Jamie Bigayer and Ann Young Black | Carlton Fields
On July 6, 2021, the governor of Colorado signed Senate Bill 21-169 prohibiting insurers’ use of external consumer data and information sources (external data), as well as algorithms and predictive models using external data (technology) in a way that unfairly discriminates based on race, color, national or ethnic origin, religion, sex, sexual orientation, disability, gender identity, or gender expression (protected status). Bill 21-169 notes that while these tools may simplify and expedite certain insurance practices, “the accuracy and reliability of external consumer data and information sources can vary greatly, and some algorithms and predictive models may lack a sufficient rationale for use in insurance practices.” New section 10-3-1104.9 becomes effective on September 6, 2021, and any rules adopted by the insurance commissioner may not be effective before January 1, 2023.
Section 10-3-1104.9 requires the commissioner to adopt rules based on the different insurance types and insurance practices, which is defined as “marketing, underwriting, pricing, utilization management, reimbursement methodologies, and claims management in the transaction of insurance.” To do so, the commissioner is required to call on stakeholders and to consider factors and processes relevant to each type of insurance.
This means insurers must start their homework early so they can be ready to explain to the commissioner what data they use; from whom the data is obtained; how it is used, including whether it is used as part of an algorithm or predictive model; and whether the use of the data results in unfair discrimination as defined in section 10-3-1104.9(8)(e).
Required Rulemaking Under Section 10-3-1104.9
From the stakeholder information, the commissioner is required to adopt rules imposing reporting and governance obligations on insurers.
- Reporting Rules – These rules must seek information on (i) an insurer’s use of external data in the development and implementation of technology; (ii) the manner in which the insurer uses external data; and (iii) the manner in which the insurer uses technology. The information is to be reported by type of insurance and insurance practice.
- Governance Rules – These rules must require insurers to (i) establish and maintain a risk management framework reasonably designed to determine, to the extent practicable, whether the insurer’s use of external data and technology unfairly discriminates against a protected status; (ii) assess the risk management framework; and (iii) obtain officer attestations as to the implementation of the risk management framework.
In adopting the required rules, the commissioner must (i) consider the impact of any rules on the solvency of insurers; (ii) provide a reasonable time for insurers to remedy any unfair discrimination impact of any employed technology; and (iii) provide a means by which insurers can use external data and technology that the insurance division has found not to be unfairly discriminatory.
Questions Raised by Section 10-3-1104.9
As part of the rulemaking process, insurers may want to raise their hands to ask questions on section 10-3-1104.9. Some questions include:
What is unfair discrimination?
In response to industry concerns regarding the definition of unfair discrimination, section 10-3-1104.9(8)(e) imposes a three-prong test:
- The use of external data or technology has a correlation to a protected status;
- The correlation results in a disproportionately negative outcome for such protected status; and
- The negative outcome exceeds the reasonable correlation to the underlying insurance practice, including losses and costs for underwriting.
To better understand this three-prong test, insurers at the stakeholder meetings should seek clarification. For example:
- How is the correlation between the use of the external data or technology and the protected status determined?
- How can an insurer test for the correlation, when section 10-3-1104.9(7)(a) makes clear that insurers are not required to collect information regarding protected status from applicants or policyholders? At the NAIC Special (EX) Committee on Race and Insurance during the 2021 NAIC Summer National Meeting, Colorado Commissioner Michael Conway noted that insurers do not need to collect specific data on race to be able to test for discriminatory outcomes, and Colorado will expect insurers to do such testing.
- How is a negative outcome on protected status determined and then quantified to determine if it exceeds a reasonable correlation?
- What is a reasonable correlation to determine what exceeds such correlation?
What is “to the extent practicable”?
An insurer’s risk management framework will be required to be reasonably designed to determine, to the extent practicable, whether the insurer’s use of external data and technology unfairly discriminates against a protected status.
The terminology “to the extent practicable” was added in response to insurer concerns that they may not have the tools available to design the risk management framework. As the commissioner considers rulemaking, insurers may wish to ask whether “to the extent practicable” will take into account:
- The size of the insurer or the amount of business for a particular type of insurance that the insurer conducts.
- The fact that the insurer does not have the information to assess whether third-party vendor technology uses external data. And what happens if the third- party vendors refuse to share the information.
What is meant by algorithm?
Section 10-3-1104.9(8)(a) defines an algorithm as “a computational or machine learning process that informs human decision making in insurance practices.” However, this broad definition leaves insurers to wonder whether “algorithm” would be interpreted to include even the use of simple computational programs such as Excel or other automation tools in connection with traditional underwriting. How far does the definition go?
What is external data?
Section 10-3-1104.9(8)(b)(I) defines external data as “a data or an information source that is used by an insurer to supplement traditional underwriting or other insurance practices or to establish lifestyle indicators that are used in insurance practices.” Section (8)(b)(I) gives the following examples: credit scores, social media habits, locations, purchasing habits, homeownership, educational attainment, occupation, licensures, civil judgments, and court records. However, many of these data points and other “lifestyle indicators” are obtained directly from the consumer as part of the application. Before the final exam, insurers might want to attend office hours to understand:
- Is information acquired in an application considered external data?
- Does such information become external data if it is used in an algorithm or predictive model?
What is meant by traditional underwriting?
Section 10-3-1104.9(7)(b)(II) and (IV) note that insurers are not required to test “traditional underwriting factors being used for the exclusive purpose of determining insurable interest or eligibility for coverage” or “longstanding and well-established common industry practices in settling claims or traditional underwriting practices” unless they are included in the insurer’s testing of its use of technology. But the following questions remain:
- What is meant by traditional underwriting factors and traditional underwriting practices? Are traditional factors and practices in an electronic medium or process now considered nontraditional?
- If traditional underwriting factors and practices are lumped in with an insurer’s use of technology, what is really exempt from having to be tested?
How Insurers Can Start Preparing for Class
- Begin to inventory what data is used, from whom the data is obtained, and how it is used, including whether it is used as part of an algorithm or predictive model, for each type of insurance the insurer issues and for each insurance practice where data is used. This includes seeking information from the insurer’s marketing, product design, underwriting, administrative services, claims, and fraud units. Insurers should take a broad view of data, algorithms, and predictive models to ensure everything that might be scrutinized by Colorado is considered.
- Inform the insurer’s marketing, product design, underwriting, administrative services, claims, and fraud units that subject matter experts from different business units will be needed for consultation as the Colorado insurance department holds stakeholder meetings and in developing governance around the use of data, algorithms, and predictive models.
- Review third-party contracts to determine what rights the insurer has (i) to obtain information about the data being used and the construction and operation of any algorithms and predictive models and (ii) to require the cooperation of the third party in the face of a regulatory review. Additionally, these rights and obligations should be incorporated into any new third-party contracts.
- Begin to outline a plan for satisfying the reporting and governance rules outlined above. This includes determining how the various business units will coordinate to compile the required information to be reported, as well as how each business unit will participate in and be responsible for the ongoing requirements of the risk management framework to be developed.