Simplify compliance with Colorado 10-1-1
Colorado is leading the effort for state-level regulation of AI, starting with life insurance and expanding to other categories.
What is Colorado Regulation 10-1-1?
In September 2023, the Colorado Division of Insurance (CO DOI) adopted risk management requirements to prevent algorithmic discrimination by life insurance providers. Under the final regulation, life insurance providers that use external consumer data and information sources (ECDIS) as a component of the life insurance process (e.g., setting policy premiums or reviewing claims) must set up a risk management program to ensure that use of ECDIS does not result in unfair discrimination. Life insurance providers must also submit reports to the CO DOI on their compliance with the regulation.
Key Requirements of Colorado Regulation 10-1-1
ECDIS could cover an array of “non-traditional underwriting factors,” which means life insurers must be aware of what data they use to make life insurance decisions.
Taking AI Inventory
Life insurance providers are required to take inventory of their AI use cases as they pertain to ECDIS.
Risk Management Policies & Procedures
Life insurers must create and maintain, in perpetuity, a risk management framework to oversee and govern the use of any ECDIS.
Life insurers must submit an annual report with a narrative summary of their risk management practices surrounding ECDIS.
A board-level committee must oversee risk management functions, and an internal cross-functional oversight team must be established.
Third Party Oversight
Life insurance providers that use third-party vendors must ensure those vendors comply with the regulation’s AI governance and risk management requirements.
Navigate Colorado 10-1-1 with Trustible
RISK & IMPACT ASSESSMENTS
Identify, manage, measure, and mitigate potential risks or harms in your AI systems.
Centralize your AI documentation in a single source of truth.
Seamlessly generate reports with your narrative summaries and oversight requirements.
When do I need to begin complying with the regulation?
The regulation took effect on November 14, 2023. The first report is due to the CO DOI in June 2024, which requires life insurers to disclose their progress in adopting the regulation. Subsequently, starting in December 2024 and every year after, life insurance providers must submit an annual report to the CO DOI with a narrative summary of their risk management practices surrounding ECDIS.
Will only life insurance providers be subject to regulations?
The regulation was adopted pursuant to the requirements of SB 21-169, which directed the CO DOI to adopt risk management requirements that prevent algorithmic discrimination in the insurance industry. Life insurance providers were the first sector of the insurance industry to be regulated under the law, and the CO DOI is currently beginning a rule-making proceeding for auto insurers.
How does the regulation define ECDIS?
ECDIS is defined as “a data or an information source that is used by a life insurer to supplement or supplant traditional underwriting factors or other insurance practices or to establish lifestyle indicators that are used in insurance practices.” The definition of ECDIS does not explicitly state what qualifies as ECDIS, but does provide a non-exhaustive list of ECDIS examples and excludes “traditional underwriting factors.”
How do I know if my vendors are in compliance with the regulation?
Communication with vendors is key to understanding what types of AI governance structures they have adopted. For existing relationships, organizations should review contractual language to determine if it requires AI governance policies and procedures. For new relationships, consider how your due diligence process should cover key AI governance features. For more thoughts on working with vendors to address AI risks, read our blog post “Navigating AI Vendor Risk: 10 Questions for your Vendor Due Diligence Process.”