Proposed Insurance Circular Letter
January 17, 2024
TO: All Insurers Authorized to Write Insurance in New York State, Licensed Fraternal Benefit Societies, and the New York State Insurance Fund
RE: Use of Artificial Intelligence Systems and External Consumer Data and Information Sources in Insurance Underwriting and Pricing
STATUTORY AND REGULATORY REFERENCES: N.Y. Ins. Law §§ 308, 309, 1501, 1503, 1604, 1702, 1717, 2303, 3221, 3425, 3426, 4224, and 4305, and Articles 24 and 26; 11 NYCRR 82; 11 NYCRR 89; 11 NYCRR 90; 11 NYCRR 243
I. Purpose and Background
- The New York State Department of Financial Services (“Department”) is committed to innovation and the responsible use of technology to improve financial access and contribute to the safety and stability of insurance markets. The Department expects that insurers use of emerging technologies such as artificial intelligence will be conducted in a manner that complies with all applicable federal and state laws, rules, and regulations.
- The use of external consumer data and information sources (“ECDIS”) and artificial intelligence systems (“AIS”) can both benefit insurers and consumers alike by simplifying and expediting insurance underwriting and pricing processes, and potentially result in more accurate underwriting and pricing of insurance. At the same time, ECDIS may reflect systemic biases and its use can reinforce and exacerbate inequality. This raises significant concerns about the potential for unfair adverse effects or discriminatory decision-making. ECDIS may also have variable accuracy and reliability and may come from entities that are not subject to regulatory oversight and consumer protections. Furthermore, the self-learning behavior of AIS increases the risks of inaccurate, arbitrary, capricious, or unfairly discriminatory outcomes that may disproportionately affect vulnerable communities and individuals or otherwise undermine the insurance marketplace in New York.
- Therefore, it is critical that insurers who utilize such technologies establish a proper governance and risk management framework to mitigate the potential harm to consumers and comply with all relevant legal obligations. The purpose of this circular letter (“Circular Letter”) is to identify DFS’s expectations that all insurers authorized to write insurance in New York State, licensed fraternal benefit societies, and the New York State Insurance Fund (collectively, “insurers”) develop and manage their use of ECDIS, artificial intelligence systems, and other predictive models in underwriting and pricing insurance policies and annuity contracts.
- For purposes of this Circular Letter, AIS means any machine-based system designed to perform functions normally associated with human intelligence, such as reasoning, learning, and self-improvement, that is used – in whole or in part – to supplement traditional medical, property or casualty underwriting or pricing, as a proxy for traditional medical, property or casualty underwriting or pricing, or to establish “lifestyle indicators” that may contribute to an underwriting or pricing assessment of an applicant for insurance coverage.
- For purposes of this Circular Letter, ECDIS includes data or information used – in whole or in part – to supplement traditional medical, property or casualty underwriting or pricing, as a proxy for traditional medical, property or casualty underwriting or pricing, or to establish “lifestyle indicators” that may contribute to an underwriting or pricing assessment of an applicant for insurance coverage. For the purposes of this Circular Letter, ECDIS does not include an MIB Group, Inc. member information exchangeservice, a motor vehicle report, or a criminal history search. An insurer conducting a criminal history search for insurance underwriting and pricing purposes must comply with Executive Law § 296(16). See e.g., Insurance Circular Letter No. 13 (2022).
- An insurer may deploy ECDIS and AIS in a variety of ways throughout the underwriting and pricing process. The Department recognizes there is no one-size-fits-all approach to managing data and decisioning systems. Therefore, insurers should take an approach to developing and managing their use of ECDIS and AIS that is reasonable and appropriate to each insurer’s business model and the overall complexity and materiality of the risks inherent in using ECDIS and AIS.
- This Circular Letter is not intended to provide an exhaustive list of potential issues that could arise from the use of ECDIS or AIS and is not intended to suggest that an insurer’s due diligence in assessing ECDIS or AIS should be limited to the concerns enumerated below. This Circular Letter also is not intended to address phases of the insurance product lifecycle other than underwriting and pricing.
- The Department may audit and examine an insurer’s use of ECDIS and AIS, including within the scope of regular or targeted examinations pursuant to New York Insurance Law (“Insurance Law”) § 309, or a request for special report pursuant to Insurance Law § 308.
II. Fairness Principles
- An insurer should not use ECDIS or AIS for underwriting or pricing purposes unless the insurer can establish that the data source or model, as applicable, does not use and is not based in any way on any class protected pursuant to Insurance Law Article 26. Moreover, an insurer should not use ECDIS or AIS for underwriting or pricing purposes if such use would result in or permit any unfair discrimination or otherwise violate the Insurance Law or any regulations promulgated thereunder.
