NYDFS issues significant guidance on insurers using AI or external data
On January 17, 2024 the New York Department of Financial Services (“NYDFS”) published a Proposed Insurance Circular Letter (“Proposed Circular”) regarding the use of artificial intelligence systems (“AIS”) and external consumer data and information sources (“ECDIS”) in insurance underwriting and pricing. This Proposed Circular does not create or change any legislation, but once finalized, will reflect how NYDFS interprets existing laws and regulations as they relate to AIS and ECDIS and to clarify its expectations of the insurance industry.
Purpose and Background
The Proposed Circular, which applies to all insurers authorized to write insurance in New York State that use ECDIS or AIS, defines AIS as any “machine-based system designed to perform functions normally associated with human intelligence” that are used in connection with insurance underwriting or pricing. It defines ECDIS as data or information used to supplement traditional underwriting or pricing, as a proxy for traditional underwriting or pricing, or to establish “lifestyle indicators” that contribute to underwriting or pricing.1
The Proposed Circular acknowledges the potential benefits of AIS and ECDIS in “simplifying and expediting insurance underwriting and pricing processes,” but acknowledges that they can reflect and reinforce systemic biases and inequalities. It therefore encourages insurers who use such technologies to mitigate potential harm to consumers with a proper governance and risk management framework.
Fairness Principles
The Proposed Circular states that an insurer is obligated under existing laws to establish that its data source or model using ECDIS or AIS for underwriting or pricing would not result in, or permit unfair discrimination. The data source or model also should not use or be based on a protected class. Insurers also must ensure that vendor-supplied ECDIS or AIS complies with anti-discrimination laws, and insurers cannot rely solely on a vendor’s claim of nondiscrimination. The Proposed Circular outlines several ways to abide by these fairness principles.
- Actual Actuarial Validity. An insurer that uses ECDIS should be able to demonstrate that it is “supported by generally accepted actuarial standards of practices and are based on actual or reasonably anticipated experience.” Actual or reasonably anticipated experience includes statistical studies, predictive modeling, and risk assessments. Ensuring actuarial validity also includes the ability to demonstrate that the ECDIS does not “serve as a proxy for any protected classes that may result in unfair or unlawful discrimination.”
- Unfair and Unlawful Discrimination. An insurer should not use ECDIS or AIS in the underwriting or pricing process unless it has determined that it does not collect or use information that would constitute unlawful discrimination or unfair trade practices. This principle applies even where the insurer is not collecting the information itself, but is rather getting it from a third-party vendor. Further, an insurer should not use ECDIS or AIS unless it completes a comprehensive assessment that establishes that the underwriting or pricing guidelines are not unlawfully discriminatory.
- Analyzing for Unfair or Unlawful Discrimination. When determining if ECDIS or AIS unlawfully discriminates, an insurer should appropriately document its analysis. Further, an insurer should conduct unlawful discrimination testing on a regular basis after deploying ECDIS or AIS, and it is encouraged to employ quantitative and qualitive assessments.
Governance and Risk Management
The Proposed Circular outlines that an insurer should have a corporate governance framework, as required by 11 NYCRR § 90.2, that “provides appropriate oversight of the insurer’s use of ECDIS and AIS.” It outlines four ways to ensure compliance.
- Board and Senior Management Oversight. The Proposed Circular suggests that oversight of ECDIS and AIS can be delegated to specific board committees or members of senior management, but it should ensure that proper reporting is in place. Further, insurers should create policies and procedures related to ECDIS and AIS oversight, and all relevant operation areas should be engages in such oversight.
- Policies Procedures and Documentation: The Proposed Circular emphasizes the importance of policies, procedures, and documentation related to AIS and ECDIS. Insurers should create policies and procedures that include “clearly defined roles and responsibilities, as well as monitoring and reporting requirements to senior management,” and that include appropriate training requirements. Further, insurers should maintain comprehensive documentation for their use of AIS and should be prepared to make such documentation available to NYDFS upon request. Finally, insurers should implement a procedure to field complaints and inquiries from consumers regarding its use of AIS or ECDIS.
- Risk Management and Internal Controls. The Proposed Circular discusses that insurers “should manage the relevant risks at each stage of the AIS life cycle,” either within its already established enterprise risk management program, or through an independent program. It also states that the internal audit function that is already required under 11 NYCRR § 89.16 should include assessments of the overall effectiveness of the AIS and ECDIS risk management framework.
Third-Party Vendors
The Proposed Circular discusses the importance of oversight of any third-party vendors that utilize EDCIS or AIS. Insurers should develop written standards, policies, procedures, and protocols to facilitate such oversight. Specifically, the Proposed Circular suggests that insurers should:
- retain responsibility for understanding any tools, EDCIS, or AIS used in underwriting and pricing for insurance that were developed by third-party vendors ensuring compliance with all applicable regulations;
- develop written standards for the use of ECDIS and AIS developed by a third-party vendor;
- implement procedures for reporting any incorrect information to third-party vendors for further investigation and update as necessary; and
- develop procedures to remediate incorrect information from their AIS that the insurer has identified or has been reported to a third party.
Transparency, Notice and Consumer Redress
Existing insurance laws codify the importance of transparency in insurance underwriting and pricing. Therefore, insurers should include details about “all information upon which the insurer based any declination, limitation, rate differential, or other adverse underwriting decisions,” including specific details about ECDIS or AIS, where applicable.
For any adverse underwriting or pricing decision that was based on ECDIS or AIS, the insurer must provide a notice to the insured or potential insured that discloses: (i) whether the insurer uses AIS in its underwriting or pricing process, (ii) whether the insurer uses data about the person obtained from external vendors, and (iii) that such person has the right to request information about the specific data that resulted in the underwriting or pricing decision including contact information for making such request. Insurers should also be prepared to respond to consumer complaints and inquiries about their use of AIS and ECDIS by implementing procedures to receive and address such complaints. Insurers must maintain any records of complaints regarding AIS or ECDIS and be prepared to make such records available to the NYDFS upon request.
Enforcement
The NYDFS may audit and examine an insurer’s use of ECDIS and AIS, including within the scope of regular or targeted examinations pursuant to Insurance Law § 309 or a request for special report pursuant to Insurance Law § 308.
Feedback Request
NYDFS is accepting feedback on all aspects of the Proposed Circular through March 16, 2024. Comments should be submitted to innovation@dfs.ny.gov using the subject line “Proposed Circular on the use of AI and ECDIS in Insurance Underwriting and Pricing.”
Our Take
Insurers that utilize ECDIS or AIS in its underwriting or pricing processes have a responsibility to properly oversee these technologies. Such oversight should be implemented internally and should also be used to monitor third-party vendors that use them. While the Proposed Circular is not final (see Feedback Request above), insurers can use this time to assess their board and management structures, policies and procedures, and risk management plans to see where changes or additions should be made. Insurers are also encouraged to analyze the various Proposed Circular’s expectations with an eye towards their existing policies and procedures for use of ECDIS and AIS, in order to identify potential gaps.