On July 17, the Innovation, Cybersecurity, and Technology (H) Committee of the National Association of Insurance Commissioners released its exposure draft of the NAIC’s model bulletin on insurers’ use of algorithms, predictive models, and artificial intelligence systems. The draft model bulletin takes a principles-based approach to how insurers should govern the development, acquisition, and use of artificial intelligence and big data-related resources (AI systems) in making or supporting decisions impacting consumers. It also advises insurers on what regulators may request during an investigation or examination. The committee’s exposure coincides with Colorado’s development of a proposed regulation on governance and risk management framework requirements for life insurers using external consumer data and information sources, algorithms, and predictive models (CO Life Governance Rule).
In contrast to the NAIC draft model bulletin, which sets forth regulator expectations and provides guidance to insurers, the CO Life Governance Rule bets on a more prescriptive approach to consumer protection.
Below are some of the key similarities and differences between the NAIC draft model bulletin and the CO Life Governance Rule:
CO LIFE GOVERNANCE RULE
All life insurers doing business in Colorado.
All insurers doing business in the state where the bulletin is issued using AI systems to make or support decisions impacting consumers.
Life insurers using external consumer data and information sources, as well as algorithms and predictive models that use external consumer data and information sources (ECDIS/AI/PM), must establish a “risk-based” governance and risk management framework that addresses any insurance practices.
Insurers are encouraged to develop, implement, and maintain a written program for the use of AI systems (AIS program). An AIS program should be reflective of, and commensurate with, the insurer’s assessment of the risk posed by its use of an AI system.
The governance framework that facilitates and supports policies, procedures, systems, and controls must be designed to determine whether the use of such ECDIS, algorithms, and predictive models potentially results in unfair discrimination with respect to race and to remediate unfair discrimination, if detected.
The AIS program should be designed to mitigate the risk that the AI systems will result in decisions that are arbitrary or capricious, unfairly discriminatory, or that otherwise violate unfair trade practice laws.
The risk management framework must include governing principles outlining the values and objectives of the insurer.
The Principles of Artificial Intelligence should guide insurers in their development and use of AI systems.
The risk management framework must be overseen by the board or a specified board committee.
The AIS program should vest responsibility with senior management reporting to the board or an appropriate committee of the board.
The required governance must set forth who within the insurer is responsible for the insurer’s use of ECDIS/AI/PM, and it must:
The AIS program should address defined roles and responsibilities for key personnel charged with carrying out the AIS program generally and at each stage of an AI system life cycle, and should consider:
Policies, Processes, and Procedures
The required policies, processes, and procedures must address:
The AIS program should address policies, processes, and procedures:
The framework must include documented up-to-date inventory of all utilized ECDIS/AI/PM, including version control. The inventory must also describe all utilized ECDIS/AI/PM, as well as their stated purpose(s) and the outputs generated through their use.
Insurers must be prepared to provide regulators with inventories and descriptions of algorithms, predictive models, and AI systems.
The required policies, processes, and procedures must include an ongoing training program.
The AIS program should consider the development and implementation of ongoing training.
Requires insurers to have a process for selecting third-party vendors of ECDIS/AI/PM and places responsibility on insurers for ensuring the framework requirements are met even when the insurer’s ECDIS/AI/PM is provided by a third-party vendor.
The AIS program should address the insurer’s standards for the acquisition, use of, or reliance on AI systems developed or deployed by a third party, including policies and procedures related to:
Each insurer using ECDIS/AI/ML must submit:
Colorado is looking to close the betting line on October 30, the proposed effective date for the CO Life Governance Rule. On August 31, the Colorado Division of Insurance held a hearing on the CO Life Governance Rule. According to the notice of hearing, stakeholders had until September 6 to submit written comments.
Sportsbooks still have time to set the betting line for the NAIC draft model bulletin. At the Summer National Meeting, the H Committee briefly heard comments on the NAIC draft model bulletin. A second draft of the model bulletin is expected at the end of September.