NAIC releases highly-anticipated draft model bulletin on artificial intelligence systems used by insurers

Eversheds Sutherland (US) LLP

On July 17, 2023, the Innovation, Cybersecurity and Technology (H) Committee of the National Association of Insurance Commissioners (NAIC) released for comment a highly anticipated model bulletin (Model Bulletin) on regulatory expectations for the use of artificial intelligence[1] systems (AI Systems)[2] by insurers. The Model Bulletin encourages insurers to implement and maintain a board-approved written AI Systems Program (AIS Program) that addresses governance, risk management controls, internal audit functions and third-party AI systems. The goal of the AIS Program is to mitigate the risks of harm to consumers through decisions made or supported by AI Systems, including third-party AI systems, that are arbitrary or capricious, unfairly discriminatory, or otherwise violate unfair trade practice laws or other legal standards, or that include data vulnerabilities.

The Bulletin also advises insurers of the information and documentation that insurance regulators may request during exams and investigations of the insurer’s AI Systems, including third-party AI Systems.

  1. Compliance with Applicable Laws and Guidance

The Model Bulletin recognizes the Principles of Artificial Intelligence (Principles) adopted by the NAIC in 2020 as an important source of guidance for insurers to use in their continuing development of an AIS Program. It also explains how the regulatory expectations outlined in the Model Bulletin are rooted in existing law, including model laws on unfair practices, corporate governance, market conduct and property and casualty ratings. 

  2. AIS Program Guidelines

Under the Model Bulletin, insurers are encouraged to maintain a written AIS Program that governs the use of AI Systems in order to mitigate the risk that use of such AI Systems, when making or supporting decisions that impact consumers, will result in decisions that are arbitrary or capricious, unfairly discriminatory, or otherwise violate unfair trade practice laws or other applicable law.

  a. Governance

With regard to governance, the AIS Program should:

  • be approved by the insurer’s board or appropriate committee of the board; 
  • vest senior management reporting to the Board or a committee of the Board with responsibility for developing, implementing, monitoring and overseeing the AI System;
  • include an assessment of the risks posed by the AI System and the nature and degree of potential harm to consumers arising from errors or unfair bias caused by the AI System;
  • be tailored and proportionate to the insurer’s use and reliance on AI and AI Systems and address all phases of the AI System’s life cycle;
  • address all of the insurer’s AI Systems used to make decisions that impact consumers, whether developed by the insurer or a third party, and whether used by the insurer or by an authorized agent or representative of the insurer;
  • prioritize transparency, fairness and accountability in the governance framework for AI Systems;
  • at each stage in the life of an AI System, consider having a centralized or federated committee comprised of representatives from all disciplines and units within the insurer;
  • identify key personnel charged with implementing the AIS Program, including a description of such person’s roles, responsibilities, qualifications and scope of authority;
  • identify escalation procedures and ongoing training and supervision of personnel;
  • document the monitoring, auditing and reporting protocols and functions within the AI Program; and
  • for predictive models, include a description of methods used to detect and address errors or unfair discrimination resulting from the model.

  b. Risk Management

 With regard to risk management and internal controls, the AIS Program should document and address:

  • the oversight and approval process for the development, adoption and acquisition of AI Systems;
  • data practices and accountability procedures, including data lineage, quality, integrity, bias analysis and minimization, among other items;
  • management and oversight of algorithms[3] and predictive models, including:
    • inventories
    • detailed documentation of use
    • measurements such as interpretability, repeatability, reproducibility and auditability of these measurements, and
    • evaluation for drift;
  • validation, testing and auditing of data, algorithms and predictive models; 
  • data and record retention policies regarding the AI Systems; and
  • protection of non-public information, including unauthorized access to the algorithms or models themselves.

  c. Third-Party AI Systems

Each AIS Program should address the insurer’s standards for the acquisition and use of, and reliance on, AI Systems developed or deployed by a third party, including:

  • the extent and scope of the insurer’s reliance on third-party data;
  • appropriate due diligence to assess the third party, its AI Systems, and its AI governance and risk management protocols in order to make sure that the third-party AI Systems that are used to make or support decisions impacting consumers meet legal standards;
  • terms in the contract with third parties that:
    • require third-party data and model vendors and AI System developers to have and maintain an AI Systems program commensurate with the standards expected of the insurer;
    • entitle the insurer to audit the third-party vendor;
    • entitle the insurer to receive audit reports by qualified auditors confirming the third party’s compliance with standards; and
    • require the third party to cooperate with regulatory inquiries and investigations by state insurance departments; and
  • performance of audits to permit the insurer to appropriately monitor any third-party vendors for compliance with applicable law.

  3. Regulatory Oversight and Requests for Information

Under the Model Bulletin, the applicable state regulator has the authority to request from the insurer information and documentation relating to the insurer’s AI Systems (as well as information and documentation developed by third parties that are relied upon by the insurer or its agent) as part of their market conduct examinations and as otherwise necessary to monitor the insurer’s compliance with the law. Such information and documentation include: 

  • the AIS Program and related documentation, including policies and procedures related to the management and oversight of algorithms and predictive models;
  • inventories and descriptions of algorithms, predictive models, and AI Systems; 
  • information and documentation related to validation, testing and auditing of AI Systems;
  • information and documentation related to the protection of non-public information, including unauthorized access to the algorithms or models;
  • due diligence materials relating to the third-party AI Systems; 
  • contracts with third-party AI System vendors; and
  • audits and confirmation processes of third-party compliance with contractual and regulatory obligations.

Issues related to the draft Model Bulletin include the definitions of AI Systems and algorithms; the extent of the governance and risk management controls expected; and the expectation that third-party vendors of AI Systems will agree to be subject to inspection and inquiry by 50 state insurance departments, including market conduct exams.

  4. Comment Period

Comments on the Model Bulletin are due to the NAIC’s (H) Committee by September 5, 2023 and should be submitted to Miguel Romero (maromero@naic.org). The (H) Committee will hear comments from in-person attendees at the NAIC’s Summer National Meeting on Sunday, August 13, 2023 at 2:00 p.m.

________

[1] “Artificial Intelligence” is defined as “machine-based systems designed to simulate human intelligence to perform tasks, such as analysis and decision-making, given a set of human-defined objectives. This definition treats machine learning as a subset of artificial intelligence.”

[2] “AI Systems” are defined as “an umbrella term describing artificial intelligence and big data related resources utilized by insurers.”

[3] “Algorithm” is defined as a computation or machine learning process that augments or replaces human decision-making in insurance operations that impact customers.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Eversheds Sutherland (US) LLP | Attorney Advertising
