On July 11, 2024, the New York State Department of Financial Services (NYSDFS) adopted a final circular about the "Use of Artificial Intelligence ("AI") Systems and External Consumer Data and Information Sources in Insurance Underwriting and Pricing" (the "Circular").

This Circular was issued as guidance to the insurance industry and imposes significant obligations on insurers using artificial intelligence systems ("AIS" or "AI systems") or external consumer data and information sources ("ECDIS") for underwriting and pricing. The Circular signals NYSDFS’ enforcement priorities.

Who Does the Circular Apply to?

The Circular applies to ECDIS, AIS, and other predictive models used in connection with the underwriting and pricing of insurance policies and annuity contracts issued by:

• Insurers that are authorized to write insurance in New York;
• Article 43 corporations;
• Health maintenance organizations (HMOs);
• Licensed fraternal benefit societies (FBSs); and the
• New York Insurance Fund.

Why Was the Circular Issued?

NYSDFS appreciates that ECDIS and AIS can benefit insurers and consumers by simplifying and expediting insurance underwriting and pricing processes. However, NYSDFS expressed concern about the potential for unfair adverse effects or discriminatory decision-making from the use of ECDIS and AIS, including the use of third-party vendors.

They are particularly worried about the manner in which ECDIS and AIS could disproportionately affect vulnerable communities and individuals or otherwise undermine the insurance marketplace in New York.

What Systems Does this Circular Apply to?

AIS is defined in the Circular as "any machine-based system designed to perform functions normally associated with human intelligence, such as reasoning, learning, and self-improvement, that is used–in whole or in part–to supplement traditional health, life, property or casualty underwriting or pricing, as a proxy for traditional health, life, property or casualty underwriting or pricing, or to identify 'lifestyle indicators' that may contribute to an underwriting or pricing assessment of an applicant for insurance coverage."

ECDIS is defined in the Circular as "data or information used–in whole or in part–to supplement traditional medical, property or casualty underwriting or pricing, as a proxy for traditional medical, property or casualty underwriting or pricing, or to identify ‘lifestyle indicators’ that may contribute to an underwriting or pricing assessment of an applicant for insurance coverage. ECDIS does not include an MIB Group, Inc. member information exchange services, motor vehicle reports, prescription drug data, or criminal history searches."

How Can Subject Companies Comply?

1. Maintain Existing Practices

Companies can comply primarily by using ECDIS and AIS in compliance with all local, state and federal laws. An insurer should have processes already in place to use ECDIS or AIS in underwriting or pricing unless the insurer has determined that the ECDIS or AIS does not collect or use criteria that would constitute unfair or unlawful discrimination or an unfair trade practice.

2. Establish a Corporate Governance Framework

Insurers are required to establish a corporate governance framework that is appropriate for the nature, scale, and complexity of the insurer, ensuring compliance with legal and regulatory requirements.

This governance requires establishing adequate formal written policies and procedures, assigning competent staff, overseeing model risk management, ensuring effective challenge and independent risk assessment, reviewing audit findings, instituting AI training, and taking prompt remedial action when necessary.

3. Have Board and Senior Management Oversight

As part of this corporate governance framework, insurers are required to have board oversight and senior management responsible for ECDIS and AIS systems. Senior management is responsible for the day-to-day implementation of the insurer’s development and management of ECDIS and AIS, consistent with the strategic vision and risk analysis of the board or other governing body.

4. Implement Adequate Written Assessments, Documentation, and Testing of ECDIS and AIS

An insurer should not use ECDIS or AIS in underwriting or pricing unless they can establish through a comprehensive assessment, documentation, and testing that the underwriting or pricing guidelines are not unfairly or unlawfully discriminatory in violation of the NYS Insurance Law.

5. Implement a Third-Party Vendor Review Program

Insurers retain responsibility for understanding any tools, ECDIS, or AIS used in underwriting and pricing for insurance that were developed or deployed by third-party vendors. They must also ensure such tools, ECDIS, or AIS comply with all applicable laws, rules, and regulations, including discrimination.

To reduce third-party risk and ensure appropriate oversight of third-party vendors, insurers should develop:

(i) written standards, policies, procedures, and protocols for the acquisition, use of, or reliance on ECDIS and AIS developed or deployed by a third-party vendor for pricing or underwriting; and

(ii) include applicable AI terms in their vendor contracts.

6. Be Transparent with Customers

Where an insurer is using ECDIS or AIS, the notice to the insured or potential insured, or medical professional designee should disclose:

(i) whether the insurer uses AIS in its underwriting or pricing process;

(ii) whether the insurer uses data about the person obtained from external vendors; and

(iii) that such person has the right to request information about the specific data that resulted in the underwriting or pricing decision, including contact information for making such request.

A failure to make these disclosures may constitute an unfair trade practice, according to the NYSDFS.

Other State Actions

Insurers must comply with other AI-applicable legal requirements, which may vary by state. The NYSDFS circular follows the Colorado Division of Insurance release of its Algorithm and Predictive Model Governance Regulation (AI regulation) governing life insurance; the California Insurance Commissioner’s Bulletin 2022-5 on Allegations of Racial and Unfair Discrimination in Marketing, Rating, Underwriting and Claims Practice by the Insurance Industry; and the Texas Department of Insurance Commissioner’s Bulletin #B-0036-20 entitled "Insurer’s use of third-party data."

An additional fifteen states have adopted the NAIC Model Bulletin entitled "Use of Artificial Intelligence Systems by Insurers," issued in December 2023. This means insurers regulated by these states must comply with the terms of the model bulletin under the state’s authority to prevent unfair trade practices as to its own developed models and third-party models.

The requirements of the model bulletin require:

• minimally instituting a robust, written AI governance structure documenting the use of AI systems through the insurance life cycle from product development through implementation to claim administration;
• ongoing monitoring and updating;
• ensuring that there are no discriminatory, excessive, or inadequate insurance rates through the use of AI and machine learning;
• adopting controls to mitigate AI risk of adverse consumer outcomes; and
• developing testing and verification of AI models.

The Bulletin asserts that third-party AI system use will also be investigated. Insurers are required to complete due diligence on providers and have comprehensive contracts in place regarding data security, data usage, data sourcing, auditing, and testing.

Enforcement

Insurers should expect that regulators may ask them to demonstrate compliance with the above requirements through any regulatory audit, investigation, examination, or enforcement action.