Section 1 - Description
Section 2 - Scope
Section 3 - Requirements
Section 4 - Penalties
Section 5 - Status
The bill, signed into law in July 2021, will require insurers to develop governance programs that evaluate their external data sources, and the algorithms that use such data, for bias.
The law applies to insurers who sell to Colorado residents and use external data sources. The law does not apply to title insurance, bonds issued by qualified surety companies, or insurers issuing commercial insurance policies (except for those issuing business owners’ policies with premiums of $10,000 per year or more).
The law defines “external data sources” as a data or information source that is used by an insurer to supplement or supplant traditional underwriting factors or other insurance practices.
The law defines “algorithms” as a computational or machine learning process that informs human decision making.
The requirements will be developed for each class of insurance in a stakeholder engagement process (including insurers and consumer representatives). The requirements will lay out what insurers in that class must do to demonstrate that their use of external data sources, and of algorithms using external data sources, is not unfairly discriminatory.
Generally, however, insurers are subject to the following requirements:
- Insurers are prohibited from unfair discrimination on the basis of race, color, national or ethnic origin, religion, sex, sexual orientation, disability, gender identity, or gender expression.
- Insurers must declare to the state’s Insurance Commissioner what sources of external consumer data are used in their algorithms and how the data is used.
- Insurers must develop a risk management framework to determine to what extent their external data sources and algorithms discriminate against consumers.
- Insurers must comply with additional requirements for information if the Commissioner chooses to investigate the insurer’s use of algorithms and external data sources.
Unfair discrimination happens when similar risks are treated differently and premiums are based not on relative risk but on factors like race. For example, auto insurers can set higher rates for younger drivers than for older drivers, but only if they are able to demonstrate the former group is truly higher risk.
The rules for Life Insurance Underwriting have been adopted and will go into effect November 14, 2023, but companies will have until December 2024 to build out their governance program.
In addition to the requirements listed above, life insurers using external data sources must:
- Develop a governance program and risk management structure overseen by the board of directors that covers:
  - Policies related to the company’s usage, testing, evaluation and oversight of external data sources and downstream algorithms and how the company tests for unfair discrimination
  - The development of a cross-functional governance group
  - A rubric by which risks associated with external data sources and downstream algorithms can be assessed and prioritized
  - An inventory of all external data sources and their usage, including previous versions of the data source
  - How the company assesses and vets third party data providers
  - An annual evaluation of the governance structure, making adjustments where warranted
- Satisfy the following reporting requirements:
  - Submit to the Insurance Commissioner a report stating the company’s progress in meeting these requirements by June 1st, 2024, and a report summarizing compliance with the law by December 1st, 2024.
Given that none of the above requirements specifically relate to life insurance, it’s possible that the requirements for other insurance classes will be similar.
Failure to comply with this regulation can result in penalties including the imposition of civil penalties, issuance of cease and desist orders, and/or suspensions or revocations of the insurer’s license.
The bill was signed in July 2021. Requirements will be rolled out for all different classes of insurance as they are defined and approved. The requirements for Life Insurance Underwriting have been adopted; companies will be required to demonstrate compliance of their governance program by December 2024.