Expect Focus Life, Annuity, and Retirement Solutions, September 2023

NAIC Innovation, Cybersecurity, and Technology (H) Committee Gets in on the Action

Financial Services Regulatory   |   Life, Annuity, and Retirement Solutions   |   September 28, 2023

On July 17, the Innovation, Cybersecurity, and Technology (H) Committee of the National Association of Insurance Commissioners released its exposure draft of the NAIC’s model bulletin on insurers’ use of algorithms, predictive models, and artificial intelligence systems. The draft model bulletin takes a principles-based approach to how insurers should govern the development, acquisition, and use of artificial intelligence and big data-related resources (AI systems) in making or supporting decisions impacting consumers. It also advises insurers on what regulators may request during an investigation or examination. The committee’s exposure coincides with Colorado’s development of a proposed regulation on governance and risk management framework requirements for life insurers using external consumer data and information sources, algorithms, and predictive models (CO Life Governance Rule).

In contrast to the NAIC draft model bulletin, which sets forth regulator expectations and provides guidance to insurers, the CO Life Governance Rule bets on a more prescriptive approach to consumer protection.

Below are some of the key similarities and differences between the NAIC draft model bulletin and the CO Life Governance Rule:

Scope

CO Life Governance Rule: All life insurers doing business in Colorado.

NAIC draft model bulletin: All insurers doing business in the state where the bulletin is issued that use AI systems to make or support decisions impacting consumers.

Governance Framework

CO Life Governance Rule: Life insurers using external consumer data and information sources, as well as algorithms and predictive models that use external consumer data and information sources (ECDIS/AI/PM), must establish a “risk-based” governance and risk management framework that addresses their insurance practices.

NAIC draft model bulletin: Insurers are encouraged to develop, implement, and maintain a written program for the use of AI systems (AIS program). The AIS program should reflect, and be commensurate with, the insurer’s assessment of the risk posed by its use of AI systems.

Objective

CO Life Governance Rule: The governance framework, together with the policies, procedures, systems, and controls it supports, must be designed to determine whether the use of ECDIS, algorithms, and predictive models potentially results in unfair discrimination with respect to race, and to remediate unfair discrimination if it is detected.

NAIC draft model bulletin: The AIS program should be designed to mitigate the risk that AI systems will result in decisions that are arbitrary or capricious, unfairly discriminatory, or that otherwise violate unfair trade practice laws.

Governing Principles

CO Life Governance Rule: The risk management framework must include governing principles outlining the values and objectives of the insurer.

NAIC draft model bulletin: The Principles of Artificial Intelligence should guide insurers in their development and use of AI systems.

Board Oversight

CO Life Governance Rule: The risk management framework must be overseen by the board or a specified board committee.

NAIC draft model bulletin: The AIS program should vest responsibility with senior management reporting to the board or an appropriate committee of the board.

Roles and Responsibilities

CO Life Governance Rule: The required governance must set forth who within the insurer is responsible for the insurer’s use of ECDIS/AI/PM, and it must:

  • Include a cross-functional group drawn from key functional areas including legal, compliance, risk management, product development, underwriting, actuarial, data science, marketing, and customer service, as applicable.
  • Set forth clear lines of communication between the various committees, governance groups, and individuals, and require regular reporting to senior management on the performance and potential risks of ECDIS/AI/PM.
  • Report to the CO Division of Insurance the title and qualifications of the individuals assigned roles in the governance structure; the individuals themselves need not be named.

NAIC draft model bulletin: The AIS program should address defined roles and responsibilities for key personnel charged with carrying out the AIS program generally and at each stage of an AI system life cycle, and should consider:

  • Including a committee comprised of representatives from all disciplines and units within the insurer, such as business units, product specialists, actuarial, data science and analytics, compliance, and legal.
  • Coordination and communication between persons with roles and responsibilities and the committee, and among those persons themselves, together with escalation procedures and requirements.
  • The independence of decision-makers and lines of defense at successive stages of the AI system life cycle.
  • Scope of authority, chains of command, and decisional hierarchies.
  • The qualifications of the persons serving in the roles identified.

