Key Takeaways:
- On December 6, 2024, the Colorado Division of Insurance released a draft proposed amendment to Regulation 10-1-1, Governance and Risk Management Framework Requirements for Insurers’ Use of External Consumer Data and Information Sources, Algorithms, and Predictive Models.
- The draft amendment would amend existing governance requirements for life insurers and apply those modified obligations to private passenger automobile insurers and health benefit plan insurers.
- Some auto insurers and health benefit plan insurers in Colorado will likely have significant compliance and governance work to do to meet these obligations if they are adopted, and therefore should consider undertaking a gap analysis and compliance road map, conducting a risk assessment, creating a cross-functional group, and increasing compliance budgets and securing additional resources.
On September 21, 2023, the Colorado Division of Insurance (the “Division”) released Regulation 10-1-1, Governance and Risk Management Framework Requirements for Life Insurers’ Use of External Consumer Data and Information Sources, Algorithms, and Predictive Models (the “Current Regulation”), which became effective on November 14, 2023, and which we have previously discussed in depth. The Current Regulation established governance and risk management requirements for life insurers that are designed to prevent unfair discrimination in connection with the use of external consumer data and information sources (“ECDIS”) and algorithms and predictive models that use ECDIS (“Models”).
On December 6, 2024, the Division released its draft proposed amendment to the Current Regulation (the “Draft Amendment”), which would amend its requirements for life insurers and apply those modified obligations to private passenger automobile insurers (“Auto Insurers”) and health benefit plan insurers (“Health Benefit Plan Insurers”).
The Draft Amendment continues the rapidly growing momentum to regulate the insurance industry’s implementation of AI, both in Colorado and elsewhere around the United States.
Definitions of ECDIS, Auto Insurer, and Health Benefit Plan
The Draft Amendment employs the same definition of ECDIS for Auto Insurers and Health Benefit Plan Insurers as for Life Insurers with one exception. For all three insurance lines, ECDIS is defined as “a data or an information source that is used by the insurer to supplement or supplant traditional underwriting factors or other insurance practices or to establish lifestyle indicators that are used in insurance practices.” However, the list of ECDIS examples is not identical. For all three insurance lines, the list of ECDIS examples includes “credit scores, social media habits, locations, purchasing habits, home ownership, educational attainment, licensures, civil judgments, court records, consumer-generated Internet of Things data, biometric data, and any insurance risk scores derived by the insurer or third-party from the above listed or similar data and/or information sources.” But, for Life Insurers, the list also includes “occupation that does not have a direct relationship to mortality, morbidity or longevity risk.”
For purposes of the Draft Amendment, Health Benefit Plan means “any hospital or medical expense policy or certificate, hospital or medical service corporation contract, or health maintenance organization subscriber contract or any other similar health contract subject to the jurisdiction of the commissioner available for use, offered, or sold in Colorado.” The Draft Amendment defines Auto Insurer as “an entity authorized and licensed by the commissioner of insurance to sell private passenger automobile insurance products in the state of Colorado.”
Governance and Risk Management Obligations
Under the Draft Amendment, many, but not all, of the existing governance requirements from the Current Regulation would apply to Auto Insurers and Health Benefit Plan Insurers without modification. However, the Draft Amendment proposes some alterations and additions to certain requirements for all three types of insurers. Below, we have sorted the Draft Amendment obligations into three categories: (1) unchanged obligations for Life Insurers that will apply to Auto Insurers and Health Benefit Plan Insurers; (2) altered or modified obligations; and (3) new obligations.
Unchanged Governance and Risk Management Framework Requirements
The Draft Amendment would directly extend many of the governance and risk management requirements that apply to Life Insurers right now to Auto Insurers and Health Benefit Plan Insurers, including:
- Governing principles that provide necessary guidance to ensure that (a) ECDIS, and Models that utilize ECDIS, are designed, developed, used, and monitored in a manner that achieves effective oversight and management; and (b) the use of ECDIS and the Models that utilize ECDIS are reasonably designed to prevent unfair discrimination.
- Senior management responsibility and accountability for setting and monitoring overall strategy for the use of ECDIS and the Models that utilize ECDIS.
- Cross-functional ECDIS and model governance group composed of representatives from key functional areas, including legal, compliance, risk management, product development, underwriting, actuarial, data science, marketing, and customer service, as applicable.
- Policies, processes, and procedures, including assigned roles and responsibilities, for the design, development, testing, deployment, use, and ongoing monitoring of ECDIS and the Models that utilize ECDIS, and processes to ensure that they are documented, tested, and validated.
- Up-to-date inventory and description of material changes in the inventory of all utilized ECDIS and the Models that utilize ECDIS, including a detailed description of each ECDIS and Model that utilizes ECDIS, its clearly stated purpose(s), and the outputs generated through its use.
- Description of testing conducted to detect unfair discrimination in insurance practices resulting from the use of ECDIS, including the methodology, assumptions, results, and steps taken to address unfairly discriminatory outcomes.
- Ongoing monitoring regarding the performance of Models that utilize ECDIS, including accounting for model drift.
- Process used for selecting external resources including third-party vendors that supply ECDIS and the Models that utilize ECDIS.
Altered Governance and Risk Management Framework Requirements
The Draft Amendment changes certain existing governance and risk management obligations and imposes these amended requirements on all three insurance lines (Life, Auto, and Health), including:
- Adding a reporting requirement to board oversight. The Current Regulation requires oversight of the governance structure and risk management framework by the board of directors or a committee of the board. Currently, there is no explicit requirement in the Current Regulation to report on the governance and risk management framework to the board, but the Draft Amendment proposes explicitly requiring that the framework be “guided by and reported regularly to the board.”
