Key Takeaways:
With the Amended Regulation set to take effect on October 15, 2025, covered insurers should begin preparing now to meet the new governance, risk management, and reporting requirements:
- Conduct a gap analysis. Compare existing governance and risk management frameworks against the Amended Regulation’s requirements, focusing on annual review processes, board oversight, and documentation.
- Engage the board and senior management. Ensure directors and senior executives are prepared to oversee ECDIS and Model use, with clear lines of accountability and reporting.
- Plan for quantitative testing. Monitor forthcoming guidance from the Colorado Division of Insurance on testing requirements and evaluate whether current internal testing practices can be adapted to satisfy Division standards.
On August 20, 2025, Colorado’s Division of Insurance (the “Division”) adopted final amendments to its regulation on the Governance and Risk Management Framework Requirements for certain insurers that use external consumer data and information sources (“ECDIS”), algorithms, and predictive models that use ECDIS (“Models”) (the “Amended Regulation”). The Amended Regulation builds on the 2023 rule that directed governance, risk management, and reporting obligations to insurers that sell life insurance products (“Life Insurers”) that use ECDIS (the “Current Regulation”) and extends those obligations to private passenger automobile insurers (“Auto Insurers”) and health benefit plan insurers (“Health Benefit Plan Insurers”) that use ECDIS.
The Division finalized the Amended Regulation after initially proposing draft amendments on December 6, 2024 (the “Draft Amendments”), which we wrote about here. The Amended Regulation takes effect on October 15, 2025.
With the Amended Regulation finalized, Colorado continues to refine its approach to regulating the use and implementation of AI in the insurance industry. Below, we summarize the key changes in the Amended Regulation from the Draft Amendments involving (1) the definitions of ECDIS, (2) the possibility of quantitative testing, (3) governance and risk management requirements, and (4) compliance and reporting timelines. As explained further below, overall, the Amended Regulation did not materially expand on proposed language in the Draft Amendments, and in a few instances walked back proposed expansions to maintain the Current Regulation’s requirements.
Definitions of ECDIS
The Amended Regulation’s definition of ECDIS is largely the same across the three insurance lines, but it adds line-specific treatment of what counts as ECDIS for Auto Insurers and for Health Benefit Plan Insurers.
- Same baseline definition. For all three lines of insurance, ECDIS is defined as “a data or an information source that is used by the insurer to supplement or supplant traditional underwriting factors or other insurance practices or to establish lifestyle indicators that are used in insurance practices.”
- Additional example of ECDIS for Auto Insurers. For Auto Insurers, the definition of ECDIS expressly includes telematics data—remotely collected vehicle data such as location, speed, and engine performance—which will scope-in Auto Insurers that use driving behavior data for auto insurance underwriting.
- Exemption for Health Benefit Plan Insurers. For Health Benefit Plan Insurers, the Amended Regulation scopes out “an individual’s medical records” from the definition of ECDIS.
Quantitative Testing
The Amended Regulation augments the requirement to remediate unfair discrimination that potentially results from the use of ECDIS by specifically requiring remediation if unfair discrimination is “detected through quantitative testing requirements established by the Division.” The Amended Regulation further requires a “documented description of quantitative testing conducted pursuant to requirements established by the Division to detect unfair discrimination in insurance practices resulting from the use of ECDIS.”
The Division previously released a draft regulation on quantitative testing of ECDIS and AI on September 28, 2023, but there has been no update since. The Amended Regulation’s renewed references to Division-established testing requirements indicate that further rulemaking in this area is possible.
As we wrote previously, prescribing a quantitative testing methodology, particularly one that would require estimating the race and ethnicity of all insurance applicants using Bayesian Improved First Name Surname Geocoding (“BIFSG”), introduces a significant error rate into the analysis. It is unclear if the Division intends to move forward with prescriptive statistical measures for quantitative testing such as BIFSG.
Governance and Risk Management Framework Requirements
As in the Draft Amendments, many of the existing governance requirements from the Current Regulation will apply to Auto Insurers and Health Benefit Plan Insurers without substantial modification. However, the Amended Regulation alters, adds, and removes certain requirements. Most of these changes apply to all three types of insurers; just one applies specifically to Health Benefit Plan Insurers.
- Board oversight (all three lines). The Amended Regulation maintains the Current Regulation’s requirement that the governance and risk management framework be “overseen by the board.”
- Policies, processes, and procedures (all three lines). The Amended Regulation retains the Current Regulation’s existing requirement to have policies, processes, and procedures, including assigned roles and responsibilities, for the design, development, testing, deployment, use, and ongoing monitoring of ECDIS and the Models that utilize ECDIS, as well as processes to ensure that they are documented, tested, and validated. The Amended Regulation adds that such policies and procedures must “ensure the ECDIS is credible, relevant, and appropriate for its intended purpose or the intended purpose of the algorithm or predictive model.”
