On July 11, 2024, the New York Department of Financial Services (“NYDFS”) released Insurance Circular Letter No. 7, which establishes guidelines on the use of artificial intelligence systems (“AIS”) and external consumer data and information sources (“ECDIS”) in insurance underwriting and pricing (“Final Circular Letter”). The Final Circular Letter comes in the wake of a proposed circular letter on the same topic – issued in January of this year – which elicited widespread commentary (“Proposed Circular Letter”). While the text of the Final Circular Letter closely follows that of the earlier Proposed Circular Letter, there are several differences that stakeholders should be aware of, as summarized below and further detailed in Privacy, Cyber & Data Strategy Advisory: New York Department of Financial Services Issues Final Guidance to Insurers on Using AI and External Consumer Data.
The Final Circular Letter does not amend existing laws or regulations but nevertheless provides a clear signal of the ways NYDFS interprets existing laws and regulations and provides valuable insight into NYDFS’ enforcement priorities.
Scope: In addition to “insurers authorized to write insurance in New York State, licensed fraternal benefit societies, and the New York State Insurance Fund,” the Final Circular Letter adds Article 43 corporations and health maintenance organizations (collectively, “Insurers”) to the list of parties subject to NYDFS’ expectations with respect to ECDIS and AIS.
Fairness Principles: The Final Circular Letter sets out core fairness and nondiscrimination principles and processes Insurers should implement when leveraging AIS or ECDIS in underwriting or pricing processes. Like the Proposed Circular Letter, the Final Circular Letter states that Insurers should conduct “proxy assessments” to assess whether an ECDIS or the data fields contained therein, when used for underwriting or pricing, correlates to a status of any protected class that may result in unfair or unlawful discrimination. The Final Circular Letter, however, clarifies that Insurers may evaluate whether an ECDIS correlates with a protected class by using data available to them, or reasonably inferred by them, seemingly lowering the burden on Insurers by narrowing the scope of data they must consider for proxy assessments.
Step-by-Step Process for Comprehensive Assessments: In addition to requiring proxy assessments, the Final Circular Letter continues to contain requirements for Insurers to conduct “comprehensive assessments” before deploying AIS or ECDIS for underwriting or pricing. The goal of comprehensive assessments is to use testing to determine whether the AIS or ECDIS actually results in disparate or discriminatory treatment, and if so, to either remove such treatment, or to support it with a business justification and ongoing risk monitoring. The Final Circular Letter lays out a more detailed, step-by-step guide for conducting these comprehensive assessments, though the basic testing, review and approval framework remains the same as the Proposed Circular Letter.
Governance and Risk Management: The governance and risk management principles in the Final Circular Letter are materially similar to those in the Proposed Circular Letter and set forth the nature and extent of oversight and risk management required with respect to the use of AIS and ECDIS. Importantly, each Insurer’s board of directors (or similar governing body) is responsible for overseeing the use of AIS and ECDIS. This requirement is consistent with NYDFS’ emphasis on board oversight in its Second Amendment to its Cybersecurity Regulation (as discussed in further depth in our prior advisory – NYDFS Finalizes Second Amendment to Its Cybersecurity Regulation).
One notable addition is a requirement for Insurers to include the following contractual terms in their agreements with third-party vendors (where appropriate and available): (i) the right to audit the third-party vendor or receive an audit report by a qualified auditor, and (ii) an obligation that the third-party vendor cooperate with the Insurer about any regulatory inquiries and investigations related to the Insurer’s use of the third-party vendor’s products or services. While NYDFS offers helpful contractual guidance for Insurers, ultimately, Insurers are going to be responsible for compliance, even if they engage third-party vendors to leverage their AI products in insurance underwriting and pricing.
Transparency: The Final Circular Letter continues to emphasize the importance of transparent disclosures at multiple stages, including providing an upfront disclosure to the insured or potential insured regarding the use of AIS or ECDIS. Further, insureds and potential insureds have the right to request information about the specific data that was involved in making the underwriting or pricing decision. In particular, in the event of any adverse underwriting decision, Insurers should provide notice that includes “details about all information upon which the [I]nsurer based any declination, limitation, rate differential, or other adverse underwriting decision, including the source of the specific information upon which the [I]nsurer based its adverse underwriting or pricing decision.”
The Final Circular Letter does not specify an effective date, and thus Insurers should not wait to evaluate their use (or potential use) of AIS or ECDIS in underwriting and pricing.