Testing for AI bias: Colorado Division of Insurance proposes first-of-its kind regulation requiring life insurers to test their underwriting process for racial and ethnic bias

Eversheds Sutherland (US) LLP

On September 28, 2023, the Colorado Division of Insurance (CDI) released the first-of-its kind draft proposed regulation (Testing Regulation) for testing the outcomes of certain life insurance underwriting practices for racial and ethnic bias. Only underwriting processes that use external consumer data and information sources (ECDIS), and/or algorithms and predictive models using ECDIS (Models) would be the subjects of the rule. 

The draft regulation would also require life insurers to immediately remediate any outcome that the testing indicates is unfairly discriminatory by taking “reasonable steps developed as a part of the insurer’s risk management framework.”1 These steps include any additional testing “necessary to demonstrate the effectiveness of the remediation.”

The draft Testing Regulation is one of a series of regulations implementing SB 21-169, a law that prohibits Colorado licensed insurers from using, in their “insurance practices,” any ECDIS and Models that “unfairly discriminates.”2 Comments are due on the draft Testing Regulation by October 26, 2023.

Scope. All life insurers authorized to do business in the state of Colorado that employ ECDIS or Models to make or support underwriting decisions would be required to comply with the Testing Regulation. Note that under the Testing Regulation the testing requirements are limited to unfair discrimination with respect to race or ethnicity rather than all of the protected classes covered by SB 21-169. Only underwriting processes, defined as the process of evaluating an individual risk factors and determining their insurability and the premium to be charged, must be tested and only if they use ECDIS or Models.

Lookback for estimating race or ethnicity. Insurers must estimate the race or ethnicity of all proposed insureds that have applied for life insurance on or after the date the insurer initially adopted the use of ECDIS or Models in their underwriting decision-making process, including a third party acting on behalf of the life insurer that used ECDIS or Models in the underwriting process.
This provision raises many questions, including whether there should be a limitation on the lookback period, given the breadth of the definition of ECDIS, which may sweep in many older systems, and whether insurers will have retained the records required to determine when they first adopted the use of ECDIS or Models in their underwriting process. Furthermore, insurers may not have kept the records needed to determine all persons who applied for insurance during this period.

Definition of ECDIS. Under the Testing Regulation, ECDIS is defined more broadly than in SB21-169 to include “a data source or an information source that is used by a life insurer to supplement or supplant traditional underwriting factors...” ECDIS includes, “credit scores, credit history, social media habits, purchasing habits, home ownership, educational attainment, licensures, civil judgments, court records, occupation that does not have a direct relationship to mortality, morbidity or longevity risk, consumer-generated Internet of Things data, biometric data and any insurance risk scores derived by the insurer or third-party from the above listed data or similar data and/or information source.” This definition is almost identical to the definition of ECDIS in the final GRM Regulation, which includes “locations”, while the draft Testing Regulation does not.

ECDIS does not include traditional underwriting factors, which is defined for the first time in the Testing Regulation as the following factors:

  1. Information provided by or on behalf of the individual to whom the information relates in response to questions on the application for insurance including medical information, family history, and disability
  2. Occupational information, based on actuarially sound principles, that has a direct relationship to mortality, morbidity or longevity risk
  3. Behavioral information related to a specific individual, including motor vehicle records and criminal history of non-juvenile felony conviction that has a direct relationship to mortality, morbidity or longevity risk
  4. MIB data
  5. Prescription drug history
  6. Income tax, assets, or other elements of a specific person’s financial profile provided on an application for insurance by the applicant
  7. Digitalized or other electronic forms of the information listed above

Estimating Race or Ethnicity: Use of Bayesian Improved First Name Surname Geocoding (BIFSG). The Testing Regulation would require life insurers for the first time to estimate the race or ethnicity of each proposed insured using the BIFSG, which is a statistical method developed by the RAND corporation to estimate the race and ethnicity of an individual based on the individual’s name and residential address. Insurers are to use the insureds’ or proposed insureds’ name and geolocation information included in the application for life insurance when using the BIFSG.

Insurers are to use the following categories when using the BIFSG: Hispanic, Black, Asian Pacific Islander (API) and White.

The initial test must include application data from the date the insurer first used ECDIS or Models in underwriting through December 31, 2023. Thereafter, testing must be performed annually “to include additional application data through December 31st of the previous year,” suggesting that subsequent applicant data is additive onto the original data base.

While BIFSG has not, to our knowledge, been required by any state insurance regulator in the past to infer the race or ethnicity of an individual, some form of this methodology has previously been endorsed by courts in cases involving employment discrimination and Voting Rights Act cases.

However, because life insurers lack experience with using the BIFSG, it would be reasonable for the CDI to give insurers a test period to understand the issues that will arise when they use the BIFSG with their first data set of “all applicants” and to allow insurers time to discuss these issues with the CDI.

Furthermore, application data may span more than one decade. As a result, the insurer’s data should be tested using the BIFSG file that aligns to the census data immediately following the date of the application.

