Online sales of insurance products – made directly to consumers or via third-party distribution channels – are increasing. The industry-preferred approach is straight-through online processing, where the application is completed and submitted online without the need for signed documentation or product provider intervention. While this approach saves time and money, it carries risks.

It is important to remember, though, that many of the hazards of online selling and servicing apply offline too. For example, the potential for fraud is essentially no greater than in paper-based applications. While risk cannot be eliminated, it can be reduced to an acceptable level through relevant contracts with the customer and third-party service providers and through careful attention to and control of the online sales process.

Contracts with customers

The formalities for contracting online and offline are essentially the same, but it is important to get the online sales process right to ensure that the contract is properly formed and enforceable. As mentioned earlier, the product terms and conditions must be brought to the customer’s attention to ensure their proper incorporation into the contract. The customer must be given the chance to review and indicate acceptance of the terms before conclusion of the contract. Offline acceptance of the terms is indicated by signing the application form; online acceptance may be indicated by checking a box or clicking a button.

The provider must be able to show what terms the customer has accepted. It is essential that it retains a permanent record of the concluded contract, together with the information the customer was given at the time. The Financial Ombudsman Service has indicated that this record need not be a signed application form. However, the provider must be able to demonstrate the integrity of whatever record it has retained; having a secure audit trail is key.
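One way to keep the tamper-evident record described above, shown as an added example that is not part of the original article: each acceptance event stores hashes of the terms and of the information shown to the customer, and is chained to the previous entry with an HMAC. The field names, key handling and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "previous MAC" value used by the first entry

def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def entry_mac(key, body):
    # Canonical JSON so the same entry always produces the same MAC.
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def append_acceptance(trail, key, customer_ref, terms, shown_info, action, ts):
    """Record one acceptance event, chained to the previous entry's MAC."""
    body = {
        "seq": len(trail),
        "ts": ts,
        "customer_ref": customer_ref,
        "terms_sha256": sha256_hex(terms),
        "shown_sha256": sha256_hex(shown_info),
        "action": action,  # e.g. box checked or button clicked
        "prev": trail[-1]["mac"] if trail else GENESIS,
    }
    trail.append(dict(body, mac=entry_mac(key, body)))
    return trail[-1]

def verify_trail(trail, key):
    """Return the index of the first altered/missing entry, or None if intact."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("seq") != i or body.get("prev") != prev:
            return i
        if not hmac.compare_digest(str(entry.get("mac")), entry_mac(key, body)):
            return i
        prev = entry["mac"]
    return None

def terms_match(entry, terms):
    """Check that a retained terms document is the one the entry refers to."""
    return hmac.compare_digest(entry["terms_sha256"], sha256_hex(terms))

if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: real key lives outside the log store
    trail = []
    append_acceptance(trail, key, "CUST-0001", "Terms v1 (constructed)",
                      "Key facts v1 (constructed)", "checkbox_ticked",
                      "2024-01-01T10:00:00Z")
    print(verify_trail(trail, key))
```

The chain on its own does not reveal removal of the newest entries, so the latest MAC should also be kept somewhere the log writer cannot alter.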
Selling through third parties

When selling directly to a customer, the product provider maintains control of what is presented to an applicant on the screen and when. Where a third party is involved, there is a greater risk of non-disclosure of material facts and of the customer’s attention not being drawn to the policy terms. A provider may have difficulties relying on contractual exclusion clauses if the sales process was inadequate.

Popular online distribution channels include intermediary extranets, portals, content aggregators and ‘white-labelled’ sites such as those run by supermarkets and other corporate partners. In each case, the contract between the insurance company and the service provider must clearly define the parties’ respective roles and responsibilities. While specific terms and conditions will differ, there will be common themes. The main ones are:

- Data. Who is responsible for collecting customer data? What if the wrong data are collected? What if data are corrupted or modified during transmission?
- Intellectual property rights. What rights does each party have to use the data and the branding and web content of the other? Are these rights restricted to online activities? How will competitors’ brands be displayed together (eg on content aggregator sites)?
- System and sales process. Who is responsible for the marketing and selling activities? Who will verify and authenticate users (see below)? Whose terms and conditions will be presented to the user? Will the sales process be specified by the product provider or dictated by the third-party service provider? Are there minimum security and system standards to ensure secure storage and transmission of data?
- Compliance. Who is responsible for ensuring that the website and sales process comply with FSA regulations and the law?
Online servicing

In addition to selling insurance products online, companies often provide online facilities for servicing policies, eg for tracking the progress of customer applications. While these facilities might be offered to customers directly, they are more commonly provided first to intermediaries on provider extranets or through portal sites.

Use of a portal site involves the introduction of a trusted third party to the relationship between the product provider and the intermediary. In most cases, the third party will be responsible for authenticating the parties (ie the product provider and intermediary) and transferring data between them. Careful consideration must be given to the contractual arrangements with the third party, to protect both the provider and intermediary. Online servicing will involve the use of personal data on customers and confidential data on policies and therefore has data-protection implications (see below).

Many providers insist on the use of Origo Standards for the transfer of electronic data to and from intermediaries. These are industry technical standards, developed by the UK life assurance and pensions industry body Origo Services Ltd and used for the secure transfer of data between an intermediary and a product provider directly or via a trusted third party. For certain provider services (including tracking, commission and contract enquiry) the provider and intermediary can choose to adopt Origo’s standard legal framework.

Proving the identity of users

There are several regulatory reasons why it is essential to verify someone’s identity. These include preventing the sale of inappropriate goods to minors and ensuring the consumer is based in a country where the product provider is authorised. There are commercial reasons, too. Establishing identity will:

- ensure that the party has the capacity to contract;
- prevent the party later claiming that they are not bound by the contract;
- assist in tackling fraud.
Once a contract has been entered into, identity will need to be authenticated each time the service is used. In the ‘real’ or ‘bricks and mortar’ world, verification and authentication are, in theory at least, relatively easy. On opening a new bank account, your identity is verified when you appear in person at the bank and present your passport and a utility bill. Your identity is authenticated by use of a PIN number at an automated teller machine. Online, alternative methods must be sought.

Establishing identity

To be satisfied that the person you are dealing with exists and they are who they say they are, you may need to verify the person’s information against evidence from another source, such as a credit-reference agency. If the provider chooses to carry out identity checks online (eg by using commercially available solutions such as Experian) it must have a process for retaining the evidence gathered. The process of verification should be sufficiently rigorous for the products and services being sold. It should reflect the risks involved – not least the damage that could be caused by misuse of identity.

Authentication of identity

The means of authentication could be:

- something that only the person knows, such as a password;
- something that only the person possesses, such as a digital certificate or key fob;
- something that is a physical feature unique to the person, such as a fingerprint or retinal scan.

The more sophisticated the means, the greater the security but the higher the cost. It is important that a business carefully considers the degree of certainty actually required and selects a method of authentication right for the nature of the products and services being supplied online. In reaching its decision, it will need to consider the data-protection implications of the particular method and the accessibility of the method.

Username and password are the most common form of authentication for selling and servicing products online.
However, they are not the most secure. A complex password using different characters is more difficult to crack, but there is no guarantee that a user will keep their password safe.

In the financial services industry, digital certificates are increasingly used as an alternative to usernames and passwords. Sometimes described as electronic passports, these use cryptography to give users a unique identity. Importantly, they can improve security by removing the need for multiple usernames and passwords. For example, Unipass digital certificates, offered by Origo Secure Internet Services (OSIS), give intermediaries access across provider extranets and portals.