Locke Lord QuickStudy: Colorado Insurance Division Adopts ‎Proposed Algorithm and Predictive Model Governance ‎‎Regulation ‎

On September 21, 2023, the Colorado Insurance Division adopted Regulation 10-1-1 entitled “Governance and Risk Management Framework Requirements for Life Insurers’ Use of External Consumer Data and Information Sources, Algorithms, and Predictive Models” effective on November 14, 2023. The new regulation applies to all life insurers authorized to do business in Colorado. Insurers must submit a report on June 1, 2024 “summarizing the progress made towards complying with the requirements specified in Section 5 including identifying the areas still under development, any difficulties encountered, and expected completion date.” The new regulation states that:

Life insurers that use ECDIS, as well as algorithms and predictive models that use ECDIS in any insurance practice, must establish a risk-based governance and risk management framework that facilitates and supports policies, procedures, systems, and controls designed to determine whether the use of such ECDIS, algorithms, and predictive models potentially result in unfair discrimination with respect to race and remediate unfair discrimination, if detected.

“External Consumer Data and Information Source” or “ECDIS” means, for the purposes of this regulation, a data or an information source that is used by a life insurer to supplement or supplant traditional underwriting factors or other insurance practices or to establish lifestyle indicators that are used in insurance practices. This term includes credit scores, social media habits, locations, purchasing habits, home ownership, educational attainment, licensures, civil judgments, court records, occupation that does not have a direct relationship to mortality, morbidity or longevity risk, consumer-generated Internet of Things data, biometric data, and any insurance risk scores derived by the insurer or third-party from the above listed or similar data and/or information sources.

The regulation details the various components to the risk management framework that must be documented. If an insurer uses third party vendor artificial information systems, then it must ensure that the third party vendor is in compliance with the regulation.

Finally, the insurer also must comply with reporting requirements under the new regulation, including an annual report of its compliance beginning on December 1, 2024 and annually thereafter. However, “Insurers that do not use ECDIS or algorithms and/or predictive models that use ECDIS are exempt” but must submit an officer attestation to that effect on December 1 each year.

All documents disclosed to the Division will be considered confidential under § 10-3-1104.9(3)(d), C.R.S.

Please feel free to contact the authors of this article if you have any questions.