On November 14, 2023, Colorado’s Insurance Commissioner officially passed a legally binding regulation that requires life insurers operating in the state to establish a governance and risk framework for their usage of both external consumer data and information sources (ECDIS) or artificial intelligence (AI) and predictive models trained on ECDIS.

The new law, Regulation 10–1–1, defines ECDIS as data used by a life insurer to “supplement or supplant traditional underwriting factors or other insurance practices or to establish lifestyle indicators that are used in insurance practices.” Examples of ECDIS include “credit scores, social media habits, locations, purchasing habits, home ownership, educational attainment, licensures, civil judgments, court records, occupation that does not have a direct relationship to mortality, morbidity or longevity risk, consumer-generated Internet of Things data, biometric data, and any insurance risk scores.”

Regulation 10–1–1 mandates all life insurance companies in Colorado that use ECDIS or algorithms trained on ECDIS to submit a detailed report demonstrating compliance with the legislation’s requirements by December 1, 2024, and annually after that. Before that deadline, however, life insurers must first submit by June 1, 2024 a progress report detailing the efforts made thus far to construct an AI governance and risk management program. Life insurers that fail to do so may face a wide variety of sanctions imposed by the State of Colorado, including civil penalties, cease and desist orders, and/or business license suspensions or revocations.

The report due by December 2024 must address each of the 13 components of the governance and risk management framework. One component orders applicable life insurers in Colorado to document an “up-to-date inventory, including version control, of all utilized ECDIS, as well as algorithms and predictive models that use ECDIS,” while another calls for conducting tests on their AI models to “detect unfair discrimination in insurance practices.” Other components entail cross-functional collaboration on “the design, development, testing, deployment, use, and ongoing monitoring” of data and models.

This is where BreezeML comes in. BreezeML can help life insurers in Colorado satisfy the aforementioned regulatory demands in the following ways (see Appendix below for full details). First, BreezeML enables companies to maintain an updated inventory of their data and AI models by integrating with common MLOps tools and data stores to track end-to-end model data and operations. Second, BreezeML allows enterprises to detect and mitigate potential bias in their model training data by offering fairness testing services provided by its network of industry-leading partners. Third, BreezeML simplifies and facilitates cross-functional collaboration by enabling compliance teams to effortlessly specify and continually monitor governance policies over every AI workflow in their organization without relying on manual and tedious coordination with data science teams, reducing the reluctance from the data science team to incorporate compliance-related checks.

While Regulation 10–1–1 represents Colorado’s first-ever attempt at regulating the use of AI in the insurance sector, it is most definitely not the last. Indeed, the Colorado Division of Insurance intends to release a complementary draft testing regulation for life insurers in the state and expand the scope of its AI governance regulations to other categories of insurance, such as auto insurance. With Colorado at the helm of regulating the use of AI, it is only a matter of time before other states follow in passing similar legislation that applies not only to the insurance industry, but also to other industries such as financial services, healthcare and medical devices, and digital advertising and marketing. Regardless of how AI regulations evolve at the state and federal levels in the U.S., one thing will remain clear: due to its flexible “governance by construction” design that enables it to dynamically adapt to the ever-changing AI regulatory landscape, BreezeML will continue to be the most ideal AI governance, risk, and control partner for enterprises utilizing machine learning models.

For more information about BreezeML, please visit our website or contact us at info@breezeml.ai. You can also request a demo of our product here.

Appendix

Section 5.A.1: Documented governing principles outlining the values and objectives of the insurer that provide the guidance necessary for ensuring that:

A. ECDIS, and algorithms and predictive models that use ECDIS are designed, developed, used, and monitored in a manner that achieves effective oversight and management; and

• BreezeML enables clients to establish and document governing principles that align with widely used AI regulation frameworks such as NIST AI Risk Management. The BreezeML solution provides alignment to specific requirements outlined in sections 1.3 and 1.4 of the NAIC model guidelines, as published on 12/2/23.

B. The use of ECDIS, and the algorithms and predictive models that use ECDIS are reasonably designed to prevent unfair discrimination.

• BreezeML allows customers to define and set custom rules to ensure that their use of ECDIS and their algorithms and predictive models that use ECDIS are anti-discriminatory.

Section 5.A.2: The governance structure and risk management framework must be overseen by the board of directors or a committee of the board.

• With BreezeML’s user permissions management feature, enterprise organizations can enable their board of directors to have oversight over their AI governance and risk management frameworks.

Section 5.A.3: Senior management responsibility and accountability for setting and monitoring the overall strategy and providing direction governing the use of ECDIS, and algorithms and predictive models that use ECDIS. This includes establishing clear lines of communication and delegated decision-making authority, and regular reporting to senior management on the performance and potential risks of using ECDIS, and the algorithms and predictive models that use ECDIS.

