
Colorado DOI Fast-Tracks Big Data Governance Rulemaking

On August 31, 2023, the Colorado Division of Insurance will hold a virtual rulemaking hearing for its proposed regulation on governance and risk management framework requirements for life insurers using external consumer data and information sources, as well as certain algorithms and predictive models (Life Governance Rule). The notice of hearing, issued July 31, included an updated Life Governance Rule previously released on May 26 as part of the DOI’s statutorily mandated stakeholder process.

The proposed Life Governance Rule, which would take effect on October 30, 2023, applies to all life insurers doing business in Colorado and applies to all use of external consumer data and information sources, as well as algorithms and predictive models that use external consumer data and information sources (ECDIS/AI/PM), in any insurance practice, not just underwriting. It also applies to ECDIS/AI/PM provided by a third party to a life insurer.

Rule Timing

To achieve an effective date of October 30, the DOI must adopt the final Life Governance Rule by September 10 after its August 31 hearing and the September 6 comment due date. This short timeline suggests the adopted rule is unlikely to include major changes.

Compliance Deadlines

The proposed Life Governance Rule requires each life insurer that uses ECDIS/AI/PM to:

  • By June 1, 2024, submit a narrative report summarizing its progress toward complying with the Life Governance Rule’s governance and risk management framework requirements, areas under development, any difficulties encountered, and expected completion date.
  • By December 1, 2024, be in compliance with the Life Governance Rule’s governance and risk management framework requirements.
  • By December 1, 2024, and annually thereafter, submit a narrative report of not more than 10 pages summarizing compliance with the Life Governance Rule’s governance and risk management framework requirements and the title of, and qualifications for, each individual responsible for the specific governance and risk management framework requirements.

A life insurer not using ECDIS/AI/PM as of the Life Governance Rule’s effective date is required under the proposed rule to:

  • Submit within one month of the effective date (i.e., by November 30, 2023) an attestation signed by an officer that the insurer does not use ECDIS/AI/PM.
  • Submit by December 1 each year thereafter a similar attestation.

If a life insurer subsequently desires to use ECDIS/AI/PM, before doing so, it must submit the same narrative report that is required annually by insurers using ECDIS/AI/PM.

Overview of Required Governance and Risk Management Framework

1.   Scope of the Required Framework

Under the Life Governance Rule, life insurers using ECDIS/AI/PM must establish a “risk-based” governance and risk management framework that addresses any insurance practices — i.e., the requirement is not limited to underwriting practices — and mandates that the framework include certain components. By including “risk-based,” the DOI acknowledged that the frameworks adopted by insurers would vary based on the ECDIS/AI/PM used or anticipated to be used by insurers and the potential risk that such use may result in unfair discrimination “with respect to race.”

2.   Framework Required Components

A.   Framework Principles

The required principles must set forth the insurer’s values embodied in, and objectives of, the insurer’s framework with the intent of conveying the foundation for how the insurer will approach and make decisions regarding ECDIS/AI/PM. The principles must address:

i.    Effective oversight and management.

ii.   The need to prevent unfair discrimination.

B.   Governance

The required governance must set forth who within the insurer is responsible for the insurer’s use of ECDIS/AI/PM and their roles and responsibilities (including decision-making) and lines of communication between the various committees, governance groups, and individuals:

i.    The insurer’s board or a specified board committee must oversee the framework.

ii.   Senior management must set and monitor overall strategy and direction.

iii.   A cross-functional team must serve as the insurer’s governance group and consist of individuals from legal, compliance, risk management, product development, underwriting, actuarial, data science, marketing, and customer service, as applicable.

While the individuals that are assigned different roles in the governance structure need not be named, the title and the qualifications of the individuals are required as part of the 10-page summary reports due on December 1 beginning in 2024, and each year thereafter.

C.  Policies, Processes, and Procedures

The required policies, processes, and procedures must address:

i.    The deployment, use, and ongoing monitoring of the insurer’s ECDIS/AI/PM. This must address how the insurer (i) assesses and prioritizes risks associated with tests and (ii) validates the insurer’s ECDIS/AI/PM before deployment and as part of the ongoing monitoring. As further discussed below, for each ECDIS/AI/PM, documentation of the foregoing must be kept.

ii.   Training relevant personnel on the responsible and compliant use of ECDIS/AI/PM.

iii.   Addressing consumer complaints and inquiries about the insurer’s ECDIS/AI/PM, including how the insurer will ensure that consumers are provided with the information necessary to take meaningful action in the event of an adverse decision.

iv.  To the extent that unfairly discriminatory outcomes are found, how the insurer will address and remediate such outcomes.

D.  Required Documentation

The documentation required is:

i.    An inventory of the insurer’s ECDIS/AI/PM, which also includes the purpose, description, output, and versions of the insurer’s ECDIS/AI/PM. For material changes to any of the insurer’s ECDIS/AI/PM, the inventory must also record the rationale for the changes.

ii.   The insurer’s steps taken around its deployment, use, and ongoing monitoring of the insurer’s ECDIS/AI/PM. This means for every ECDIS/AI/PM deployed and used:

  • The assessment of its risk, which may take into consideration the insurance practice for which it is used.
  • The tests and validations conducted on it, including the methodology, assumptions, results, and steps taken to address unfairly discriminatory outcomes.
  • The ongoing monitoring to account for model drift.

Responsibility for Third-Party Vendors

The proposed rule continues to state that the insurer must have a process for selecting third-party vendors of ECDIS/AI/PM and is responsible for ensuring the framework requirements are met even when the insurer’s ECDIS/AI/PM is provided by a third-party vendor.

Other Notable Items

1.   IOT Definition

In its May 26 draft of the Life Governance Rule, the DOI revised the rule’s definition of “external consumer data and information source” to include “consumer-generated Internet of Things data” but did not include a definition of the term “Internet of Things.” The proposed rule remedies this omission by defining the term to mean “networks of physical objects embedded with sensors, software, and other technologies for the purposes of collecting, transmitting, and exchanging data over the Internet.” The definition, however, excludes “devices that require direct human intervention for data collection and exchange.” This exclusion would appear to apply to devices such as an Apple Watch, which requires human authorization to permit an application to collect and exchange data with another party.

2.   Required Testing

Consumer representatives and industry stakeholders urged the DOI to set forth its testing expectations in a testing rule that would be completed simultaneously with the Life Governance Rule. While the DOI indicated that proposed testing rules were forthcoming, none has yet been publicly released.

In addition, the proposed rule does not indicate whether the DOI has decided that testing would be limited to race or could extend to the other individual characteristics listed in Colorado Statutes section 10-3-1104.9.

We will attend the August 31 hearing and continue to monitor the DOI’s rulemaking activities and stakeholder meetings.

©2024 Carlton Fields, P.A.
