Landmark Colorado AI Regulation For Insurers

Governance and risk management requirements for life insurers’ use of algorithms and predictive models.

By John Robinson

Colorado’s Department of Regulatory Agencies Division of Insurance (“Division”) becomes one of the first state agencies to establish governance and risk management requirements for life insurers that use external consumer data and information sources (ECDIS), as well as algorithms and predictive models that use ECDIS. The final release of the regulation became effective on November 14, 2023, and drastically increases insurers’ responsibility to ensure there is no discrimination in predictive models. Colorado’s law is the first of its kind and is viewed as a model that other states will likely follow as the industry works to regulate new artificial intelligence technologies.


Notable Content

If an insurer, or the technology an insurer deploys, uses ECDIS, then the insurer must establish a risk-based governance and management framework that facilitates and supports policies, procedures, systems, and controls designed to determine whether the use of ECDIS, algorithms, and predictive models results in unfair discrimination with respect to race. The law’s governance and risk management requirements include:

Summary Requirements List

  • Documented governing principles on creation of AI and the use of data, with the goal of preventing discrimination
  • Governance structure overseen by the board of directors
  • Senior Management direction and overall strategy on monitoring the governance of AI and algorithms associated with customer data, including regular reporting on risks
  • Creation of a cross-functional governance group including representatives from all applicable functions involved with data algorithms and predictive modeling
  • Documented policies, processes, and procedures including roles and responsibilities for the design, development, testing, deployment, and use of predictive models
    • Including ongoing monitoring
    • Training of personnel on compliance with these procedures
  • Documented processes and protocols in place for addressing consumer complaints and inquiries about the use of customer data, algorithms, and predictive models
  • Documented rubric for assessing and prioritizing risks of algorithms and predictive models
  • Documented inventory of all utilized customer data, algorithms, and predictive models
  • Documentation of changes to models
  • Documentation of testing for discrimination conducted on models as well as the subsequent results
  • Documentation of ongoing monitoring practices for algorithms and predictive models
  • Documentation on the process for selecting third-party vendors
  • Annual review of governance and risk management framework

*Insurers that use a third party to manage customer data utilizing predictive models and algorithms remain responsible for the above requirements. 
**All of the requirements listed above must be available on request of the Division.

Summary of Reporting Requirements

  • A one-time submission to the Division, due June 1, 2024, of a narrative report summarizing the progress made toward complying with the requirements.
  • Yearly submission to the Division of the title and qualifications of each individual responsible for ensuring compliance, signed by the compliance officer, as well as a narrative report summarizing compliance with the above requirements. First due December 1, 2024, and annually thereafter.
  • Insurers that do not utilize ECDIS, predictive algorithms, or artificial intelligence models are exempt from the requirements but are still required to annually attest that they do not utilize these technologies. First due to the Division within one month of the effective date of this regulation, and annually thereafter.
  • Insurers that plan to utilize these technologies must provide the narrative report mentioned above prior to implementing the ECDIS technologies.

Key Takeaways

Colorado has taken a significant step by being the first state to define base-level requirements that qualifying life insurers must meet. Regulators have proven that AI regulation is a priority. European regulation like the “A.I. Act,” Senate subcommittee hearings on the “Oversight of A.I.,” and the recent Executive Order on AI Enforcement all show an international trend toward greater regulation. While Colorado is the first state to implement statewide regulation on insurers, Guidehouse believes others will follow. Below are a few immediate steps insurance companies can take to meet regulatory scrutiny.

  1. Designate a team to inventory all predictive models that could be subject to the Colorado legislation
  2. Formally inform and empower executives and boards of directors regarding their responsibilities for overseeing the risk management framework
  3. Inventory the requirements of the Colorado regulation and develop a plan to identify and remediate gaps
  4. Assign reporting responsibilities to team members for periodic narrative and summary reporting to Colorado regulatory authorities, first due June 1, 2024

Guidehouse Service Offering

As firms navigate the implications of the new Colorado regulation, it is beneficial to have a partner who can provide seasoned guidance and support. Guidehouse has a deep understanding of regulated industries and extensive experience in responsible AI.

Guidehouse can support an organization’s efforts to implement regulatory-driven change and maximize the predictive power from automated decision systems while implementing industry standards for data privacy and protection, model monitoring and risk mitigation, and the equitable and responsible use of AI.