- Information on adverse decisions (all three lines). The Draft Amendments required documented processes and protocols to provide consumers “with a clear explanation of an adverse decision and how ECDIS, or an algorithm or predictive model that used ECDIS, was used in making the decision.” The Amended Regulation drops that explanation requirement and retains only the Draft Amendments’ requirement to provide consumers “with information necessary to take meaningful action in the event of an adverse decision made based on the use of ECDIS, and the [Models] that use ECDIS.” Additionally, the Amended Regulation explicitly provides that insurers “may use existing procedures for grievances and appeals.” This is more flexible than the Circular Letter 7 requirement, which mandates that the insured be provided with “details about all information upon which the insurer based any declination, limitation, rate differential, or other adverse underwriting decision, including the source of the specific information upon which the insurer based its adverse underwriting or pricing decision.”
- Evaluation for bias (all three lines). The Amended Regulation removes the requirement from the Draft Amendments to have a documented evaluation of “ECDIS for bias, disparities, representativeness, data quality, data validity and appropriateness for the intended purpose and steps taken to address and correct any data quality issues.”
- Annual governance and risk review cadence (all three lines). The Draft Amendments proposed to replace the comprehensive annual reviews of the governance structure and risk management framework with reviews “when there are any material changes to the governance structure and risk management framework or any new use of ECDIS, or [the Models] that use ECDIS.” The Amended Regulation reinstates the annual review requirement and removes the requirement to conduct a review when material changes occur.
- Third-party oversight (all three lines). The Amended Regulation removes the proposal from the Draft Amendments to require that the documentation of third-party oversight include an evaluation of adherence to the intended use of ECDIS, as well as any Models that utilize ECDIS.
- Health care provider responsibility (Health Benefit Plan Insurers only). The Amended Regulation retains much of the Draft Amendments’ requirement for Health Benefit Plan Insurers to make sure that providers working on their behalf are responsible for decisions made using ECDIS and the Models that utilize ECDIS. However, the Amended Regulation removes this requirement when ECDIS or the Models that use ECDIS are used to approve requests by a covered person for prior authorization.
In sum, the Amended Regulation primarily extends the Current Regulation to cover Auto Insurers and Health Benefit Plan Insurers, as the Division rolled back several proposed changes from the Draft Amendments. As such, Life Insurers that are already subject to the Current Regulation will likely find that little additional work is required to comply with the Amended Regulation.
Compliance and Reporting Timelines
Compliance: The Amended Regulation provides the following compliance timelines:
- Auto Insurers and Health Benefit Plan Insurers must have all components of their governance structure and risk management framework available upon the Division’s request by July 1, 2026.
- Life Insurers are currently required to have the existing components under the Current Regulation available upon the Division’s request. The Amended Regulation does not specify when Life Insurers would need to have the adjusted components described above in place.
Reporting: The Amended Regulation provides the following reporting timelines:
- Auto Insurers and Health Benefit Plan Insurers must submit an interim progress report on compliance with applicable governance requirements by December 1, 2025, and submit annual compliance reports beginning July 1, 2026.
- Life Insurers were required to submit an interim progress report on compliance with the existing governance and risk management requirements described above in June 2024 and an annual compliance report beginning in December 2024. The Amended Regulation indicates that Life Insurers will continue with the annual reporting deadline of December 1.
Additionally, the Amended Regulation removes the descriptor “narrative” from the annual compliance reports, although it does not substantively adjust the technical requirements for those reports.
What Insurers Should Do Now
With the Amended Regulation set to take effect on October 15, 2025, insurers should begin preparing now to meet the new governance, risk management, and reporting requirements:
- Conduct a gap analysis. Compare existing governance and risk management frameworks against the Amended Regulation’s requirements, focusing on annual review processes, board oversight, and documentation.
- Engage the board and senior management. Ensure directors and senior executives are prepared to oversee ECDIS and Model use, with clear lines of accountability and reporting.
- Plan for quantitative testing. Monitor forthcoming guidance from the Division on testing requirements and evaluate whether current internal testing practices can be adapted to satisfy Division standards.
- Review vendor relationships. Assess contracts and oversight mechanisms for third-party providers of ECDIS or models, even though the Amended Regulation scaled back documentation requirements for vendor adherence.
- Streamline consumer-facing processes. Confirm that existing grievance and appeals procedures can handle adverse decision inquiries related to ECDIS or models, and train staff accordingly.
This publication is for general information purposes only. It is not intended to provide, nor is it to be used as, a substitute for legal advice. In some jurisdictions it may be considered attorney advertising.