The Circular Letter does not amend existing laws or regulations but is significant in several ways. First, it provides guidance on how the NYDFS interprets applicable laws and regulations; courts have historically shown some deference to NYDFS interpretations. Additionally, the Circular Letter reflects the growing emphasis on the need for robust governance and risk management measures when utilizing AIS and will likely affect the regulatory landscape on the use of AIS in the financial services sector and other industries. The Circular Letter also includes several significant clarifications to the proposed circular letter on the same topic the NYDFS published on January 17, 2024 (the “Proposed Circular Letter”), which we discussed in our previous blog post. Notably, the Circular Letter clarifies that it is applies to AIS utilization and models regardless of whether they leverage ECDIS, suggesting that the NYDFS may require insurers to follow the guidance provided in the Circular Letter even if such AIS and models only use traditional data sources expressly excluded from the definition of ECDIS (i.e., MIB Group Inc. member information exchange service, a motor vehicle report, prescription drug data or a criminal search history).
This advisory outlines the key points of the Circular Letter for insurers, while also pointing out when these points represent updates from the earlier Proposed Circular Letter.
Fairness Principle
The Circular Letter sets out core fairness principles insurers must adhere to when using ECDIS or AIS for underwriting or pricing purposes to comply with insurers’ existing obligations to avoid unfair discrimination.
Proxy assessment
ECDIS may contain an array of behavioral, demographic, transactional, or other data fields about consumers, some of which may serve as proxies for protected classifications. Insurers must evaluate whether the data provided by an ECDIS, when used for underwriting or pricing, correlates to consumers’ status within any protected classes in a manner that may result in unfair or unlawful discrimination. While the NYDFS’s earlier Proposed Circular Letter already included this proxy assessment requirement, the final Circular Letter further clarifies that:
- Insurers may use the data available to them, or that may be reasonably inferred using accepted statistical methodologies, for the proxy assessment.
- Insurers that identify proxy correlations must consider whether a legitimate business necessity requires the use of the ECDIS.
Comprehensive assessment
Insurers must conduct a comprehensive assessment to establish that their underwriting or pricing guidelines, as executed by an AIS, are not unfairly or unlawfully discriminatory. The Circular Letter expands the minimum procedures necessary for the comprehensive assessment laid out in the Proposed Circular Letter by providing the following steps:
- Step 1: An insurer must assess whether its use of ECDIS or AIS produces disproportionate adverse effects in underwriting or pricing for (1) similarly situated insureds or insureds of a protected class; or (2) for any protected class. Here again, membership in a protected class may be determined using data available to the insurer, or that may be reasonably inferred by the insurer using accepted statistical methodologies, without needing to rely on further data sources. If there is a prima facie showing of such effect, then the insurer must continue to Step 2.
- Step 2: If the insurer identifies a differential effect on similarly situated insureds resulting from the use of ECDIS or AIS, the insurer must assess whether there is a legitimate, lawful, and fair explanation or rationale for the differential effect. If there is no explanation, then the insurer must modify its use of ECDIS or AIS and restart the comprehensive assessment. If there is an explanation, then the insurer must continue to Step 3.
- Step 3: The insurer must conduct and document a search and analysis for a less discriminatory alternative variable or methodology that would reasonably meet the insurer’s legitimate business needs. If a less discriminatory alternative exists, then the insurer must adopt the alternative and restart the comprehensive assessment. If there is no alternative, then the insurer may proceed with deploying the AIS, but must conduct ongoing model risk management, and repeat this step at least annually.
Regular testing and documentation
Insurers must carry out the comprehensive assessment before putting any AIS into production, and on a regular cadence thereafter, as well as whenever material updates or changes are made to either the ECDIS or AIS. The Circular Letter also requires insurers to document – and make available to the NYDFS upon request – the processes and reasoning behind their testing methodologies and analyses for unfair or unlawful discrimination.
Governance
The Circular Letter explains how insurers’ use of ECDIS or AIS affects insurers’ existing obligations to maintain a corporate governance framework appropriate for their nature, scale, and complexity. Notably, the NYDFS left the governance measures largely unmodified from the Proposed Circular Letter. Key governance requirements include the following:
Board and senior management
An insurer’s board of directors (or other similar governing body) is responsible for overseeing the insurer’s use of ECDIS or AIS, and for ensuring the effective implementation of a governance framework. The board may delegate its duties and authorities to its committees and to the insurer’s senior management, as long as appropriate lines of reporting are in place, including through regular meetings between the board and the delegates.
The insurer’s senior management is responsible for the “day-to-day implementation” of ECDIS and AIS, including by (1) establishing adequate policies and procedures; (2) assigning competent staff; (3) overseeing the insurer’s model risk management; (4) ensuring an independent risk assessment function is consulted; (5) reviewing internal audit findings; and (6) taking prompt remedial actions.
Policies and procedures
Insurers must formalize their development and management of ECDIS and AIS through written policies and procedures that cover (1) clearly defined roles and responsibilities of relevant personnel; (2) monitoring and reporting requirements to senior management; and (3) training for relevant personnel on the responsible and lawful use of ECDIS and AIS. Insurers’ boards of directors (or their committees or senior management through delegated authority) should review and approve these policies and procedures regularly, and at least annually, to ensure their alignment with industry best practices and insurers’ use of ECDIS and AIS.
