Regulatory requests are routine in the insurance sector, but they are rarely simple. Requests from regulators such as ASIC, APRA, the ACCC, or even international bodies like the FTC often involve large data volumes, tight deadlines, and strict protocols.
To manage this complexity, legal teams are increasingly leveraging modern eDiscovery tools. Advanced platforms like RelativityOne (with its aiR for Review feature) and Cicero AI help teams swiftly manage and analyse data, enabling more efficient and defensible responses to regulators while maintaining compliance.
Responding to Regulatory Requests: Process Summary
The process of responding to a regulatory request can be broken down into several key phases. The table below outlines each phase with its primary actions and considerations:
1. Scoping the Request
- Clarify the notice (what information is needed and by when).
- Engage early to narrow the scope as much as possible.
- Form a cross-functional team (legal, IT, business leads, outside eDiscovery experts).
- Use past cases and tools to anticipate data volume, costs, and challenges.
2. Identifying & Preserving Data
- Identify all relevant data sources (emails, databases, chat logs, devices, etc.) and issue legal holds immediately to prevent deletion.
- Map data sources and catch overlooked repositories (legacy archives, shared drives).
- If regulators have data from third parties, obtain copies to ensure you see what they see.
- Be ready to adjust as the request’s scope can expand; update your data map and holds accordingly.
3. Collecting & Processing Data
- Collect data from all identified sources in a defensible manner, whilst maintaining a clear chain of custody.
- Process the data by removing duplicates and system-generated junk, and convert files into reviewable formats.
- Leverage eDiscovery software (e.g. RelativityOne) to automate deduplication and filtering – one insurer facing an ASIC inquiry cut the review dataset by nearly 50% this way.
- Efficient processing reduces noise and helps reviewers focus on truly relevant content.
4. Developing a Review Protocol
- Establish clear guidelines for document review.
- Define categories/tags for key issues (e.g. “pricing,” “internal only,” “privileged”) and procedures for flagging sensitive content (such as communications between legal teams and clients, or personal data).
- Ensure all reviewers apply the protocol consistently for a defensible process.
- Consider sharing a high-level summary of the review approach with the regulator (ASIC, ACCC, etc.) to build trust in your thoroughness.
5. Search & Evaluation
- Use advanced search tools to quickly find important documents.
- Apply keyword searches with Boolean logic and filter by metadata (e.g. limit to certain people or date ranges) to narrow results.
- Utilise advanced analytics and AI tools, such as those offered by RelativityOne, to group related documents (email threads, clusters) and highlight duplicates.
- Predictive coding can prioritise review of the most relevant files.
- Emerging generative AI tools can also flag subtle cues (for instance, an email saying “let’s discuss offline” that might indicate sensitive discussions).
- Combining traditional search with AI insights helps identify the “hot” documents central to the inquiry faster.
6. Data Analysis & Decision-Making
- Analyse the data to understand the full narrative.
- Build timelines or communication maps to see who knew what and when, and how events unfolded.
- Use AI summarisation (e.g. Cicero AI) to condense large email chains or reports into key points, useful for briefing management or drafting a report to the regulator.
- AI tools can also assist in creating privilege logs by extracting details of documents withheld for legal privilege and suggesting consistent descriptions.
- If there are hints of missing or deleted data, involve forensic experts to retrieve logs or backups (in one case, a company recovered deleted chat messages during an ACCC inquiry to ensure nothing relevant was withheld).
- Thorough analysis of the evidence lets the legal team make informed strategic decisions – whether to challenge the regulator’s assumptions, acknowledge an issue and propose a fix, or proactively self-report additional concerns.
7. Redaction & Production
- Before delivering documents to the regulator, redact sensitive information.
- Remove or black out customer personal details, legally privileged content, and proprietary business information not required for the investigation.
- Use tools like RelativityOne to automatically find and redact common sensitive data (e.g. credit card numbers or addresses) to save time.
- Double-check that all redactions are applied correctly and that no hidden text can be revealed.
- Prepare the production set in the format the regulator requires – Australian regulators like ASIC and ACCC typically expect searchable electronic documents with each item labelled (using Bates numbers or unique IDs) and accompanied by a metadata index.
- Using an eDiscovery platform, export the data in the required format (native files or PDFs plus a spreadsheet of key fields) and conduct quality control checks.
- Once everything is verified, deliver the documents through a secure channel (like a secure portal or encrypted drive) with a cover letter that itemises the production.
8. Documentation & Lessons Learned
- After the request is fulfilled, hold a debrief to capture lessons learned.
- Document which data sources were involved, how long each step took, what tools or techniques proved most useful, and where bottlenecks occurred.
- Track metrics such as total data collected, number of documents reviewed vs. produced, time spent, and cost.
- Analysing these insights can highlight areas to improve. For instance, if a large portion of reviewed documents were irrelevant, next time the team could use tighter collection filters or more aggressive AI triage.
- Update your internal “playbook” for regulatory responses accordingly. Over time, this continuous improvement builds institutional muscle memory, turning what used to be a frantic scramble into a more routine process. It also strengthens information governance practices (for example, knowing that better organisation of archived communications now can ease retrieval under future tight deadlines).
Taking a Proactive Approach to Compliance
Handling regulatory requests will never be trivial, but it doesn’t have to throw the organisation into chaos. By following a structured workflow and leveraging modern eDiscovery technology, legal teams can respond to inquiries from regulators like APRA, ASIC, or the ACCC with speed and confidence.
A combination of well-defined processes and advanced tools (such as RelativityOne and Cicero AI) empowers teams to tame large data sets and meet tight deadlines without sacrificing thoroughness. In fact, each completed inquiry can strengthen readiness for the next one as the team refines its practices and learns from experience.
At Law In Order, we’ve seen that this proactive approach makes a significant difference. We support insurance clients with fully managed, on-demand access to eDiscovery platforms and AI tools, allowing your team to focus on the substantive response while we handle the technical heavy lifting behind the scenes. Regulatory compliance is an ongoing challenge, but with the right preparation and tools, it becomes a manageable part of business as usual.
If you’d like to see how these eDiscovery solutions work in practice, or if you want to discuss ways to bolster your regulatory response strategy, please get in touch for support. We’re here to help you stay compliant with confidence.