Protecting consumers: Implementation of Colorado's antidiscrimination law in insurance
In July 2021, Colorado passed Senate Bill (SB) 21-169,1 a first-in-the-nation law meant to protect consumers from insurance practices that result in unfair discrimination. The law addresses insurers’ use of “external consumer data and information sources” in rating algorithms and predictive models, ensuring that such practices do not unfairly discriminate based on an individual's race, color, national or ethnic origin, religion, sex, sexual orientation, disability, gender identity, or gender expression.
Prior to becoming effective, the law requires the Colorado insurance commissioner to adopt—through a stakeholder engagement process—the rules and regulations to be applicable for specific types of insurance. That process is still ongoing. In this article, we look at the current state of the implementation of this law and what it could mean for insurers writing business in Colorado.
A phased rollout
While SB21-169 applies to all forms of insurance, the Colorado Division of Insurance (DOI) has been focusing the stakeholder engagement process on individual lines of insurance in phases.
The DOI kicked off the process for life insurance first, in February 2021. That line is the furthest along in its implementation at this point, and in fact has a governance and risk management framework already in effect, as of November 2023—more on that in a bit. However, full implementation of the law for life insurance still has a way to go—in particular, the regulation for quantitative testing of models is not yet finalized. We will take a closer look at the DOI’s proposed methodology for testing later in this article.
Private Passenger Auto (PPA) insurance was next, with a stakeholder meeting process that started in April 2023. Much of the discussion for PPA has focused on applying the frameworks developed for life insurance to PPA. The DOI has also recently begun to tackle health insurance, with the kickoff stakeholder meeting for this line taking place in late February 2024.
While the law identifies a range of protected classes, the DOI discussion and proposals thus far have focused exclusively on race and ethnicity, because a statistical method exists to infer race and ethnicity from commonly available data, as we will discuss. The DOI has not set forth a timeline to address any other protected classes.
Wait, do insurers need to collect data on race now?
No, the DOI has made clear that insurers will not be required to collect data on the race or ethnicity of their policyholders. Rather, the DOI has prescribed that insurers use a statistical method—namely, the Bayesian Improved First Name Surname Geocoding (BIFSG) method—to infer the race of each policyholder or applicant included in the testing. This method yields a probabilistic prediction of the race of an individual based on three pieces of information—the location, first name, and surname—leveraging geodemographic data obtained in the 2010 U.S. Census along with lists of common first names and surnames associated with various races and ethnicities. The method is fairly accurate, but certainly not perfect—indeed, there are many individuals whose race could not be reliably determined from their names and locations, even in theory. However, the DOI determined this method to be good enough for testing insurance models for compliance with the law.
What, exactly, are “external consumer data and information sources”?
The law defines “external consumer data and information source” (ECDIS) as data used “to supplement traditional underwriting or other insurance practices or to establish lifestyle indicators […].” The law goes on to note that this includes “credit scores, social media habits, locations, purchasing habits, home ownership, educational attainment, occupation, licensures, civil judgments, and court records,” but gives the commissioner latitude to further clarify the distinction between “traditional” variables versus ECDIS variables for individual lines of business.
As part of the life insurance rollout, the DOI has extended the ECDIS definition applicable to life insurance to include consumer-generated Internet of Things (IoT) data, biometric data, and any insurance risk scores derived from ECDIS data. The DOI further clarified that “occupation” for the purpose of life insurance is considered ECDIS if it “does not have a direct relationship to mortality, morbidity or longevity risk.”
The life insurance governance regulation
The DOI has adopted Regulation 10-1-1,2 which sets forth the governance and risk management requirements for life insurers that use ECDIS. It went into effect (applicable to life insurance only) in November 2023.
This regulation mandates that life insurers establish a risk-based governance framework to support procedures, systems, and controls designed to identify and mitigate unfair discrimination in using ECDIS and related algorithms. This includes documented guiding principles, a governance structure overseen by the board or a committee, and senior management's responsibility for strategy and monitoring. It further details the components of the governance framework, including a cross-functional governance group, documented policies for design, development, and monitoring of ECDIS and algorithms, and processes for handling consumer complaints.
It further requires insurers to document the testing conducted to detect any unfair discrimination resulting from the use of ECDIS in their models and algorithms. This documentation must include the methodology used, assumptions made, results obtained, and steps taken to address any outcomes found to be unfairly discriminatory. Insurers must also document their ongoing monitoring procedures to account for model drift, that is, the tendency for a model to be less accurate over time due to changes in the environment such as societal or economic shifts. However, it is important to note that a specific regulation governing the testing procedures is not yet effective as of this writing, potentially leading to uncertainty and challenges in compliance efforts.
The regulation also addresses insurers' responsibilities when using third-party vendors for ECDIS and algorithms, emphasizing that insurers remain responsible for compliance, but third-party vendors may provide documentation and information directly to the DOI on their behalf. Insurers must, however, document the selection and oversight processes for external resources as part of their governance framework.
Lastly, it outlines the reporting obligations. Life insurers utilizing ECDIS are required to submit a narrative report to the DOI by June 1, 2024, detailing their progress toward compliance, including areas still under development, any encountered difficulties, and the anticipated completion date. Furthermore, by December 1, 2024, and annually thereafter, insurers must submit a compliance summary report addressing all the components of the risk management framework. In cases of noncompliance, a corrective action plan is required. Insurers not using ECDIS must also submit attestations, signed by an officer, confirming their nonuse of ECDIS or related algorithms and predictive models.
The draft quantitative testing regulation
As noted above, the governance regulation requires testing of models and algorithms that include ECDIS, both initially and on an ongoing basis. To that end, the DOI has promulgated a draft regulation concerning the quantitative testing of models for unfairly discriminatory outcomes.3 However, this regulation is not yet effective as it is still subject to the stakeholder engagement process.
The document prescribes a statistical testing methodology to detect unfair discrimination arising from ECDIS in approval/disapproval of applications and premium rates charged, which is as follows.
First, insurers would estimate the race or ethnicity of their insureds and applicants, using the BIFSG model, which, as noted above, yields an estimate of race or ethnicity based on the insured’s name and geolocation.4
Insurers would then build statistical models to model the outcomes of underwriting or pricing decisions. For underwriting models, where the outcome is a binary approve/disapprove decision, insurers are directed to use a logistic regression model, a method well-suited for modeling probabilities (in this case, the probability that an application would be accepted). For pricing, where the outcome is a rate charged, a linear regression, which is better suited for modeling continuous numerical outcomes, would be used.
The models are to include variables representing the races of the insureds (as estimated by the BIFSG method), as well as control variables—i.e., underwriting factors that are not ECDIS, and are included to isolate the effect of race after these factors are accounted for. The DOI has identified the following control variables that should be included when applying this procedure for life insurance policies: policy type, face amount, age, gender, and tobacco use.
The insurers would then fit these models on their historical underwriting or rate data. If the model determines that there is a statistically significant difference of more than 5% in approval rates or premium rates for any race or ethnicity, then the model is subject to further testing (using a procedure further outlined to isolate the ECDIS variables driving the difference) and remedial measures.
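The underwriting screen described above can be sketched as follows. This is an added example, not code from the DOI or the draft regulation: it fits a logistic regression of approval on one group indicator and one control variable, then flags the model when the group effect is statistically significant and exceeds 5%. Assumptions: the constructed data, a single binary group indicator standing in for the BIFSG estimate, a single binary control, the reading of "5%" as a percentage-point gap in mean predicted approval, and the 1.96 critical value.

```python
import math

def solve(A, b):
    """Solve A x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(b)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[p] = M[p], M[c]
        for r in range(n):
            if r != c:
                f = M[r][c] / M[c][c]
                M[r] = [a - f * q for a, q in zip(M[r], M[c])]
    return [M[i][n] / M[i][i] for i in range(n)]

def fit_logit(X, y, iters=25):
    """Newton-Raphson logistic regression; returns (coefficients, standard errors)."""
    k = len(X[0])
    beta = [0.0] * k
    for _ in range(iters):
        p = [1 / (1 + math.exp(-sum(b * x for b, x in zip(beta, row)))) for row in X]
        grad = [sum((yi - pi) * row[j] for row, yi, pi in zip(X, y, p)) for j in range(k)]
        info = [[sum(pi * (1 - pi) * row[a] * row[b] for row, pi in zip(X, p))
                 for b in range(k)] for a in range(k)]
        beta = [b + s for b, s in zip(beta, solve(info, grad))]
    # Standard errors: square roots of the diagonal of the inverse information matrix.
    se = [math.sqrt(solve(info, [float(i == j) for i in range(k)])[j]) for j in range(k)]
    return beta, se

def screen(rows, threshold=0.05, z_crit=1.96):
    """rows: (group, control, approved). Returns (rate_gap, z, flagged)."""
    X = [[1.0, g, c] for g, c, _ in rows]
    beta, se = fit_logit(X, [a for _, _, a in rows])
    def rate(g):  # mean predicted approval if every applicant had group value g
        return sum(1 / (1 + math.exp(-(beta[0] + beta[1] * g + beta[2] * c)))
                   for _, c, _ in rows) / len(rows)
    gap, z = rate(1) - rate(0), beta[1] / se[1]
    # Assumed reading of the threshold: significant AND gap above 5 points.
    return gap, z, abs(gap) > threshold and abs(z) > z_crit

def cells(spec):
    """Expand {(group, control): (approved, denied)} counts into rows."""
    return [(g, c, a) for (g, c), (yes, no) in spec.items()
            for a in [1] * yes + [0] * no]

# Constructed samples: approval depends on group in BIASED, only on the control in NEUTRAL.
BIASED = cells({(0, 0): (80, 20), (1, 0): (50, 50), (0, 1): (50, 50), (1, 1): (20, 80)})
NEUTRAL = cells({(0, 0): (80, 20), (1, 0): (80, 20), (0, 1): (50, 50), (1, 1): (50, 50)})
```

On the constructed samples, `screen(BIASED)` flags the model while `screen(NEUTRAL)` does not, because the control variable alone explains the difference in approval rates in the second sample.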
This draft is still subject to DOI and stakeholder review before becoming effective. Several industry groups, such as the American Academy of Actuaries (AAA), have expressed concern that the testing procedure set forth by the DOI is too prescriptive, and have called for more flexibility in testing requirements, to account for changing practices and technology. Other comments have pointed out technical issues related to this methodology, such as limitations in the regression models prescribed and their indicators of statistical significance, or have expressed concern that limiting the race estimation to the BIFSG method may preclude use of better methods in the future. Some commenters have proposed alternative methods. The final form of the testing requirements remains to be seen.
What about auto insurance?
The governance regulation and draft testing regulations described above are applicable only to life insurance. The DOI is in the process of stakeholder engagement for regulations concerning PPA, with a focus on building off the work done for life insurance. Consumer groups such as the Consumer Federation of America and the Center for Economic Justice have called for the DOI to apply the life insurance governance and risk management framework to PPA with virtually no modification.
However, several insurance industry groups, such as AAA and the American Property Casualty Insurance Association (APCIA), have expressed concern with this proposal, noting that PPA is quite different from life insurance. For one thing, PPA tends to include many "traditional" variables that might be considered ECDIS for other lines of business, such as traffic violations, garaging location, and others that have longstanding acceptance as being in accordance with nondiscriminatory rating and underwriting. Furthermore, PPA has more varied, complex coverages compared to life insurance, as it includes liability, property, medical uninsured, and other coverages rather than being a monoline coverage such as life insurance. Other commenters have noted that the property and casualty (P&C) rate filing and approval process is slow compared to life insurance, and thus the potential for further slowdowns is a concern. Commenters have also called for the DOI to coordinate the rollout of the governance and testing regulations to avoid putting in place a testing mandate without guidance.
What’s next?
While the regulations surrounding SB21-169 are yet to be finalized, it is the law of the land, and insurers will eventually be required to follow it. The governance and testing regulations the DOI has put forth thus far have given indication of where the DOI is heading with respect to the specifics of how the law will be carried out. Furthermore, several other states have proposed similar laws or regulation5 and are watching the Colorado rollout as a potential model for their own implementation of antidiscrimination laws in insurance.
Insurers would be wise to get ahead of the requirements by taking stock of their underwriting and pricing models that may involve ECDIS variables, testing them for potential unfair discrimination, and ensuring that a risk management and model governance framework is in place to maintain bias-free models in all aspects of their insurance operations. As the law’s implementation continues to unfold, it is important for insurers to stay informed and proactive in ensuring compliance and promoting fair practices for all consumers.
1 The full text of SB21-169 is available at https://leg.colorado.gov/bills/sb21-169.
2 The full text of Regulation 10-1-1 is available at https://drive.google.com/file/d/1dlPKJCDo76iHfJZDopQEhTDCmKbuYnNI.
3 DOI. Unfair Discrimination: Draft Proposed New Regulation 10-2-xx. Retrieved March 12, 2024 from https://drive.google.com/file/d/1BMFuRKbh39Q7YckPqrhrCRuWp29vJ44O/view?usp=drive_link.
4 While the BIFSG method allows for six categories, for the purpose of this regulation only the Hispanic, Black, Asian/Pacific Islander (API), and White categories are used. Furthermore, while the BIFSG model outputs probabilities (i.e., for each category, the probability of the individual being a member of that category), it is not clear whether the probabilities themselves, or the most likely category, should be used for testing (something several commenters have pointed out).
5 See, e.g., New Jersey S1402; New York Proposed Circular on the use of AI and ECDIS in Insurance Underwriting and Pricing; California Bulletin 2022-5.