What Colorado's New Data Regulations Could Mean for Insurers, Agents

Conversation September 28, 2023 at 02:31 PM

The Colorado Division of Insurance last week adopted major regulations that will govern life insurers' use of any "external consumer data and information source," or ECDIS.

That definition appears to include traditional data streams and analytical systems as well as artificial intelligence-based systems.

What could this mean for life insurers, clients and financial professionals?

Scott M. Kosnoff, a partner at Faegre Drinker, answered questions about the Colorado regulations via email. The answers have been edited.

THINKADVISOR: How does Colorado's regulation compare with other jurisdictions?

SCOTT KOSNOFF: Colorado's statute and regulation make it unique in this area.

The National Association of Insurance Commissioners is working on a model bulletin that builds upon the NAIC's AI principles, which were adopted in 2020, and lays out regulatory expectations, including with respect to governance; risk management and internal controls; and third-party AI systems.

Once the NAIC finalizes and adopts the bulletin, individual states will consider whether they want to adopt the bulletin and, if so, whether to make any changes.

The California Department of Insurance issued a bulletin concerning the use of AI, algorithms, Big Data and the need to avoid unfair discrimination against protected classes. It also held a workshop examining bias and discrimination in September 2022.

The New York Department of Financial Services retained an outside consultant to conduct interviews regarding use of AI and machine learning by life insurers. 

Connecticut issued a notice concerning use of Big Data and avoidance of discriminatory practices and requires a certification from domestic insurers.

The District of Columbia is investigating potential "unintentional bias," beginning with private passenger auto, and it conducted a data call earlier this year.

How is Colorado's approach different from typical states?

Colorado's statute adopts a definition of unfair discrimination that departs from the way the term historically has been understood.

Colorado's statute focuses on the use of external consumer data and information sources, and not expressly on AI.

Colorado will require insurers to test for unfair discrimination, adopt a risk management and governance framework and submit reports to the regulators.

What implications could the Colorado regulation have for products other than life insurance?

The division will likely take a similar approach to other lines of business, including annuities.

I expect that subsequent regulations for other lines of business may cover the full range of insurance practices identified in the statute, such as marketing, underwriting, pricing, utilization management, reimbursement methodologies and claims management.

By the way: The life insurance regulation applies to the full range of insurance practices, not just underwriting.

Have regulators provided what clients will need to comply?

The Colorado regulation and NAIC bulletin give insurers enough guidance to get started, even though the NAIC bulletin will undoubtedly undergo some revisions. (Note: Life insurers are already on the clock in terms of complying with the Colorado regulation; they'll need to submit a preliminary report on their compliance efforts by June 1, 2024.)

To the extent further guidance is needed, I would look to the National Institute of Standards and Technology framework and playbook.

It's important to recognize that AI risk management is a journey with no real finish line. Insurers will need to reevaluate their governance and risk-management frameworks periodically in light of evolving regulatory developments and best practices.

Could the Colorado data rules have noticeable effects on life and annuity agents?

Agents and brokers may notice if insurers impose additional restrictions on their marketing strategies.

Could agents and advisors face "business associate" responsibilities for consumer data antidiscrimination rules that are comparable to what they face for Health Insurance Portability and Accountability Act health data privacy rules?

Under the draft NAIC bulletin, an insurer's governance program should address all of the AI systems used by or on behalf of the insurer to make decisions that impact consumers.

This would include AI systems used by an authorized agent or representative of the insurer.

What should clients know about AI risk management?

Risk-management efforts should be proportional to the potential harm and its likelihood of occurring. There's no one-size-fits-all approach.

The goal should be to have a good story to tell, one that demonstrates the organization understands the risks associated with AI and is making reasonable efforts to mitigate them.

Scott Kosnoff. Credit: Faegre Drinker