A. Data Actuarial Validity
- As with any other variables employed in underwriting and pricing, insurers should be able to demonstrate that the ECDIS are supported by generally accepted actuarial standards of practice and are based on actual or reasonably anticipated experience, including, but not limited to, statistical studies, predictive modeling, and risk assessments. The underlying analyses should demonstrate a clear, empirical, statistically significant, rational, and not unfairly discriminatory relationship between the variables used and the relevant risk of the insured.
- Proxy Assessment. Insurers must be able to demonstrate that the ECDIS employed for underwriting and pricing are not prohibited by the Insurance Law or regulations promulgated thereunder and should be able to demonstrate that they do not serve as a proxy for any protected classes that may result in unfair or unlawful discrimination.
B. Unfair and Unlawful Discrimination
- State and federal law prohibits insurers from unlawfully discriminating against certain protected classes of individuals and from engaging in unfair discrimination, including the ability of insurers to underwrite based on certain criteria.1 An insurer should not use ECDIS or AIS in underwriting or pricing unless the insurer has determined that the ECDIS or AIS does not collect or use criteria that would constitute unfair or unlawful discrimination or an unfair trade practice.
- When using ECDIS or AIS as part of their insurance business, insurers are responsible for complying with these anti-discrimination laws irrespective of whether they themselves are collecting data and directly underwriting consumers, or relying on ECDIS or AIS of external vendors that are intended to be partial or full substitutes for direct underwriting or pricing. An insurer may not use ECDIS or AIS to collect or use information that the insurer would otherwise be prohibited from collecting or using directly. An insurer may not rely solely on a vendor’s claim of non-discrimination or a proprietary third-party process to determine compliance with anti-discrimination laws. The responsibility to comply with anti-discrimination laws remains with the insurer at all times.
- An insurer should not use ECDIS or AIS in underwriting or pricing unless the insurer can establish through a comprehensive assessment that the underwriting or pricing guidelines are not unfairly or unlawfully discriminatory in violation of the Insurance Law. A comprehensive assessment of whether an underwriting or pricing guideline derived from ECDIS or AIS unfairly discriminates between similarly situated individuals or unlawfully discriminates against a protected class should, at a minimum, include the following steps:
- assessing whether the use of ECDIS or AIS produces disproportionate adverse effects in underwriting and/or pricing on similarly situated insureds, or insureds of a protected class. If there is no prima facie showing of a disproportionate adverse effect, then the insurer may conclude its evaluation.
- if there is prima facie showing of such a disproportionate adverse effect, further assessing whether there is a legitimate, lawful, and fair explanation or rationale for the differential effect on similarly situated insureds. If no legitimate, lawful, and fair explanation or rationale can account for the differential effect on similarly situated insureds, the insurer should modify its use of such ECDIS or AIS and evaluate the modified use of ECDIS or AIS.
- if a legitimate, lawful, and fair explanation or rationale can account for the differential effect, further conducting and appropriately documenting a search and analysis for a less discriminatory alternative variable(s) or methodology that would reasonably meet the insurer’s legitimate business needs. If a less discriminatory alternative exists, the insurer should modify its use of ECDIS or AIS accordingly.
C. Analyzing for Unfair or Unlawful Discrimination
- Documentation. An insurer should appropriately document the processes and reasoning behind its testing methodologies and analysis for unfair or unlawful discrimination commensurate with the insurer’s use of ECDIS and AIS and the complexity and materiality of such ECDIS and AIS. An insurer should be prepared to make such documentation available to the Department upon request.
- Frequency of Testing. Unfair or unlawful discrimination testing, and analysis should be administered prior to putting AIS into production and on a regular cadence thereafter, as well as whenever material updates or changes are made to either the ECDIS or AIS.
- Quantitative Assessment. Insurers are encouraged to use multiple statistical metrics in evaluating data and model outputs to ensure a comprehensive understanding and assessment. Such metrics may include, among others:
- Adverse Impact Ratio: Analyzing the rates of favorable outcomes between protected classes and control groups to identify any disparities.
- Denials Odds Ratios: Computing the odds of adverse decisions for protected classes compared to control groups.
- Marginal Effects: Assessing the effect of a marginal change in a predictive variable on the likelihood of unfavorable outcomes, particularly for members of protected classes.
- Standardized Mean Differences: Measuring the difference in average outcomes between protected classes and control groups.
- Z-tests and T-tests: Conducting statistical tests to ascertain whether differences in outcomes between protected classes and control groups are statistically significant.
