Risk-Based Regulatory Framework for Third-Party Data and Model Vendors

Chairman Lapham:

The American InsurTech Council (AITC) is an independent advocacy organization dedicated to advancing the public interest through the development of ethical, technology-driven innovation in

insurance. Our diverse group of sponsors and supporters include legacy insurers, more than 120 insurtech startups and technology developers, and other stakeholders in the insurance and technology sectors. Many of those small startups and developers already provide AI Systems and

other technology solutions to insurance carriers. They are living examples of the engine that is

driving innovation in the insurance industry. All of these entities share a common interest in

effective regulation while advancing ethical, technology-driven innovation within the insurance

industry to improve business practices and consumer experiences.

AITC appreciates the opportunity to provide our comments on the proposed Risk-Based

Regulatory Framework for Third-Party Data and Model Vendors (the "Framework"). While we

share the NAIC's commitment to consumer protection and responsible innovation, we are deeply

concerned that the Framework in its current form will produce outcomes directly contrary to the

Working Group’s stated objectives. We identify below a series of concerns with the Framework,

and we offer an Alternative Proposal that we think would accomplish the Working Group’s goals

and objectives.

It is important to note first, however, our view that the Framework’s extremely wide breadth is a

significant flaw. By this we mean that for regulatory purposes, the Framework treats all data and

models alike when the world of AI Systems and models is extremely diverse, serving vastly

different insurance functions with dramatically different risk profiles and impact on consumers.

American InsurTech Council: The Future of Insurance 2

For instance, the risks associated with mortality prediction models for life insurance underwriting,

claims fraud detection systems that determine whether to pay or deny benefits, or dynamic pricing

algorithms that set premium rates, are very different from customer service chatbots that answer

policy questions, or marketing optimization models that target advertising, or operational

efficiency tools that route claims to appropriate adjusters or predict application processing times,

Document classification systems, data enrichment services that append publicly available

information to applications, and workflow automation tools that schedule appointments or send

policy renewal reminders are altogether entirely different from the previous use cases and present

an altogether different risk profile.

The Model AI Bulletin recognizes these risk-based distinctions and calls on companies to calibrate

their goverance and risk management to each particular risk. We respectfully suggest that it is

equally appropriate that the tools used by regulators also be carefully calibrated to the risk

associated with a particular model.

A regulatory framework should clearly specify the type or types of data, models and business use

cases the Working Group is attempting to address, and the resources are already available to

regulators to ensure model transparency. For instance, more than one-half of the states already

allow third party data vendors to directly file and inspect the models that carriers are currently

using for personal lines rating and underwriting. If greater transparency involving these models is

an objective that can be easily achieved by the remaining states simply adopting the filing and

review process already being used by other states.

Additional concerns with the Framework include:

1. Imposes fixed costs that don't scale, creating insurmountable barriers for small vendors

while being easily absorbed by large vendors—guaranteeing market consolidation

2. Accelerates vendor consolidation, creating "too big to fail" mega-vendors that pose

greater systemic risks than a distributed ecosystem made up of smaller vendors

3. Creates a class of “too small to succeed” small vendors and startups whose only logical

recourse is to exit the insurance market entirely

4. Disproportionately harms small and mid-sized insurers through “one-size-fits-all”

insurer responsibilities that functionally restrict their access to affordable, innovative

technology

5. Stifles innovation in AI and advanced analytics through technology-specific restrictions

at a time when these technologies offer the greatest potential to expand insurance access

and improve consumer outcomes

6. Takes a monolithic approach to “data” and “access to data” that ignores critical

distinctions between the various types of data encompassing different legal and

competitive implications

7. Create regulatory incoherence by contradicting the risk-based principles established in

the NAIC's own Model AI Bulletin

8. Lacks clear legal authority while creating unenforceable requirements that invade

vendor intellectual property and raise serious questions regarding regulators' jurisdiction

9. Creates insurmountable uniformity problems while ensuring a patchwork of

regulatory standards across the states

American InsurTech Council: The Future of Insurance 3

AITC’s Alternative Approach

Rather than directing its efforts to regulating technology providers, we believe a more effective

approach to achieving meaningful consumer protection without the Framework’s negative impacts

would be to align with the NAIC’s approved policy of a risk-based approach established in the

Model AI Bulletin. Examples of the elements of this approach include:

• Focus on regulators’ existing authority over insurers’ vendor governance and risk management

practices

• Adopt meaningful materiality thresholds and risk-weighted requirements

• Scaling insurer responsibilities to insurer size

• Focus on outcomes rather than methods

• Create safe harbors for certain categories of vendors, e.g.,:

• Vendors compliant with SOC 2 Type II, ISO 27001, or similar third-party

certifications

• Vendors already regulated by federal agencies (OCC, CFPB, FTC)

• Vendors serving multiple industries where insurance is <25% of business

• Vendors serving a small number of insurers, e.g., 5 - 10

Unlike the proposed Framework that would require years and significant effort to develop into a

Model Law, AITC’s proposed approach relies upon states’ existing regulatory authority. A

workable framework focusing on insurers rather than vendors can also be developed reasonably

quickly, provide certainty to both insurers and vendors, reduce confusion in the marketplace, and

would avoid the uniformity problems associated with development of a Model Law.

Thank you again for the opportunity to address our comments. We look forward to further

discussion of these issues.

Respectfully Submitted,

Co-Founders, American InsurTech Council

JP Wieske (jpwieske@monumentadvocacy.com), Jack Friou (jfriou@americaninsurtech.com),

The Hon. Thomas Mays (tmays@americaninsurtech.com) Scott Harrison

(sharrison@americaninsurtech.com), Teri Hernandez (thernandez@americaninsurtech.com)