AITC Comment Letter on Third Party Vendor Definition

June 20, 2025

Chairman Lapham:

The American InsurTech Council (AITC) is an independent advocacy organization dedicated to advancing the public interest through the development of ethical, technology-driven innovation in

insurance. We appreciate the opportunity to provide the following comments in response to the National Association of Insurance Commissioners’ (NAIC) request for proposed definitions of Third-Party Data Vendor and Third-Party Model Vendor.

As a preliminary comment, it remains unclear to us and perhaps others what issue (or issues) concerning insurer use of third party data vendors or third party model vendors the Working Group is attempting to address. Any discussion of regulatory oversight of third party vendors should

begin with a clear statement of the issues that need to be addressed. Until that has been made clear we respectfully suggest that an effort to define key terms is premature. AITC would welcome a public discussion that clarifies this question.

In considering the Working Group’s request, we revisted the NAIC’s statement of Principles on Artificial Intelligence (AI) and the NAIC’s statement of Principles on Artificial Intelligence (AI), the Model Bulletin: Use of Artificial Intelligence Systems By Insurers. We also considered how

the term third party vendor (or provider) is used in other NAIC models and in common industry practice. At a minimum, the Working Group must ensure that any definition of third party vendor is consistent with the Principles of Artificial Intelligence, the Model AI Bulletin, and existing definitions of third party vendors in state’s insurance laws and standards of practice.

Based upon the results of our review, it is not clear why these terms require new definitions, or how definitions could meaningfully add to the authority to oversee insurer use of AI that already exists under state law. To the contrary, we see significant potential for unintended adverse consequences. Third-party vendors provide a wide array of services, ranging from providing raw data to complex predictive modeling. These services often combine elements of “data provider” and “data modeler. ” At a time of rapid change in technology and the development of business use cases for

AI that benefit consumers, we would be concerned that attempts to parse descriptions of these services into rigid definitions would undermine the dynamic, rapidly evolving and innovative nature of third-party services to insurers. Rigid definitions would also create confusion in

contracting and compliance efforts, impose unnecessary regulatory burdens, and create the conditions for inconsistent interpretations across the states. Existing regulatory frameworks and established industry practice developed over decades already provide sufficient tools to oversee vendor relationships and activities through principles-based risk management, due diligence, and

contractual oversight.

Should members of the Working Group determine, however, that a definition is essential AITC would recommend combining both terms into a single definition. The following definition is intended to reflect current practice and standards associated with third party vendors in the context

of providing models or data services to insurers. “Third-party data or model vendor” means a person, partnership, corporation, or other entity

that provides external consumer data, an algorithm, or a predictive model to an insurer for use in an insurance practice, but does not include an employee or affiliate of the insurer.

Thank you again for the opportunity to address our comments. We look forward to further discussion of these issues.

Respectfully Submitted,

Scott R. Harrison

Co-Founder, American InsurTech Council