On July 11, 2024, the New York Department of Financial Services (DFS) issued Insurance Circular Letter No. 7 (2024) (Letter No. 7) adopting guidance regarding the use of artificial intelligence (AI) in underwriting and pricing decisions. The guidelines require insurers to develop and implement a governance framework to manage the risks of AI, which should include oversight by the board of directors, senior management, and qualified personnel. In a press release announcing Letter No. 7, DFS Superintendent Adrienne Harris described the goal of the letter as “ensuring that the implementation of AI in insurance does not perpetuate or amplify systemic biases that have resulted in unlawful or unfair discrimination while safeguarding the stability of the marketplace.”

Summary of Letter No. 7’s Guidance and Key Compliance Takeaways

Through Letter No. 7, DFS seeks to provide guidance to Insurers authorized to write insurance in New York State, Article 43 corporations, health maintenance organizations, licensed fraternal benefit societies, and the New York State Insurance Fund (collectively, “Insurers”) pertaining to the development and management of the use of external consumer data and information sources (ECDIS), artificial intelligence systems (AIS), and other AI predictive models deployed in underwriting and pricing insurance policies and annuity contracts.

Addressing Fairness Concerns

While the use of ECIDS and AIS can be beneficial for Insurers, DFS is concerned that the use of such technologies may reinforce and exacerbate inequality andincrease the risks of inaccurate, arbitrary, capricious, or unfairly discriminatory outcomes, all of which may disproportionately affect vulnerable communities and individuals or otherwise undermine the insurance marketplace in New York. Of particular concern are the sources, accuracy, and reliability of ECDIS, especially when the source is not subject to DFS’ regulatory oversight, as well as AIS’ self-learning behavior that can reinforce and amplify disproportionate effects on vulnerable individuals and communities. Therefore, Insurers now must be able to demonstrate that ECDIS and AIS employed for underwriting and pricing are supported by generally accepted actuarial standards and should demonstrate a clear, empirical, statistically significant, rational, and not unfairly discriminatory relationship between the variables used and the relevant risk of the insured.

In order to use ECDIS or AIS in underwriting or pricing, an Insurer should establish, through a comprehensive assessment, that the underwriting and pricing guidelines derived from AI do not violate the Insurance Law. Such a comprehensive assessment should, at a minimum, contain the following three steps:

1. Assess whether the use of ECDIS or AIS produces disproportionate adverse effects in underwriting or pricing for similarly situated insureds or insureds of a protected class.
2. Assess whether there is a legitimate, lawful, and fair explanation or rationale for the differential effect on similarly situated insured.
3. Conducting and appropriately documenting a search and analysis for a less discriminatory alternative variable(s) or methodology.

Corporate Governance Impact

Pursuant to 11 NYCRR § 90.2, Insurers are required to have corporate governance frameworks that are appropriate for their nature, scale, and complexity. Such framework must provide robust oversight of the Insurer’s use of AI in the spirit of Letter No. 7. Such oversight is exercised by each Insurer’s board of directors, and the governance framework should provide clear lines of accountability relating to the use of AI and ensure senior management is adequately positioned to understand the overall impact of AI on the insurance industry. Letter No. 7 further provides that Insurers using AI should formalize their development and management of such technologies in written policies and procedures—a “living” document that should be reviewed and approved at least annually by Insurers’ governing bodies or senior management (if so delegated) to account for the rapidly developing market and conform to industry best practices.

In addition to written policies and procedures, Insurers should maintain comprehensive documentation as it relates to the use of all AI, whether developed internally or through third parties (in accordance with 11 NYCRR 243). Insurers should manage the relevant risks at every stage of the AIS life cycle, as well as in the aggregate, which can be accomplished within an existing risk management function or separately as part of an independent program. As required by 11 NYCRR § 89.16, Insurers already must have an internal audit function to provide general and specific audits, reviews, and tests necessary to protect assets, evaluate control effectiveness and efficiency, and evaluate compliance with policies and regulations. The new guidance requires that the internal audit function be appropriately tailored for any use of ECDIS and AIS.

Insurers must understand how ECDIS or AIS are used in tools provided by third-party vendors that the Insurer uses in underwriting and pricing, and have responsibility for ensuring that such tools meet all legal and regulatory requirements. Insurers should develop written standards, policies, procedures, and protocols for the acquisition, use of, or reliance upon any third-party ECDIS or AIS. Insurers should also develop procedures to remediate and eliminate incorrect information from their AIS that the Insurer has identified or has been reported to a third-party vendor.

Transparency is Key

Insurers should disclose any use of ECDIS or AIS in underwriting or pricing to potential insureds. The disclosure should include: (i) whether the insurer uses AIS in its underwriting or pricing process; (ii) whether the insurer uses data about the person obtained from external vendors (e.g., through ECDIS); and (iii) that such person has the right to request information about the specific data that resulted in the underwriting or pricing decision, including contact information for making such request. In the event of a declination, limitation, rate differential, or other adverse underwriting decision, the reason or reasons provided to the insured or potential insured should include details about all information upon which the insurer based its decision. DFS has now taken the position that the failure to adequately disclose the material elements of an AIS, and the external data sources upon which it relies (whether or not from ECDIS), to a consumer may constitute an unfair trade practice under the Insurance Law.

We’re Here to Help

Our legal team is here to assist you in navigating this evolving regulatory landscape. We can help you with:

• Impact Assessment: Assessing the impact of the new regulations on your existing ECDIS or AI systems.
• Compliance Procedures: Developing compliant procedures for ECDIS and AIS analysis.
• Governance Framework Development: Implementing a robust governance framework for ECDIS and AI oversight.
• Consumer Disclosures: Drafting clear and concise consumer disclosures regarding ECDIS or AI use in insurance decisions.

By proactively addressing these requirements, you can ensure your company remains compliant with the Letter No. 7 and any other applicable DFS requirements and minimize the risk of regulatory action. Don’t hesitate to contact us for further guidance on navigating this new era of electronic data use and AI in insurance.