Navigating Colorado’s SB21-169 new and revised algorithm and predictive model governance regulation for life insurers

The recent, rapid expansion of big data has transformed the insurance industry and has shown that it has the potential to increase efficiencies and benefit insurers and consumers alike. However, the unchecked use of big data can unintentionally result in harm to protected groups. To combat this, Colorado has introduced Senate Bill (SB) 21-169, which aims to protect consumers from insurance practices that result in unfair discrimination on the basis of race, color, national or ethnic origin, religion, sex, sexual orientation, disability, gender identity or gender expression. Insurers in the state may soon be held accountable for testing their big data systems to ensure they are not unfairly discriminating against consumers on the basis of a protected class, and are required to address any concerns as they arise.

What is the regulation, status and who does it apply to?

The Division of Insurance at Colorado’s Department of Regulatory Agencies recently introduced a revised version of the proposed Algorithm and Predictive Model Governance Regulation that significantly impacts the governance and risk management requirements for life insurers. This regulation specifically targets insurers that utilize external consumer data and information sources (ECDIS), as well as algorithms and predictive models that incorporate ECDIS.

The regulation, which applies to all life insurers authorized to operate in Colorado, mandates the establishment of a risk-based governance and risk management framework. This framework is designed to ensure that the use of ECDIS, algorithms and predictive models does not result in unfair discrimination, particularly with respect to race.

The governance and risk management framework outlined in the regulation mandates life insurers using ECDIS, algorithms and predictive models to:

  1. Formulate governing principles: Document guiding principles to prevent unfair discrimination in the use of ECDIS, algorithms and predictive models.
  2. Ensure oversight: The board of directors or a suitable committee should oversee the risk management framework, with senior management responsible for setting strategy and monitoring performance.
  3. Create a cross-functional team: Establish a team from key functional areas to oversee the use of these tools.
  4. Develop policies and training: Create written policies for the design, use and monitoring of these tools, including a training program for relevant personnel.
  5. Handle consumer complaints: Implement processes to address consumer complaints and inquiries about the use of these tools.
  6. Assess risks: Develop a system for assessing and prioritizing risks associated with these tools, considering consumer impacts.
  7. Maintain an inventory: Keep an updated inventory of all used ECDIS, algorithms and predictive models, documenting any changes.
  8. Conduct testing and monitoring: Document testing conducted to detect unfair discrimination and monitor the performance of algorithms and predictive models.
  9. Manage external resources: Document the process used for selecting third-party vendors supplying ECDIS, algorithms and/or predictive models, and ensure compliance with all regulatory requirements.
  10. Review regularly: Conduct regular reviews of the governance structure and risk management framework, updating documentation as needed.

What has changed since the initial draft regulation in February 2023?

The updated draft regulation for life insurers has been pared down from the initial version released in February. Most notably, the updated draft no longer emphasizes "disproportionately negative outcomes," which would have included results or effects that "adversely impact a group" with protected characteristics "even after considering factors that define similarly situated consumers." Instead of this term, the updated draft pivots to requiring "risk-based" governance and management frameworks. This shift is substantial – it not only brings the updated draft in line with conventional insurance regulation, but also signifies a pragmatic, progressive advancement for such regulation.

However, despite being less demanding than the initial draft, the updated version still imposes significant obligations on life insurers. These include mandates for life insurers to set up risk-based frameworks for the utilization of ECDIS in any insurance practice including claims, ratemaking and pricing. Furthermore, the regulation necessitates the execution of these frameworks concerning any algorithms and predictive models that use or depend on ECDIS.

What kind of documentation and reporting is required?

The regulation outlines comprehensive reporting requirements. Insurers using ECDIS, algorithms and predictive models must submit a narrative report to the Division, summarizing their progress towards compliance with the regulation's requirements. Conversely, insurers that do not use ECDIS or algorithms and predictive models are exempt from these requirements but must submit an attestation to that effect.

What happens in the event of noncompliance?

The regulation stipulates that sanctions may be imposed, including civil penalties, cease and desist orders, and/or suspensions or revocations of license, subject to the requirements of due process.

What is the current status of the regulation?

The regulation is still in draft and proposed status. The Division has released a revised version of the DRAFT PROPOSED Algorithm and Predictive Model Governance Regulation (Version 5/26/23), and was seeking comments prior to its recent June 8, 2023 meeting. Information can be found here: SB21-169 - Protecting Consumers from Unfair Discrimination in Insurance Practices | DORA Division of Insurance (colorado.gov)

  1. Understand the regulation: Familiarize yourself with the definitions and requirements of the regulation. Understand what constitutes ECDIS, algorithms, and predictive models, and how they are used in your organization.
  2. Establish a governance and risk management framework: Develop a comprehensive framework that includes principles, responsibilities, a cross-functional committee, roles and responsibilities, policies and processes, training, controls, protocols for consumer complaints, a plan for unintended consequences, and the use of external audits.
  3. Maintain comprehensive documentation: Keep detailed records of all ECDIS, algorithms, and predictive models in use, including those supplied by third-parties. This should include an inventory, results of annual reviews, a system for tracking changes, descriptions of testing, limitations, ongoing monitoring, datasets used, how predictions are made, potential risks and impacts, the process for selecting external resources, and all decisions made regarding the use of ECDIS and algorithms.
  4. Prepare for reporting requirements: Plan for the submission of reports to the Division summarizing your progress towards compliance with the requirements specified in the regulation. These reports are due six months following the effective date of the regulation and annually thereafter.
  5. Plan for potential noncompliance: Understand the potential consequences of noncompliance, including civil penalties, cease and desist orders, and/or suspensions or revocations of license. Ensure that your organization has a plan in place to address any potential noncompliance issues.

Is your insurance organization properly equipped to effectively and efficiently capitalize on the mountains of data available to you? At Baker Tilly Digital, we help our clients derive new value from their data, whether it’s through advanced machine learning, data visualization or working to implement new data processes. Access a wealth of information on data solutions provided by Baker Tilly’s digital and financial services specialists.

John Romano
Partner