- Drivers of Disparity: Identifying variables in AIS that cause differences in outcomes for protected classes relative to control groups. These drivers can be quantitatively computed or estimated using various methods, such as sensitivity analysis, Shapley values, regression coefficients, or other suitable explanatory techniques.
- Qualitative Assessment. In addition to quantitative analysis, insurers’ comprehensive assessment should include a qualitative assessment of unfair or unlawful discrimination. This includes being able to explain, at all times, how the insurer’s AIS operates and to articulate the intuitive logical relationship between ECDIS and other model variables with an insured or potential insured individual’s risk.
III. Governance and Risk Management
- 11 NYCRR § 90.2 requires an insurer to have a corporate governance framework that is appropriate for the nature, scale, and complexity of the insurer.2 11 NYCRR § 90.1(c) defines “corporate governance framework” as “the structures, processes, information, and relationships used for the oversight, direction, control, and management of an insurer or system and for ensuring compliance with legal and regulatory requirements.” An insurer should have a corporate governance framework that provides appropriate oversight of the insurer’s use of ECDIS and AIS to ensure compliance with the Insurance Law and regulations promulgated thereunder.
A. Board and Senior Management Oversight
- The role of an insurer’s board of directors, or other governing body, is to provide oversight of the insurer’s activities, including providing for an effective governance framework to carry out the board’s or other governing body’s strategic vision and monitor the entity’s risk appetite.
- The board of directors, or other governing body, may delegate specific duties and authorities for overseeing an insurer’s activities, including development and management of ECDIS and AIS, to board or other governing body committees and senior management. When delegating specific duties and authorities, an insurer should ensure appropriate lines of reporting are in place, along with regular, quality reporting to meet the board’s or other governing body’s information needs. This should include all timely and relevant facts for a board or other governing body to understand the material activities and risks associated with the insurer’s use of ECDIS and AIS.
- Senior management is responsible for day-to-day implementation of the insurer’s development and management of ECDIS and AIS, consistent with the board’s or other governing body’s strategic vision and risk appetite. This includes establishing adequate policies and procedures, assigning competent staff, overseeing model risk management, ensuring effective challenge and independent risk assessment, reviewing internal audit findings, and taking prompt remedial action when necessary.
- In carrying out their duties to provide for effective implementation of the insurer’s use of ECDIS and AIS, senior management should ensure all relevant operation areas are appropriately engaged, such as through a cross-functional management committee with representatives from key function areas, including legal, compliance, risk management, product development, underwriting, actuarial, and data science, as appropriate.
B. Policies, Procedures, and Documentation
- Insurers that use ECDIS or AIS should formalize their development and management of ECDIS and AIS in written policies and procedures consistent with this Circular Letter.
- An insurer’s board of directors, or other governing body, or senior management through delegated authority, should review and approve the insurer’s ECDIS and AIS-related policies and procedures at least annually to ensure that they are kept current with changes in the insurer’s use of ECDIS and AIS and best practices in the industry.
- Policies and procedures should include clearly defined roles and responsibilities, as well as monitoring and reporting requirements to senior management.
- Policies and procedures should include training for relevant personnel on the responsible and lawful use of ECDIS and AIS, appropriately tailored to staff responsibilities. Additionally, the training program should include prompt training for new staff and a regular cadence for training thereafter, as well as accountability for completing training in a timely manner.
- Insurers should maintain comprehensive documentation for their use of all AIS, including all ECDIS relied upon for such AIS, whether developed internally or supplied by third parties consistent with 11 NYCRR 243, and be prepared to make such documentation available to the Department upon request. Such documentation may include:
- a description of the process for identifying and assessing operational, financial, and compliance risks associated with an insurer’s use of ECDIS and AIS and associated internal controls designed to mitigate such identified risks;
- an up-to-date inventory of all AIS implemented for use, under development for implementation, or recently retired;
- a description of how each AIS operates, including any ECDIS or other inputs and their sources, the purpose and products for which the AIS is designed, actual or expected usage, any restrictions on use, and any potential risks and appropriate safeguards;
- a description of the process for tracking changes of an insurer’s use of ECDIS and AIS over time, including documented explanation of any changes, associated rationale for such changes, and parties responsible for the approval of such changes;
- a description of the process for monitoring ECDIS and AIS usage and performance, including a list of any previous exceptions to policy and reporting;
- a description of testing conducted to periodically assess the output of AIS models, including drift that may result from the use of machine learning or other automated updates; and
- a description of data lifecycle management process, including ECDIS acquisition, storage, usage and sharing, archival, and destruction.
