The Future of Insurance – Colorado’s New ECDIS and AI Model Regulations

On September 21, 2023, the Colorado Department of Insurance adopted a final regulation to implement SB 21-169, the 2021 Act Governing the Use by Colorado Licensed Insurers of External Consumer Data and Information Sources (ECDIS), as well as algorithms and predictive models using ECDIS (models). The Final Regulation is scheduled to take effect on November 14, 2023, requiring life insurers licensed in Colorado to provide a compliance progress report by June 1, 2024, and to provide an attestation confirming full compliance by December 1, 2024, and annually thereafter.

By way of background, consumers and regulators have been concerned for some time about the discriminatory outcomes associated with the use of AI tools in hiring and lending practices. While the Colorado regulation marks a distinctive development in the insurance industry, it is also likely a precursor to a wave of similar regulations to come. The National Association of Insurance Commissioners (NAIC) is actively formulating a model bulletin rooted in the NAIC AI Principles, laying out regulatory expectations regarding the use of third-party AI models, governance, risk management, and systems. Until the NAIC guidance materializes, the Colorado regulation will likely provide the most accurate overview of the upcoming regulatory landscape.

According to the Final Regulation, ECDIS is broadly defined as “a source of data or information that is used by a life insurer to supplement or replace traditional underwriting factors or other underwriting practices or to establish lifestyle indicators that are used in underwriting practices.” 3 CCR 702-10(4)(C). These include credit scores, social media habits, shopping habits, home ownership, education, licenses, biometrics, court records, occupations, and any insurance risk scores derived from that data. Jason Lapham, director of big data and AI policy at the Department of Insurance, expressed concern about how ECDIS is being used by insurers, noting that “[s]ome carriers have relatively little or no control over the use of this information or around the use of these artificial intelligence tools,” as reported by Government Technology.

The Final Regulation requires life insurers that use ECDIS, or algorithms and predictive models using ECDIS, to establish governance and risk management (GRM) frameworks to prevent unfair discrimination, ensure transparency and accountability, and ensure the accuracy of the data used. These GRM frameworks should include the following elements:

  • Documented guidelines on the use of ECDIS and models;
  • Board oversight of the GRM framework;
  • Senior management responsibility and accountability for monitoring the use of ECDIS and models;
  • Establishing a cross-functional ECDIS and AI Model management group;
  • Documented policies and procedures regarding the use and monitoring of ECDIS and models;
  • Protocols for handling consumer complaints;
  • Implementation of a training program for relevant personnel on the responsible and compliant use of ECDIS and models;
  • Documented risk assessment and prioritization rubric for ECDIS implementation and models;
  • A documented up-to-date inventory, including version control, of all ECDIS and models in use and an explanation of any material changes to the inventory;
  • Description of the tests carried out to detect unfair discrimination resulting from the use of ECDIS and models;
  • Description of ongoing monitoring of model performance, including accounting for model drift (deterioration of model performance over time);
  • A description of the process used to select third party suppliers who provide ECDIS and models; and
  • The annual review and update of the GRM framework to ensure continued accuracy and relevance.

It is important to note that the Colorado rule focuses specifically on the concept of “unfair” discrimination. Therefore, insurance companies are indeed permitted to take certain aspects of a consumer’s profile into account when determining pricing and assessing risk, provided those considerations have a “direct relationship” to the consumer’s “mortality, morbidity, or longevity risk.” 3 CCR 702-10(4)(C).

Colorado has outlined plans to introduce additional regulations. These upcoming regulations will include predictive model testing for life insurers and guidance for property casualty insurers that use ECDIS or models.

Insurers who fail to comply with the Final Regulation are subject to a range of penalties, including civil penalties, cease and desist orders and potential license suspension or revocation. Implementing these requirements can be a significant undertaking for insurers depending on their existing reliance on ECDIS. Therefore, insurers should develop a compliance roadmap, including these preliminary steps:

  • Initiate a thorough review of all ECDIS and models in use, including data types and sources involved;
  • Establish a cross-functional ECDIS and Model Management Group to address key aspects of the GRM framework, such as policies and procedures regarding the use and monitoring of ECDIS and models, resolution of complaints and undertaking risk assessments; and
  • Identify any potential areas of concern related to unfair discrimination.
