Colorado SB21-169: 8 Things You Need To Know About Colorado’s New AI Insurance Regulation

Learn about Colorado's groundbreaking legislation, SB 21-169, aimed at preventing unfair discrimination in insurance practices.

January 11, 2024
Author(s): Ehrik Aldana, Lucía Gamboa
Contributor(s): Evi Fuelle

By December 1, 2024, all life insurers authorized to do business in the state of Colorado that use external consumer data and information sources (ECDIS), as well as algorithms and predictive models relying on ECDIS, must be prepared to prove that they are not using either in a manner that leads to “unfair discrimination” against customers based on protected characteristics. Moreover, those same organizations must report their progress toward this goal to the Colorado Division of Insurance as soon as June 1, 2024.

Specifically, life insurers (and eventually other lines of insurance) must submit to the Division a narrative report summarizing the progress made towards complying with the requirements specified in subsequent regulation, including identifying the areas still under development, any difficulties encountered, and expected completion date.

So, how did Colorado arrive at this action to ensure transparency and accountability for insurance enterprises using ECDIS and AI, and what does it all mean? 

Colorado made a bold move back on July 6th, 2021 to prevent unfair discrimination in insurance practices by passing Senate Bill (SB) 21-169. SB 21-169 is a landmark piece of legislation that sets an important precedent for the responsible use of algorithms and predictive models in the insurance industry.

Adherence to this law and subsequent rulemaking will require careful change management and strategic planning. Nevertheless, Credo AI's Responsible AI Governance Platform simplifies the compliance process and helps insurers implement a robust governance and risk management framework. But first, let’s get started by answering the eight most frequently asked questions: 

1. What is Colorado SB 21-169?

On July 6th, 2021, the Governor of Colorado signed Senate Bill 21-169 into law, prohibiting insurance companies from using external consumer data and information sources (ECDIS), as well as algorithms and predictive models relying on ECDIS, in a manner that leads to “unfair discrimination” of customers based on protected characteristics that include race, color, national or ethnic origin, religion, sex, sexual orientation, disability, gender identity, or gender expression. 

SB 21-169 directed the Insurance Commissioner to adopt additional governance, reporting, and testing regulations as soon as January 2023. Prior to the adoption of rules for any type of insurance and insurance practice (such as life or auto insurance), the Division of Insurance (DOI) has engaged in a stakeholder process with carriers, producers, consumer representatives, and other interested parties.

2. What constitutes External Consumer Data and Information Sources (ECDIS)?

The law defines "External Consumer Data and Information Sources" (ECDIS) as data or information sources used by insurers to supplement or substitute traditional underwriting factors and establish lifestyle indicators in their insurance practices. 

This includes, but is not limited to, credit scores, social media behavior, purchasing patterns, home ownership, educational background, licensures, civil judgments, court records, and any insurance risk scores calculated by the insurance company or a third party using similar data and information sources.

3. What is “unfair discrimination” according to the law?

The law determines that unfair discrimination has occurred if:

  • The use of ECDIS, or of algorithms or predictive models using ECDIS, correlates with a protected characteristic,
  • The use results in a proportionately negative outcome for an individual or individuals with those protected characteristics, and
  • The negative outcome exceeds the reasonable correlation to the underlying insurance practice.

4. What rules and regulations have been enacted since?

On September 21, 2023, the Colorado Division of Insurance (DOI) adopted Regulation 10-1-1, “Governance and Risk Management Framework Requirements for Life Insurers’ Use of ECDIS, Algorithms, and Predictive Models,” which went into effect November 14, 2023.

This regulation requires life insurance carriers that use ECDIS and algorithms or predictive models relying on ECDIS to:

  • Establish a Governance and Risk Management Framework for ECDIS usage.
  • Create and maintain comprehensive documentation of insurers' usage of all ECDIS, algorithms, predictive models that utilize ECDIS, and predictive models supplied by third parties to ensure its continued accuracy and relevance. 
  • Submit regular reports to the DOI regarding the two components above. 

5. When does enforcement for life insurers start? 

Insurers that are using ECDIS, as well as algorithms and/or predictive models that use ECDIS, as of the effective date of this regulation must submit to the Division a narrative report summarizing the progress made towards complying with the requirements specified in Section 5 including identifying the areas still under development, any difficulties encountered, and expected completion date. This report is due June 1, 2024.

  • Insurers that use ECDIS, and algorithms and/or predictive models that use ECDIS, must submit a compliance report by December 1, 2024 and annually thereafter demonstrating compliance or a corrective action plan.
  • Insurers that plan to use ECDIS or algorithms and/or predictive models that use ECDIS must submit to the Division a compliance report prior to the use of ECDIS or algorithms and/or predictive models that use ECDIS.

6. What additional regulations related to SB 21-169 are expected?

The implementation of SB 21-169 is ongoing, and several additional regulations are yet to be introduced. The DOI plans to introduce regulations that cover other lines of insurance, creating a comprehensive framework for the industry. Expected regulations include: 

  • A quantitative testing regulation for life insurance establishing the requirements for testing of ECDIS, algorithms, and predictive models for unfair discrimination. A draft regulation was published on September 27, 2023 and is expected to be adopted in 2024.
  • Proposed regulation for underwriting practices in private passenger auto insurance. Expected to be more fully detailed and adopted in 2024.

7. How should insurers prepare?

As subsequent rules for specific insurance types are enacted, insurance providers will need to adhere to a systematic and strategic approach to change management and governance. To start the compliance journey, insurers should:

  • Inventory all usage of ECDIS and of algorithms and models that use ECDIS. To meet documentation requirements, insurers must keep track of all ECDIS and algorithms/models that utilize ECDIS.
  • Consult with third-party vendors about their ECDIS or algorithms/models that use ECDIS. To assess compliance with AI tools and prevent potential unfair discrimination, insurers should start consulting third-party vendors about their ECDIS or algorithms/models using ECDIS. 
  • Adopt a governance and risk management framework that aligns with the rules outlined in the recent regulation. To fully comply with regulations, insurers must utilize the expertise of subject matter specialists and advanced tools to implement the requirements of risk management frameworks and governance into practical assessments and system requirements.

Overall, the process of establishing governance and risk management, creating comprehensive documentation and ensuring regular reporting can be complex, particularly when organizational change management is also a factor. 

8. How can Credo AI help insurance companies comply with SB21-169?

Credo AI can simplify this journey for insurers by providing the necessary tools at every stage of the compliance process.

Our governance platform provides a governance-driven model registry and supports insurers with inventory management to support gathering required evidence, evaluating models, and reporting on compliance and risk of third-party AI tools. Our Platform helps maintain and document a robust governance and risk management framework across the organization, giving insurers peace of mind and confidence in their compliance efforts. 

We have built an SB21-169 Policy Pack, which includes all of the requirements of the law, translated into a clear checklist of documentation and assessment requirements, making it easy for insurers to comply with the regulation. By implementing a robust governance and risk management framework across the entire organization, our platform helps insurers feel confident and secure in their compliance efforts.

Don't wait until it's too late! Make sure that you have governance processes in place and start your compliance journey with SB 21-169 today. Reach out to us at to learn more!

DISCLAIMER. The information we provide here is for informational purposes only and is not intended in any way to represent legal advice or a legal opinion that you can rely on. It is your sole responsibility to consult an attorney to resolve any legal issues related to this information.