the same time for the same person on similar terms. But how can insurers accomplish this without sharing information? Take the content within policies and employ encrypted hashmarks that cannot be reversed or revealed, as well as a technique called multiparty computation, to convert the encrypted hashes. So, the hash of the name “John” from Carrier A is the same as the hash of the name “John” from Carrier B, enabling the industry to detect that the first name on policy one matches the first name on policy two, but without knowing that first name. We look for other matches across other fields, such as date and face amount, all without revealing this private information. Neither side learns anything about the data set, yet the industry can still reveal a pattern of fraud.
A similar technique, called polymorphic encryption, could be used to spot policy stacking, which occurs when a policyholder is insured over multiple policy periods with multiple policies and applies the policy limit of each policy to a claim. Insurers can perform calculations on encrypted data without seeing the input data, adding up the encrypted values from multiple policies to arrive at an encrypted sum that could be returned to multiple carriers and be de-encrypted. In case of stacking, multiple carriers can learn that an insured has three policies and could identify a total in-force amount without knowing the full values of each policy.
In this age of big data, insurers have a big problem: Carriers are not doing nearly enough to encourage and enable sharing, analysis, and interpretation of vast swaths of transaction information – and this continues to provide an opening for fraud.
It is time for fresh ideas. The World Economic Forum recently noted that cryptography allows for the exploration of previously unimaginable opportunities.2 It is now possible to get all the benefits of data collaboration in addressing fraud, while preserving data privacy and security.
But it will take an innovation mindset and partnership to truly address this billion-dollar problem. To meet this need, innovation and risk experts from RGAX partner with pioneers like QEDIT, a secure data collaboration platform that enables companies to share intelligence derived from external sources without revealing confidential business information.