On July 6, 2021, the Governor of Colorado signed Senate Bill 21-169 prohibiting insurers from using external consumer data and information sources (external data), as well as algorithms and models. predictive using external data (technology) in a way that unfairly discriminates on the basis of race, color, national or ethnic origin, religion, sex, sexual orientation, disability, gender identity or gender expression (protected status). Bill 21-169 notes that while these tools may simplify and speed up certain insurance practices, “the accuracy and reliability of external consumer data and information sources can vary widely, and some algorithms and predictive models may not be sufficiently justified to be used in insurance practices. “The new article 10-3-1104.9 comes into force on September 6, 2021 and the rules adopted by the Insurance Commissioner may not come into force before January 1, 2023.
Article 10-3-1104.9 requires the commissioner to adopt rules based on the different types of insurance and insurance practices, which is defined as “marketing, underwriting, pricing, management of use , reimbursement methodologies and claims management in the insurance transaction ”. To do this, the Commissioner is required to engage stakeholders and consider the factors and processes relevant to each type of insurance.
This means that insurers need to start their homework early so they can be ready to explain to the commissioner what data they are using; from whom the data is obtained; how it is used, including whether it is used as part of an algorithm or predictive model; and if the use of the data results in unfair discrimination as defined in article 10-3-1104.9 (8) (e).
Regulations required under article 10-3-1104.9
Based on information from stakeholders, the statutory auditor is required to adopt rules imposing reporting and governance obligations on insurers.
- Reporting rules – These rules should seek information on (i) the use by an insurer of external data in the development and implementation of the technology; (ii) how the insurer uses external data; and (iii) how the insurer uses the technology. Information must be reported by type of insurance and insurance practice.
- Governance rules – These rules should require insurers to (i) establish and maintain a reasonably designed risk management framework to determine, to the extent possible, whether the insurer’s use of external data and technology unfairly discriminates against a protected status; (ii) assess the risk management framework; and (iii) obtain certificates from agents regarding the implementation of the risk management framework.
In adopting the required rules, the statutory auditor must (i) consider the impact of any rule on the solvency of insurers; (ii) allow a reasonable period of time for insurers to remedy any impact of unfair discrimination of any technology employed; and (iii) provide a means by which insurers can use external data and technologies that the insurance division has found to be not unfairly discriminatory.
Questions raised by section 10-3-1104.9
As part of the rule-making process, insurers may want to raise a hand to ask questions about 10-3-1104.9. Some questions include:
What is unjust discrimination?
In response to industry concerns about the definition of unfair discrimination, Article 10-3-1104.9 (8) (e) imposes a three-part test:
The use of external data or technology correlates with protected status;
The correlation results in a disproportionately negative result for such protected status; and
The negative result exceeds the reasonable correlation with the underlying insurance practice, including losses and underwriting costs.
To better understand this three-pronged test, insurers attending stakeholder meetings should seek clarification. For example:
How is the correlation between the use of external data or technology and protected status determined?
How can an insurer test for correlation when Article 10-3-1104.9 (7) (a) makes it clear that insurers are not required to collect information regarding protected status from claimants or policyholders? During the NAIC (EX) Special Committee on Race and Insurance at the NAIC 2021 National Summer Meeting, Colorado Commissioner Michael Conway noted that insurers do not need to collect data. specific race to be able to test for discriminatory results, and Colorado will expect insurers to do such tests.
How is a negative protected status score determined and then quantified to determine if it exceeds a reasonable correlation?
What is a reasonable correlation to determine what exceeds such a correlation?
What is “to the extent possible”?
An insurer’s risk management framework should be reasonably designed to determine, to the extent possible, whether the insurer’s use of external data and technology unfairly discriminates against protected status.
The terminology “to the extent possible” has been added in response to concerns from insurers that they may not have the tools to design the risk management framework. As the Commissioner considers rule-making, insurers may wish to ask whether “to the extent possible” will take into account:
The size of the insurer or the amount of business for a particular type of insurance that the insurer carries out.
The fact that the insurer does not have the information necessary to assess whether a third-party vendor’s technology uses external data. And what if the third party vendors refuse to share the information.
What do we mean by algorithm?
Article 10-3-1104.9 (8) (a) defines an algorithm as “a process of calculation or machine learning which informs human decision-making in insurance practices”. However, this broad definition leaves insurers wondering if the term “algorithm” would be interpreted to even include the use of simple computer programs such as Excel or other automation tools in connection with traditional underwriting. How far does the definition go?
What is external data?
Section 10-3-1104.9 (8) (b) (I) defines external data as “data or a source of information that is used by an insurer to supplement traditional underwriting or other underwriting practices. insurance or to establish lifestyle indicators that are used in insurance practices. “Section (8) (b) (I) gives the following examples: credit scores, social media habits, locations, social media habits, purchase, property, education, occupation, license to practice, civil judgments and court records. However, many of these data points and other “lifestyle indicators” are obtained directly from the consumer as part of the process. Before the final exam, insurers may wish to attend office hours to understand:
What do we mean by traditional subscription?
Sections 10-3-1104.9 (7) (b) (II) and (IV) state that insurers are not required to test “traditional underwriting factors used for the sole purpose of determining insurable interest or eligibility. coverage ”or“ long-standing and well-established industry standard claims settlement practices or traditional underwriting practices ”, unless they are included in the tests performed by the insurer on its use of technology. But the following questions remain:
What are traditional underwriting factors and traditional underwriting practices? Are traditional factors and practices in an electronic medium or process now considered non-traditional?
If traditional underwriting factors and practices are bundled with an insurer’s use of technology, what is really exempt from having to be tested?
How insurers can start preparing for class
Start listing the data used, from whom the data is obtained and how it is used, including whether it is used as part of an algorithm or predictive model, for each type of insurance issued by the insurer and for each insurance practice for which the data is used. This includes seeking information from the insurer’s marketing, product design, underwriting, administrative, claims and fraud units. Insurers need to have a bird’s eye view of the data, algorithms, and predictive models to make sure anything that might be looked at by Colorado is taken into account.
Notify insurer’s Marketing, Product Design, Underwriting, Administrative Services, Claims and Fraud units that subject matter experts from different business units will be required for consultation as the Colorado Department of Insurance arranges meetings with stakeholders and develop governance around the use of data, algorithms, and predictive models.
Examine third party contracts to determine the rights of the insurer (i) to obtain information about the data used and the construction and operation of any algorithms and predictive models and (ii) to require the cooperation of the third party in the face of regulatory review. In addition, these rights and obligations should be incorporated into any new contract with third parties.
Start defining a plan to meet the reporting and governance rules described above. This includes determining how the different business units will coordinate to compile the information required to report, as well as how each business unit will participate and be accountable for the ongoing requirements of the risk management framework to be developed.