Colorado Releases Draft “Algorithm and Predictive Model Governance Regulation”

Summary
The Colorado Division of Insurance released its draft “Algorithm and Predictive Model Governance Regulation,” which would require state-licensed life insurance companies to detail their inventory of AI models, create governance principles for those systems and mandate transparency reports disclosing how the models have been tested to limit bias. The comment period for the rules, which are poised to be the first in the nation to govern AI, closed on March 7.
Life insurers that use External Consumer Data and Information Source (ECDIS), as well as algorithms and predictive models using ECDIS, must establish a governance and risk management framework that facilitates and supports policies, procedures, and systems designed to determine whether the ECDIS are credible in all material respects and that their use in any insurance practice does not result in unfair discrimination.
If an insurer uses third-party vendors and other external resources with respect to ECDIS, or algorithms and predictive models that use ECDIS, the insurer remains responsible for ensuring all regulatory requirements are met, including the production of any documents or information that the Division deems necessary to ensure compliance with regulatory requirements, and must establish a process for the selection and oversight of all external resources and third-party vendors.
Life insurers must maintain comprehensive documentation for their use of all ECDIS and algorithms and/or predictive models that use ECDIS, including all ECDIS, algorithms, and predictive models supplied by third parties. Insurers must conduct regular reviews and updates to the documentation to ensure accuracy. The documentation must be easily accessible to appropriate insurer personnel and available upon request by the Division.
Insurers must submit to the Division a report summarizing the progress made toward complying with these process and documentation requirements. Insurers must submit a report demonstrating compliance with these requirements one year following the effective date of this regulation and another report every two years. Insurers that do not use ECDIS or algorithms and/or predictive models using ECDIS are exempt from these requirements and must submit to the Division, within one month of the effective date of this regulation and annually thereafter, an attestation signed by an officer indicating that the insurer does not use ECDIS or algorithms and/or predictive models using ECDIS.
If any provision of this regulation or the application of it to any person or circumstance is for any reason held to be invalid, the remainder of the regulation would not be affected. Noncompliance with this regulation may result in imposition of sanctions made available in Colorado statutes pertaining to the business of insurance or other laws, which include imposition of civil penalties, issuance of cease and desist orders, and/or suspensions or revocations of license.