Policies, Processes, and Procedures

CO Life Governance Rule: The required policies, processes, and procedures must address:

  • The design, development, testing, deployment, use, and ongoing monitoring of ECDIS/AI/PM.
  • Consumer complaints and inquiries about the insurer’s ECDIS/AI/PM, including how the insurer will ensure that consumers are provided with the information necessary to take meaningful action in the event of an adverse decision.
  • A rubric for assessing and prioritizing the risks associated with the deployment of ECDIS/AI/PM, with reasonable consideration given to the consumer impact(s) of the insurance practices involved.
  • Testing to detect unfair discrimination in insurance practices resulting from the use of ECDIS/AI/PM and, to the extent that unfairly discriminatory outcomes are found, how the insurer will address and remediate such outcomes.
  • Ongoing monitoring of the performance of AI/PM, including accounting for model drift.

NAIC draft model bulletin: The AIS program should address policies, processes, and procedures:

  • For designing, developing, verifying, deploying, using, acquiring, and monitoring predictive models, including (i) identification of constraints and controls on automation and design and (ii) data governance and controls, including any practices related to data lineage, quality, integrity, bias analysis and minimization, suitability, and updating.
  • For risk management and internal controls, to be followed at each stage of an AI system life cycle.
  • For the methods used to detect and address errors or unfair discrimination in insurance practices resulting from the use of the predictive model.
  • For management and oversight, including validation, testing, and auditing, as well as evaluation for drift.

Inventory

CO Life Governance Rule: The framework must include a documented, up-to-date inventory of all utilized ECDIS/AI/PM, including version control. The inventory must also describe each utilized ECDIS/AI/PM, its stated purpose(s), and the outputs generated through its use.

NAIC draft model bulletin: Insurers must be prepared to provide regulators with inventories and descriptions of algorithms, predictive models, and AI systems.

Training

CO Life Governance Rule: The required policies, processes, and procedures must include an ongoing training program.

NAIC draft model bulletin: The AIS program should consider the development and implementation of ongoing training.

Third-Party Vendors

CO Life Governance Rule: Insurers must have a process for selecting third-party vendors of ECDIS/AI/PM, and they remain responsible for ensuring that the framework requirements are met even when the ECDIS/AI/PM is provided by a third-party vendor.

NAIC draft model bulletin: The AIS program should address the insurer’s standards for the acquisition, use of, or reliance on AI systems developed or deployed by a third party, including policies and procedures related to:

  • Due diligence to assure that the third-party AI systems are designed to meet the legal standards imposed on the insurer itself.
  • Including in third-party agreements requirements that the third party maintain an AIS program consistent with what is required of the insurer, permit the insurer to audit the third party, provide the insurer with reports of the third party’s compliance with standards, and comply with regulatory inquiries.

Reporting Requirements

CO Life Governance Rule: Each insurer using ECDIS/AI/PM must submit:

  • By June 1, 2024, a narrative report summarizing its progress toward complying with the CO Life Governance Rule, areas under development, any difficulties encountered, and the expected completion date.
  • By December 1, 2024, and annually thereafter, a narrative report of not more than 10 pages summarizing its compliance with the CO Life Governance Rule.

Colorado is looking to close the betting line on October 30, the proposed effective date for the CO Life Governance Rule. On August 31, the Colorado Division of Insurance held a hearing on the CO Life Governance Rule. According to the notice of hearing, stakeholders had until September 6 to submit written comments.

Sportsbooks still have time to set the betting line for the NAIC draft model bulletin. At the Summer National Meeting, the H Committee briefly heard comments on the NAIC draft model bulletin. A second draft of the model bulletin is expected at the end of September.


©2024 Carlton Fields, P.A.