- Requiring clear explanations of adverse decisions. The Draft Amendment augments the requirement to have documented processes and protocols in place for addressing consumer complaints and inquiries about the use of ECDIS by requiring that such policies and protocols must provide consumers “with a clear explanation of an adverse decision and how ECDIS, or an algorithm or predictive model that used ECDIS, was used in making the decision.”
- Documenting descriptions for assessing risk. The Current Regulation requires a “documented rubric for assessing and prioritizing risks associated with the deployment of ECDIS.” The Draft Amendment revises this provision to require specifically “documented description of policies, procedures, and processes for assessing and prioritizing [such] risks.” (emphasis added)
- Replacing the annual governance and risk review cadence. The Current Regulation requires comprehensive annual reviews of the governance structure and risk management framework. The Draft Amendment no longer requires an annual review cadence but instead requires reviews “when there are any material changes to the governance structure and risk management framework or any new use of ECDIS, or algorithms and predictive models that use ECDIS.”
- Third-party oversight. Under the Current Regulation, the subject insurers remain responsible for ensuring that the governance and risk management framework requirements are met when using third-party vendors and other external resources with respect to ECDIS, including documenting a process for the selection and oversight of all external resources and third-party vendors. The Draft Amendment augments this obligation by also requiring that the documentation of third-party oversight must include an evaluation of adherence to the intended use of ECDIS, as well as any Models that utilize ECDIS. While the Draft Amendment does not specify, we believe that this new requirement is meant to evaluate the third party’s adherence to the insurer’s intended use of ECDIS.
Net New Governance and Risk Management Framework Requirements
The Draft Amendment establishes two new governance requirements: one applicable to insurers from all three insurance lines and the other applicable to Health Benefit Plan Insurers only.
- Evaluation for bias. Under the Draft Amendment, insurers from all three insurance lines are required to have a documented evaluation of “ECDIS for bias, disparities, representativeness, data quality, data validity and appropriateness for the intended purpose and steps taken to address and correct any data quality issues.” Whether all three insurance lines will be subject to the same testing requirements that the Division is currently contemplating in the Colorado Draft Testing Regulation remains to be seen. However, it may be impractical to apply the same testing and metrics to all three kinds of insurers without some modifications or additional changes to account for the differing contexts.
- Health care provider responsibility (Health Benefit Plan Insurers only). The Draft Amendment provides that Health Benefit Plan Insurers must make sure that providers working on their behalf are responsible for decisions made using ECDIS and the Models that utilize ECDIS. This requirement applies when such decisions are used to approve, modify or deny requests by a covered person for authorization prior to or concurrent with the provision of health care services. The Draft Amendment adopts the Colorado Health Care Coverage Act’s definitions of “provider,” which “means any physician, dentist, optometrist, anesthesiologist, hospital, X ray, laboratory and ambulance service, or other person who is licensed or otherwise authorized in this state to furnish health-care services” and “covered person,” which “means a person entitled to receive benefits or services under a health coverage plan.”
Timelines
Compliance
The Draft Amendment provides the following compliance timelines:
- Auto Insurers and Health Benefit Plan Insurers must have all components of their governance structure and risk management framework available upon the Division’s request by December 1, 2025.
- Life Insurers are currently required to have the existing components under the Current Regulation available upon the Division’s request. The Draft Amendment does not specify when Life Insurers would need to have the adjusted and net new components described above in place.
Reporting
The Draft Amendment requires interim progress and annual compliance reports as follows:
- Auto Insurers and Health Benefit Plan Insurers must submit an interim progress report on compliance with applicable governance requirements on June 1, 2025, and submit annual compliance reports beginning December 1, 2025.
- Life Insurers were required to submit an interim progress report on compliance with the existing governance and risk management requirements described above in June 2024 and an annual compliance report beginning in December 2024. The Draft Amendment does not state whether Life Insurers would need to provide an additional interim progress report for any adjusted or net new components.
Next Steps and Takeaways
The Division held an informal comment period for the Draft Amendment through December 13, 2024. We expect the Division to provide additional engagement opportunities, including stakeholder meetings and comment periods as the Draft Amendment progresses.
Some Auto Insurers and Health Benefit Plan Insurers in Colorado will likely have significant compliance and governance work to do to meet these obligations if they are adopted, and therefore should consider:
- Undertaking a gap analysis and compliance road map. Insurers that would be subject to the Draft Amendment should consider conducting a gap analysis between its requirements and their current AI and data governance and compliance program. This includes Life Insurers, which, as discussed above, have several new obligations. After the gap analysis, insurers should consider developing a road map to compliance. For some companies covered by the Draft Amendment, it may take significant time and resources to fully implement these requirements, so they may want to start early. And even insurance companies that are not subject to the Draft Amendment may consider conducting a gap analysis in anticipation that these rules, or similar ones, could be adopted by other regulators in the coming years or could come to be considered best practices for AI governance and compliance programs for insurers.
- Conducting a risk assessment. The Draft Amendment requires a documented description of policies, procedures, and processes for assessing and prioritizing risks associated with the deployment of ECDIS. Auto Insurers and Health Benefit Plan Insurers that have not yet engaged in this exercise should consider identifying their highest-risk uses of ECDIS to prioritize for review.
- Creating a cross-functional group. The Draft Amendment calls for the creation of a cross-functional group. Determining which representatives from “key functional areas” should be in the group, how often the group should meet, how it should determine what resources it needs, to whom it should report, how it should make decisions, and how its decisions should be implemented are all complicated considerations that will take time and discussion for those insurers that have not already created such a committee.
- Budget. Many of the obligations in the Draft Amendment could require some companies to significantly increase their compliance budgets and secure additional resources.
This publication is for general information purposes only. It is not intended to provide, nor is it to be used as, a substitute for legal advice. In some jurisdictions it may be considered attorney advertising.