The Colorado Division of Insurance (CDI) adopted a new regulation on September 21, 2023 (Final Regulation) establishing requirements governing the use of external consumer data and information sources (ECDIS), as well as algorithms and predictive models using ECDIS (Models), by Colorado-licensed life insurers in order to help ensure that life insurers who use ECDIS and Models are not engaging in unfair discrimination with respect to race. The Final Regulation will go into effect on November 14, 2023. All life insurers authorized to do business in Colorado will be required to submit a progress report regarding compliance with the Final Regulation on June 1, 2024 and must submit a report attesting that they are in full compliance with the Final Regulation on December 1, 2024 and annually thereafter.
The Final Regulation is set forth in 3 CCR 702-10 of the Colorado Code of Regulations, and requires that life insurers adopt a governance and risk management (GRM) framework with respect to their use of ECDIS and Models. The Final Regulation implements, in part, S.B. 21-169, which prohibits Colorado-licensed insurers’ use of ECDIS and Models in “insurance practices” that “unfairly discriminate” based on race, color, national or ethnic origin, religion, sex, sexual orientation, disability, gender identity, or gender expression. An initial draft of the Regulation was first proposed on February 1, 2023 (Initial Draft Regulation) and a revised draft (Revised Draft Regulation) was exposed on May 26, 2023.
The GRM framework must provide for testing to detect unfair discrimination. The CDI just released a separate proposed regulation that establishes the requirements for the quantitative testing of life insurers’ ECDIS and Models, which will be described in greater detail in a separate alert.
Overview of Regulation
Scope. The Final Regulation applies to all life insurers authorized to do business in Colorado and defines ECDIS very broadly to include “a data or an information source that is used by a life insurer to supplement or supplant traditional underwriting factors or other insurance practices or to establish lifestyle indicators that are used in insurance practices.” ECDIS includes credit scores, social media habits, purchasing habits, locations, educational or occupational background, Internet of Things data, biometric data and any insurance risk scores derived from such data. However, under the Final Regulation the GRM framework requirements are limited to unfair discrimination with respect to race rather than all of the protected classes covered by S.B. 21-169.
Governance and Risk Management Framework. Section 5.A of the Final Regulation requires that insurers adopt a GRM framework that establishes procedures, systems and controls to identify any areas where the use of ECDIS and/or Models would potentially result in unfair discrimination with respect to race and remediate such discrimination. The insurer is also responsible for ensuring that any third-party vendor complies with the GRM framework requirements set forth in Section 5.A. The GRM framework requirements set forth in Section 5.A include, among other things:
- Documented governing principles regarding the use of ECDIS and Models;
- Board oversight of the GRM framework;
- Senior management responsibility and accountability for monitoring the use of ECDIS and Models;
- Establishment of a cross-functional ECDIS and AI Model governance group;
- Documented policies and procedures regarding the use and monitoring of ECDIS and Models;
- Protocols for addressing consumer complaints;
- Implementation of a training program for relevant personnel on the responsible and compliant use of ECDIS and Models;
- A documented rubric for assessing and prioritizing risk associated with the deployment of ECDIS and Models;
- Documented up-to-date inventory, including version control, of all utilized ECDIS and Models and an explanation of any material changes in the inventory;
- A description of testing conducted to detect unfair discrimination resulting from the use of ECDIS and Models;
- A description of ongoing monitoring of the performance of the Models, including accounting for model drift;
- A description of the process used for selecting third-party vendors that provide ECDIS and Models; and
- The annual review and update of the GRM framework to ensure continued accuracy and relevance.
Reporting Requirements. Pursuant to Section 6 of the Final Regulation, insurers using ECDIS or Models are required to submit a report due June 1, 2024 summarizing progress made in complying with the GRM framework. Insurers must then submit an annual report, due December 1, 2024 and each year thereafter, that is signed by an officer attesting to compliance with the Final Regulation, which includes the title and qualifications of the personnel responsible for ensuring compliance. If the insurer is unable to attest to compliance, the insurer must submit to CDI a corrective action plan. Insurers that do not use ECDIS and/or Models must on December 14, 2023, and on December 1 annually thereafter, submit an attestation signed by an officer of the company that the insurer does not use ECDIS or Models.
Confidentiality. Under Section 7 of the Final Regulation any documents or materials disclosed to CDI will be treated as confidential.
Enforcement. Noncompliance with the Final Regulation may result in the imposition of penalties available in the business of insurance laws or other laws under Section 9 of the Final Regulation. Potential penalties include civil penalties, cease-and-desist orders, and license suspension or revocation.
Changes from Prior Draft
The Final Regulation contains a few material changes from the Revised Draft Regulation that are listed below:
- Scope of GRM Framework. Under the Final Regulation the scope of the GRM framework was expanded to identify not only instances where the use of ECDIS and Models results in unfair discrimination with respect to race but also instances that might potentially result in unfair discrimination.
- Remediation. Under the Final Regulation, the GRM framework now explicitly must address remediation of unfair discrimination in the use of ECDIS and Models if detected.
- Vendors. Insurers are only responsible for ensuring that third-party vendors comply with the GRM framework in Section 5.A of the Final Regulation rather than ensuring that all regulatory requirements regarding the use of ECDIS and Models are met. Third-party vendors are now explicitly permitted to provide any requested documents under the Final Regulation directly to CDI.
- Key Personnel. Insurers are now required not only to provide the title of each individual responsible for ensuring compliance with the Final Regulation in their annual compliance report but also their qualifications. They are not required, but are permitted, to provide the names of the individuals in the report.
- Model Drift. Under the Final Regulation, the GRM framework’s procedures for monitoring the performance of algorithms and predictive models that use ECDIS are explicitly required to account for model drift.
- Annual Review of GRM Framework. The GRM framework now must be reviewed and updated as necessary annually, whereas under the Revised Draft Regulation the insurer was required to conduct a less specific “regular” review of the GRM framework.
- Biometric Data. The definition of “ECDIS” under the Final Regulation now explicitly includes biometric data.
In order to implement the requirements under S.B. 21-169 restricting the use of ECDIS and Models to prevent unfair discrimination, CDI intends to issue the following separate sets of regulations:
- A regulation on Models testing for life insurers for which, as described above, an initial draft of the proposed regulation was exposed by CDI on September 28, 2023. The industry previously requested that the Final Regulation and testing regulations be effective concurrently given that the two regulations are intertwined, but the implementation of the Final Regulation is not subject to the adoption of the testing regulation.
- Regulations implementing a framework for property-casualty insurers to be released by CDI. The CDI held a public meeting for stakeholders in August and has previously suggested that the GRM framework for other property-casualty insurance would not look very different from the regulations for life insurers.
We will continue to follow developments related to S.B. 21-169 and other laws and regulations affecting insurers using algorithms, predictive models, autonomous decision-making systems and artificial intelligence.