- Insurers must be prepared to respond to consumer complaints and inquiries about the use of AIS and ECDIS by implementing procedures to receive and address such complaints. Insurers must maintain any records of complaints regarding AIS or ECDIS in accordance with 11 NYCRR 243 and be prepared to make such records available to the Department upon request.
C. Risk Management and Internal Controls
- Insurers should manage the relevant risks at each stage of the AIS life cycle and should consider risk from individual AIS models and in the aggregate. Insurers may choose to manage the risks of AIS within an existing enterprise risk management function, as required by the Insurance Law, or separately as part of an independent program.3
- Insurers should include standards for model development, implementation, use, and validation, and promote independent review and effective challenge to risk analysis, validation, testing, development, and other processes related to an insurer’s ECDIS and AIS development and risk management.
- Insurers should have competent and qualified personnel to execute and oversee AIS risk management with clearly defined roles and responsibilities, and appropriate means of accountability.
- 11 NYCRR § 89.16 requires an insurer to have an internal audit function to provide general and specific audits, reviews, and tests necessary to protect assets, evaluate control effectiveness and efficiency, and evaluate compliance with policies and regulations. Insurers should ensure the internal audit function is appropriately engaged with the insurer’s use of ECDIS and AIS consistent with the financial, operational, and compliance risk. Such auditing should assess the overall effectiveness of the AIS and ECDIS risk management framework, which may include:
- verifying that acceptable policies and procedures are in place and are appropriately adhered to;
- verifying records of AIS use and validation to test whether validations are performed in a timely manner and AIS models are subject to controls that appropriately account for any weaknesses in validation activities;
- assessing the accuracy and completeness of AIS documentation and adherence to documentation standards, including risk reporting;
- evaluating the processes for establishing and monitoring internal controls, such as limits on AIS usage;
- assessing supporting operational systems and evaluating the accuracy, reliability, and integrity of ECDIS and other data used by AIS;
- assessing potential biases in the ECDIS or other data that may result in unfair or unlawful discrimination against insureds or potential insureds; and
- assessing whether there is sufficient reporting to the board or other governing body and senior management to evaluate whether management is operating within the insurer’s risk appetite and limits for model risk.
D. Third-Party Vendors
- Insurers retain responsibility for understanding any tools, EDCIS, or AIS used in underwriting and pricing for insurance that were developed or deployed by third-party vendors and ensuring such tools, EDCIS, or AIS comply with all applicable laws, rules, and regulations.
- To ensure appropriate oversight of third-party vendors, insurers should develop written standards, policies, procedures, and protocols for the acquisition, use of, or reliance on ECDIS and AIS developed or deployed by a third-party vendor. Additionally, insurers should put in place procedures for reporting any incorrect information to third-party vendors for further investigation and update, as necessary. Further, insurers should develop procedures to remediate and eliminate incorrect information from their AIS that the insurer has identified or has been reported to a third-party.
E. Disclosure and Notice
- As discussed in Circular Letter No. 1 (2019), transparency is an important consideration in the use of ECDIS to underwrite and price insurance. Insurance Law sections 3425 and 3426 provide that non-commercial and certain commercial property and casualty policies may not be cancelled, nonrenewed, or conditionally renewed unless the specific ground or reason is provided in writing to the insured. Additionally, Insurance Law sections 4224(a)(2) and (b)(2) provide that no life or accident and health insurer doing business in this state shall refuse to insure, refuse to continue to insure, or limit the amount, extent, or kind of coverage available to an individual, or charge a different rate for the same coverage solely because of the physical or mental disability, impairment or disease, or prior history thereof, of the insured or potential insured, except where the refusal, limitation, or rate differential is permitted by law or regulation and is based on sound actuarial principles or is related to actual or reasonably anticipated experience, in which case the insurer must notify the insured or potential insured of the right to receive, or to designate a medical professional to receive, the specific reason or reasons for such refusal, limitation, or rate differential. Further, the failure to adequately disclose to the insured or potential insured any other specific reason or reasons for refusal, limitation, or rate differential may be deemed to be an unfair or deceptive act and practice in the conduct of the business of insurance and may be deemed to be a trade practice constituting a determined violation, as defined in Insurance Law section 2402(c), and in such case may be a violation of Insurance Law section 2403.
- Where an insurer is using ECDIS or AIS, the reason or reasons provided to the insured or potential insured, or a medical professional designee, should include details about all information upon which the insurer based any declination, limitation, rate differential, or other adverse underwriting decision, including the specific source of the information upon which the insurer based its adverse underwriting or pricing decision.
- The notice should disclose to the insured or potential insured, or a medical professional designee, (i) whether the insurer uses AIS in its underwriting or pricing process, (ii) whether the insurer uses data about the person obtained from external vendors, and (iii) that such person has the right to request information about the specific data that resulted in the underwriting or pricing decision, including contact information for making such request.
