On July 11, 2024, the New York State Department of Financial Services (NYSDFS) issued its final Circular on “The Use of Artificial Intelligence (‘AI’) Systems and External Consumer Data and Information Sources in Insurance Underwriting and Pricing” (the “Circular”).
This Notice was issued as guidance to the insurance industry and imposes significant obligations on insurers that use artificial intelligence systems (“AIS” or “AI systems”) or external consumer data and information sources (“ECDIS”) in underwriting and pricing. The Notice outlines the enforcement priorities of the NYSDFS.
To whom does this notice apply?
This Circular applies to ECDIS, AIS, and other predictive models used in connection with the underwriting and pricing of insurance policies and annuity contracts issued by:
- An insurance company licensed to sell insurance in the State of New York
- Article 43 Corporations
- Health Maintenance Organizations (HMOs)
- Accredited Fraternal Bodies (FBS)
- New York Insurance Fund
Why was this circular issued?
NYSDFS appreciates that ECDIS and AIS benefit insurers and consumers by simplifying and speeding up the underwriting and pricing process. However, NYSDFS expressed concerns about the potential for unfair adverse effects and discriminatory decision-making resulting from the use of ECDIS and AIS, including the use of third-party vendors.
They are particularly concerned that ECDIS and AIS could disproportionately impact vulnerable communities and individuals and undermine New York’s insurance market.
What systems does this notice apply to?
AIS: The notice defines AIS as “a machine-based system designed to perform functions typically associated with human intelligence, such as reasoning, learning and self-improvement, and which is used, in whole or in part, as a proxy for, or to complement, traditional health, life, property or casualty insurance underwriting or pricing, or to identify ‘lifestyle indicators’ that may contribute to the underwriting or pricing evaluation of an applicant for insurance.”
ECDIS: The Notice defines ECDIS as “data or information used, in whole or in part, to supplement traditional health, property or casualty insurance underwriting or pricing, as a proxy for traditional health, property or casualty insurance underwriting or pricing, or to identify ‘lifestyle indicators’ that may contribute to the underwriting or pricing evaluation of an applicant for insurance.” ECDIS does not include MIB Group, Inc.’s Member Information Exchange Service, motor vehicle reports, prescription drug data, or criminal history searches.
How can covered businesses comply?
1. Maintain existing practices
Companies can primarily use ECDIS and AIS to comply with all local, state and federal laws. Insurers should already have processes in place for using ECDIS or AIS for underwriting or pricing, unless they determine that the ECDIS or AIS does not collect or use criteria that constitute unjust or unlawful discrimination or unfair trade practices.
2. Establishment of a corporate governance system
Insurers need to establish a corporate governance framework appropriate to the nature, size and complexity of the insurer while ensuring compliance with legal and regulatory requirements.
This governance requires establishing appropriate formal written policies and procedures, allocating competent staff, overseeing model risk management, ensuring effective challenges and independent risk assessments, reviewing audit findings, conducting AI training, and taking prompt corrective action where necessary.
3. Board and Senior Management Oversight
As part of this corporate governance framework, insurers are required to have board oversight and senior management with responsibility for their ECDIS and AIS systems. Senior management is responsible for the day-to-day development and management of the insurer’s ECDIS and AIS in line with the strategic vision and risk analysis of the board or other governing body.
4. Carry out appropriate written assessments, documentation and testing of ECDIS and AIS
Insurers should not use ECDIS or AIS for underwriting or pricing unless they can demonstrate through comprehensive evaluation, documentation, and testing that the underwriting or pricing guidelines are not unfairly or unlawfully discriminatory in violation of New York State Insurance Law.
5. Implement a third-party vendor review program
Insurers are responsible for understanding any tools, ECDIS, or AIS developed or implemented by third-party vendors that are used in underwriting and pricing insurance, and must also ensure that such tools, ECDIS, or AIS comply with all applicable laws, rules, and regulations, including those concerning discrimination.
To mitigate third-party risks and ensure proper oversight of third-party vendors, insurers should develop the following:
(i) Written standards, policies, procedures and protocols regarding the acquisition, use of or reliance on ECDIS and AIS developed or implemented by third-party vendors for pricing or underwriting purposes.
(ii) Applicable AI terms in vendor contracts.
6. Be transparent with your customers
If an insurer uses ECDIS or AIS, the notice to the insured, potential insured or medical professional nominee must disclose:
(i) Whether the insurer uses AIS in its underwriting or pricing process
(ii) Whether the insurer uses data about individuals obtained from external parties
(iii) That the individual has the right to request information regarding the specific data that led to the underwriting or pricing decision, including contact information to make such a request.
According to the NYSDFS, failure to make such disclosures may constitute an unfair trade practice.
Other State Actions
Insurers must comply with other legal requirements applicable to AI, which may vary by state. The NYSDFS circular follows the publication of the Colorado Department of Insurance’s Algorithmic and Predictive Model Governance Regulations (AI Regulations). Life Insurance Regulation; California Insurance Commissioner’s Notice 2022-5 regarding allegations of racial and unfair discrimination in marketing, rating, underwriting and claims practices by the insurance industry, and Texas Insurance Commissioner’s Notice #B-0036-20 entitled “Insurers’ Use of Third-Party Data.”
An additional 15 states have adopted the NAIC Model Public Notice entitled “Use of Artificial Intelligence Systems by Insurance Companies,” issued in December 2023. This means that insurers regulated by these states must follow the terms of the Model Public Notice under their state authority to prevent unfair trade practices with respect to their own developed and third-party models.
The requirements for a model bulletin are:
- At a minimum, put in place a robust documented AI governance structure that documents the use of AI systems throughout the insurance lifecycle, from insurance product development to implementation and claims management.
- Continuous monitoring and updates.
- Using AI and machine learning to ensure there are no discriminatory, excessive or inappropriate insurance rates.
- Implement controls to mitigate the risk of adverse consumer impacts from AI.
- Developing testing and validation of AI models.
The bulletin claims that the use of third-party AI systems will also be investigated, with insurers required to complete due diligence on providers and enter into comprehensive agreements covering data security, data use, data sources, audits and testing.
Enforcement
Insurers should anticipate that regulators may require them to demonstrate compliance with the above requirements through regulatory audits, investigations, inspections or enforcement actions.