Colorado DOI Summer Reading for Life Insurers
On May 26 — just ahead of the Memorial Day weekend — the Colorado Division of Insurance (DOI) issued for public comment a second draft of its proposed “Governance and Risk Management Framework Requirements for Life Insurance Carriers’ Use of External Consumer Data and Information Sources, Algorithms, and Predictive Models.” The second draft is part of the DOI’s directive under Senate Bill 21-169 to adopt rules by which an insurer may demonstrate that it has tested its use of external consumer data and information sources, algorithms, and predictive data to ensure that it is not unfairly discriminating against consumers on the basis of a protected class.
The DOI held a call with stakeholders on June 8 to discuss the changes reflected in the second draft, receive stakeholders’ preliminary comments, and hear about the DOI’s proposed next steps.
Changes Reflected in the Second Draft
The second draft deleted two definitions and revised another.
Notably, the definitions of “disproportionately negative outcome” and “traditional underwriting factors” were deleted. However, the DOI made clear that those terms have merely been placed in the shade for the time being and would reappear in the life underwriting testing rule.
The “external consumer data and information source” definition was updated:
- By adding back “or other insurance practices” to clarify that the second draft applies to all practices, not just underwriting practices.
- By adding back “location” as it was inadvertently deleted.
- By including “consumer-generated Internet of Things data.” The DOI made this addition based on a comment and recognition that there are many devices that collect data on consumers’ daily activities, which could be used by insurers for a variety of insurance practices.
- Governance and Risk Management Framework
The second draft includes a number of changes to the proposed rule’s governance and risk management framework provisions. In particular, the second draft:
- Permits insurers to use a risk-based approach for their frameworks.
- Focuses on whether the use of external consumer data and information sources, algorithms, and predictive models results in unfair discrimination “with respect to race.” While acknowledging that the focus on race is due to the limitations in addressing the other protected classes set forth in SB 21-169, the DOI said that it is still considering whether the rule should be so limited.
- Incorporates documentation into the required governance and risk management framework components. With this change, the second draft eliminates the comprehensive documentation requirements contained in the earlier draft. Nevertheless, the second draft continues to require:
- A detailed description of all utilized external consumer data and information sources, and algorithms and predictive models that use external consumer data and information sources, as well as material changes and monitoring of the foregoing. While the second draft does not set forth what would be sufficient for the detailed description, the list of required documentation from the earlier draft may be reflective of what the DOI would expect.
- Testing to detect unfair discrimination in insurance practices resulting from the use of external consumer data and information sources. Notably, the second draft removes one thorn by requiring the insurer to take steps to address "unfairly discriminatory outcomes” rather than "disproportionate negative outcomes” as required by the earlier draft.
- A process for selecting third-party vendors.
Also eliminated from the second draft is the requirement to document all decisions made regarding the use of external consumer data and information sources, algorithms, and predictive models.
- Reporting Requirements
While the second draft maintains the six-month and yearly reporting requirements for life insurers currently using external consumer data and information sources, algorithms, and predictive models, it simplifies the reports by requiring only a “summary” narrative report of their progress toward complying, and thereafter of their compliance, with the rule’s governance and risk management framework. The annual report must be signed by an officer attesting to compliance with the rule or, if no attestation is provided, a corrective action plan.
In response to numerous comments, the second draft makes clear that documents or materials provided to the DOI will be subject to the confidentiality provisions of SB 21-169.
The DOI announced a June 23 deadline for written comments. It appears that the DOI will seek to notice a draft rule to begin the formal rulemaking process so that the rule becomes effective sometime in 2023, as reflected in section 10 of the second draft.
The DOI also announced a goal of releasing the life underwriting testing rule by the end of June. If true, life insurers may spend another holiday reading draft proposed rules from the DOI. Hopefully, the draft testing rules won’t result in any fireworks over the July Fourth weekend.