AITC Comments: Big Data and Artificial Intelligence (H) Working Group Exposure Draft: Workstream #2 Model and Data Regulatory Questions
February 13, 2023
Superintendent Elizabeth Kelleher Dwyer
Chair, Big Data and Artificial Intelligence (H) Working Group
National Association of Insurance Commissioners
1100 Walnut Street, Suite 1500
Kansas City, MO 64105
Commissioner Doug Ommen
Co-Vice Chair, Big Data and Artificial Intelligence (H) Working Group
National Association of Insurance Commissioners
1100 Walnut Street, Suite 1500
Kansas City, MO 64105
Re: Big Data and Artificial Intelligence (H) Working Group Exposure Draft: Workstream #2 Model and Data Regulatory Questions
Superintendent Dwyer & Commissioner Ommen:
The American InsurTech Council (AITC) is an independent advocacy organization dedicated to advancing the public interest through the development of ethical, technology-driven innovation in insurance.
This letter responds to a request for comments to the Big Data and Artificial Intelligence (H) Working Group Exposure Draft: Workstream #2 Model and Data Regulatory Questions (the “Questionnaire”). We appreciate the opportunity to submit these comments.
AITC strongly supports the efforts of state insurance regulators and the National Association of Insurance Commissioners (NAIC) to develop appropriate regulatory frameworks and standards governing the use of artificial intelligence (AI), machine learning and predictive analytics (collectively, “AI”) by insurance carriers and other licensed entities engaged in the business of insurance in the U.S.
We appreciate the considerable work and effort that has already taken place, and look forward to working with the Big Data and Artificial Intelligence (H) Working Group and the NAIC on the development of an appropriate regulatory framework concerning the use of AI in insurance.
AITC agrees that it is important for regulators to increase their understanding of how insurance carriers and other licenses are currently using AI. We believe that deeper familiarity and increased understanding of how AI is being used, as well as how it is not being used, are vital to the development of a balanced regulatory framework that protects consumers while ensuring that the benefits of AI are realized in the near, medium and long term.
AITC believes that a regulatory framework should be balanced and risk-based, marked by key principles, including:
1. Employs clear principles and expectations related to governance, testing and ongoing monitoring of AI.
2. Promotes ethical use of AI that addresses the following priorities for consumer protection:
a. Consumer privacy
b. Surveillance
c. Transparency
d. Bias
e. Automation
3. Utilizes a risk-based approach to AI governance.
4. An insurer’s governance and risk management framework should take into account how the company is utilizing AI and for what purposes, and the risk(s) posed by each specific use case.
5. Regulatory standards, disclosure requirements and regulatory oversight should be calibrated to the risk associated with a particular use case.
6. Highly confidential and proprietary intellectual property should be protected.
7. The framework must be durable, meaning that is capable of being adapted to new developments in digital technology as they occur.
We have a deep appreciation of the complexities associated with developing a governance framework and regulatory standards for insurer use of AI and other emerging technologies. We understand regulators’ concerns about insurer use of AI, and the desire to increase understanding of how AI is currently being used. The use of questionnaires that focus on specific AI use cases can play an important part in improving regulator understanding.
Our comments regarding the Questionnaire are intended to further the dialogue about the most effective approach for regulators to obtain the information they need in a way that is as efficient a way as possible and respects vitally important intellectual property rights. The comments expressed below reflect questions about the particular approach represented here; not the goal or desired end result. At the end of this letter we recommend for consideration an approach that the NAIC has utilized successfully in the past to gather information about how technology is impacting the insurance industry and consumers that was used to develop a framework for regulatory oversight.
1. Our first comment relates to the intended scope of the Questionnaire, which states that it “contains questions that regulators can ask about any models and data used by insurance companies, whether that model or data is developed internally or obtained from external sources” (emphasis added). This statement is not clear and could be read to apply virtually every use case for AI that an insurance carrier might be using, including general business operations, HR, telecommunications, and more. Clarification of the intended scope would be helpful.
2. We recognize that a purpose of the Questionnaire is to facilitate regulators’ study of companies’ AI models and data. It is not clear, however, whether these questions are intended for use by states on a one time basis, an annual basis, or some other schedule. Given the highly detailed nature of many of the questions and the amount of time and effort that companies would be required to expend to prepare responses, clarification on this point would be helpful.
3. We have very significant concerns with requiring insurers to disclosure highly confidential and proprietary information, including the intellectual property of third party vendors, their contractual agreements with third party vendors, and other proprietary information. The Questionnaire does not state the underlying basis for states to request this information from third parties, or planned steps to guarantee strict confidentiality of the information provided. While regulators’ desire for insight into the inner workings of models that companies are currently using is appreciated, mandatory disclosure of proprietary information by third parties raises legitimate legal and other considerations that should also be considered. We note that in other contexts, such as privacy and data security, the NAIC has taken the approach of placing the responsibility of third party compliance on the shoulders of the insurance carrier. We suggest that consideration be given to a similar approach in this instance.
4. Providing meaningful responses to the Questionnaire would require enormous expenditures of time, financial expense and opportunity cost. We question whether smaller and medium sized insurers possess the staffing that would be needed to comply. Similarly, many of the AI development firms are small businesses with very limited staffing. It is not difficult to see how those firms would be overwhelmed by having to produce multiple responses to the Questionnaire for multiple customers/insurers.
5. Even if insurers and their vendors were able to provide comprehensive responses to the Questionnaire, it is not clear how this would provide meaningful insight into company practice across all respondents. Insurance departments also have very limited resources and may lack the technical expertise to conduct a meaningful analysis. Utilizing third parties to review company responses raises an entirely different set of concerns involving exposure of highly confidential intellectual property.
As an alternative to the Questionnaire, AITC recommends considering an approach to improving their understanding of industry use of AI in the same or similar way that was taken several years ago when regulators sought to gain a better understanding of industry cybersecurity risk and more specifically, how those risks varied from company to company. That effort produced meaningful information that regulators used to fast track development of the NAIC’s current approach to monitoring the effectiveness of carrier’s cybersecurity risk management program. We believe that a similar approach could be utilized in this instance. We welcome the opportunity to discuss this in more detail with the Working Group at the appropriate time.
Thank you again for the opportunity to comment.
Respectfully Submitted,
Scott R. Harrison
Co-Founder, American InsurTech Council