• BreezeML enables clients to establish governance policies over their AI models and translate them into queries for continuous monitoring throughout the model development process. Non-compliant actions in model development are flagged and sent to the MLOps team, which can respond to and mitigate such issues. BreezeML also supports generating automated compliance reports on clients’ models and training data for the review of senior management and third-party auditors.

Section 5.A.4: Documented cross-functional ECDIS, algorithm, and predictive model governance group composed of representatives from key functional areas including legal, compliance, risk management, product development, underwriting, actuarial, data science, marketing, and customer service, as applicable.

• An inherently cross-functional platform that bridges compliance/legal teams with engineering teams at enterprise organizations, BreezeML permits customers to add to the platform multiple users with various functional roles, from legal and compliance to product and data science. It also allows customers to create custom user groups by function and custom reports and dashboards.

Section 5.A.5: Documented policies, processes, and procedures, including assigned roles and responsibilities, for the design, development, testing, deployment, use, and ongoing monitoring of ECDIS and algorithms and predictive models that use ECDIS, and processes to ensure that they are documented, tested, and validated. Such policies and processes must include an ongoing internal supervision and training program for relevant personnel on the responsible and compliant use of ECDIS, and the algorithms and predictive models that use ECDIS.

• On BreezeML’s platform, companies can create policies, processes, and procedures and assign roles and responsibilities for the design, development, testing, deployment, use, and ongoing monitoring of ECDIS and algorithms and predictive models that use ECDIS. In addition, companies can utilize BreezeML’s architecture to implement internal supervision and training for relevant personnel, which promotes the fair and ethical use of ECDIS and predictive models using ECDIS. Finally, BreezeML’s solution can be featured in training courses as a tool that enables and simplifies the responsible and compliant use of AI.

Section 5.A.6: Documented processes and protocols in place for addressing consumer complaints and inquiries about the use of ECDIS, as well as algorithms, and predictive models that use ECDIS.

• On BreezeML’s platform, clients can document their processes and protocols for addressing consumer complaints and inquiries about the use of ECDIS and models that use it.

Section 5.A.7: Documented rubric for assessing and prioritizing risks associated with the deployment of ECDIS, as well as algorithms and predictive models that use ECDIS, in insurance in practices with reasonable consideration given to insurance practices’ consumer impact(s).

• BreezeML’s customers can create rubrics for assessing and prioritizing risks associated with the deployment of ECDIS and algorithms that use ECDIS based on industry-standard risk assessment templates available on the BreezeML platform, such as those stipulated in the NIST Risk Management Framework.

Section 5.A.8: Documented up-to-date inventory, including version control, of all utilized ECDIS, as well as algorithms and predictive models that use ECDIS, including a detailed description of each ECDIS, algorithm, and predictive model, their clearly stated purpose(s), and the outputs generated through their use.

• BreezeML enables enterprises to maintain an updated inventory, including version control, of all utilized ECDIS and models that use ECDIS by integrating with common MLOps tools and data stores to track end-to-end model data and operations.

Section 5.A.9: Documented explanation of any material change(s) in the inventory of all ECDIS, as well as all algorithms and predictive models that use ECDIS, and the rationale for the change(s).

• BreezeML’s platform records any material change(s) in the inventory of all ECDIS and models that use ECDIS. For each material change, clients can specify a reason in each model card.

Section 5.A.10: Documented description of testing conducted to detect unfair discrimination in insurance practices resulting from the use of ECDIS, as well as algorithms and predictive models that use ECDIS, including the methodology, assumptions, results, and steps taken to address unfairly discriminatory outcomes.

• BreezeML enables enterprise organizations to define and implement custom rules that identify bias and unfair discrimination in insurance models, documenting the methodology, assumptions, results, and steps taken to address such issues. In addition, BreezeML and its third-party partners offer bias and fairness testing services.

Section 5.A.11: Documented description of ongoing monitoring regarding the performance of algorithms and predictive models that use ECDIS including accounting for model drift.

• In each model card on BreezeML, customers can describe how they are continuously monitoring the performance of the algorithm that uses ECIDS.

Section 5.A.12: Documented description of the process used for selecting external resources including third-party vendors that supply ECDIS, algorithms, and/or predictive models that use ECDIS including the intended use of the ECDIS, algorithm(s), and/or predictive model(s).

• BreezeML allows clients to describe the process used for selecting external resources in each model card (for third-party algorithms) and in each dataset card (for third-party datasets).

Section 5.A.13: Documented comprehensive annual reviews of the governance structure and risk management framework and updates to the required documentation to ensure its continued accuracy and relevance.

• At any time on BreezeML’s platform, companies can edit and customize existing governance structures and risk management frameworks or create new ones to fit their individual needs.

‍