On September 21, 2023, the Colorado Division of Insurance (the "CDI") adopted a first-of-its-kind regulation (the "Regulation") in the US establishing governance and risk management requirements for life insurers that use external consumer data and information sources ("ECDIS") or algorithms or predictive models that use ECDIS. The Regulation will become effective on November 14, 2023, and life insurers will have until December 1, 2024 to establish the governance structure and risk management framework required by the Regulation; however, an interim progress report must be provided by life insurers to the CDI by June 1, 2024.

Focus on Governance and Risk Management Framework

The Regulation requires life insurers authorized to do business in Colorado to establish and maintain a risk-based governance structure and risk management framework to (1) oversee whether the life insurers' use of ECDIS and algorithms and predictive models that use ECDIS potentially results in unfair discrimination with respect to race, and (2) remediate such unfair discrimination if detected. The requirements for the governance structure and risk management framework focus heavily on creating documented policies, procedures, systems, and controls to detect and address unfair discrimination. For example, life insurers are required to maintain an up-to-date inventory of all ECDIS and algorithms and predictive models that use ECDIS. The inventory must include a detailed description of each ECDIS, algorithm or predictive model, its stated purpose, and the outputs generated through its use.

Multiple Levels of Organizational Oversight

The Regulation tasks various internal stakeholders with implementing and overseeing the governance structure and risk framework for a life insurer. Senior management is responsible for setting and monitoring the overall strategy for the use of ECDIS and algorithms and predictive models that use ECDIS. A cross-functional governance group composed of representatives from key functional areas must be established to support implementation. Finally, the governance structure and risk management framework must ultimately be overseen by a life insurer's board of directors or a committee thereof.

Oversight of Use of Third-Party Vendors

The Regulation also addresses life insurers' use of third-party vendors and other external resources for ECDIS and algorithms and predictive models that use ECDIS by providing that life insurers remain responsible for ensuring compliance with their established governance structure and risk management framework, which must include a process for the selection and oversight of all external resources and third-party vendors.

Reporting

Life insurers using ECDIS or algorithms or predictive models that use ECDIS must file an annual report with the CDI by December 1 (beginning in 2024) that summarizes their compliance with their governance structure and risk management framework, including listing the title and qualifications of each individual responsible for ensuring such compliance along with the specific requirements of the governance structure and risk management framework for which that individual is responsible. In advance of that date, such life insurers will need to file a report with the CDI by June 1, 2024 describing their progress towards setting up the governance and risk management framework and identifying any difficulties encountered and the expected completion date. Life insurers that do not use ECDIS or algorithms or predictive models that use ECDIS must attest to that fact by December 14, 2023 and annually by December 1 thereafter; however, such life insurers will need to submit a report to the CDI in advance of beginning to use ECDIS or algorithms or predictive models that use ECDIS.

Documents or materials disclosed by a life insurer to the CDI under the Regulation will be entitled to confidential treatment under Colorado's insurance law.

Additional Comments

The final Regulation resulted from a rulemaking process conducted by the CDI over the course of 2023. The first draft of the Regulation had a broader scope and more extensive requirements. Based on feedback from the relevant constituencies including industry members and groups, the final Regulation has a more focused scope than what was initially proposed with a clear focus on unfair discrimination based on race.

As the Regulation applies to all life insurers authorized to do business in Colorado, its requirements are expected to apply to a broad swath of the US life insurance industry. The Regulation is expected to be followed by similar regulations in Colorado for other lines of business. In addition, other US states are also considering potential new laws, regulations and regulatory guidance on the use of artificial intelligence by insurers.

© Copyright 2023. The Mayer Brown Practices. All rights reserved.