- An insurer may not rely on the proprietary nature of a third-party vendor’s algorithmic processes to justify the lack of specificity related to an adverse underwriting or pricing action.
- The failure to adequately disclose the material elements of an AIS, and the external data sources upon which it relies, to a consumer may constitute an unfair trade practice under Insurance Law Article 24.
F. Clarification of Insurance Circular Letter No. 1 (2019)
- The Department has received requests from life insurers to clarify the statement in the consumer disclosure/transparency section of Circular Letter No. 1 (2019) that states that [a]n adverse underwriting decision would include the inability of the applicant to utilize an expedited, accelerated, or algorithmic underwriting process in lieu of traditional medical underwriting.” This language only addresses disclosure. It does not address any other implications of an adverse underwriting decision.
- Except as discussed in paragraph 43 below, any objective threshold criteria for using the accelerated process (e.g., only available for certain ages or coverage amounts) should be disclosed prior to application. Failure to disclose such criteria at the outset could raise concerns about misleading advertising or unfair trade practices (e.g., promises of an accelerated underwriting opportunity for which the consumer could never qualify; promises of an accelerated underwriting opportunity for which very few, if any, consumers would qualify). Where the applicant is being rejected from the process because the applicant does not meet objective threshold criteria to use the process, the applicant should be told which objective criteria were not met.
- It is common for insurers to set different levels of underwriting review based on objective criteria, such as age or the amount of coverage requested. These are often internal proprietary guidelines and applicants are not made aware of the existence of these internal standards. The language in Circular Letter No. 1 (2019) does not require that the applicant be given disclosure about internal underwriting guidelines where the applicant was never aware of the existence of these internal standards and therefore had no expectation that they would undergo anything other than full traditional underwriting.
- Except as discussed in paragraph 43 above, if the accelerated process determines that an applicant will not be approved for insurance under the accelerated process and can only obtain insurance by submitting to the traditional underwriting process, the applicant has the right to know why. As noted in Circular Letter No. 1 (2019), the accuracy and reliability of external data sources can vary greatly, and many external data sources are entities that are not subject to regulatory oversight and consumer protections. If an applicant will not be approved for insurance under the accelerated process based on data that is incorrect, the applicant needs a mechanism for identifying the incorrect data. The insurer must provide a notice to the applicant, where required by Insurance Law § 4224(a)(2) as discussed above, that the applicant has the right to receive, or designate a medical professional to receive, the details relating to the reasons for that decision. The insurer should include in the notice contact information for the applicant to exercise this right. This notice needs to be provided at the time the applicant is notified that the application cannot be processed under the accelerated process.
- The notice should disclose to the applicant that the insurer’s accelerated underwriting process uses data about the applicant obtained from external vendors, that the applicant has the right to request information about the specific data that resulted in the applicant not qualifying for the accelerated process and contact information for making such request. It is permissible for an insurer to also provide the reason in the initial notice.
- In some instances, an insurer may need additional information or clarification from the applicant about a specific data item obtained from a data vendor during the accelerated process in order to process the application under the accelerated process but would not otherwise be moving the applicant to full traditional underwriting. Such limited request would not trigger the notice requirement. If after obtaining the additional information or clarification it is determined that the applicant must go through the full traditional underwriting process, then, at that point, the notice requirement would be triggered.
- In some instances, an applicant may be randomly moved to the traditional underwriting process for purposes of testing the results of the accelerated process against the results of the traditional process. In such as case, the disclosure should not give the impression that removal from the process was due to the applicant’s medical or other underwriting criteria.
V. Feedback Request
The Department is requesting feedback on all aspects of this Circular Letter. Interested parties are encouraged to provide feedback on the proposed guidance by March 17, 2024. Comments should be submitted to [email protected]. Please use “Proposed Circular on the use of AI and ECDIS in Insurance Underwriting and Pricing” in the subject line. Comments may be subject to public inspection and should not include any sensitive or confidential information. The Department looks forward to reviewing and considering feedback on this proposed Circular Letter.
1 E.g., Insurance Law Article 26 and §§ 4224(a)–(b), 3221(q)(3) and 4305(k)(3), Executive Law, General Business Law, and federal Civil Rights Act. See also Insurance Law § 2303 prohibiting unfairly discriminatory rates for property and casualty insurance coverage.
2 Section 90.2 permits an insurer to satisfy this section if it is a member of a system and the system has a corporate governance framework.
3 See Insurance Law §§ 1501, 1503(b), 1604(b), 1702, 1717(b). See also 11 NYCRR § 82.