May 06, 2025

Colorado Division of Insurance Takes Next Steps to Expand AI-Related Governance and Risk Management Obligations for Insurers

Stakeholders’ Meeting on June 2; Written Comments Due by June 5, 2025

At a Glance

  • The Colorado Division of Insurance has commenced formal rulemaking to amend Regulation 10-1-1 (governance and risk management requirements for use of external consumer data and information sources, algorithms and predictive models). 
  • The proposed amendment expands the regulation’s overall reach to private passenger auto and health benefit plan insurers while modifying and adding requirements that will also impact life insurers writing individual life insurance. 
  • Interested parties have an opportunity to participate in a stakeholders’ meeting on June 2, 2025, and may submit written comments until June 5.
  • The requirements will likely involve a significant compliance lift under a relatively brief timeline.

The complex and evolving AI regulatory landscape for insurers is again on the move. The Colorado Division of Insurance (the Division) has commenced the formal rulemaking process to amend and expand the reach of current Regulation 10-1-1 (effective November 14, 2023), which established governance and risk management requirements for life insurers that write individual life insurance in Colorado and use external consumer data and information sources (ECDIS), including algorithms and predictive models using ECDIS, in their insurance practices.

On April 22, 2025, the Division released draft proposed amended Regulation 10-1-1, Governance and Risk Management Framework Requirements for Life Insurers’, Private Passenger Automobile Insurers’, and Health Benefit Plan Insurers’ Use of External Consumer Data and Information Sources, Algorithms, and Predictive Models (the Proposed Amendment). (This follows the Division’s release of an earlier draft and receipt of written comments from interested parties, both in December 2024.) If adopted, the Proposed Amendment will revise existing ECDIS governance and risk management requirements applicable to life insurers and expand the reach of the obligations to private passenger auto and health benefit plan insurers.

The Division has scheduled a virtual permanent rulemaking hearing on June 2, 2025, at 11:00 a.m. MDT. Interested parties can register for the hearing and present comments orally on the Proposed Amendment. Written comments may also be submitted to the Division by email until June 5, 2025, at 5 p.m. MDT. 

Private Passenger Auto and Health Benefit Plan Insurers Must Establish Governance and Risk Management Frameworks 

The Proposed Amendment extends the reach of Regulation 10-1-1 to auto and health benefit insurers, which will face comprehensive ECDIS governance and risk management obligations. The requirements include, among other things:

  • Establishing a risk-based governance and risk management framework for determining whether the use of ECDIS and related algorithms and predictive models in any insurance practice results in unfair discrimination.
  • Oversight of the risk management framework by an insurer’s board of directors or appropriate board committee.
  • Senior management responsibility and accountability.
  • A cross-functional governance group with representatives from key functional areas, including legal and compliance.
  • Written policies, processes and procedures, including assigned roles and responsibilities, for the design, development, testing, deployment, use and ongoing monitoring of ECDIS (and algorithms and predictive models using ECDIS), and processes to ensure they are documented, tested and validated.
  • An up-to-date inventory of all used ECDIS (and algorithms and predictive models using ECDIS), including a detailed description of each, clearly stated purpose of each, generated outputs, material changes in the inventory and version control.
  • A description of the testing conducted to detect unfair discrimination in insurance practices resulting from the use of ECDIS, including the methodology, assumptions, and results and the steps taken to address unfairly discriminatory outcomes.
  • Ongoing monitoring of the performance of algorithms and predictive models that use ECDIS, including accounting for model drift.
  • A documented process for selecting third-party vendors that supply ECDIS (including algorithms and predictive models using ECDIS).
  • A documented comprehensive annual review of the governance structure and risk management framework and necessary updates to the documentation. 

Modifications and Additional Obligations Applicable to Life, Private Passenger Auto and Health Benefit Plan Insurers 

The Proposed Amendment alters existing governance and risk management requirements while also imposing additional requirements. The modified and new obligations will apply to life insurers writing individual life insurance, private passenger auto insurers and health benefit plan insurers, and include: 

  • A broadening of the unfair discrimination that the governance and risk management framework must address: The Proposed Amendment removes language limiting the framework’s scope to detecting unfair discrimination with respect to race, and therefore captures other forms of unfair discrimination, including on the basis of color, national or ethnic origin, religion, sex, sexual orientation, disability, gender identity or gender expression. (Note that this broadening would apply only in the governance context; the Division has not signaled a similar approach in the testing context.)
  • A new requirement for the governing principles: In addition to providing guidance necessary to ensure ECDIS (and algorithms and predictive models using ECDIS) are designed, developed, used and monitored to achieve effective oversight and management, and the use is reasonably designed to prevent unfair discrimination, the principles must also be designed to ensure reasonable safeguards have been implemented to prevent unfair discrimination.
  • Additional requirements for the processes to address consumer complaints and inquiries about the use of ECDIS, which include providing consumers a clear explanation of an adverse decision and how ECDIS (or an algorithm or predictive model using ECDIS) was used in making the decision, and the process for correcting information in the event of an adverse decision.
  • A shift from a risk “rubric” to documented policies, procedures and processes for assessing and prioritizing risks associated with deploying ECDIS (and algorithms and predictive models using ECDIS). 
  • A documented evaluation of ECDIS for statistical bias, statistical representativeness, data quality, data validity and appropriateness for the intended purpose, as well as the steps taken to address these data quality issues.
  • A new requirement (applicable only to health benefit plan insurers) to ensure that providers working on behalf of the insurer are ultimately responsible for decisions made using ECDIS (and algorithms and predictive models using ECDIS) to inform decisions to approve, modify or deny requests by a covered person for authorization prior to or concurrent with the provision of health care services.

Compliance Timeline 

The Proposed Amendment establishes the following deadlines and reporting requirements:

  • Private passenger auto and health benefit plan insurers must have all components of the required governance structure and risk management framework available to the Division on request by December 1, 2025. An interim progress report is due by September 1, 2025, and a compliance report is due by December 1, 2025 (and annually thereafter).
  • The Proposed Amendment does not specify a deadline for life insurers to complete any necessary changes to an existing governance structure and risk management framework. It also does not impose any obligation for life insurers to submit a new interim progress report.

In Conclusion

If adopted, the Proposed Amendment will impose significant compliance requirements for private passenger auto and health benefit insurers and a short timeframe to achieve compliance. Life insurers subject to the Regulation will also need to evaluate their programs for potential updates. 

For More Information

For further information, you may contact the authors or Faegre Drinker’s artificial intelligence, algorithmic decision-making and big data team.
