Guide to Insurtech Innovation and Utilization
Who are the relevant regulators in the region?

The Australian Securities and Investments Commission (ASIC) and the Australian Prudential Regulation Authority (APRA) are the two main regulators for the fintech/insurtech industry.

ASIC is Australia’s corporate, markets and financial services regulator. In particular, ASIC's Innovation Hub provides informal guidance and support to eligible start-ups, which helps fintech/insurtech entrants minimize the time and cost required to navigate the regulatory landscape.

Further, ASIC meets regularly with international regulators, including the Financial Conduct Authority in the United Kingdom and the European Securities and Markets Authority, to discuss partnership opportunities, innovation developments and policy proposals.

The Australian Prudential Regulation Authority (APRA) is another regulator of the Australian financial services industry. It is responsible for regulating authorized deposit-taking institutions (such as banks), insurance companies and other financial institutions it supervises. APRA is actively looking to reduce barriers for new entrants into the banking and insurance sectors.

The Australian Competition and Consumer Commission (ACCC) is Australia's competition regulator and, among other things, helps maintain competition in the financial system by ensuring the viability of emerging fintech/insurtech entrants.

The Office of the Australian Information Commissioner regulates data privacy matters.

What are the types of fintech/insurtech activities that are regulated?

Companies seeking to provide any financial or insurance products or services are required to hold an Australian Financial Services Licence (AFSL) or a credit license. However, ASIC's regulatory sandbox allows eligible fintech/insurtech businesses to:

  • test certain financial and credit services for up to 12 months without needing to apply for a financial services or credit license 
  • offer products and services to wholesale clients and a limited number of retail clients (up to 100 retail clients only), with appropriate monetary exposure limits in place

The financial or insurance products or services that are exempt under the regulatory sandbox include:

  • dealing in all listed or quoted Australian securities
  • all deposit products
  • debentures, stocks or bonds issued or proposed to be issued by the Australian government
  • simple managed investment schemes (that is, a registered scheme that invests at least 80% of its assets in a bank account where funds can be withdrawn within three months, or in arrangements where the investments can be realized at market value within 10 days)
  • home contents insurance products
  • personal and domestic insurance products

Due to the success of the regulatory sandbox, the Australian government is currently looking to enhance these exemptions. It is looking to:

  • extend the testing time frame to 24 months
  • allow businesses to test a broader range of financial products and credit services without a license, including providing more holistic financial advice, issuing consumer credit, offering short-term deposit or payment products, and operating a crowdsourced equity funding intermediary

Further, the Australian government has recently proposed the removal of the “double taxation” treatment for goods and services tax (GST) on digital currencies that will help facilitate further developments or use of digital currency.

What is the attitude and what are the policy views of the regulator in relation to insurtech (if any)? Is innovation encouraged?

The Australian government is supportive of insurtech. Through ASIC's regulatory sandbox, non-insurance tech entrants and insurtech start-ups are exempt from licensing requirements in relation to products that are subject to appropriate monetary exposure limits (AUD 50,000 for retail clients and AUD 5 million for wholesale clients), such as:

  • home contents insurance products (for example, household goods and jewelry)
  • personal and domestic insurance products (for example, mobile phone insurance)

ASIC may further exempt other regulatory requirements with the use of its waiver (relief) powers on a case-by-case basis when appropriate.

That said, the insurance industry largely feels that insurtech has been somewhat left behind in terms of the fintech agenda in Australia, and sees scope for the Australian government to further reduce regulatory barriers. In particular, the industry has asked the Australian government to support increased flexibility, which in turn supports emerging micro-insurance and quasi-insurance models, which are not easily operated under current models.

What are the licenses required and what are the criteria and process involved?

The licenses required will depend on the specific activities contemplated. The key licensing and/or regulatory requirements include:

  • Financial services or credit licenses – Businesses conducting a financial services business or providing credit require the relevant financial services or credit licensing conditions from ASIC.
  • ASIC regulatory sandbox exemption – Businesses that qualify under ASIC's regulatory sandbox may apply to ASIC to have their licensing requirements waived. As discussed (at question 2), eligible start-ups that qualify to operate under ASIC's regulatory sandbox may operate for 12 months without needing to apply for a financial services or credit license, provided that products and services are offered to wholesale clients and a limited number of retail clients (up to 100 retail clients only), with appropriate monetary exposure limits in place. ASIC may further use its waiver (relief) powers on a case-by-case basis.
  • Authorized deposit-taking institution (ADI) – Institutions seeking to be regulated as an ADI will require the relevant licenses with APRA.
  • Equity crowdfunding – Companies looking to facilitate capital raising under the Australian government's latest crowdsourced equity funding framework starting in September 2017 will require a financial services license. Among other things, this allows eligible companies to raise up to AUD 5 million per year if they have less than AUD 25 million in gross asset value.
  • Venture capital – Fintech/insurtech investors may apply to Innovation Australia to be structured as a venture capital limited partnership (VCLP), or early-stage venture capital limited partnerships (ESVCLP) under the Venture Capital Act 2002 (Cth) and receive more favorable tax treatment for investment.

