Faegre Drinker Biddle & Reath LLP, a Delaware limited liability partnership | This website contains attorney advertising.
September 02, 2025

Colorado Division of Insurance Expands AI-Related Governance and Risk Management Obligations for Insurers

Interim compliance progress report due by December 1, 2025; Compliance with Amended Regulation (and compliance report) due by July 1, 2026

At a Glance

  • The Colorado Division of Insurance has formally adopted amended Regulation 10-1-1 (governance and risk management requirements for use of external consumer data and information sources, algorithms and predictive models), which expands the regulation’s overall reach to include private passenger auto and health benefit plan insurers.
  • Private passenger auto and health benefit plan insurers are required to submit an interim compliance progress report to the Division by December 1, 2025.
  • Compliance with the Amended Regulation is required by July 1, 2026, and a compliance report is due to the Division by that date (and annually thereafter).
  • The requirements will likely involve a significant compliance lift under a relatively brief timeline.

The Colorado Division of Insurance (the Division) has adopted Amended Regulation 10-1-1, Governance and Risk Management Framework Requirements for Life Insurers’, Private Passenger Automobile Insurers’, and Health Benefit Plan Insurers’ Use of External Consumer Data and Information Sources, Algorithms, and Predictive Models (the Amendment). The Amendment (effective October 15, 2025) expands the reach of current Regulation 10-1-1 (effective November 14, 2023), which established governance and risk management requirements for life insurers that write individual life insurance in Colorado and use external consumer data and information sources (ECDIS) — including algorithms and predictive models using ECDIS* — in their insurance practices. The comprehensive requirements will now apply to private passenger auto and health benefit plan insurers. The Division’s adoption of the Amendment stems from developments that included the release of earlier drafts, stakeholder meetings, written comments and formal rulemaking proceedings. We previously discussed the prior developments.

* Shorthand references to ‘ECDIS’ throughout the rest of this alert refer to external consumer data and information sources and algorithms and predictive models using ECDIS.

Private Passenger Auto and Health Benefit Plan Insurers Must Establish Governance and Risk Management Frameworks

The Amendment extends the reach of Regulation 10-1-1 to private passenger auto and health benefit insurers, who now face comprehensive ECDIS governance and risk management obligations. The requirements include, among other things:

  • Establishment of a risk-based governance and risk management framework to determine whether the use of ECDIS and related algorithms and predictive models in any insurance practice results in unfair discrimination with respect to race, and to remediate any unfair discrimination detected through quantitative testing.
  • Oversight of the risk management framework by an insurer’s board of directors or appropriate board committee.
  • Senior management responsibility and accountability.
  • A cross-functional governance group with representatives from key functional areas, including legal and compliance.
  • Written policies, processes and procedures — including assigned roles and responsibilities — for the design, development, testing, deployment, use and ongoing monitoring of ECDIS, and processes to ensure they are documented, tested and validated.
  • Documented processes and protocols to address consumer complaints and inquiries about the use of ECDIS, which must provide consumers with information necessary to take meaningful action in the event of an adverse decision based on the use of ECDIS.
  • An up-to-date inventory of all used ECDIS, including a detailed description of each, clearly stated purpose of each, generated outputs, material changes in the inventory and version control.
  • A description of the testing conducted to detect unfair discrimination in insurance practices resulting from the use of ECDIS, including the methodology, assumptions, and results and the steps taken to address unfairly discriminatory outcomes.
  • Ongoing monitoring of the performance of algorithms and predictive models that use ECDIS, including accounting for model drift.
  • A documented process for selecting third-party vendors that supply ECDIS.
  • A documented comprehensive annual review of the governance structure and risk management framework and necessary updates to the documentation.
  • The Amendment includes a shift from a risk “rubric” to documented policies, procedures and processes for assessing and prioritizing risks associated with deploying ECDIS. Life insurers who previously stood up governance and risk management frameworks with a risk rubric may want to evaluate their programs for potential updates.
  • The Amendment also includes a new requirement (applicable only to health benefit plan insurers) to ensure that providers working on behalf of the insurer are ultimately responsible for decisions made using ECDIS to inform decisions to modify or deny requests by a covered person for authorization prior to or concurrent with the provision of health care services.

Other Proposed Modifications and Additional Obligations Introduced in Earlier Drafts Did Not Survive

Earlier drafts of the amended regulation sought to alter existing governance and risk management requirements while also imposing additional requirements. The proposed modified and new obligations would have applied to life insurers writing individual life insurance, private passenger auto insurers and health benefit plan insurers. Proposals not ultimately adopted in the Amendment include:

  • A broadening of the unfair discrimination that the governance and risk management framework must address. The earlier proposal removed language in the current regulation that limits the framework’s scope to detecting unfair discrimination with respect to race. Had the language been removed, the regulation would have captured other forms of unfair discrimination, including on the basis of color, national or ethnic origin, religion, sex, sexual orientation, disability, gender identity, or gender expression. The Amendment retains the language limiting the applicability to race.
  • A new requirement for the governing principles. In addition to providing guidance necessary to ensure ECDIS are designed, developed, used and monitored to achieve effective oversight and management, and the use is reasonably designed to prevent unfair discrimination, the earlier proposal stated that the principles must also be designed to ensure reasonable safeguards have been implemented to prevent unfair discrimination. The Amendment does not include the proposed new requirement.
  • Additional requirements for the processes and protocols to address consumer complaints and inquiries about the use of ECDIS (beyond the meaningful action requirement discussed above), including providing consumers a clear explanation of an adverse decision and how ECDIS was used in making the decision, and the process for correcting information in the event of an adverse decision. The additional proposed requirements are not included in the Amendment.
  • A documented evaluation of ECDIS for statistical bias, statistical representativeness, data quality, data validity and appropriateness for the intended purpose, as well as the steps taken to address these data quality issues.

Compliance Timeline

The Amendment (effective October 15, 2025) establishes the following deadlines and reporting requirements:

  • Private passenger auto and health benefit plan insurers must have all components of the required governance structure and risk management framework available to the Division on request by July 1, 2026.
  • An interim progress report is due by December 1, 2025, and a compliance report is due by July 1, 2026 (and annually thereafter).

In Conclusion

The Amendment imposes significant AI-related compliance requirements on private passenger auto and health benefit insurers and a short timeframe to achieve compliance.

For More Information

For further information, you may contact the authors or Faegre Drinker’s artificial intelligence, algorithmic decision-making and big data team.

The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.
