Colorado Division of Insurance proposes significant revisions to its draft algorithm and predictive model governance regulation for life insurers

Eversheds Sutherland (US) LLP

On May 26, 2023, the Colorado Division of Insurance (CDI) exposed, for public review and comment, a significantly revised draft of its proposed regulation (the Revised Draft Reg.) addressing the governance and risk management (GRM) framework requirements for life insurers[1] using external consumer data and information sources (ECDIS), or algorithms and predictive models using ECDIS. The GRM framework is intended to help ensure that insurers do not unfairly discriminate against certain protected classes.[2]

Changes reflected in the Revised Draft Reg. were made in response to feedback the CDI received from stakeholders regarding the initial release of the Draft Reg. dated February 1, 2023. On June 8, 2023, CDI held another stakeholder meeting to explain the recent changes and solicit comments on the Revised Draft Reg.

As requested by industry, the revised version adopts a less detailed and more principles-based framework than what was contained in the initial draft. Importantly, Section 5.A. of the Revised Draft Reg. limits the scope of the risk-based GRM framework to a determination of unfair discrimination with respect to race only, and not to the other protected classes listed in S.B. 21-169. However, in response to questions at the June 8th meeting, Commissioner Conway indicated that limiting the GRM framework regulation to race may be an unnecessary limitation on the framework that the department would reconsider.

The Revised Draft Reg. continues to apply to all Insurance Practices, a term defined in S.B. 21-169 to include marketing, underwriting, pricing, utilization management, reimbursement methodologies, and claims management in the transaction of insurance. When some in the industry commented that insurers may have difficulty applying the GRM framework to all insurance practices, Commissioner Conway explained that having different GRM frameworks for different insurance practices would be “unwieldy” and “a nightmare,” and that CDI wants the framework to be broadly applicable. Insurers must “break out of the mindset” that the GRM framework only applies to underwriting, he noted.

The Revised Draft Reg. continues to require insurers to be responsible for third-party vendors and other external resources used with respect to ECDIS as well as algorithms and predictive models that use ECDIS.

The Revised Draft Reg. no longer contains the following requirements:

Documentation. The current Revised Draft Reg. no longer contains the requirement that life insurers maintain comprehensive documentation regarding their use of ECDIS, or algorithms or predictive models that use ECDIS. Specific documentation that life insurers are no longer required to maintain includes (but is not limited to): (i) a system for tracking and managing changes to ECDIS, algorithms, and predictive models using ECDIS over time and (ii) descriptions of any inputs, outputs, model assumptions, limitations, training data sets, prediction processes and potential risks regarding the use of ECDIS, as well as algorithms and predictive models using ECDIS.

Reporting. Insurers using ECDIS or algorithms or predictive models using ECDIS must still submit an annual report to CDI that is due six months after the regulation’s effective date, providing a narrative summary of their compliance with the Revised Draft Reg. However, there is no longer any specific information that must be included in the annual report (such as detailed descriptions of responsible senior managers, training program, processes and protocols, datasets, algorithms, etc.). Insurers are required to submit a follow-up narrative report at one year and annually thereafter that must be signed by an officer attesting to compliance with the regulation. If the insurer is unable to attest to compliance, the insurer must submit to CDI a corrective action plan.

Unauthorized Access. The new Revised Draft Reg. does not contain a requirement that the insurer implement controls to prevent unauthorized access of algorithms or predictive models.

Key Personnel. The Revised Draft Reg. no longer contains a requirement that the insurer have clearly assigned and documented roles and responsibilities for key personnel involved in the design, development, use, and oversight of ECDIS and algorithms or predictive models that use ECDIS. However, the annual compliance report must give the title of each individual responsible for ensuring compliance, along with the specific requirements for which the individual is responsible.

Board Oversight. Under the Revised Draft Reg., the Board of the life insurer is still responsible for oversight of the risk management framework, but it no longer shares responsibility with the senior executive officers of the insurer for setting and monitoring the overall AI strategy for the company.

Outside Experts. Insurers would no longer be required to engage outside experts “where internal resources are insufficient.”

Definitions. Definitions, such as the definition of “Traditional Underwriting Factors,” and of “Disproportionately Negative Outcomes,” were removed from the current draft because they are better placed in the new testing regulation due out in late June, Commissioner Conway explained. The Commissioner also previewed that further tweaking of the definition of “ECDIS” will appear in the new testing regulation.

Comments on the Revised Draft Reg. are due to CDI on June 23rd.

What’s Ahead

  • Expect the final regulation on the GRM framework for life insurers to be formally proposed shortly after the June 23rd deadline for comments on the Revised Draft Reg.
  • Expect the draft regulation on testing for life insurers to be issued in late June. The industry asked that the GRM framework and the testing regulations be effective concurrently given that the two regulations are intertwined.

We will continue to follow developments related to S.B. 21-169 and other laws and regulations affecting insurers using algorithms, predictive models, autonomous decision-making systems and artificial intelligence.

________

1 When asked if the Revised Draft Reg. applied to annuities, CDI Commissioner Conway replied that the current draft only applies to life insurance, not annuities, but he would give the question further consideration.

2 The Revised Draft Reg. is intended to implement Colorado’s S.B. 21-169, Restrict Insurers’ Use Of External Consumer Data: Concerning Protecting Consumers from Unfair Discrimination in Insurance Practices (the “Colorado AI Law”), which prohibits Colorado-licensed insurers’ use of ECDIS, as well as algorithms and predictive models that use ECDIS in “insurance practices,” that “unfairly discriminate” based on race, color, national or ethnic origin, religion, sex, sexual orientation, disability, gender identity, or gender expression.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Eversheds Sutherland (US) LLP | Attorney Advertising
