Don’t just reduce fraud, eliminate it
If you wanted to create an insurance policy with zero fraud, could you do it? If you think this is impossible, why is it impossible? If you could radically redefine insurance and start from scratch with only one goal, the elimination of fraud, what would it look like? What is remarkable is that if we choose the right architecture, we not only get a system that is free of fraud, but this benefit comes at no additional cost to the participants.
Simplest concept of insurance is a rainy day fund
1 in 3 GoFundMe campaigns is used to pay for medical bills. This is how families and individuals attempt to bridge the gap between insurance and reality. GoFundMe isn’t insurance, but instead a way to raise charitable contributions for a cause. 1/3 of the time this cause just happens to be the coverage of what insurance won’t pay for.
But what if you could use GoFundMe for insurance simply by paying up front and awarding a claim later? Imagine a GoFundMe campaign for 20 friends where funds are raised first and only awarded later if someone experiences a loss. This concept is very different from traditional insurance but it is the type of radical approach that I believe could work to eliminate fraud.
These factors require insurance to be more institutionalized
This is what I believe we need to eliminate from our architecture:
- Larger group sizes, larger risk pools
- Policies which place detached strangers into the same coverage pool
- Architectures which make personal relationships unnecessary
- Larger amounts for claim awards which create incentives for fraud
- Greater complexity of policies requiring complex underwriting
- Greater complexity of claims requiring complex verification / oracles
The fundamental way peer-to-peer insurance should differentiate itself from centralized insurance providers is as follows:
- From being discretionary to being non-discretionary.
- From measuring pure loss to more parametric architectures.
- From large global risk pools of strangers to small local risk pools of communities.
- From trust being established by institutions to trust being established by personal relationships among participants.
- From pricing that requires actuaries to non-actuarial pricing.
- From an investment model with optimal up-front pricing to a rebate model with sub-optimal up-front pricing, yet lower total costs.
- From high value claims to lower value supplemental coverage.
- From a 3rd party custodian model to a direct pay model, where premiums move directly from policyholders to claimants.
- From a model requiring reinsurance or a large reserve pool to a model with zero reserves.
- From a model with hard and soft fraud to a zero fraud architecture, where soft fraud doesn’t exist (parametric policies) and hard fraud is nearly impossible (policyholders can defect).
- From insurance pools which are hard to dissolve to insurance pools which dissolve immediately if any fraud is detected.
The goal of this architecture should be:
- Give people greater peace of mind that claims will be paid and not denied.
- Make the track record and reasoning of previous claim approvals and denials fully transparent.
- Reduce insurance to its simplest possible constituent, assuming that this reduction looks like a ROSCA (rotating savings and credit association).
- Make it easier to predict the likelihood that a policy will pay a claim.
- Give local groups full autonomy over their policy:
  - The power to self-insure based on a community’s own standards.
  - The power to create an authoritative, immutable history.
  - The power to record the community’s perspective on historical events.
- Elimination of third party custodians:
  - No party ever takes custody of funds that do not belong to them.
  - Eliminating the risk that funds will be misappropriated.
  - Providing policyholders greater protections from institutions.
  - Reducing the costly burden of regulatory compliance.
- Elimination of soft fraud by offering only parametric supplemental policies.
- Elimination of hard fraud by:
  - Increasing the amount of transparency in the system.
  - Providing policyholders greater protections from bad actors.
Peer-to-peer Architecture Ingredients
- Smaller group sizes.
- Reduced value of claim awards to disincentivize fraud.
- Only offering parametric coverage.
- Making claim awards non-discretionary:
  - Discretionary awards imply that reserves are rationed for future claims.
- Eliminating pricing models that require the policy to hold reserves:
  - Using rebate models to price risk removes actuarial pricing.
- Using blockchain smart contracts to eliminate third party custodians.
- Using blockchain to increase the transparency of funds.
- Using blockchain to achieve regulatory arbitrage via direct payments:
  - Payments move directly between policyholders and claimants.
- Using stablecoins to eliminate the volatility of crypto assets.
- Providing greater protections to policyholders by allowing them to defect:
  - Policyholders can leave with their premiums if fraud is detected.
Peer-to-peer Architecture Instructions
How to determine group size:
The first step to simplifying the problem is reducing the group size. We should allow groups to form the same way that peer-to-peer lending groups form, borrowing from the concept of a ROSCA.
- Reducing the group size:
  - A community risk pool is 25 to 125 people (optimally 50 to 60).
- Increasing personal relationships among participants.
- Groups must be fully autonomous.
How to underwrite participation by policyholders:
- Require invitation by the secretary:
  - Leaders of groups must exercise discernment in who they should invite.
  - If they exercise poor discernment they risk alienating members of the community.
  - Individuals that deviate too much from the group’s social norms are unsuitable.
  - Members that respect and obey the group’s social norms are ideal.
  - Leaders are rewarded by the group in their ability to identify ideal members and reject unsuitable members.
- Utilize subgroups:
  - Individuals are not eligible to obtain coverage from the community.
  - After being invited to participate, members are required to form a team.
  - A team is composed of 4–7 members.
  - Once formed into a team the members are eligible to obtain coverage.
  - This process allows members to approve one another for participation.
  - Members will likely approve others for coverage who have a similar risk profile to themselves.
  - If a member cannot form a subgroup with others, this reflects that their risk profile is perceived to be higher than average or their ability to establish social bonds with others is lower than average.
  - 2–3 members are not a valid subgroup.
  - Individuals and invalid subgroups cannot pay premiums to obtain coverage.
How to underwrite events that trigger claims:
The second step to simplifying the problem is reducing the size and complexity of claims. This strategy allows for more modest security architectures. Payment of larger claims (claims > $2000) requires robust security. Smaller claims can operate using architectures with far less protocol security.
- Reducing the value of claim awards:
  - The ideal value of a claim is somewhere between $500 and $1000 (US based).
  - Weekly median personal income is $865 for US citizens.
  - Claim awards should never exceed the equivalent value of 2 weeks’ salary.
  - The goal is to match a low cost premium with a meaningful claim award.
  - Only suitable for supplemental coverage.
  - Fewer incentives to commit fraud given a claim’s size.
  - Coverage still valuable enough that people want to participate.
- Limiting the complexity of claim awards using parametric policies:
  - Policies pay every claim the same value.
  - This value is the same for all participants.
  - Claim amounts do not account for any circumstantial factors.
  - This eliminates any requirements that loss be measured to award a claim.
  - Policies make payments upon the occurrence of a triggering event.
  - Simplifies the evaluation of claims.
  - Allows anyone to calculate how many claims a policy can pay per period.
  - Allows anyone to calculate the odds that a policy will pay their claim in full or if they should expect a partial claim payment (see example).
How to pay for premiums and claims:
The third step to simplifying the problem is removing the volatility associated with cryptocurrencies. Without using a cryptocurrency capable of holding a stable value you cannot create insurance products capable of reaching a mainstream consumer marketplace. Premiums placed in smart contracts must maintain a stable value over the course of one month to avoid exposing claimants to volatility risks.
- Smart contracts are required to eliminate third party custodians:
  - Smart contracts allow us to provide new financial services to consumers.
  - These new services eliminate the liability of third party custodians.
  - Smart contracts in this context can be thought of as a community safe.
  - Locking up funds in smart contracts previously required individuals to be highly technical and risk-tolerant.
- Cryptocurrency is too volatile to use for paying premiums and claims:
  - P2P insurance requires funds to be locked for a minimum of one month.
  - Only cryptocurrency such as Ethereum can be locked in a smart contract.
  - Locking up volatile capital for one month exposes policyholders to risk.
  - This makes paying premiums in ETH impractical for consumers.
- Using smart contracts + stablecoins to pay premiums and claims:
  - Prior to 2018 price-stable cryptocurrency did not exist.*
  - Stablecoins such as MakerDAO’s DAI eliminate the risk of volatility.
  - You can pay premiums in DAI to a smart contract instead of using ETH.
  - Using stablecoins with smart contracts eliminates the risk of volatility.
  - Now new financial services can be provided to mainstream consumers.
How to award claims:
The fourth step to simplifying the problem is removing the need for human judgement as much as possible. The less discretion exists within the architecture that awards claims, the less need there is for creating a dispute resolution mechanism (i.e. governance) which adds unneeded complexity.
- Making claim awards non-discretionary:
  - Removal of human judgement as much as possible.
  - Strategy of awarding claims that everyone agrees is fair.
  - The protocol enforces fairness rather than relying on human institutions.
  - Value of claims predetermined by a policy’s underwriting.
  - Representative authority whitelists valid claims.
  - All policyholders have the opportunity to approve whitelisted claims.
  - Policyholders are never required to pay invalid or fraudulent claims.
- Increasing transparency of claim awards by using blockchain:
  - Greater ability to audit a policy’s prior track record.
  - Inability to deny claims without making the reason public.
  - Makes it easier to reach consensus about the fairness of awards.
  - Makes it easier for groups to agree about who owns which funds.
- Reducing regulatory liability by eliminating third party custodians:
  - Funds move directly between policyholders and claimants.
  - Smart contracts do not play a custodial role (see caveat**).
  - Smart contracts function similarly to a vault with safe deposit boxes.
  - Each policyholder has their own key to their own box.
  - Each box holds an individual policyholder’s premium separately.
  - Premiums are held by smart contracts until claims can be whitelisted.
  - Each user decides individually to send funds to a whitelisted claimant.
  - Relinquishing custody of funds is absolutely voluntary.
  - Only an individual policyholder is authorized to finalize a premium.
  - Policyholders are never required to pay claims they think are fraudulent.
  - Funds are never pooled together until they are received by the claimant.
How to price risk:
The fifth step to simplifying the problem is to eliminate actuarial models for pricing risk. Actuarial models concern themselves with how to price risk by predicting the future. The goal of these models is to charge premiums so that there is an excess which is saved for future claims. They need to price risk such that a policy holds sufficient reserves to pay for future losses. More specifically, these models should provide sufficient reserves when the cumulative value of claims in a given future month is very high. If holding reserves was a requirement then this would transform our smart contracts into custodians. As soon as any part of our architecture becomes a custodian of funds this adds unnecessary complexity and liability. Eliminating the liability associated with 3rd party custodians is a requirement, therefore we cannot use this mechanism to price risk.
This is not the only way to price risk; it is just the most efficient way to provide up-front pricing. Monthly premiums using rebate pricing can be 2x to 8x more expensive depending on how good the coverage is. This doesn’t mean that the policy is 2x to 8x more costly, just that the upfront expense of the policy is 2x to 8x greater. Later, once it is determined how many claims occurred in the past, rebate pricing performs an accounting and returns the remainder to policyholders. This remainder is called a rebate, and it allows the policy to price risk retroactively. This type of risk pricing enables us to reconcile all accounts to a zero balance at the end of each month. The result is that our architecture is never required to hold any funds in reserve or carry premium funds forward from one month to the next.
To sum up, the difference between these two models is as follows:
- Actuarial models attempt to predict the value of claims in the future to price premiums. They require policies to hold reserves.
- Rebate models can perfectly calculate the value of claims in the past to price premiums. Because the premiums can be 2x to 8x larger, these types of policies are not required to hold reserves.
Full rebate models use a zero-reserve architecture which:
- Does not hold funds for a given period greater than one month.
- Does not carry a balance of funds forward to future periods.
- Pays out all funds as either claims or rebates at the end of every month.
- Reconciles all accounts to a zero balance at the end of each period.
Trade-offs when using zero-reserve architecture:
- Coverage scales with the size of premiums the community is willing to pay.
- The less the community trusts each other the weaker the coverage becomes.
- Contrastingly, more trust results in stronger coverage for the community.
- This architecture provides the greatest fraud protections for policyholders.
- At face value this provides weak guarantees for claimants.
- In reality it allows for coverage to scale relative to the degree of trust between participants (accounts for premiums being 2x to 8x greater).
- Since refunds are guaranteed, higher premiums provide more actual coverage for zero actual cost.
The benefits of zero-reserve architectures are that they:
- Do not require compensating actuaries for correctly pricing risk.
- Do not require punishing actuaries for mispricing risk.
- Never require the smart contracts to act as a 3rd party custodian of funds.
- Allow funds to move directly from policyholders to claimants.
- Enable an architecture where no funds are ever owned by an institution.
- Enable individuals to always remain in possession of their own funds.
- Do not require the creation of architectures needed to invest premiums.
- Allow authorities to whitelist claims while permitting users to approve them.
- Create strong incentives for users to withhold premiums if fraud is detected.
- Provide strong disincentives to authorities who would whitelist fraudulent claims.
Consequences of using zero-reserve architecture + non-discretionary claims:
- Authorities are never incentivized to ration premiums for future claims.
- This type of architecture may underpay claims because of low liquidity.
- Even if claims are discounted all claimants must be treated equally.
- No valid claims will ever be paid nothing.
- The protocol enforces equality rather than relying on human institutions.
- In a given month every claim must be paid an identical amount.
- Checking that all claims were treated fairly is trivial.
How to mitigate fraud:
The sixth step to simplifying the problem is designing a governance system that prevents delegated authorities from abusing their power. All previous steps sought to place constraints on what a group policy could do. These constraints make it easier to determine if a claim is valid. If a policyholder cannot easily determine if a claim is valid, they cannot participate in an up or down vote which approves a claim for payment. If policyholders cannot participate in the claims approval process, they have no way to mitigate insurance fraud.
The goal is that no group should be able to continue to operate after approving a fraudulent claim. Given this goal, allowing policyholders to defect is effectively giving them the right to veto any invalid or fraudulent claim. To defect is to permit a policyholder to walk away with their premium for the purpose of denying an invalid claim a payment. This dynamic is described in detail in this blog post; how it is used to protect policyholders from fraud and abuse is described in this blog post.
- Replacement of voting with rules allowing policyholders to defect:
  - If fraud occurs the group is easily allowed to terminate.
  - Defecting allows policyholders to reclaim their monthly premium.
  - Zero-reserve architecture enables everyone to exit with their funds.
  - A policy’s underwriting can require policyholders to act by disbanding.
  - Users can be required to leave the group if they believe fraud is occurring.
  - Whitelisting an invalid claim results in users defecting.
  - The protocol is optimized to incentivize participants to disband if someone is treated unfairly.
  - The easier it is for a group to disband (terminate) the more authorities will take actions that match the group’s standard for fairness.
  - Delegated authorities are strongly incentivized to act honestly.
  - Thus the protocol is able to enforce the previously agreed upon cultural norms of the community.
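The rebate pricing and defection rules described above can be checked with a small model of one monthly period. This Python sketch is an added example, not TandaPay's contract code: it assumes a uniform premium, an equal split of the rebate among members who stay, and constructed dollar figures held as integer cents.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Settlement:
    payout_per_claim: int  # cents; identical for every whitelisted claim
    paid_in_full: bool     # False when low liquidity forces a discount
    rebates: dict          # member who stayed -> cents returned
    refunds: dict          # member who defected -> premium withdrawn
    escrow_balance: int    # cents still held after settlement (must be 0)
    collapsed: bool        # True when every policyholder defected


def full_claims_capacity(members, premium, award):
    """Number of claims one month's premiums can pay at the full award."""
    return (len(set(members)) * premium) // award


def settle_month(members, premium, award, whitelisted, defectors):
    """Reconcile one period; all amounts are integer cents.

    members     -- policyholders who each escrowed `premium` in their own box
    whitelisted -- claimants the secretary marked as valid
    defectors   -- members who withdraw rather than fund the whitelist
    """
    members, defectors = sorted(set(members)), set(defectors)
    if not defectors <= set(members):
        raise ValueError("only a policyholder can defect")
    stayers = [m for m in members if m not in defectors]
    refunds = {m: premium for m in members if m in defectors}
    pool = premium * len(stayers)
    claims = len(set(whitelisted))

    # Non-discretionary award: the full amount, or one equal discount for all.
    payout = min(award, pool // claims) if claims else 0
    remainder = pool - payout * claims

    # Assumption: the remainder is rebated equally; leftover cents go one each
    # to the first stayers in sorted order so nothing is stranded in escrow.
    base, dust = divmod(remainder, len(stayers)) if stayers else (0, 0)
    rebates = {m: base + (1 if i < dust else 0) for i, m in enumerate(stayers)}

    escrow = (premium * len(members) - sum(refunds.values())
              - payout * claims - sum(rebates.values()))
    return Settlement(payout, claims == 0 or payout == award, rebates,
                      refunds, escrow, collapsed=not stayers)


if __name__ == "__main__":
    # Constructed figures: 50 members, $40.00 premium, $1,000.00 award.
    group = [f"member{i:02d}" for i in range(50)]
    print("full claims payable:", full_claims_capacity(group, 4000, 100000))
    for label, claimants, leavers in [
        ("one valid claim", ["member03"], []),
        ("three claims, low liquidity", group[:3], []),
        ("disputed whitelist, all defect", ["member03"], group),
    ]:
        s = settle_month(group, 4000, 100000, claimants, leavers)
        print(label, s.payout_per_claim, s.paid_in_full,
              s.escrow_balance, s.collapsed)
```

In the three-claim case every claimant receives the same discounted amount and the escrow still reconciles to zero; when every member defects, the whitelisted claim receives nothing and each premium returns to its owner.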
TandaPay’s architecture is composed of a number of counter-intuitive assumptions which govern the way the protocol works. It is optimized to create groups which are capable of collapsing when invalid claims are submitted for payment. This apparent fragility keeps the group and its leader honest and should in theory create more cohesion among groups which last beyond a certain period of time.
The protocol can be summarized as follows:
In TandaPay’s zero-reserve architecture policyholders delegate authority to a single entity who can whitelist valid claims. This delegated authority (the secretary) acts as an oracle telling the smart contract which claims are valid. The power of policyholders to defect is the only thing which prevents the secretary from acting corruptly when they decide which claims to approve or deny. Defections only work because TandaPay’s architecture is unique in these four specific ways:
- Supplemental coverage only: Claim values are much lower thus the security model needed to guard against fraudulent activity is much simpler.
- Parametric coverage only: no indemnification of pure loss. No measurement of loss is required which simplifies the problem of determining if a claim is valid.
- Zero-reserve architecture: all accounts are reconciled to zero every month. Every premium dollar paid into the fund is paid out or returned as a rebate each month. The maximum value of a single month’s premiums determines the maximum value of a single month’s claims.
- Subgroups and overpayments: This is discussed in another blog post. These features are used as a method to guard against scumbag policyholders, who would defect against valid claims.
This results in both types of insurance fraud being eliminated. As a review, the two types of insurance fraud are:
- Soft fraud is the claimant’s exaggeration of the size of a loss for a valid claim.
- Hard fraud is when a claimant lies by attempting to submit a claim for a loss that never occurred or one that doesn’t qualify for a payment.
Parametric policies clearly define triggering events. Triggering events pay out predetermined claim awards, which eliminates soft fraud completely. The ability to defect allows a policyholder to approve or reject every claim that will be paid with their premiums; this removes any possibility of hard fraud. This is why permitting defections can create a unique type of architecture where there should be zero insurance fraud. This demonstrates how the right design can provide policyholders with perfect fraud protections.
* Tether cannot be put into a smart contract (on the bitcoin network) and thus could not function to pay insurance premiums or claims prior to 2018.
** Caveat: In some architectures smart contracts can still function as third party custodians. The only way to remove this liability is to make sure that all accounts are reconciled at the end of each policy period. Only zero-reserve architecture is capable of mitigating third party liability in this way.