Colorado: An overview of Regulation 10-1-1 and its governance framework

In this Insight article, John Romano and Jessie Adamson, from Baker Tilly, delve into Colorado's recent regulatory developments, specifically focusing on life insurers' utilization of Big Data, external consumer information, algorithms, and predictive models.

The recent, rapid expansion of Big Data has transformed the insurance industry and has shown that it has the potential to increase efficiencies and benefit both insurers and consumers. However, the unchecked use of Big Data can unintentionally result in harm to protected groups. To combat this, Colorado introduced Senate Bill (SB) 21-169, which aims to protect consumers from insurance practices that result in unfair discrimination on the basis of race, color, national or ethnic origin, religion, sex, sexual orientation, disability, gender identity, or gender expression. Insurers in the State will soon be held accountable for testing their Big Data systems to ensure they are not unfairly discriminating against consumers on the basis of a protected class, and will be required to address any concerns as they arise.

What is the Regulation status and who does it apply to?

On September 21, 2023, the Division of Insurance at Colorado's Department of Regulatory Agencies (the Division) adopted Regulation 10-1-1, Governance and Risk Management Framework Requirements for Life Insurers' Use of External Consumer Data and Information Sources, Algorithms, and Predictive Models (the Regulation). The Regulation establishes requirements for life insurers that utilize External Consumer Data and Information Sources (ECDIS), as well as algorithms and predictive models that incorporate ECDIS.

Effective on November 14, 2023, the Regulation, which applies to all life insurers authorized to operate in Colorado, mandates the establishment of a risk-based governance and risk management framework. The framework is designed to ensure that the use of ECDIS, algorithms, and predictive models does not result or potentially result in unfair discrimination, particularly with respect to race, and provides a method to remediate unfair discrimination.

What are some key aspects of the governance framework?

The governance and risk management framework outlined in the Regulation requires life insurers that use ECDIS, algorithms, and predictive models to:

  • formulate governing principles: Document guiding principles to prevent unfair discrimination in the use of ECDIS, algorithms, and predictive models;
  • ensure oversight: The board of directors or a suitable committee should oversee the risk management framework, with senior management responsible for setting strategy and monitoring performance;
  • create a cross-functional team: Establish a team from key functional areas to oversee the use of these tools;
  • develop policies and training: Create written policies for the design, use, and monitoring of these tools, including a training program for relevant personnel;
  • handle consumer complaints: Implement processes to address consumer complaints and inquiries about the use of these tools;
  • assess risks: Develop a system for assessing and prioritizing risks associated with these tools, considering consumer impacts;
  • maintain an inventory: Keep an updated inventory of all used ECDIS, algorithms, and predictive models, documenting any material changes;
  • conduct testing and monitoring: Document the testing conducted to detect unfair discrimination and to monitor the performance of algorithms and predictive models;
  • manage external resources: Document the process used for selecting third-party vendors supplying ECDIS, algorithms, and/or predictive models, and ensure compliance with all regulatory requirements; and
  • review regularly: Document annual reviews of the governance structure and risk management framework, updating documentation as needed.

What has changed since the initial draft Regulation in February 2023?

The adopted Regulation for life insurers has been pared down from the initial version released in February 2023. Most notably, the adopted Regulation no longer emphasizes 'disproportionately negative outcomes,' which would have included results or effects that 'adversely impact a group' with protected characteristics 'even after considering factors that define similarly situated consumers.' Instead of this term, the adopted Regulation pivots to necessitating 'risk-based' governance and management frameworks. This shift is substantial - it not only brings the adopted Regulation in line with conventional insurance regulation but also signifies a pragmatic, progressive advancement for such regulation.

The adopted version specifies that life insurers must have a governance and risk management framework that identifies potential unfair discrimination with respect to race. Additionally, if unfair, or potentially unfair, discrimination is detected, life insurers must provide a framework for remediation. The definition of ECDIS, in the adopted version, includes biometric data.   

Other changes of note include the requirement for documented, comprehensive annual reviews, rather than the regular reviews originally proposed. The adopted Regulation also states that ongoing testing and monitoring must account for model drift. To satisfy documentation requests, insurers may have their third-party vendors provide documentation directly to the Division.

Despite being less demanding than the initial draft, the adopted Regulation still imposes significant obligations on life insurers. These include mandates for life insurers to set up risk-based frameworks for the utilization of ECDIS in any insurance practice including claims, ratemaking, and pricing. Furthermore, the Regulation necessitates the execution of these frameworks concerning any algorithms and predictive models that use or depend on ECDIS.

What kind of documentation and reporting is required?

The Regulation outlines comprehensive reporting requirements. Insurers using ECDIS, algorithms, and predictive models, as of the effective date of the Regulation, November 14, 2023, must submit the following to the Division: 

  • a narrative report summarizing their progress towards compliance with the Regulation's requirements by June 1, 2024; and 
  • a report, no more than 10 pages in length, on December 1, 2024, and annually going forward, summarizing compliance with the Regulation. 

Conversely, insurers that do not use ECDIS or algorithms and predictive models are exempt from these requirements but are required to submit to the Division the following:

  • an attestation, signed by an officer, stating that the insurer does not use ECDIS or algorithms and predictive models, on December 1, 2024, and annually thereafter; and 
  • if an insurer plans to use ECDIS or algorithms and predictive models, they must submit a narrative report to the Division, summarizing compliance with the Regulation prior to implementation.

What happens in the event of non-compliance?

The Regulation stipulates that sanctions may be imposed, including civil penalties, cease and desist orders, and/or suspensions or revocations of license, subject to the requirements of due process.

What is the current status of related regulations?

Beginning in April 2023, and continuing through 2024, the Division has hosted stakeholder meetings for private passenger auto insurance underwriting. The purpose of the stakeholder meetings is to discuss the applicability of the adopted Regulation. Materials from those stakeholder meetings can be found here: Private Passenger Auto Insurance Underwriting Stakeholder Meeting Materials. 

On February 29, 2024, the Division held a stakeholder meeting to discuss unfair discrimination insurance practices focusing on health insurance as part of the Division's implementation of SB21-169.

The Division released a draft regulation, which can be found here: Concerning Quantitative Testing of External Consumer Data and Information Sources, Algorithms, and Predictive Models Used for Life Insurance Underwriting for Unfairly Discriminatory Outcomes, for comments to be received by October 26, 2023. The draft regulation seeks to establish requirements for life insurers' quantitative testing of ECDIS, algorithms, and predictive models to ensure that unfair discrimination does not occur.

The draft regulation would require life insurers that use ECDIS, algorithms, and predictive models to test application data through December 31, 2023, and annually thereafter, using Bayesian Improved First Name Surname Geocoding (BIFSG), which combines the insured's name and geolocation information to estimate the race and ethnicity of each insured. The insurer would then be required to calculate the following:

  • disapprovals: assess whether there are statistically significant differences in disapproval rates among applicants from different demographic groups; and
  • premium rates: examine whether policies issued to insureds from different demographic backgrounds exhibit statistically significant differences in premium rates, per $1,000 of face amount.

The draft regulation contains specific testing requirements and reporting requirements, as well as actions that insurers must take if unfair discrimination is detected.
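As an added illustration of the two calculations described above (group disapproval rates and premium per $1,000 of face amount), the following Python is example code written for this page; it is not from the article, from Baker Tilly, or from the Division's draft regulation. It assumes that BIFSG has already produced a probability vector over race/ethnicity categories for each insured; the category labels, the probability-weighted group rates, and the pooled two-proportion z-test are assumptions of the example rather than anything the draft regulation prescribes, and every applicant record is constructed sample data.

```python
"""
Proxy-weighted disparity testing of underwriting outcomes.

Added example, not code from the article, from Baker Tilly, or from the
Colorado Division of Insurance. It assumes BIFSG has already been run so
each applicant carries a probability vector over race/ethnicity categories;
treating a group's rate as the probability-weighted average over all
applicants is an assumption of this example. Applicant records are constructed.
"""
from dataclasses import dataclass
from math import erf, sqrt
from typing import Optional

CATEGORIES = ("white", "black", "hispanic", "asian")  # assumed label set
REFERENCE = "white"                                     # assumed comparison group


@dataclass
class Applicant:
    disapproved: bool
    annual_premium: Optional[float]   # None when no policy was issued
    face_amount: Optional[float]      # None when no policy was issued
    race_probs: dict                  # BIFSG posterior over CATEGORIES, sums to 1

    def __post_init__(self):
        total = sum(self.race_probs.get(c, 0.0) for c in CATEGORIES)
        if abs(total - 1.0) > 1e-6:   # reject malformed proxy vectors early
            raise ValueError(f"race probabilities sum to {total}, expected 1")


def effective_counts(apps):
    """Expected number of applicants per group: n_g = sum_i p_ig (fractional)."""
    return {c: sum(a.race_probs.get(c, 0.0) for a in apps) for c in CATEGORIES}


def weighted_disapproval_rates(apps):
    """rate_g = sum_i p_ig * d_i / sum_i p_ig; groups with zero weight are omitted."""
    n = effective_counts(apps)
    return {c: sum(a.race_probs.get(c, 0.0) for a in apps if a.disapproved) / n[c]
            for c in CATEGORIES if n[c] > 0}


def weighted_premium_per_1000(apps):
    """Weighted mean of annual premium per $1,000 of face amount, issued policies only."""
    out = {}
    for c in CATEGORIES:
        num = den = 0.0
        for a in apps:
            if a.annual_premium is None or not a.face_amount:
                continue                       # disapproved: no premium to measure
            w = a.race_probs.get(c, 0.0)
            num += w * a.annual_premium / (a.face_amount / 1000.0)
            den += w
        if den > 0:
            out[c] = num / den
    return out


def normal_two_sided_p(z):
    """Two-sided p-value under the standard normal, via the error function."""
    return 2.0 * (1.0 - 0.5 * (1.0 + erf(abs(z) / sqrt(2.0))))


def two_proportion_z(p1, n1, p2, n2):
    """Pooled two-proportion z-test returning (z, two-sided p). Fractional
    effective counts are accepted because groups are probability-weighted."""
    pooled = (p1 * n1 + p2 * n2) / (n1 + n2)
    se = sqrt(pooled * (1.0 - pooled) * (1.0 / n1 + 1.0 / n2))
    if se == 0.0:
        return 0.0, 1.0                        # degenerate input (all 0 or all 1)
    z = (p1 - p2) / se
    return z, normal_two_sided_p(z)


def disparity_report(apps, reference=REFERENCE):
    """Per non-reference group: disapproval rate, z and p versus the reference
    group, and the premium-per-$1,000 gap versus the reference group."""
    n = effective_counts(apps)
    rates = weighted_disapproval_rates(apps)
    prem = weighted_premium_per_1000(apps)
    report = {}
    for c in CATEGORIES:
        if c == reference or c not in rates:
            continue
        z, p = two_proportion_z(rates[c], n[c], rates[reference], n[reference])
        gap = prem[c] - prem[reference] if c in prem and reference in prem else None
        report[c] = {"effective_n": n[c], "disapproval_rate": rates[c],
                     "z_vs_reference": z, "p_value": p, "premium_gap_per_1000": gap}
    return report


# Constructed sample: ten applications with BIFSG-style probability vectors.
SAMPLE = [
    Applicant(False, 600.0, 100_000.0, {"white": 1.0}),
    Applicant(False, 660.0, 100_000.0, {"white": 1.0}),
    Applicant(True, None, None, {"white": 1.0}),
    Applicant(False, 700.0, 100_000.0, {"white": 0.5, "black": 0.5}),
    Applicant(True, None, None, {"black": 1.0}),
    Applicant(True, None, None, {"black": 1.0}),
    Applicant(False, 800.0, 100_000.0, {"black": 0.8, "hispanic": 0.2}),
    Applicant(False, 750.0, 100_000.0, {"hispanic": 1.0}),
    Applicant(True, None, None, {"hispanic": 0.6, "asian": 0.4}),
    Applicant(False, 500.0, 100_000.0, {"asian": 1.0}),
]

if __name__ == "__main__":
    for group, row in disparity_report(SAMPLE).items():
        print(group, {k: round(v, 4) if isinstance(v, float) else v for k, v in row.items()})
```

Because the proxy is probabilistic, the effective count for each group is fractional, and the z-test treats those fractional counts as sample sizes; on a ten-record sample like the constructed one, no gap reaches significance, so a compliance tester would run this over a full year of applications, as the draft regulation contemplates, before drawing conclusions.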

Key takeaways and action items for insurance companies

  • Understand the Regulation: Familiarize yourself with the definitions and requirements of the Regulation. Understand what constitutes ECDIS, algorithms, and predictive models, and how they are used in your organization.
  • Establish a governance and risk management framework: Develop a comprehensive framework that includes principles, a cross-functional committee, roles and responsibilities, policies and processes, training, controls, protocols for consumer complaints, a plan for unintended consequences, and the use of external audits.
  • Maintain comprehensive documentation: Keep detailed records of all ECDIS, algorithms, and predictive models in use, including those supplied by third parties. This should include an inventory, results of annual reviews, a system for tracking changes, descriptions of testing, limitations, ongoing monitoring, datasets used, how predictions are made, potential risks and impacts, the process for selecting external resources, and all decisions made regarding the use of ECDIS and algorithms.
  • Prepare for reporting requirements: Plan for the submission of reports to the Division summarizing your progress toward compliance with the requirements specified in the Regulation. These reports are due by June 1, 2024, and December 1, 2024, and annually thereafter. 
  • Plan for potential non-compliance: Understand the potential consequences of non-compliance, including civil penalties, cease and desist orders, and/or suspensions or revocations of license. Ensure that your organization has a plan in place to address potential non-compliance issues.

John Romano, Partner
Jessie Adamson, Consultant
Baker Tilly US, LLP, Colorado
