CO Division of Insurance Finalizes AI, Data Regulations Impacting Insurers
In August 2023, the Colorado Division of Insurance conducted a hearing to finalize regulations impacting life insurers. These rules focus on how life insurance companies leverage external data and cutting-edge technologies, including artificial intelligence (AI), to make informed decisions. These regulations are tailored for life insurers operating in Colorado and encompass the utilization of external data sources, computer algorithms and predictive models in various life insurance processes, extending beyond traditional underwriting. Even when life insurers source this data and technology from third parties, strict compliance with these rules is obligatory. The finalized regulations were published on Sept. 22, 2023, and can be accessed on the Colorado Division of Insurance’s website.
Framework Requirements
The regulations mandate a comprehensive governance and risk management framework to ensure that life insurers using external consumer data and information sources (ECDIS), as well as algorithms and predictive models that employ ECDIS, maintain robust compliance practices. ECDIS refers to data or information sources used by life insurers to augment or replace conventional underwriting factors and other insurance practices. This encompasses a wide array of external data and information used by insurers in their insurance processes, including: credit scores, social media behaviors, location data, purchase patterns, homeownership status, educational qualifications, licensures, civil judgments, court records and more. It also encompasses consumer-generated Internet of Things (IoT) data, biometric data and any insurance risk scores generated from these data sources.
The governance and risk management framework will need to be built on principles that emphasize effective oversight and management, with a specific focus on preventing unfair discrimination in insurance practices. The framework also requires clear governance structures overseen by the board of directors or designated committees, senior management responsibilities, cross-functional governance groups and documented policies, processes and procedures for the development, testing, deployment and ongoing monitoring of ECDIS and related technologies. Furthermore, insurers are required to address consumer complaints, prioritize risks, maintain inventories of utilized ECDIS and models, and conduct ongoing assessments to detect and rectify any unfair discrimination.
Compliance Timeline
In light of these significant regulatory developments, it’s crucial for life insurers to grasp the nuances of these rules and their implications. The compliance timeline below details key milestones and requirements that life insurers must adhere to. This timeline ensures that life insurers, whether currently using external data and technology or planning to do so, are well prepared to meet the new standards set forth by the Colorado Division of Insurance. Please note that this compliance timeline is based on the information provided in the current draft of the regulation, varies by the insurers use of data or ECDIS, and is subject to any updates or changes made by the Colorado Division of Insurance.
For Life Insurers Using ECDIS, Algorithms or Predictive Models:
- By June 1, 2024: Submit a narrative report summarizing progress toward complying with the regulation’s requirements. This report should identify areas still under development, any challenges encountered, and the expected completion date.
- By Dec. 1, 2024, and annually thereafter: Submit a narrative report summarizing compliance with the regulation's requirements.
For Life Insurers Not Using ECDIS or Related Technologies:
- Within one month of the effective date (Dec. 14, 2023), and annually thereafter: Submit an attestation signed by an officer indicating that the insurer does not use ECDIS, algorithms or predictive models that use ECDIS.
For Life Insurers Transitioning to Use of ECDIS, Algorithms or Predictive Models:
- Submit a narrative report summarizing compliance with the governance and risk management framework and the title and qualifications of each individual responsible for ensuring compliance with the governance and risk framework.
Conclusion
These regulations provide a new framework for how life insurers employ certain external data and technology. While the deadlines and framework components have remained relatively consistent with the draft version, it is imperative for life insurers to fully understand and adhere to these rules. The Colorado Division of Insurance continues to refine details, and we will keep you updated on further developments.
Should you have any questions or concerns regarding these regulations, please reach out to your regular AT lawyer or one of the listed authors.