Should FAPs be accepting signature-less policy processing

While signature-less processes have been a thing for one or two providers, we now have around half that will process policy changes without the need for signatures in some shape or form.

Tuesday, July 29th 2025, 6:00AM

by Jon-Paul Hale

While signature-less processes have been a thing for one or two providers, we now have around half that will process policy changes without the need for signatures in some shape or form.

Before everyone piles in, I do appreciate I'm probably pissing into a tropical cyclone on this one.

Some things I don't have an issue with; changes to contact details and declines of CPI increases (before renewal), which make sense.

However, the rest of your policy admin as a FAP; it's questionable activity.

One of the most significant issues I have observed from complaints and issues over the last 25 years is the lack of clarity on what has been decided and what has been done, where a signature has been the key to proof in either direction.

Sure, tech has added email and email trails to the mix, but like scanned and emailed signatures, email isn't the bastion of security everyone thinks.

I've said previously that we need to get this signature bit sorted.

Wet signatures scanned and emailed haven't been secure for three decades; I've seen many examples of it not being secure over the years.

When it comes to trusting email, we have one profound assumption that is problematic: the person sending the email is the sole person with access to that email account.

Without two-factor authentication checks, we have no proof that the person behind the email is the person we believe them to be. It could be an unauthorised partner, another family member, or someone completely fraudulent.

The issue here isn't about when things are going well; it's about when they don't, and that should concern FAPs the most.

I know Resolution Life has some real challenges with this in their policy administration. Cases where related family members are attempting to withdraw funds from older people's WOL/Endowment plans without the policy owner knowing.

I've had a case where digital signature fraud, not using external signing services, has resulted in an insurer paying a life claim twice.

The issue here for FAPs sits around vulnerable clients.

Older clients that don't use email well and pass it off to family.
Couples, where one is minister/mistress of finance and the other hasn't a clue.
Trusts and companies where the email address and authorised signatories are different.
Specifically vulnerable with medical conditions deferring to family to assist.
The big one overlooked is the malicious activities of a separating spouse. I have seen a number of these where someone has lost needed coverage without their knowledge.

For most of these, the insurer is too far removed to judge veracity, and advisers don't always know either.

Some will say, 'Where are the examples?' I've mentioned a couple.

To the point, providers are not looking for these issues. Thus, their data doesn't reflect what we, as advisers, see in the real world.

Not to mention, as advisers, if you're not looking for it or aware of the issues, you won't see them either.

Others, why is this a FAP problem?

It is a FAP problem where the FAP's people pass on communications and instructions that are compromised.

The insurers appear quite happy to accept the risk; they have deep pockets and can blame the FAP for allowing it.

Where does that leave the FAP and the unwitting adviser? Not indemnified by the insurer as a starting point!

Issues of lost benefits and redirected claims are the significant concerns.

Is the actual incidence rate low? Yeah, probably. However, we lack scope and data on the exact impact of this because no one is looking or collecting the data.

As they said about Covid, you don't have it if you don't test for it. Same thing with this.

I have examples of it being an issue, but I also can't quantify the industry risk.

A few examples of client situations of concern for FAPs:

One email address shared by couples; I have this with both younger clients through to those well retired.
Email addresses that family manages on behalf of the client. Especially for older clients.
Not that it's an issue yet with email; executors of sole-owned policies that do not have access to the registered email address, but someone else does.

Essentially, they are vulnerable clients, but the run-of-the-mill couple is also part of the risk issue here, as they typically lack the technical understanding of the issues. Frankly, most advisers don't understand this issue either!

I've lost track of the number of clients that have tried to sign for their partner before Covid. Post-Covid, with email, it's likely worse!

I haven't accepted them knowingly, but by the number that have tried it also suggests if I haven't witnessed it, it still possibly slipped through. This is a very significant concern.

You can say, well, he/she knows and allows it, so why is it our problem? Because it's a form of fraud, and any professional should never accept it.

This brings me back to 2FA digital signing systems should be the preferred approach to signatures by FAPs.

Three things FAPs should be doing right now around email address security:

Insisting on verification of email address changes by phone, not just the email received.
Ensure that any change in benefits is signed off, not just via email.
Implement a two-factor (2FA) process for all signing types. Basically, a random code you send via SMS to the individual's mobile that comes back on the document as it is signed. (and enforce it)
When implementing the 2FA approach, also consider a verification process for changes to mobile numbers. You're relying on this to verify the signature. You need to ensure that it has not been compromised or altered by a malicious actor.

At the end of the day, the risk here isn't likely to be hackers; they prefer access to cash in the form of bank accounts and credit cards, not life insurance policies.

The premise of the work advisers do is to ensure that financial support and wishes of the life assured are provided for when they cannot.

Why are we allowing changes to these plans with weakened controls when the client is likely in their most vulnerable position possible?

People in the vulnerable positions I've outlined typically do not want their policies changed, so why are we allowing potential bad actors (family members) to make changes?

I'm pretty sure it's for the convenience of the masses, not in a challenging or vulnerable position, forgetting why we are here in the first place.

Also, keep in mind that vulnerable and deceased clients typically don't complain; they're too busy focused on the life they have, or they're dead.

This means insurers will point to the non-existent issues I've discussed.

Don't be a FAP that takes the easy route; if you're genuinely here to make a difference and serve your clients, not protecting them at their most vulnerable should not be your standard operating process.

Tags: FAP insurance Insurance Advisers Jon-Paul Hale