Insurance companies will be able to add the names of "individuals who have been detected acting fraudulently towards insurers" to the IFR. The companies would be able to search the database and are free to elect not to enter into insurance contracts with those people listed.
The IFR was launched after trade body the Association of British Insurers (ABI), which is sponsoring the Register, announced that insurance companies had saved nearly £1 billion last year by spotting 139,000 "bogus or exaggerated insurance claims". The ABI has partnered with the Insurance Fraud Bureau in order to administer the new Register.
"The IFR will help insurers to identify whether individuals have committed insurance fraud so that they may take appropriate action," according to a description of the IFR by the ABI and IFB. "The information may be used at any point in the lifecycle of the product from point of sale, at renewal or when a claim is made and at any other point. However, the IFR is not an automated decision-making tool, but rather will form a key piece of insurers' investigative package."
"It is up to each individual insurer to decide how the information on the register is used; there is no common approach agreed across the industry; each insurer is at liberty to adopt its own approach. Insurers may wish to apply special terms to proven fraudsters, decline to accept them as new customers or decline to invite renewal of a product. Proven insurance fraudsters will find it harder to buy new products and to renew their existing products. They may also find it more difficult to obtain other financial services, including loans and mortgages," the statement said.
Individuals whose details are stored on the IFR will be able to challenge their listing. Insurance companies will have to "justify their action and to remove the entry if it is shown to have been incorrect."
"The Insurance Fraud Register underlines the industry's continuing commitment to reducing fraud and protecting honest customers," Richard Davies of the ABI's Financial Crime Committee, said in a statement. "The Register will make it easier for insurers to prevent fraud by making details of known fraudsters available to insurers through a secure protocol. It gives the clearest signal yet that we are more determined than ever to clampdown on insurance fraud. Those that defraud insurers and their honest customers face real and tangible consequences for their actions."
The ABI said it had "engaged" with the UK's data protection watchdog – the Information Commissioner's Office – among others, over the new IFR.
The Data Protection Act (DPA) requires that all personal data is processed fairly and lawfully, in accordance with certain criteria, such as if individuals have consented to the processing or if the processing is "necessary for the purposes of legitimate interests pursued by the data controller ... except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject."
Under the DPA there are stricter requirements governing processing of individuals' sensitive personal data. That information can refer, among other things, to details about "the commission or alleged commission ... of any offence" by an individual.
Under the DPA organisations cannot generally process sensitive personal data without the "explicit consent" of individuals to whom the information relates. However, an exception to this rule applies if the processing involves the disclosure of sensitive personal data by an anti-fraud organisation "or otherwise in accordance with any arrangements made by such an organisation". Additionally, processing of sensitive personal data that has been disclosed in line with those rules is also legitimate without consent if it is "necessary for the purposes of preventing fraud or a particular kind of fraud."
Organisations must also ensure that all personal data they process is accurate and kept up to date.
Individuals who feel they have suffered damage or damage and distress because of a failure by an organisation to comply with a part of the DPA can claim compensation from that firm. However, organisations can defend themselves against liability for compensation if they can show that they "had taken such care as in all the circumstances was reasonably required to comply with the requirement [that it is alleged to have breached]."