Is the use of telematics and/or biometrics regulated?

There are no specific regulations for the use of biometrics on its own. Biometric data is regulated by the Privacy Act 1988 (Cth). The Australian Law Reform Commission (ALRC) has also recently recommended that certain biometric information be labelled as sensitive information to afford consumers greater protection.

The Intelligent Access Program (IAP) is a national program developed in partnership with all Australian road agencies, and is the first road regulatory use of telematics in Australia. The IAP relies on certified telematics providers (IAP service providers) and their approved GPS-based telematics devices and systems (approved intelligent transport systems) to offer road authorities a compliance solution when it comes to allowing operators of certain vehicles access or enhanced access to the public road network.

Does the regulator draw a distinction between institutions that are "too big to fail" versus "too small to care"?

There is no specific regulation drawing a distinction between institutions that are "too big to fail" versus "too small to care."

However, as big institutions carry higher risks to the relevant financial systems, and any failures or non-compliance can significantly impact market or investor confidence, they often receive closer attention from the relevant authorities. On the other hand, new emerging fintech/insurtech companies enjoy certain regulatory exceptions (as discussed above) in circumstances where they represent limited prudential risk and a lower level of consumer risk.

What laws (if any) do insurance companies have to comply with in respect of technology risk management?

While not a strict legal requirement, APRA has released Practice Guides on the management of security risk in information and information technology that are applicable to insurance companies. Topics addressed include: the importance of an overarching framework, systematic IT asset life-cycle management, effective monitoring processes and robust IT security reporting and assurance mechanisms.

OAIC guidelines and APRA Prudential Practice Guides also indicate the importance of adequate disaster recovery processes as part of an organization's robust IT, cybersecurity and management systems.

From a personal data privacy perspective, insurance companies must take active measures to ensure the security of the personal information they hold, and must actively consider whether they are permitted to retain personal information. An insurance company that holds personal information must:

  • take reasonable steps to protect the information from misuse, interference and loss, as well as unauthorized access, modification or disclosure
  • take reasonable steps to destroy or de-identify the personal information it holds once the personal information is no longer needed for any purpose for which the personal information may be used or disclosed under the APPs

Are there any laws governing big data, including the collection, use, storage, disclosure and transfer of personal data?

The Privacy Act 1988 (Cth) governs the collection, use, storage, disclosure and transfer of personal data. The Privacy Act applies to companies with an annual turnover of more than AUD 3 million (APP entity).

An APP entity handling personal information should follow the Australian Privacy Principles (APPs) below:

  • Open and transparent management of personal information – All entities subject to the Privacy Act must have an APP Privacy Policy.
  • Anonymity and pseudonymity – Individuals should have an option of not identifying themselves when dealing with an organization, unless this is impracticable or the organization is required by law to deal with an individual on an identified basis.
  • Collection of solicited personal information – An organization must not collect personal information unless reasonably necessary for one or more of the entity's functions or activities.
  • Dealing with unsolicited information – An organization must take specific steps if it obtains personal information that it did not specifically solicit.
  • Notification – Individuals must be provided with a collection statement before or at the time their information is collected.
  • Disclosure for a primary purpose – Use or disclosure of personal information is not permitted for purposes other than the primary purpose for which it was collected.
  • Direct marketing – Subject to exceptions, use or disclosure of personal information for direct marketing purposes is not permitted without consent.
  • Cross-border disclosure of personal information – Entities are required to take reasonable steps to ensure that an overseas recipient of Australian personal information does not breach the APPs, and such entity will remain liable for any misuse by the overseas recipient.
  • Integrity of personal information – An organization may not adopt a government-related identifier (such as a tax file number) as its own identifier.
  • Quality of personal information – An organization must take reasonable steps to ensure that personal information it collects, uses or discloses is accurate, up to date and complete.
  • Security of personal information – An organization must take reasonable steps to protect personal information it holds from misuse, interference and loss as well as from unauthorized access, modification or disclosure.
  • Access to personal information – Individuals have a right to access their personal information on request.
  • Correction of personal information – Organizations must take reasonable steps to correct personal information on request by an individual.

Are there any restrictions that could hinder the growth and usage of insurtech by insurance companies under data privacy laws?