Application Approval Decision Testing. Insurers would be required to use logical regression to assess whether there is a statistically significant difference in approval rates of Hispanic, Black and API applicants compared to White applicants, using BIFSG as a method for estimating the race and ethnicity of the insurer’s applicants—information that most insurers will not have. If there is no statistical difference in approval rates (defined by the regulation to be 
a p-value of greater than .05) or if there is a statistical difference but that difference is less than five (5) percentage points, no further testing is required. Policy type (defined as permanent or term life insurance, and if term, the duration of the term), face amount, age, gender, and tobacco use may be used as control variables when determining if there is such a statistical difference.

Premium Rate Testing. Insurers must also determine if there is a statistically significant difference in the premium rate per $1,000 of face amount for policies issued to Hispanic, Black and API insureds relative to White insureds. As with the application approval test, linear regression must be used to determine if there is a significant difference in premium rate per $1,000 of face amount for policies issued to Hispanic, Blacks, or API applicants compared to White applicants. If there is no statistical difference (defined by the regulation to be a p-value of greater than .05) or if there is a statistical difference but that difference is less than five (5) percentage points, no further testing is required. Policy type, face amount, age, gender, and tobacco use may be included as control variables.

Variable Testing. If the difference in approval rates or premium rates under the application approval test or the premium rate test is statistically significant (defined by the regulation to be a p-value of less than .05) and five (5) percentage points or higher, then the life insurer is required to conduct additional statistical testing to identify the variables contributing to the difference and whether there is a relationship between those variables and race and ethnicity.

If any ECDIS variable or Model is deemed to have a direct relationship to a disproportionate negative outcome, it is deemed unfairly discriminatory and the life insurer must take reasonable steps, as provided for in their GRM framework, to remediate any unfair discrimination identified by the variable testing, including additional testing necessary to demonstrate the effectiveness of the remediation.

The insurer must include a description of the remediation steps taken in their report to CDI due April 1, 2024.

Note that the Testing Regulation does not discuss what steps CDI will deem adequate to remediate unfairly discriminatory outcomes and there are no limitations on the types of remediation measures that may be required under the Testing Regulation. Remediation measures are not explicitly limited to prospective measures regarding the use of ECDIS in underwriting on a going forward basis and could conceivably include measures to adjust or refund premium on policies that were underwritten in a discriminatory manner in the past.

Reporting Requirements. The proposed regulation sets out an expectation that life insurers will complete their first testing using the BIFSG for calendar year 2023 and then submit a report to CDI by April 1, 2024 and annually thereafter. The report must include the number of applicants used in the testing, as well as the number of applications received overall for the period beginning with the initial adoption of ECDIS and Models. A detailed summary of the test results from the application approval testing, premium rate testing and variable testing, including remediation steps taken, the timing of the remediation steps and subsequent testing is required.

We do not believe April 1, 2024 is a realistic deadline. Life insurers will need to gather, reformat and prepare their data in order to conduct the tests and may encounter difficulties when using the BIFSG for the first time. Insurers may therefore find it difficult to prepare the data and complete testing by April 1, 2024.

The Interplay of the draft Testing Regulation and the Final GRM Regulation. It is important to keep in mind the interplay between the draft Testing Regulation and the adopted GRM Regulation. Under the GRM Regulation, an insurer’s GRM Framework must include a “documented description” of the testing required by the Testing Regulation, including “the methodology, assumptions, results and steps taken to address unfairly discriminatory outcomes.”

The filing requirements of the two regulations are out of sync. By June 1, 2024, the GRM Regulation requires insurers to file with CDI a narrative report summarizing their progress in complying the regulation, including any difficulties encountered. Final compliance is required by December 1, 2024. Yet, the draft Testing Regulation would require a complete testing report, with remediation, to be filed much earlier—by April 1, 2024—and there is no provision, such as a testing period, to provide for a discussion with CDI of any difficulties insurers may have encountered in using the BIFSG or conducting the tests for the first time.

Implications for property-casualty (P&C) insurers. CDI plans to establish regulations implementing a GRM framework for P&C insurers and has suggested that the framework will not look very different from the framework for life insurers. esting for P&C insurers have common features (such as use of BISFG) but also will vary in some respects (such as traditional underwriting factors).

We will continue to follow developments related to SB21-169 and other laws and regulations affecting insurers using algorithms, predictive models, autonomous decision making systems and artificial intelligence. 


1 The CDI adopted its first regulation under SB 21-169 on September 21, 2023, effective November 14, 2023, It requires Colorado’s life insurers to adopt a governance and risk management (GRM) framework with respect to their use of ECDIS and Models (GRM Regulation) that supports policies and procedures to determine whether use of ECDIS and Models results in unfair discrimination with respect to race and to remediate such discrimination, if detected

2 SB 21-169 prohibits Colorado licensed insurer’s use of ECDIS and Models in “insurance practices (defined in the statute as marketing, underwriting, pricing, utilization management, reimbursement methodologies and claims management) that “unfairly discriminate” based on race, color, national or ethnic origin, religion, sex, sexual orientation, disability, gender identity, or gender expression.”

[View source.]

Written by:

Eversheds Sutherland (US) LLP

Eversheds Sutherland (US) LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide