On November 20, 2023, the Division of Insurance of the Colorado Department of Regulatory Agencies (“DORA”) published, for a 9-day public comment period, two proposed bulletins that would provide clarifying guidance on the implementation of Colorado Insurance Regulation 10-1-1: Governance of Risk Management Framework Requirements for Life Insurer’s Use of External Consumer Data and Information Sources, Algorithms, and Predictive Models, which was adopted in September 2023 pursuant to SB21-169. The proposed bulletins specify DORA’s current policy that the scope of the regulation is limited at this time[1] to individual life policies, thus excluding group life and annuities, and provide guidance on the form of attestation from companies attesting that they do not use any external consumer data and information sources (“ECDIS”)[2] or algorithm[3] or predictive model[4] that uses ECDIS. The comment period closes Wednesday, November 29, 2023, at 5:00 pm MST. Written comments are to be submitted to: DORA_INS@[email protected].

Background

In July 2021, Governor Jared Polis signed SB21-169, which prohibits unfair discrimination[5] via the use of external consumer data. The act requires insurers to develop and maintain a Risk Management Framework, continuing governance oversight pertaining to external consumer data, and attestation by an insurer’s chief risk officer. The act tasks DORA with adopting rules on a business line basis that implement the act.[6] Pursuant to the act, after a public comment period, DORA adopted the final life regulation on September 21, 2023, which became effective November 14, 2023. DORA published these back-to-back proposed bulletins in response to public inquiries. SB21-169 requires DORA to adopt similar rules pertaining to other business lines; thus, additional regulations applicable to other business lines, such as property & casualty, are anticipated in the near future.

Bulletin No. B-10.001

DORA published this proposed guidance in response to “inquiries from life insurers requesting guidance regarding the manner and format of the attestation required by Colorado Insurance Regulation 10-1-1 when an insurer does not use [ECDIS], or algorithms or predictive models that use ECDIS, in any insurance practice.”[7] DORA has not prescribed a specific format for the attestation. However, DORA has established two minimum requirements:

  1. The attestation must be signed by an officer of the insurer; and
  2. “[U]nambiguously state the insurer does not use any ECDIS, or any algorithm or predictive model that uses ECDIS, with any insurance practice.”

The attestation should be submitted by e-mail directly to Jason Lapham, Director Big Data and AI Policy, Division of Insurance, at [email protected].

Bulletin No. B-10.002

DORA published this proposed guidance in response to “inquiries from life insurers requesting clarification regarding the applicability of Colorado Insurance Regulation 10-1-1 to annuity contracts and group life insurance policies.” DORA specifies that the Bulletin applies to “all life insurers authorized to do business in the State of Colorado” and that it is the opinion of the Division of Insurance that the regulation “does not apply to either group life insurance policies or annuity contracts,” but that its “applicability may be extended to group life insurance policies and annuities in the future.” The proposed bulletin exempts ERISA qualified employee benefits and surplus lines policies.

Locke Lord will continue to monitor developments as DORA continues to implement SB21-169. If you have any questions, please reach out to the author or your Locke Lord partner.

For more Locke Lord commentary on SB21-169 and implementing regulations please see:

Locke Lord QuickStudy: Colorado Exposes Draft Life Insurance AI Data Testing Regulations for Unfair Discrimination by Paige D. Waters and Stephanie O’Neill Macro, October 9, 2023

Locke Lord QuickStudy: Colorado Insurance Division Adopts Proposed Algorithm and Predictive Model Governance Regulation by Paige D. Waters and Stephanie O’Neill Macro, September 22, 2023

New Privacy Laws from Coast to Coast: Comparing California, Virginia and Colorado by Theodore P. Augustinos and Alexander R. Cox, Fall 2021

[1] The regulation’s “applicability may be extended to group life insurance policies and annuities in the future.”

[2] ““External Consumer Data and Information Source” or “ECDIS” means, for the purposes of this regulation, a data or an information source that is used by a life insurer to supplement or supplant traditional underwriting factors or other insurance practices or to establish lifestyle indicators that are used in insurance practices. This term includes credit scores, social media habits, locations, purchasing habits, home ownership, educational attainment, licensures, civil judgments, court records, occupation that does not have a direct relationship to mortality, morbidity or longevity risk, consumer-generated Internet of Things data, biometric data, and any insurance risk scores derived by the insurer or third-party from the above listed or similar data and/or information sources.” 3 Colo. Code Regs. § 702-10.

[3] “Algorithm” is defined in the act as “a computational or machine learning process that informs human decision making in insurance practices.” Colo. Rev. Stat. § 10-3-1104.9(8)(a).

[4] “Predictive model” means “a process of using mathematical and computational methods that examine current and historical data sets for underlying patterns and calculate the probability of an outcome.” Colo. Rev. Stat. § 10-3-1104.9(8)(d).

[5] “Unfair discrimination” is defined in the act as the use of ECDIS “that have a correlation to race, color, national or ethnic origin, religion, sex, sexual orientation, disability, gender identity, or gender expression, and that uses results in a disproportionately negative outcome for such classification or classifications, which negative outcome exceeds the reasonable correlation to the underlying insurance practice, including losses and costs for underwriting.” (emphasis added)  Colo. Rev. Stat. § 10-3-1104.9(8)(e).

[6] Title insurance, bonds executed by qualified surety companies, and insurers of exempt commercial policyholders are exempt from the act.

[7] “Insurance practice” means “marketing, underwriting, pricing, utilization management, reimbursement methodologies, and claims management in the transaction of insurance.” Colo. Rev. Stat. § 10-3-1104.9(8)(c).