January 10, 2024

Navigating the New Normal: Decoding Colorado's Trailblazing AI Regulation (SB 21-169)

In a groundbreaking move, the Colorado Division of Insurance (CDOI) signed Senate Bill (SB) 21-169 into law, aiming to protect Colorado consumers from practices that may result in unfair discrimination, based on a number of criteria such as race, color, national or ethnic origin, religion, sex, sexual orientation, disability, gender identify, or gender expression.

Moving forward, insurers will be held accountable for their big data models, including algorithms and predictive models. As such, they must take corrective action to ensure their systems are safe to use.

The Division has initiated the stakeholder engagement process concerning the following insurance lines and practices:

  • Life insurance underwriting
    • Current status: Regulation adopted.
  • Private passenger auto insurance underwriting
    • Current status: Stakeholder meeting took place. Informal comments have been submitted.
  • Health insurance
    • Current status: First stakeholder meeting to take place on February 29th, 2024.

With this new legislation, Colorado is making history by being the first state to formally adopt a regulation dedicated to insurance algorithms.

However, it’s not standing alone in this endeavor. Regulators in various states, such as New York,, Connecticut, and Washington, D.C., have issued cautionary warnings and notices, urging carriers to demonstrate the fairness of their models and data.

This regulatory momentum aligns with recent legal challenges faced by insurance industry giants, including entities like State Farm Mutual Automobile Insurance Co., Cigna Group, and UnitedHealth Group Inc. Proposed class actions have alleged unfair practices, particularly concerning minorities and older customers, citing insurers' utilization of automated processes in coverage denial.

The convergence of regulatory initiatives and legal actions underscores the pressing need for robust AI governance and compliance measures within the insurance sector.

Unpacking Colorado’s Adopted AI Regulation for Life Insurers

Pioneering AI regulation 10-1-1 or 3 CCR 702-10, effective from November 14, 2023, sets the stage for a new era in life insurance governance. Life insurers operating in Colorado are granted a compliance window until December 1, 2024, with an initial progress summary due by June 1, 2024.

⚖️ Principles

Clear, documented governing principles are now a mandate, outlining insurer values and objectives. The focus is on ensuring effective oversight of external consumer data and information sources (ECDIS) to prevent fair discrimination.

What is ECDIS?

💡 ECDIS = “External Consumer Data and Information Source” or “ECDIS” means, for the purposes of this regulation, a data or an information source that is used by a life insurer to supplement or supplant traditional underwriting factors or other insurance practices or to establish lifestyle indicators that are used in insurance practices. This term includes credit scores, social media habits, locations, purchasing habits, home ownership, educational attainment, licensures, civil judgments, court records, occupation that does not have a direct relationship to mortality, morbidity or longevity risk, consumer-generated Internet of Things data, biometric data, and any insurance risk scores derived by the insurer or third-party from the above listed or similar data and/or information sources.

🤝 People

Ownership and responsibility are non-negotiable, with board oversight and senior management accountability being key elements, put in place to ensure a strategic approach that includes:

  • Setting clear lines of communication
  • Delegated decision making authority
  • Regular reporting on the performance of the potential risks of using ECDIS, as well as algorithms or predictive models using ECDIS

A cross-functional governance group, featuring representatives from legal, compliance, risk management, product development, underwriting, actuarial, data science, marketing, and customer service, is also required by the new legislation, in order to ensure a holistic and inclusive perspective.

⚙️ Processes and Policy

Robust policies, processes, and procedures for the entire lifecycle of ECDIS and related algorithms or predictive models are now prerequisites. Internal supervision and training for personnel, addressing consumer complaints, and a documented risk assessment rubric will be integral to compliance.

The legislation also emphasizes the importance of comprehensive annual reviews, ensuring the governance structure and risk management framework are continually refined.

Here’s an overview of what’s required:

  • Policies, processes and procedures for the design, development, testing, deployment, use, and ongoing monitoring of ECDIS and ECDIS-based algorithms or predictive models.
  • Internal supervision and training for all relevant personnel
  • Processes and protocols for addressing consumer complaints & inquiries
  • Documented rubric for assessing and prioritizing risks associated with the deployment of ECDIS and models using ECDIS
  • Inventory and versioning of all ECDIS and ECDIS-based algorithms or predictive models.
  • Documented description of testing conducted for unfairness, as well as ongoing monitoring of models, including information on model drift
  • Documented description of the processes used for selecting external resources including third-party vendors that supply ECDIS, algorithms, and/or predictive models
  • Comprehensive annual reviews of the governance structure and risk management framework

Important Notes:

💡 Ownership matters: If third-party vendors are in play, insurers bear the responsibility for regulatory compliance.

⌛ Time is of the essence: All components of the governance structure and risk management framework required by the legislation must be available on December 1, 2024, and annually thereafter.

Delving into Reporting Requirements

Insurers Using ECDIS and Algorithms and/or Predictive Models that Employ ECDIS

  • Must submit a progress report by June 1, 2024, highlighting areas that are still under development if this is the case
  • Come December 1st 2024, insurers must submit a comprehensive report summarizing compliance, including the following information:
    • The title and qualifications of each individual responsible for ensuring compliance
    • The section of the regulation that the person is responsible for
  • This report must be signed by an officer in order to attest compliance

Important Note:

🚨 If compliance can’t be attested, insurers must submit a corrective action plan, no longer than 10 pages including an executive summary.

Insurers That Do Not Use ECDIS or Related Models

  • For insurers not utilizing ECDIS or related models, a straightforward attestation, signed by an officer, confirming non-use of such data sources or models is required within one month of the regulation’s effective date and annually thereafter.

Future Implementers

  • Insurers planning to use ECDIS or related models after the legislation comes into effect must submit a detailed report preceding their utilization, outlining their strategies and compliance measures.

Penalties

Failure to comply with this regulation could lead to various penalties outlined in Colorado’s insurance business statutes or other applicable laws. These penalties may involve fines, the issuance of cease and desist orders, or even the suspension or revocation of licenses, all in accordance with the due process requirements. It’s crucial to adhere to these guidelines to avoid potential consequences.

Final Words

In adapting to Regulation 10-1-1, life insurers in Colorado embark on a journey toward enhanced transparency and responsibility. The regulatory landscape has shifted, emphasizing the need for a comprehensive governance and risk management framework.

Navigating the intricacies of AI regulation is no small feat, but with diligence and a proactive approach, insurers can not only meet but exceed the expectations set forth.

Empowering Your Organization with Lumenova AI

Lumenova AI is dedicated to supporting enterprises in all stages of their Responsible AI journey.

If your company finds itself impacted by the recent legislation, our AI Governance, Risk, and Compliance platform stands ready to provide extensive support, ensuring continued compliance while fostering successful business transformation.

We’d love to show you how Lumenova AI works. Get in touch with us for a custom product demo.

Make your AI ethical, transparent, and compliant - with Lumenova AI

Book your demo