AITC Comments on Colorado Draft Regulation regarding use of AI in Life Insurance
March 8, 2023
The Honorable Michael Conway, Commissioner
Colorado Division of Insurance
Colorado Department of Regulatory Agencies
1560 Broadway, Suite 850
Denver, CO 80202
Re: Proposed Draft Regulation Regarding Governance and Risk Management Framework Requirements for Life Insurance Carriers’ Use of External Consumer Data and Information Sources, Algorithms, and Predictive Models
Commissioner Conway:
The American InsurTech Council (AITC) is an independent advocacy organization dedicated to advancing the public interest through the development of ethical, technology-driven innovation in insurance.
We appreciate the opportunity to provide comments to the Proposed Draft Regulation Regarding Governance and Risk Management Framework Requirements for Life Insurance Carriers’ Use of External Consumer Data and Information Sources, Algorithms, and Predictive Models (“Draft Proposed Regulation”), being developed pursuant to CO Code §10-3-1104.9 (2021) (the “statute”). We recognize the considerable time and effort that you and your staff have dedicated to this important project throughout the stakeholder process.
AITC strongly supports the development of appropriate regulatory frameworks and standards governing the use of artificial intelligence, machine learning and predictive analytics (collectively, “AI”) by insurance carriers and other licensed entities engaged in the business of insurance in the U.S. We believe that a balanced, risk based approach to insurance carrier use of AI is the most effective way to ensure ethical and appropriate use of AI, protection of important consumer interests, while providing for meaningful regulatory oversight.
Regulatory standards should establish clear guidance and expectations for company use of AI, including the core components of a risk management framework for companies to use in the design and implementation of a program that will be best suited to their particular needs and the various AI use cases being utilized at the time. A governance and risk management framework should be tailored to a company’s specific needs and risk environment that takes into account how that company is utilizing AI, for what purposes, and the risk(s) posed by each specific use case. At the same time, the regulatory framework should be flexible, meaning that it is capable of being applied to new developments in AI use cases as they develop. Care should be taken to avoid overly prescriptive requirements that can never satisfactorily anticipate future development and may impede the development of the sort of robust governance and risk management program that was intended.
Turning to the Draft Regulation, we offer the following comments.
1. The standard of care described in the Draft Regulation appears to be inconsistent with the standard set forth in the statute. In section 3.b.III of the statute, the legislature requires a company utilizing ECDIS to develop and maintain a risk management framework that is “reasonably designed to determine, to the extent practicable, whether the insurer’s use of [ECDIS] …. unfairly discriminates” based upon criteria specified in the law. CO Code §10-3-1104.9 (3)(b)(III).
The standard described in Section 5.A of the Draft Regulation for a company’s risk management framework requires a determination that the use of ECDIS “in any insurance practice does not result in unfair discrimination” (emphasis added). Further, in subsection 5(A)(1)(b), carriers’ governing principles are required to “ensure” that the use of ECDIS do not result in unfair discrimination.
We respectfully suggest that these standards are not the same. The Draft Regulation requires a level of certainty that an insurer’s use of ECDIS does not result in unfair discrimination that does not appear in the statute. We are concerned that the presence of inconsistent standards will lead to unnecessary confusion and interpretive disputes involving whether a company’s actions in a particular situation satisfies (or not) the legislative intent. This can be easily avoided by modifying the language in the Draft Regulation to mirror the standard set forth in the statute.
2. Section 3(c)(I) of the statute requires inclusion of a safe harbor provision in the regulation, permitting carriers a “reasonable period of time … to remedy any unfairly discriminatory impact in an algorithm or predictive model …” We are unable to identify the intended provision in the Draft Regulation. Providing the opportunity for carriers to self-correct errors that involve a discriminatory impact is an essential component of an effective governance and risk management framework for the use of AI and predictive analytics.
3. Maintaining proper documentation is a core component of any governance and risk management program. Several of the requirements contained in Section 6, however, are unclear and/or are unreasonably broad in scope.
a. Section 6(A)(5). A clear description of what is intended by “input and output” of the model would be helpful. Depending upon that clarification, we would ask that consideration be given to whether this request is already covered by one or more of the other items.
a. Section 6(A)(6). Use of the term “any” in this context is highly problematic and inconsistent with the legislature’s intended standard of care discussed above. An insurer should only be held accountable for what can be known following a reasonably diligent inquiry. We request a modification of this section to align with the statute’s intended standard of care.
b. Section 6(A)(12). Requiring documentation of “[A]ll decisions made regarding the use of ECDIS” is extremely broad and raises significant concerns. With respect to any business process, numerous decisions are made on a regular if not daily basis. Some of those decisions are consequential to the end product, while others are not. The legitimate concern for regulators is having the ability to understand the decisions made by the company that had the most consequential impact on the company’s use of ECDIS. Companies also have a clear self interest in ensuring that major decisions and the underlying process supporting those decisions are properly documented. Modifying this section to clarify that the documentation requirements should reflect the company’s decision making process regarding the use of ECDIS would clarify the intent while ensuring that regulators have access to the information needed to conduct appropriate oversight.
Our final comment relates to very significant concerns about protecting the confidentiality and intellectual property of insurance carriers and third party providers including algorithms, predictive models and use of ECDIS. Section 3(d) of the statute specifically provides that all information provided to the commissioner or in the possession of the commissioner related to an insurance carrier’s use of ECDIS shall be recognized as proprietary and containing trade secrets, and not subject to disclosure under the Colorado Open Records Act or any similar provision under Colorado law. We appreciate the legislature’s clear intention to protect the confidentiality of this highly sensitive and proprietary information.
We have every confidence of DORA’s desire to protect the information in its possession. Nonetheless, there are very significant risks to DORA associated with taking physical possession of algorithms, predictive models, and other information including highly detailed descriptions of companies’ use of ECDIS. Cyber risk or theft would be just a couple of examples. Further, it is foreseeable that in some instances DORA will utilize outside experts to analyze information that has been provided. In those cases disclosure of highly sensitive information would almost certainly be made to those third parties, raising additional concerns.
We recognize that state insurance regulators routinely maintain confidential and sensitive financial and other information collected from insurance carriers. We respectfully suggest, however, that much of the information that will be collected under the statute and regulation represents unique risks and value that differ materially from other, routinely collected information. We expect that DORA has also considered these issues and is developing its own risk management program to ensure protection of all information that comes into its possession. We believe that it would be helpful at the appropriate time for DORA to inform licensees and others whose information will be collected how it intends to manage and mitigate those risks.
Thank you again for the opportunity to address our comments.
Respectfully Submitted,
Scott R. Harrison
Co-Founder, American InsurTech Council