
NYSDFS Issues Final Circular for Insurers on Artificial Intelligence and External Data Use | Hinshaw & Culbertson – Privacy, Cyber & AI Decoded



On July 11, 2024, the New York State Department of Financial Services (NYSDFS) adopted a final Circular on the “Use of Artificial Intelligence (“AI”) systems and external consumer data and information sources in the underwriting and pricing of insurance” (the “Circular”).

This circular was issued as guidance to the insurance industry and imposes significant obligations on insurers that use artificial intelligence systems (“AIS” or “AI systems”) or external consumer data and information sources (“ECDIS”) for underwriting and pricing. The circular sets out the NYSDFS’s enforcement priorities.

Who does this circular apply to?

The circular applies to ECDIS, AIS and other forecast models used in connection with the underwriting and pricing of insurance policies and annuity contracts issued by the following companies:

  • Insurers authorized to write insurance in New York;
  • Article 43 Capital companies;
  • Health maintenance organizations (HMOs);
  • Licensed Fraternal Benefit Societies (FBSs); and
  • the New York Insurance Fund.

Why was the circular issued?

NYSDFS recognizes that ECDIS and AIS provide benefits to insurers and consumers by simplifying and expediting the insurance underwriting and pricing processes. However, NYSDFS expressed concerns about the potential for unfair adverse impacts or discriminatory decision-making through the use of ECDIS and AIS, including the use of third-party vendors.

NYSDFS is particularly concerned that ECDIS and AIS could disproportionately impact vulnerable communities and individuals or otherwise harm the insurance market in New York.

To which systems does this circular apply?

AIS is defined in the circular as follows: “Any machine-based system that performs functions normally associated with human intelligence, such as reasoning, learning and self-improvement, and that is used – in whole or in part – to supplement traditional underwriting or pricing in health, life, property or casualty insurance, to serve as a substitute for traditional underwriting or pricing in health, life, property or casualty insurance, or to determine ‘lifestyle indicators’ that can contribute to the underwriting or pricing of an insurance applicant.”

ECDIS is defined in the circular as “data or information used – in whole or in part – as a supplement to traditional insurance, property or casualty underwriting or pricing, as a substitute for traditional insurance, property or casualty underwriting or pricing, or to identify ‘lifestyle indicators’ that can help evaluate an insurance applicant’s underwriting or pricing. ECDIS does not include information exchange services for members of the MIB Group, Inc., motor vehicle reports, prescription drug data, or criminal history searches.”

How can the companies concerned comply with the regulations?

1. Maintain existing practices

Companies can comply primarily by using ECDIS and AIS in accordance with all local, state and federal laws. An insurer should already have processes in place to use ECDIS or AIS in underwriting or pricing unless the insurer has determined that ECDIS or AIS does not collect or use criteria that would constitute unfair or unlawful discrimination or an unfair trade practice.

2. Create a corporate governance framework

Insurers must establish a corporate governance framework that is appropriate to the nature, size and complexity of the insurer and ensures compliance with legal and regulatory requirements.

This governance requires establishing appropriate formal written policies and procedures, assigning competent staff, overseeing model risk management, ensuring effective auditing and independent risk assessment, reviewing audit findings, implementing AI training, and taking prompt remedial action when necessary.

3. Supervision by the Board of Directors and Management

As part of this corporate governance framework, insurers must have a supervisory body and senior management responsible for ECDIS and AIS systems. Senior management is responsible for the day-to-day implementation of the insurer’s development and management of ECDIS and AIS, in line with the strategic vision and risk analysis of the board of directors or other governing body.

4. Implement appropriate written assessments, documentation and testing of ECDIS and AIS

An insurer should not use ECDIS or AIS in underwriting or pricing unless it can demonstrate through comprehensive evaluation, documentation and audit that the underwriting or pricing policies are not unfairly or unlawfully discriminatory in violation of New York State Insurance Law.

5. Implement a third-party verification program

Insurers remain responsible for understanding any tools, ECDIS or AIS used in the underwriting and pricing of insurance that are developed or deployed by third parties and for ensuring that such tools, ECDIS or AIS comply with all applicable laws, rules and regulations, including anti-discrimination provisions.

To reduce third-party risk and ensure appropriate oversight of third-party providers, insurers should:

(i) develop written standards, policies, procedures and protocols for the acquisition, use or reliance on ECDIS and AIS developed or used by a third party pricing or risk assessment provider; and

(ii) incorporate applicable AI terms into their supplier contracts.

6. Be transparent with customers

Where an insurer uses ECDIS or AIS, the communication to the insured or potential insured or to an authorised medical practitioner should include the following information:

(i) whether the insurer uses AIS in its underwriting and pricing process;

(ii) whether the insurer uses data about the person obtained from third party providers; and

(iii) that the person concerned has the right to request information about the specific data that led to the underwriting or pricing decision, including the contact details necessary for such a request.

Failure to disclose this information may constitute an unfair trade practice, according to the NYSDFS.

Other government measures

Insurers must comply with other statutory requirements applicable to AI, which may vary by state. The NYSDFS circular follows the Colorado Division of Insurance’s publication of the Algorithm and Predictive Model Governance Regulation (AI Regulation) regulating life insurance; the California Insurance Commissioner’s Bulletin 2022-5 on Allegations of Racial and Unfair Discrimination in the Insurance Industry’s Marketing, Rating, Underwriting, and Claims Practices; and the Texas Department of Insurance Bulletin No. B-0036-20 entitled “Use of Third Party Data by Insurers.”

An additional fifteen states have adopted the NAIC Model Bulletin entitled “Use of Artificial Intelligence Systems by Insurers,” published in December 2023. This means that insurers regulated by these states must comply with the terms of the Model Bulletin under the authority of the respective state to prevent unfair trade practices with respect to their own developed models and models of third parties.

The Model Bulletin requires:

  • at a minimum, the introduction of a robust, written AI governance structure that documents the use of AI systems throughout the insurance lifecycle, from product development to implementation and claims settlement;
  • ongoing monitoring and updating;
  • ensuring that there are no discriminatory, excessive or inappropriate insurance premiums through the use of AI and machine learning;
  • introducing controls to mitigate the risk of negative impacts on consumers from AI; and
  • development of tests and verifications of AI models.

The bulletin states that third-party use of AI systems will also be investigated, with insurers required to carefully vet providers and enter into comprehensive contracts covering data security, data use, data procurement, auditing and testing.

Enforcement

Insurers should be aware that regulators may require them to demonstrate compliance with the above requirements in the context of regulatory audits, investigations, examinations or enforcement actions.
