| Topic | CO Life Governance Rule | Bulletin (AIS program) |
|---|---|---|
| Applicability | All life insurers doing business in Colorado. | All insurers doing business in the state where the bulletin is issued using AI systems to make or support decisions impacting consumers. |
| Governance | Life insurers using external consumer data and information sources, as well as algorithms and predictive models that use external consumer data and information sources (ECDIS/AI/PM), must establish a “risk-based” governance and risk management framework that addresses any insurance practices. | Insurers are encouraged to develop, implement, and maintain a written program for the use of AI systems (AIS program). An AIS program should be reflective of, and commensurate with, the insurer’s assessment of the risk posed by its use of an AI system. |
| Objective | The governance framework that facilitates and supports policies, procedures, systems, and controls must be designed to determine whether the use of such ECDIS, algorithms, and predictive models potentially results in unfair discrimination with respect to race and to remediate unfair discrimination, if detected. | The AIS program should be designed to mitigate the risk that the AI systems will result in decisions that are arbitrary or capricious, unfairly discriminatory, or that otherwise violate unfair trade practice laws. |
| Principles | The risk management framework must include governing principles outlining the values and objectives of the insurer. | The Principles of Artificial Intelligence should guide insurers in their development and use of AI systems. |
| Responsibility | The risk management framework must be overseen by the board or a specified board committee. | The AIS program should vest responsibility with senior management reporting to the board or an appropriate committee of the board. |
| Roles | The required governance must set forth who within the insurer is responsible for the insurer’s use of ECDIS/AI/PM, and it must: | The AIS program should address defined roles and responsibilities for key personnel charged with carrying out the AIS program generally and at each stage of an AI system life cycle, and should consider: |
| | - Include a cross-functional group from key functional areas including legal, compliance, risk management, product development, underwriting, actuarial, data science, marketing, and customer service, as applicable. | - Including a committee comprised of representatives from all disciplines and units within the insurer, such as business units, product specialists, actuarial, data science and analytics, compliance, and legal. |
| | - Set forth the clear lines of communication between the various committees, governance groups, and individuals and require regular reporting to senior management on the performance and potential risks of ECDIS/AI/PM. | - Coordination and communication between persons with roles and responsibilities with the committee and among themselves and escalation procedures and requirements. |
| | | - The independence of decision-makers and lines of defense at successive stages of the AI system life cycle. |
| | | - Scope of authority, chains of command, and decisional hierarchies. |
| | - While the individuals who are assigned different roles in the governance structure need not be named, the title and the qualifications of the individuals must be reported to the CO Division of Insurance. | - The qualifications of the persons serving in the roles identified. |
| Policies, Processes, and Procedures | The required policies, processes, and procedures must address: | The AIS program should address policies, processes, and procedures: |
| | - The design, development, testing, deployment, use, and ongoing monitoring of ECDIS/AI/PM. | - For designing, developing, verifying, deploying, using, acquiring, and monitoring predictive models, including: (i) identification of constraints and controls on automation and design and (ii) data governance and controls, any practices related to data lineage, quality, integrity, bias analysis and minimization, suitability, and updating. |
| | - Consumer complaints and inquiries about the insurer’s ECDIS/AI/PM, including how the insurer will ensure that consumers are provided with the information necessary to take meaningful action in the event of an adverse decision. | |
| | - A rubric for assessing and prioritizing risks associated with the deployment of ECDIS/AI/PM with reasonable consideration given to insurance practices’ consumer impact(s). | - Risk management and internal controls, to be followed at each stage of an AI system life cycle. |
| | - Testing to detect unfair discrimination in insurance practices resulting from the use of ECDIS/AI/PM and, to the extent that unfairly discriminatory outcomes are found, how the insurer will address and remediate such outcomes. | - Methods used to detect and address errors or unfair discrimination in the insurance practices resulting from the use of the predictive model. |
| | - Ongoing monitoring regarding the performance of AI/PM including accounting for model drift. | - Management and oversight, including validation, testing, and auditing, including evaluation for drift. |
| Inventories | The framework must include a documented, up-to-date inventory of all utilized ECDIS/AI/PM, including version control. The inventory must also describe all utilized ECDIS/AI/PM, as well as their stated purpose(s) and the outputs generated through their use. | Insurers must be prepared to provide regulators with inventories and descriptions of algorithms, predictive models, and AI systems. |
| Training | The required policies, processes, and procedures must include an ongoing training program. | The AIS program should consider the development and implementation of ongoing training. |
| Third-Party Vendors | Requires insurers to have a process for selecting third-party vendors of ECDIS/AI/PM and places responsibility on insurers for ensuring the framework requirements are met even when the insurer’s ECDIS/AI/PM is provided by a third-party vendor. | The AIS program should address the insurer’s standards for the acquisition, use of, or reliance on AI systems developed or deployed by a third party, including policies and procedures related to: |
| | | - Due diligence to assure that the third-party AI systems are designed to meet the legal standards imposed on the insurer itself. |
| | | - Including in its third-party agreements requirements to maintain an AIS program consistent with what is required of the insurer, permit the insurer to audit the third party, provide the insurer with reports of the third party’s compliance with standards, and comply with regulatory inquiries. |
| Reporting Requirements | Each insurer using ECDIS/AI/ML must submit: | |
| | - By June 1, 2024, a narrative report summarizing its progress toward complying with the CO Life Governance Rule, areas under development, any difficulties encountered, and expected completion date. | |
| | - By December 1, 2024, and annually thereafter, a narrative report of not more than 10 pages summarizing compliance with the CO Life Governance Rule. | |