To the extent that the insurance company has an annual turnover of more than AUD 3 million per year, its activities and usage of insurtech remain subject to the Privacy Act and the requirements of the APPs as set out in response to question 3(a) above.

Are there any laws governing cybersecurity or to mitigate cybersecurity concerns?

  • The Privacy Act governs the security obligations relating to personal information.
  • Cybercrime Act 2001 criminalizes various computer activities such as hacking, virus propagation, denial of service attacks, and website vandalism.
  • Australian Security Intelligence Organisation (ASIO) Act 1979 governs the conduct of Australia's counter-intelligence and security agency and sets out various investigative powers available to ASIO under warrant, including in relation to suspected cybercrime.
  • Telecommunications Act 1997 and Telecommunications (Interception & Access) Act 1979 also permit access to communications content held by carriage service providers and licensed telecommunications carriers for law enforcement and national security purposes under warrant.

What innovations are insurance companies and/or regulators looking at implementing?

ASIC is considering expanding its regulatory sandbox to potentially allow insurtech start-ups to test a greater number of insurance products without the need to obtain a financial license, subject to certain requirements and limitations.

In the last few years, Australia's largest insurance companies have begun launching venture capital funds and partnering with start-ups to increase the technological sophistication of their products. For example:

  • Suncorp Insurance is collaborating with Spanish start-up Traity to create a new micro-insurance offering, which uses blockchain to insure peer-to-peer transactions made online via a chatbot. The platform, which insures online purchases on websites such as Gumtree and eBay from fraudulent activity, works by using a number of parameters to assess the reputation of both buyer and seller via a virtual agent named Kevin. If reputations are approved, a time stamp is created on blockchain that proves an agreement of transaction from both parties, and in the event of nefarious activity, claimants are insured up to a value of AUD 100.
  • Boundless is an artificial intelligence (AI) health companion designed to inspire a healthy lifestyle via its digital messaging, virtual coaching technology, activity challenges and reward partners. The start-up offers partnerships with health and life insurers to help them engage with their customers via the white-label platform, which integrates with over 250 wearables, biosensors and health apps to create a personalized, pro-active coaching tool.
  • Insurance Australia Group (IAG) announced that it will launch an insurtech innovation hub in Singapore. The hub, which will be called Firemark Labs, acts as an incubator for IAG to work with start-up, research and technology partners to co-create new products to improve customer experience across Australia, New Zealand and Asia.
  • QBE Insurance Group Limited, which is Australia's largest global insurer, is looking to invest up to AUD 50 million in early-stage start-ups and tech ventures to build disruptive solutions in the insurance industry in 2017.

Have there been fintech/insurtech-related cases (including competition and/or data privacy) in Asia Pacific?

There have been no specific fintech/insurtech-related cases to date.

What are the most immediate challenges to insurtech innovation?

  • The high costs of development and innovation – While there is high demand from insurers looking for new technologies to improve customer service and transform operational models, there are still many insurance companies that do not have a budget allocated for innovation, or someone actually responsible for innovation. See KPMG's insurtech research at: https://home.kpmg.com/au/en/home/insights/2017/03/insurtech-dilemma-insurance-technology.html.
  • Regulation – High levels of regulation from ASIC and APRA present a significant barrier to entry. Industry groups are seeking support from the Australian government for increased flexibility to support emerging micro-insurance and quasi-insurance models (for example, self‑funded excess and peer‑to‑peer insurance), which are not readily facilitated by current models. See https://fintech.treasury.gov.au/australias-fintech-priorities/

What has been, or could be, the impact of fintech/insurtech on the financial services industry?

Fintech/insurtech has been, and will continue to be, a key enabler in designing better and more efficient work processes and creating new business models that will deliver higher growth, cost savings and better services for industry participants.

What insurtech trends or disruptions may impact insurance companies?

We can expect to see a rise in insurance companies acquiring or teaming up with tech-focused companies (including digital insurance start-ups or telematics-related companies) in order to deliver new products and better price risk. The three main trends or disruptions include:

  • Increase in collaboration between start-ups and incumbents: high barriers to entry to the insurance industry could restrict a wave of new stand-alone e-insurance brokers, which would need to work with traditional insurance companies.
  • Insurance telematics: with insurance telematics, insurers can have better information and can expect a rise in usage-based insurance and dynamically adjusted premiums, moving away from conventional static premiums. Further, insurance telematics can help improve risk management, drive down costs for the claims process, enhance customer loyalty by creating opportunities for regular contact and potentially open up new possibilities for sales channels and revenue-generating services in partnership with businesses from other sectors.
  • Improved data analytics: With improved data analytics, the old-fashioned actuarial tables of insurance companies can be enhanced with real-time data and dynamic pricing. Wearable tech and telematics also give companies more personalized data.