On September 21, 2023, the Colorado Division of Insurance (the “CDI”) adopted a first-of-its-kind regulation (the “Regulation”) in the US establishing governance and risk management requirements for life insurers that use external consumer data and information sources (“ECDIS”) or algorithms or predictive models that use ECDIS.1 The Regulation will become effective on November 14, 2023, and life insurers will have until December 1, 2024 to establish the governance structure and risk management framework required by the Regulation; however, an interim progress report must be provided by life insurers to the CDI by June 1, 2024.
Focus on Governance and Risk Management Framework
The Regulation requires life insurers authorized to do business in Colorado to establish and maintain a risk-based governance structure and risk management framework to (1) oversee whether the life insurers’ use of ECDIS and algorithms and predictive models that use ECDIS potentially results in unfair discrimination with respect to race, and (2) remediate such unfair discrimination if detected. The requirements for the governance structure and risk management framework focus heavily on creating documented policies, procedures, systems, and controls to detect and address unfair discrimination. For example, life insurers are required to maintain an up-to-date inventory of all ECDIS and algorithms and predictive models that use ECDIS. The inventory must include a detailed description of each ECDIS, algorithm or predictive model, its stated purpose, and the outputs generated through its use.
Multiple Levels of Organizational Oversight
The Regulation tasks various internal stakeholders with implementing and overseeing the governance structure and risk framework for a life insurer. Senior management is responsible for setting and monitoring the overall strategy for the use of ECDIS and algorithms and predictive models that use ECDIS. A cross-functional governance group composed of representatives from key functional areas must be established to support implementation. Finally, the governance structure and risk management framework must ultimately be overseen by a life insurer’s board of directors or a committee thereof.
Oversight of Use of Third-Party Vendors
The Regulation also addresses life insurers’ use of third-party vendors and other external resources for ECDIS and algorithms and predictive models that use ECDIS by providing that life insurers remain responsible for ensuring compliance with their established governance structure and risk management framework, which must include a process for the selection and oversight of all external resources and third-party vendors.
Life insurers using ECDIS or algorithms or predictive models that use ECDIS must file an annual report with the CDI by December 1 (beginning in 2024) that summarizes their compliance with their governance structure and risk management framework, including listing the title and qualifications of each individual responsible for ensuring such compliance along with the specific requirements of the governance structure and risk management framework for which that individual is responsible. In advance of that date, such life insurers will need to file a report with the CDI by June 1, 2024 describing their progress towards setting up the governance and risk management framework and identifying any difficulties encountered and the expected completion date. Life insurers that do not use ECDIS or algorithms or predictive models that use ECDIS must attest to that fact by December 14, 2023 and annually by December 1 thereafter; however, such life insurers will need to submit a report to the CDI in advance of beginning to use ECDIS or algorithms or predictive models that use ECDIS.
Documents or materials disclosed by a life insurer to the CDI under the Regulation will be entitled to confidential treatment under Colorado’s insurance law.
The final Regulation resulted from a rulemaking process conducted by the CDI over the course of 2023. The first draft of the Regulation had a broader scope and more extensive requirements. Based on feedback from the relevant constituencies including industry members and groups, the final Regulation has a more focused scope than what was initially proposed with a clear focus on unfair discrimination based on race.
As the Regulation applies to all life insurers authorized to do business in Colorado, its requirements are expected to apply to a broad swath of the US life insurance industry. The Regulation is expected to be followed by similar regulations in Colorado for other lines of business. In addition, other US states are also considering potential new laws, regulations and regulatory guidance on the use of artificial intelligence by insurers.
1 Colorado Division of Insurance, “Notice of Adoption - New Regulation 10-1-1 Governance and Risk Management Framework Requirements for Life Insurers' Use of External Consumer Data and Information Sources, Algorithms, and Predictive Models,” September 21, 2023.