More and More U.S. Lawmakers Considering AI Regulations in Health Decisions

Written by Jeremy Werner

Jeremy is an experienced journalist, skilled communicator, and constant learner with a passion for storytelling and a track record of crafting compelling narratives. He has a diverse background in broadcast journalism, AI, public relations, data science, and social media management.
Posted on 04/03/2024

While several U.S. states are considering safeguards for AI’s use in elections, several states are also considering formal regulations aimed at AI systems used by insurance companies. States like New York, California, Connecticut, and New Jersey have issued warnings or are considering legislation aimed at insurance algorithms. Several government bodies are following Colorado’s path because it was the first state to adopt formal regulations aimed at insurance AI.


It all started back in 2021 when Colorado lawmakers passed Senate Bill 21-169, titled “Concerning Protecting Consumers from Unfair Discrimination in Insurance Practices.” It aims to prohibit unfair discrimination based on race, color, national or ethnic origin, religion, sex, sexual orientation, disability, gender identity, or gender expression in any insurance practice.


The bill recognizes that insurers increasingly use external consumer data and information sources (ECDIS), algorithms, and predictive models in their insurance rating, underwriting, claims, and other business practices. While these tools can simplify processes, their accuracy and rationale may vary, potentially leading to negative impacts on insurance availability, affordability, and utilization for protected classes.


To ensure fair and equitable access to insurance products, the bill prohibits unfair discrimination based on the protected classes mentioned above. It also prohibits the use of ECDIS, algorithms, and predictive models that unfairly discriminate based on these protected classes.


The bill requires the Commissioner of Insurance to engage in a stakeholder process and adopt rules specific to insurance types and practices. These rules will establish means for insurers to demonstrate that their use of external data, algorithms, and models does not result in unfair discrimination.


The rules must require insurers to provide information on their data sources, explain their use of external data and models, establish risk management frameworks to identify potential unfair discrimination, provide assessments and attestations of these frameworks, and remedy any discriminatory impacts within a reasonable timeframe.


Documents and materials obtained during this process are considered proprietary and confidential. The Commissioner can investigate insurers’ use of external data and models, and insurers must cooperate. The bill includes reporting requirements for the Department of Regulatory Agencies and exemptions for specific insurance types.


The bill clarifies that it does not require insurers to collect protected class information from applicants or prohibit the use of specific individual data for underwriting purposes. It also does not supersede certain existing laws or prohibit longstanding industry practices unless they involve external consumer data and models.


Then, in 2023, Colorado adopted more direct legislation, called Regulation 10-1-1, that limits how algorithms and predictive models are used in the industry. It acts as a governance and risk management framework for life insurers’ use of external consumer data. The regulation aims to promote transparency, fairness, and accountability in the utilization of these tools by insurers.


The regulation emphasizes the importance of establishing a robust governance structure and risk management framework overseen by the board of directors or a board committee. Senior management is tasked with setting and monitoring the overall strategy governing the use of external consumer data and information sources, algorithms, and predictive models. Clear lines of communication, delegated decision-making authority, and regular reporting on performance and potential risks are essential aspects of senior management responsibility.


A key requirement is the establishment of a documented cross-functional governance group comprising representatives from various functional areas such as legal, compliance, risk management, product development, underwriting, actuarial, data science, marketing, and customer service. This group ensures a holistic approach to governance and risk management related to the use of external consumer data and algorithms.


Insurers are mandated to document policies, processes, and procedures for the design, development, testing, deployment, and ongoing monitoring of algorithms and predictive models that utilize external consumer data. Ongoing monitoring of algorithm performance, accounting for model drift, and annual reviews of the governance structure and risk management framework are essential components to ensure compliance and effectiveness.


If insurers engage third-party vendors for ECDIS, algorithms, or predictive models, they remain responsible for meeting all regulatory requirements. Insurers must establish and document a process for selecting and overseeing external resources and vendors, ensuring compliance with regulatory standards. Insurers may delegate the provision of requested documents or information to third-party vendors, but ultimate responsibility for compliance rests with the insurer.


Reporting requirements include the submission of narrative reports summarizing progress towards compliance with the regulation’s requirements. Insurers using ECDIS, algorithms, or predictive models must submit reports to the Division, detailing areas under development, challenges faced, and expected completion dates. Additionally, annual reports on compliance with governance and risk management requirements must be submitted, signed by an officer attesting to compliance. The regulation also mandates that all components of the governance structure and risk management framework must be available upon request by the Division. Insurers not using ECDIS or related algorithms must submit annual attestations confirming non-use. 


If these two bills prove to be successful in the long term, it wouldn’t be surprising to see more and more states considering AI regulations for a variety of insurance industries. For assistance in navigating compliance, don’t hesitate to contact BABL AI. One of their audit experts can offer valuable guidance and support.
