The key features of the Notifications are as follows:
- “Offering for sale of policies via electronic channel” (Online Sale): An Online Sale is generally understood to be an end-to-end binding of an insurance contract. “Online Sale” is defined under the Notifications as soliciting, inducing, or arranging for customers to enter into an insurance policy by providing descriptions of insurance products through electronic channels, without the personal involvement of an insurance agent, an individual broker, or the insurer’s employees. The customers’ acceptances of their purchases are also made through electronic channels. Online Sale excludes the offering of insurance policies through telemarketing.
Insurers, brokers, and applicable banks (with a broker license) are permitted to conduct Online Sale. Apart from the requirements under the Notifications, Online Sale activities are also subject to requirements under OIC regulations on advertisement and insurance intermediaries’ market conduct.
- Insurer’s authorization and reporting requirement: Brokers and applicable banks, with an insurer’s authorization, may also conduct Online Sales. Insurers are required to withdraw their authorization if there is any noncompliance with the Notifications by their intermediaries, and they must report any such incident to the OIC within seven days.
- Specific product filing requirement: Insurance product wording, offered through Online Sale, must receive prior approval from the OIC.
- Premium remittance: Electronic payment of premiums must be made to the insurance company’s accounts only. Brokers may not collect premiums and are therefore paid commission directly by the insurer.
- Confirmation calls: Once an Online Sale is made, insurers are required to seek confirmation from the customer through telephone calls or electronic channels, such as email, within seven days from the distribution of the policy.
- Free-look period: When confirmation calls or online confirmations are made, customers must be notified of their right to a free-look period, which is a period of 15 days after they receive their insurance policies during which they may change their mind and cancel the policy. However, this is not applicable to all categories of insurance. For example, compulsory motor insurance and travel insurance are excluded.
- Issuing e-policies: In issuing policies through electronic channels, an e-signature must be placed by the insurer. The e-signature must comply with reliability requirements under the Electronic Transactions Act B.E. 2544 (2001). For group insurance policies, the insurer must issue an insurance certificate along with other required information to each of the insured group members, unless agreed otherwise between the insurer and the group policy holder(s).
- E-claim payments: Insured persons/beneficiaries must be identified through a process arranged by the insurer before any electronic claims compensation is made. Claims payment must only be made to the account of the insured person or the beneficiary, whichever is agreed upon in advance.
- Security measures: Online Sales, using electronic means as part of the sale of policies, issuing policies electronically, and paying compensation for claims must comply with the levels of security measures prescribed under the Electronic Transactions Act and the requirements on IT security systems stipulated in the Notifications (e.g., IT systems for providing such online services must be certified by an independent certification body such as CISA, CISM, CISSP, or ISO 27001 Information Security Management). In addition, the IT systems must be registered with the OIC to conduct any of the activities above.
- Outsourcing: Third-party outsourcing arrangements are subject to the specific requirements stipulated under the Notifications.
Compliance with these Notifications is in addition to existing regulatory requirements under the Electronic Transactions Act and other laws that regulate online business.
In addition, the OIC has announced, for public hearing, a draft subordinate notification on IT security measures certification. The draft sets out in greater detail the conditions and criteria for certification of IT security measures as required under the Notifications. It is expected that the draft will be implemented in the near future, possibly by the end of 2017.