On September 21, 2023, the Colorado Division of Insurance adopted a Final Regulation implementing S.B. 21-169, the 2021 law governing Colorado-licensed insurers’ use of external consumer data and information sources (ECDIS), as well as algorithms and predictive models using ECDIS (Models). The Final Regulation is slated to become effective on November 14, 2023, mandating life insurers that are licensed in Colorado to furnish a progress report regarding compliance by June 1, 2024, and provide an attestation affirming full compliance by December 1, 2024, and annually thereafter.

By way of background, consumers and regulators have been concerned for some time about discriminatory outcomes associated with the use of AI tools in hiring and lending practices. While the Colorado regulation marks a distinctive development in the insurance sector, it is also likely a precursor to an impending wave of similar regulations. The National Association of Insurance Commissioners (NAIC) is actively formulating a model bulletin rooted in NAIC’s AI principles, laying out regulatory expectations regarding the use of models, governance, risk management, and third-party AI systems. Until the NAIC guidelines materialize, the Colorado regulation is likely to provide the most accurate preview of the regulatory landscape to come.

Under the Final Regulation, ECDIS is broadly defined as “a data or information source that is used by a life insurer to supplement or supplant traditional underwriting factors or other insurance practices or to establish lifestyle indicators that are used in insurance practices.” 3 CCR 702-10(4)(C). These include credit scores, social media habits, purchasing habits, homeownership, education, licensures, biometric data, court records, occupations, and any insurance risk scores derived from this data. Jason Lapham, Director of Big Data and AI Policy at the Division of the Insurance, has expressed concern about how ECDIS is used by insurers, noting that “[s]ome carriers have fairly little to no governance around use of this information or around use of these AI tools” as reported to Government Technology.

The Final Regulation requires life insurers leveraging ECDIS or algorithms and predictive models using ECDIS to establish governance and risk management (GRM) frameworks to prevent unfair discrimination, provide transparency and accountability, and ensure the veracity of the data used. These GRM frameworks should encompass the following elements:

• Documented governing principles regarding the use of ECDIS and Models;
• Board oversight of the GRM framework;
• Senior management responsibility and accountability for monitoring the use of ECDIS and Models;
• Establishment of a cross-functional ECDIS and AI Model governance group;
• Documented policies and procedures regarding the use and monitoring of ECDIS and Models;
• Protocols for addressing consumer complaints;
• Implementation of a training program for relevant personnel on the responsible and compliant use of ECDIS and Models;
• A documented rubric for assessing and prioritizing risk associated with the deployment of ECDIS and Models;
• Documented up-to-date inventory, including version control, of all utilized ECDIS and Models and an explanation of any material changes in the inventory;
• A description of testing conducted to detect unfair discrimination resulting from the use of ECDIS and Models;
• A description of ongoing monitoring of the performance of the Models, including accounting for model drift (the degradation of model performance over time);
• A description of the process used for selecting third-party vendors that provide ECDIS and Models; and
• The annual review and update of the GRM framework to ensure continued accuracy and relevance.

It is important to note that Colorado's rule focuses specifically on the concept of "unfair" discrimination. Consequently, insurance companies are indeed permitted to take into account certain aspects of a consumer's profile when determining pricing and assessing risk, provided that these considerations possess a “direct relationship” to the consumer’s “mortality, morbidity, or longevity risk.” 3 CCR 702-10(4)(C).  

Colorado has outlined plans to introduce additional regulations. These forthcoming regulations will encompass predictive model testing for life insurers, and guidelines for property-casualty insurers who use ECDIS or Models.

Insurers who do not comply with the Final Regulation expose themselves to a range of penalties, including civil penalties, cease and desist orders, and potential license suspension or revocation.  The implementation of these requirements could be a substantial undertaking for insurers, depending upon their existing reliance on ECDIS. Consequently, insurers should develop a roadmap for compliance including these preliminary steps:

• Initiate a thorough review of all utilized ECDIS and Models, including the data types and sources involved;
• Form a cross-functional ECDIS and Model governance group to address key aspects of the GRM Framework such as policies and procedures regarding the use and monitoring of ECDIS and Models, complaint resolution, and the performance of risk assessments; and
• Identify any potential areas of concern related to unfair discrimination.

We will continue to monitor developments related to this Regulation, and the broader regulatory landscape of AI, automated decision making, and predictive models. For up-to-date information on AI legislation at the state level, please see our 2023 state-by-state AI legislation snapshot.

[View source.]