Risk management
Insurers must implement an ECDIS/AIS risk management framework, either within an existing enterprise risk management program or separately as part of an independent program. The risk management framework must address the following:
- AIS Lifecycle. Management of relevant risks, including risks from individual AIS models and in the aggregate, at each stage of the AIS lifecycle. For in-house-developed AIS models, the lifecycle may include planning, development, testing/validation, and deployment. For procured AIS models, the relevant life cycle may more closely resemble vendor risk management processes.
- Model Standards. Standards for model development, implementation, use, and validation. Since model standards may differ significantly based on the use cases a model is developed for, documentation on model standards may need to be kept at a higher level, with specific validation metrics developed on a model-by-model basis.
- Independent Review. Promotion of independent review and effective challenge to risk analysis, validation, testing, development, and other processes related to ECDIS and AIS development and risk management.
- Personnel. Appointment of competent and qualified personnel to execute and oversee the ECDIS/AIS risk management framework with clearly defined roles and responsibilities and appropriate means of accountability. We are generally seeing increased demand for AI-specific roles in larger organizations; this requirement may intensify that.
- Internal Audit. Establishment of an internal audit function to assess the overall effectiveness of the ECDIS/AIS risk management framework, taking into account financial, operational, and compliance risks.
The Circular Letter states that insurers retain responsibility for the use of any tools, ECDIS, or AIS developed or deployed by third-party vendors. Insurers must develop (1) written standards, policies, procedures, and protocols for using ECDIS or AIS developed or deployed by third-party vendors for underwriting or pricing; (2) procedures for reporting any incorrect information identified to relevant third-party vendors for further investigation and update; and (3) procedures for remediating and eliminating incorrect information identified or reported to third-party vendors.
The Circular Letter amends the Proposed Circular Letter by adding an explicit requirement for insurers to include terms in their contracts with third-party vendors that (1) provide insurers with the right to audit the vendors or receive audit reports by qualified auditing entities; and (2) require the vendors to cooperate with insurers regarding regulatory inquiries and investigations related to the vendors’ products or services.
Transparency
The Circular Letter lays out several transparency requirements, expanding on and clarifying the NYDFS’s Insurance Circular Letter No. 1 issued in 2019 that addressed life insurers’ obligations for the use of ECDIS in life insurance underwriting.
Direct notice
Any insurer that uses ECDIS or AIS must provide notice to the insured, potential insured, or medical professional designee that explains: (1) whether the insurer uses AIS in its underwriting or pricing; (2) whether the insurer uses data obtained from external vendors; (3) that the notice recipient has the right to request information about the specific data that resulted in the underwriting or pricing decision, including contact information for making such request; and (4) if there is an adverse underwriting decision, details about all information upon which the insurer based any such adverse decision, including the information’s sources. This notice must be provided to the insured before an ECDIS or AIS is used to make underwriting or pricing determinations.
Disqualification notice
If any life insurer determines that an insurance applicant will not be approved for insurance through an underwriting process utilizing ECDIS or AIS (i.e., the applicant can only obtain insurance through traditional or a non-ECDIS- or AIS-based underwriting process), then the life insurer must provide written notice to the applicant within 15 days of the decision that explains (1) the reasons the applicant does not qualify for the ECDIS- or AIS-based underwriting process; and (2) how the applicant can review the accuracy of the ECDIS that disqualified the applicant from the ECDIS- or AIS-based underwriting process, if any.
While not expressly addressed in the Circular Letter, it bears repeating that the NYDFS – along with other consumer financial services regulators – would not permit insurers to withhold reasons, or provide vague reasons that do not convey the actual basis for disqualification, due to an AIS being a “black box.” The NYDFS will continue to expect insurers to be able to derive sufficiently specific, meaningful reasons for any disqualification decision.
Marketing and advertising
If any life insurer has threshold criteria for applicants who are eligible for its ECDIS- or AIS-based underwriting process, then the life insurer must clearly and prominently disclose such criteria in writing in all relevant marketing and advertising materials.
Consumer complaints
Insurers must implement a procedure to respond to consumer complaints and inquiries about the use of ECDIS and AIS. The Circular Letter also requires insurers to maintain – and make available to the NYDFS upon request – any records of consumer complaints about ECDIS or AIS.
Implementation Date
Unlike other circular letters, this Circular Letter does not include an effective or implementation date. When asked, the NYDFS staff has not provided a deadline by which insurers must be in compliance with the guidance, nor indicated when the NYDFS will begin examining insurers regarding their use of ECDIS or AIS. Nevertheless, we recommend that insurers that want to use ECDIS or AIS in New York comply with the requirements in the Circular Letter before they deploy or start using the ECDIS or AIS. For organizations already using ECDIS or AIS systems, we suggest reviewing for gaps and beginning with remediation now, before the NYDFS makes announcements about enforcement or examination dates. Specifically, insurers should assess their current policies and procedures against the guidance to identify any potential gaps and determine what additional resources and investments may be required to operationalize a program utilizing ECDIS or AIS.
You can subscribe to future advisories and other Alston & Bird publications by completing our publications subscription form. If you have any questions, or would like additional information, please contact one of the attorneys on our Privacy, Cyber & Data Strategy Team.