Insurance Industry Corporate Governance Newsletter

7 November 2023

Regulatory Developments on Insurer AI Use

This month’s edition of our Insurance Industry Corporate Governance Newsletter focuses on recent and ongoing developments in the regulation of the use of Artificial Intelligence (“AI”) by insurers. Given the rapid rate of AI development and adoption, and its potential impact on consumers, insurance regulators are increasingly signaling their intent to expand or clarify existing requirements for the use of AI—including by passing new regulations or regulatory guidance for insurers.

On October 13, the National Association of Insurance Commissioners (“NAIC”) released a revised exposure draft of its model bulletin on the “Use of Artificial Intelligence Systems by Insurers” (the “Model Bulletin”), which sets out a draft comprehensive, nonbinding framework for insurers’ AI governance.

In parallel, following the passage of SB-21-159 in Colorado, the Colorado Department of Insurance (“DOI”) recently finalized a regulation that requires life insurance companies to implement AI governance and risk management measures that are reasonably designed to prevent unfair discrimination in the use of external consumer data and information sources (“ECDIS”), as well as algorithms and predictive models that use ECDIS, in insurance practices (the “Colorado Regulation”).

The New York Department of Financial Services (the “NYDFS”) is also expected to issue its own updated guidance on the use of external data in insurance practices by the end of the year.

An Emerging Governance Framework for AI and Insurance

The Model Bulletin and Colorado Regulation provide a good indication of where AI insurance regulation in the U.S. is likely heading. While the NAIC’s Model Bulletin and the Colorado Regulation differ in terms of scope, they contain several similar governance requirements, including:

  • Inventories: Insurers are expected to maintain an inventory of models that are covered by their rules.
  • Monitoring: Insurers should monitor their use of AI, particularly for model drift and other performance issues.
  • Cross-functional governance committees: Insurers are expected to establish a governance committee and constitute it with representatives from key functional areas such as legal, compliance, risk management, product development, underwriting, actuarial, data science, marketing, and senior management. The committee should be accountable to the board.
  • Training: Insurers are expected to provide ongoing training and supervision for relevant personnel on the use of AI.
  • Risk rating and assessments: Insurers should maintain a process for identifying, assessing, and prioritizing risks associated with AI.
  • Consumer-facing processes: Insurers are expected to provide consumer-facing processes that provide information about uses of AI that affect consumers.
  • Vendor risk management: Insurers are expected to establish policies and procedures to oversee vendors that provide them with AI applications.
  • Documentation: Insurers should maintain documentation of their AI governance programs, including written policies and procedures.

What Steps Can Insurance Companies Take Now?

Some measures to consider include:

Gap Analysis & Road Map. Insurers should consider conducting a preliminary gap analysis between the requirements in the Model Bulletin—and, if applicable, the Colorado Regulation—and their current AI governance and compliance program, and developing a road map for filling any gaps. For some companies, it may take significant time and resources to implement these requirements, and so they may want to start early.

Risk Assessment. Insurers should consider creating a list of high-risk factors for AI uses and using those factors to identify their highest-risk AI uses for prioritization once the basic elements of the governance program are in place.

Cross-Functional Governance Committee. Insurers should consider starting the process of creating a cross-functional AI governance committee. Determining which representatives from “appropriate disciplines and units” within the company should be in the group, how often the group should meet, what resources it needs, to whom it will report, how it will make decisions, and how its decisions will be implemented are all complicated considerations that will take time and discussion.

Inventory. Insurers should consider creating an inventory of the AI tools the firm has access to and its AI use cases in production.

Budget. Insurers should consider whether any of their anticipated AI governance enhancements will require a significant increase in their compliance budgets and, if so, begin the process of securing additional resources.


These regulatory developments highlight the increasing importance of implementing governance for insurers that are using AI. Starting that process early, before AI adoption is widespread, may be easier than implementing post hoc compliance, even though the AI regulatory landscape is still evolving.