Colorado Division of Insurance’s first installment of regulations prohibiting the use of external consumer data and algorithms and what’s to come

Eversheds Sutherland (US) LLP

On February 1, 2023, the Colorado Division of Insurance (CDI) released a draft of the first of several regulations to implement S.B. 21-169, Colorado’s 2021 law prohibiting insurers from using external consumer data and information sources (ECDIS) that unfairly discriminate against specified protected classes. The proposal covers governance and risk management framework requirements for life insurers and will be followed soon by a separate proposal covering testing.

The law, S.B. 21-169, Restrict Insurers’ Use Of External Consumer Data: Concerning Protecting Consumers from Unfair Discrimination in Insurance Practices, applies to insurers’ use of ECDIS, as well as algorithms and predictive models that use ECDIS in “insurance practices,” that “unfairly discriminate” based on race, color, national or ethnic origin, religion, sex, sexual orientation, disability, gender identity, or gender expression. The law applies to personal lines and business owners’ with annual premiums of less than $10,000.

The law directed the CDI Commissioner to work with stakeholders, including insurance companies and consumers, before adopting rules implementing the statutory requirements. The February 1st draft is the first set of proposed regulations to emerge from this stakeholder process, which consisted of an open comment period and a series of stakeholder meetings over the past year, designed to gather input on optimal implementation of the statutory requirements. Stakeholder feedback emphasized the need for greater clarity concerning the meaning of key statutory terms and identification of acceptable testing methodologies for detecting whether unfair discrimination has occurred.

In its most recent stakeholder meeting, the CDI emphasized its intention to release separate sets of regulations for life and property-casualty insurers. Each set will consist of a risk management framework regulation and a separate regulation concerning the testing for unfair discrimination. The February 1st draft addresses the governance and risk management framework for life insurers. Commissioner Mike Conway strongly suggested the framework for property-casualty will not look very different than the proposal for life.

Scope. The proposed regulation applies to all life insurers authorized to do business in Colorado and defines ECDIS very broadly to include “a data or an information source that is used by a life insurer to supplement or supplant traditional underwriting factors¹ [defined elsewhere in the regulation] or to establish lifestyle indicators that are used in insurance practices.” Said sources include, but are not limited to, credit scores, social media habits, purchasing habits, educational or occupational background, and insurance risk scores derived from such data. It adopts the law’s definition of “insurance practices,” which includes core functional areas in writing and administering insurance policies (marketing, underwriting, pricing, utilization management, reimbursement methodologies and claims management). The proposal adopts the law’s definition of “unfair discrimination.”²

Governance and Risk Management Framework. Section 5 sets forth the required components of the risk management framework, which include (i) creation of a cross-disciplinary committee and teams for model governance; (ii) board and senior management oversight of model governance strategy; and (iii) policies and protocols addressing all aspects of model governance, including purpose, strategy, design, development, testing, access, employee training, and consumer inquiries and complaints. This section also explicitly addresses consumer transparency, stating that an insurer must have policies in place to ensure consumers are provided sufficiently clear information to “take meaningful action in the event of an adverse decision.”

Documentation. Section 6 sets forth the required end-to-end documentation for all aspects of the use of ECDIS, algorithms or predictive models, including those supplied by third parties. Specifically, the proposed required documentation includes: (i) an inventory of such tools in use, including purpose, risks, safeguards, and annual reviews of such inventory; (ii) systems for tracking and managing changes to inventory and use; (iii) descriptions of all aspects of the ECDIS, algorithms or predictive models in use including inputs, outputs, model assumptions, training datasets used, limitations, prediction process, risks of use, personnel in charge, and vendor selection; (iv) descriptions of decisions related to all aspects of the ECDIS, model or algorithm’s life cycle; and (v) descriptions of the tests conducted using ECDIS, algorithms and predictive models and the steps to address “disproportionately negative outcomes.”³

Reporting Requirements. Section 7 specifies the manner and time periods for insurers to comply with the framework and documentation requirements addressed in Sections 5 and 6. Insurers currently using ECDIS, algorithms and models must complete an initial status report within six months of the regulation’s effective date, come into full compliance within one year of the same, and submit follow-up reports every two years thereafter.

Enforcement. Section 9 specifies that noncompliance may result in the imposition of penalties available in the business of insurance laws or other laws, and enumerates potential penalties including civil penalties, cease-and-desist orders, and license suspension or revocation.

Some key comments raised during the stakeholder meeting focused on the broad scope of the governance framework and documentation requirements and the limited ability of insurers to collect protected class data. The Commissioner noted that the Bayesian Improved First-name Surname Geocoding methodology (BIFSG) was a viable methodology for inferring race data in the life insurance sphere and that the CDI will evaluate its applicability for other lines of insurance. The Commissioner indicated that CDI will accept written comments through February 28th with some indication that rolling comments may be accepted beyond that date if parties note outstanding issues.

What Does this Mean for Insurers?

The proposed regulation makes clear that insurers will be held accountable, at the board level, for all aspects of their use of ECDIS, algorithms and predictive models. While the regulation is still in the proposal phase, it is critical for insurers to begin fully inventorying the ECDIS, algorithms and predictive models in use and to understand, with depth and specificity, why they are using such models and how those models operate. Engaging in a proactive review of both use of ECDIS, algorithms and predictive models and model governance strategy—using the appropriate protections and sound methodology—will ensure that insurers are prepared for the increasingly robust AI regulatory environment.

While the proposed regulation makes certain assumptions about an insurer’s ability to obtain data concerning protected characteristics, the ongoing stakeholder process and the forthcoming proposed testing regulations are likely to further illuminate a proposed methodology for inferring such data.

Though the proposed regulation applies only to Colorado-authorized life insurers, it is clear, based on the Commissioner’s comments at the stakeholder meeting, that proposed regulations for property and casualty insurers will likely take a substantively similar form. Property-casualty insurers should be guided by the regulation’s requirements, particularly with respect to the risk management framework, to begin assessment of their models as well.

___________

1 Defined elsewhere in the regulation as, “the following factors: (1) Medical information, family history, occupation, disability, or behavioral information related to a specific individual, which information, based on sound actuarial principles, has a direct relationship to mortality, morbidity, or longevity risk; (2) Income, assets, or other elements of a specific person’s financial profile that a life insurer may use to determine insurable interest, suitability or eligibility for coverage; or (3) Digitized or other electronic forms of the information listed above such as electronic medical and prescription drug records.”

2 The statute states “‘Unfairly discriminate’ and ‘unfair discrimination’ include the use of one or more external consumer data and information sources, as well as algorithms or predictive models using external consumer data and information sources, that have a correlation to race, color, national or ethnic origin, religion, sex, sexual orientation, disability, gender identity, or gender expression, and that use results in a disproportionately negative outcome for such classification or classifications, which negative outcome exceeds the reasonable correlation to the underlying insurance practice, including losses and costs for underwriting.”

3 Defined in the regulation to mean, “a result or effect that has been found to have a detrimental impact on a group as defined by race, color, national or ethnic origin, religion, sex, sexual orientation, disability, gender identity, or gender expression, and that impact is material even after accounting for factors that define similarly situated consumers.” 


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Eversheds Sutherland (US) LLP | Attorney Advertising
