What is the Colorado AI Insurance Law? A Detailed Guide to SB21-169

High-Level Summary

Colorado’s “Protecting Consumers from Unfair Discrimination in Insurance Practices” (SB21-169) aims to prevent unfair discrimination in insurance practices through the use of external consumer data and information sources (ECDIS), algorithms, and predictive models.

The core concepts of this legislation are:

1. Prohibition of Unfair Discrimination: Insurers are prohibited from engaging in unfair discrimination based on protected characteristics such as race, color, national or ethnic origin, religion, sex, sexual orientation, disability, gender identity, or gender expression. This ensures insurance practices do not disproportionately harm individuals based on these attributes.

2. Implementation of Governance and Risk Management Frameworks: Insurers must develop comprehensive governance programs that include policies for the usage, testing, evaluation, and oversight of ECDIS and algorithms. This framework aims to ensure transparency and accountability in managing the risk of unfair discrimination.

3. Reporting and Compliance Requirements: Insurers must regularly report their use of ECDIS and algorithms to the state’s Insurance Commissioner and demonstrate compliance with the law. This includes submitting progress and compliance reports by specified deadlines.

4. Quantitative Testing Requirements: Insurers must conduct quantitative testing to detect any unfair discrimination in their algorithms and predictive models. The Division of Insurance prescribes methods to infer race and ethnicity for testing purposes without directly collecting racial data from policyholders.

As AI quickly integrates into various aspects of life and business, the need for comprehensive frameworks to manage its use, deployment, and implications becomes increasingly critical.

FairNow is honored to play a crucial role in preparing companies for this future, ensuring they’re compliant today and ready for tomorrow’s regulatory landscapes.

Colorado SB21-169 Scope

The law applies to insurers who sell to Colorado residents and use external data sources. The law does not apply to title insurance, bonds issued by qualified surety companies, or insurers issuing commercial insurance policies (except for those issuing business owners’ policies with premiums of $10,000 per year or more).

The law defines “external data sources” as a data or an information source that is used by an insurer to supplement or supplant traditional underwriting factors or other insurance practices.

The law defines “algorithms” as a computational or machine learning process that informs human decision making.

Compliance Requirements of SB21-169

The law imposes several compliance requirements:

Note: The requirements will be developed for each class of insurance in a stakeholder engagement process (including insurers and consumer representatives). The requirements will lay out what is required for that class of insurance to demonstrate that its use of external data sources and algorithms using external data sources is not unfairly discriminatory.

Generally, however, insurers are subject to the following requirements:

• Insurers are prohibited from unfair discrimination on the basis of race, color, national or ethnic origin, religion, sex, sexual orientation, disability, gender identity, or gender expression.
• Insurers must declare to the state’s Insurance Commissioner what sources of external consumer data are used in their algorithms and how the data is used.
• Insurers must develop a risk management framework to determine to what extent their external data sources and algorithms discriminate against consumers.
• Insurers must comply with additional requirements for information if the Commissioner chooses to investigate the insurer’s use of algorithms and external data sources.

Unfair discrimination happens when similar risks are treated differently and premiums are based not on relative risk but on factors like race.

For example, auto insurers can set higher rates for younger drivers than older but only if they are able to demonstrate the former group is truly higher risk.

Specific Requirements for Life Insurance Underwriting

The rules for Life Insurance Underwriting (Regulation 10-1-1) have been adopted and will go into effect November 14, 2023 and companies will have until December 1st, 2024 to build out their governance program.

In addition to the requirements listed above, life insurers using external data sources must:

1) Develop a governance program and risk management structure overseen by the board of director that covers:

• Policies related to the companies usage, testing, evaluation and oversight of external data sources and downstream algorithms and how the company tests for unfair discrimination
• The development of a cross-functional governance group
• A rubric by which risks associated with external data sources and downstream algorithms can be assessed and prioritized
• An inventory of all external data sources and their usage, including previous versions of the data source
• How the company assesses and vets third party data providers
• An annual evaluation of the governance structure, making adjustments where warranted

2) Submit to the Insurance Commissioner a report stating the company’s progress in meeting these requirements by June 1st, 2024, and a report summarizing compliance with the law by December 1st, 2024.

3) Conduct quantitative testing for unfair discrimination of their algorithms according to requirements defined by the state. (Note: These requirements are currently being drafted and have not yet been finalized.)

Given that none of the above requirements specifically relate to life insurance, the requirements for other insurance classes may be similar.

Non-Compliance Penalties

Failure to comply with this regulation can result in penalties, including the imposition of civil penalties, issuance of cease and desist orders, and/or suspensions or revocations of the insurer’s license.

Status

The bill was signed in July 2021. Requirements will be rolled out for all different classes of insurance as they are defined and approved.

The requirements for Life Insurance Underwriting have been adopted; companies are expected to have submitted a progress update to the state Division of Insurance by June 1st, 2024 and will be required to demonstrate compliance of their governance program by December 1st, 2024. 

Colorado is currently working to define requirements for private passenger auto insurance and has started stakeholder meetings regarding health insurance.

How Can Companies Ensure Compliance with SB21-169?

Drawing from our work in AI governance and compliance, we’ve observed how leading insurance companies are adapting to SB21-169.