Colorado SB21-169

Protecting Consumers from Unfair Discrimination in Insurance Practices

Like in many other sectors, personal data and algorithms are increasingly being used by insurers in their underwriting, claims, and rating practices. Whilst these advances can bring benefits, concerns have been raised about the quality of information sources and the rationale for using algorithms without appropriate safeguards, particularly as insurance practices are high-risk and minority groups could be especially vulnerable to discrimination. This has resulted in widespread attention from policymakers and the introduction of various pieces of legislation to tackle this issue, including Colorado SB21-169.

What is Colorado SB21-169?

SB 21-169 aims to protect Colorado consumers from insurance practices that result in being unfairly discriminated on the basis of race, colour, national or ethnic origin, religion, sex, sexual orientation, disability, gender identity, or gender expression.

In particular, SB 21-169 21-169 restricts insurers’ use of external consumer information and data sources (ECIDS) - such as credit scores, social media habits, locations, purchasing habits, home ownership, educational attainment, occupation, licensures, civil judgments, and court records - as well as algorithms and predictive models using ECIDS.

What is the History of SB 21-169?

Colorado SB 21-169 was first introduced on 2 March 2021 and passed on 23 June 2021, before being adopted on 6 July 2021. The law was effective from 1 January 2023, but the rule development process for the first line of insurance, life insurance, kicked off a year earlier in February 2022. The process for auto insurance is underway and the first steps for health insurance started at the end of February 2024

Colorado SB 21 169

What Does Colorado SB 21-169 Require?

Although the law requires specific rules to be developed for different types of insurance practices and different types of insurance, in general, insurers are required to test their systems, demonstrate to the Division of Insurance (Division) how testing is conducted, and take corrective action if needed. Specific actions include:

  • Outline the type of external customer data and information sources used by their algorithms and predictive models.
  • Provide an explanation of how the external consumer data and information sources, and algorithms and predictive models are used.
  • Establish and maintain a risk management framework designed to determine whether the data or models unfairly discriminate.
  • Provide an assessment of the results of the risk management framework and ongoing monitoring.
  • Provide an attestation by one or more officers that the risk management framework has been implemented.

Who Does SB 21-169 Apply To?

The law applies to almost all insurance companies in Colorado, where those that do not use ECIDS, algorithms, or predictive models may be required to declare as such. Insurance practices subject to this law are marketing, underwriting, pricing, utilization management, reimbursement methodologies, and claims management.

However, SB 21-169 exempts title insurance, bonds covered by surety companies, and commercial insurance policies (with the exception of business owners’ policies or commercial general liability policies with annual premiums below $10,000).

What is the Role of the Commissioner of Insurance Under SB 21-169?

The Commissioner of Insurance (Commissioner) is required to consult with stakeholders to develop rules for specific insurance types and insurance practices. The stakeholder engagement process is underway for Life Insurance (LI) Underwriting and Private Passenger Auto (PPA) Insurance Underwriting, and the first stakeholder session for Health Insurance will take place on 29 February 2024.

Any material shared by insurers with the Commissioner pursuant to these rules is deemed to be proprietary. While the Commissioner is mandated to investigate insurers’ use of ECIDS and utilize this material as part of their investigations, they are not permitted to make this public without prior written consent and may only make data publicly available in an aggregated or de-identified format. The rules adopted by the Commissioner must also establish a reasonable time frame for insurers to remedy any unfairly discriminatory impact, as well as insurers’ ability to use ECIDS that have previously been evaluated by the Division and not found to be discriminatory.

Until 1 July 2025, the Division is also required to submit to the Colorado Legislative Committees of Reference a report containing:

  • Information about the rules adopted.
  • Information about changes in insurance rates as a result of the rules adopted, if any.
  • A summary of the stakeholder engagement process.
  • Any data sources discussed during stakeholder engagement sessions.

Are Bias Audits Required Under SB 21-169?

Under the proposed quantitative testing regulation for life insurers, analysis must be conducted to determine if there are statistically significant differences in approval and premium rates based on race/ethnicity.

This involves logistic and linear regressions using cumulative data collected until December 31 of the previous year. Race/ethnicity is inferred from surname and address using RAND’s BIFSG tool due to limited self-reported data.

If differences exceed 5 percentage points within each race/ethnicity category, further testing is required. This includes comparing coefficients in regression models with and without dummy variables for race/ethnicity to identify discriminatory factors.

Insurers must then implement risk management measures to address discrimination and conduct additional testing to verify effectiveness of mitigation. In particular, the report must contain information about:

  • The number of applications included in the dataset and the number of applications received overall since the data source, algorithms, and predictive models were adopted
  • The total number of policies included in the dataset and number of policies issued since the data source, algorithm, and predictive models were adopted
  • The basis for any applications not included in the dataset
  • The percentage of each estimated race/ethnicity
  • Factors used as control variables
  • Differences in approval rates per group
  • Average premium rate per $1000 per race/ethnicity group
  • Name and version of each algorithm/predictive model tested
  • All external consumer data and information sources and traditional factors included in investigative testing
  • Results of the regression analysis including coefficients and any differences discovered during investigative testing
  • If required, a description of mitigation steps taken, their timing, and subsequent testing carried out

How is SB 21-169 Being Enforced?

Although SB 21-169 does not outline specific penalties for non-complicate, sanctions relevant to insurance under the Colorado Revised Statutes can be issued. These include civil penalties, cease and desist orders, and suspensions or revocations of license.

Are There Any Other Laws Similar to SB 21-169?

New York introduced Assembly Bill 8369 (A08369) on 13 December 13 2023 with an almost identical text to the Colorado law, with the exception of swapping out minor details such as “Commissioner of Insurance” with the “superintendent [of financial services],” for example. The role of the superintendent is the same as that of the Commissioner, except that while the reporting obligation of the Commissioner to the Colorado General Assembly ends in 2025, the superintendent is required to make annual reports to the New York Governor, Senate, and Assembly. The exceptions SB 21-169 make apply to A08369 as well.

Insurtech is Being Increasingly Regulated

For candidates, this notice can be provided through the employment section of the website in a clear and conspicuous manner, in a job posting, or through mail or e-mail. For employees, notice can be given in a written policy or procedure, in a job posting, or via mail or e-mail.

Insurance is increasingly being targeted by lawmakers around the world, with several laws aiming to specifically regulate the use of AI and algorithms in insurance. Indeed, AI systems used to make or influence decisions about eligibility for health and life insurance will likely be considered high-risk under the final version of the EU AI Act.

Getting prepared early is the best way to stay compliant and gain a competitive edge. Schedule a demo with our experts to find out how Holistic AI can help you get ahead of the regulation wave.

DISCLAIMER:This blog article is for informational purposes only. This blog article is not intended to, and does not, provide legal advice or a legal opinion. It is not a do-it-yourself guide to resolving legal issues or handling litigation. This blog article is not a substitute for experienced legal counsel and does not provide legal advice regarding any situation or employer.

By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.