NYSDA Publications

DFS Issues AI Guidance in Insurance Underwriting and Pricing

Jul 12, 2024

The New York State Department of Financial Services (DFS) has issued guidance on the use of artificial intelligence (AI) in insurance underwriting and pricing.  The complete DFS guidance can be read below.

Insurance Circular Letter No. 7

July 11, 2024

TO: All Insurers Authorized to Write Insurance in New York State, Article 43 Corporations, Health Maintenance Organizations, Licensed Fraternal Benefit Societies, and the New York State Insurance Fund

RE: Use of Artificial Intelligence Systems and External Consumer Data and Information Sources in Insurance Underwriting and Pricing

STATUTORY AND REGULATORY REFERENCES: N.Y. Ins. Law §§ 308, 309, 1501, 1503, 1604, 1702, 1717, 2303, 3221, 3425, 3426, 4224, and 4305, and Articles 24, 26, 43, and 45; 11 NYCRR 82; 11 NYCRR 89; 11 NYCRR 90; 11 NYCRR 243

On January 17, 2024 the Department published Proposed Insurance Circular Letter, Re: Use of Artificial Intelligence Systems and External Consumer Data and Information Sources in Insurance Underwriting and Pricing (“Proposed Circular Letter”).

During the comment period, the Department received submissions from insurers, trade associations, advisory firms, universities, and the broader public. In addition, the Department conducted direct outreach regarding the Proposed Circular Letter to ensure we received feedback from a range of interested parties representing different opinions. In response to feedback received, the Department is publishing this circular letter (“Circular Letter”) in its final form.  

Several themes were identified from the comments and outreach, which are incorporated into this final Circular Letter. These themes include:  

  • Definitions. Commenters encouraged multiple different definitions for the terms external consumer data and information sources (“ECDIS”) and artificial intelligence systems (“AIS”), and encouraged a limit on the applicability of the guidance to only AIS that utilized ECDIS. Additionally, commenters noted that certain terms such as “unfair” and “unlawful” would benefit from definitions. The final Circular Letter maintains the original definitions of ECDIS and AIS as it is the intent of the Department to cover AIS utilization and models regardless of whether they leverage ECDIS. The definitions regarding unfair and unlawful discrimination can be found in the state and federal law cited within the final Circular Letter. Commenters also requested a definition of the term “traditional underwriting.” The Department understands that traditional underwriting differs across types of insurance products based on the risks being evaluated by insurers during the underwriting process, but expects that it does not include ECDIS or AIS as defined in this Circular Letter.
  • Proxy Assessments. Commenters requested the removal of the provision regarding proxy assessments, which articulates that insurers should be able to demonstrate that ECDIS do not serve as a proxy for any protected classes that may result in unfair or unlawful discrimination. Given the potential negative impacts of proxy variables,¹ the final Circular Letter clarifies what the proxy assessment may entail and the protected classes to which this provision applies. This proxy assessment provision does not prevent insurers from using data to infer or impute protected class status for the limited purpose of the quantitative assessments (Section 17) discussed in this Circular Letter.
  • Quantitative Assessments. Commenters expressed that they are unable to perform quantitative assessments for many protected classes because they do not collect data regarding the protected classes to which individuals may belong. The final Circular Letter clarifies that its provisions regarding quantitative proxy assessments and assessment of disproportionate adverse effects only apply to protected classes for which data are available, or may be reasonably imputed using statistical methodologies.² The final Circular Letter further clarifies that insurers are not expected to collect additional data from or about individuals for such analyses.
  • Governance and Risk Management. Commenters sought additional detail on thresholds for sufficiency across risk management procedures in the Proposed Circular Letter. They also noted that commercial property/casualty and group life insurance products may not always have a direct consumer impact. The final Circular Letter maintains the expectation that insurers take an appropriate, risk-based approach to utilizing ECDIS and AIS. It is up to insurers to determine the appropriate sufficiency thresholds and standards of proof based on the product and the particular use of ECDIS or AIS. It is noted by the Department that in certain circumstances commercial property/casualty and group life insurance may not have a direct consumer impact, and in other cases it could. For example, commercial property/casualty insurance is issued to sole proprietors. It is further noted that some insurance products may not utilize risk-based underwriting and pricing. 
  • Board and Senior Management Oversight. Commenters noted that it is unreasonable to expect senior management or boards to perform the day-to-day work of ECDIS and AIS development and implementation. The final Circular Letter maintains the expectation that both senior management and the board have a responsibility for the overall outcomes of the use of ECDIS and AIS, not the day-to-day implementation. This expectation is consistent with long-standing supervisory approaches in the insurance sector and other sectors.
  • Third-Party Vendors. Commenters expressed concern over how to effectively perform oversight over ECDIS and AIS provided by third-party vendors. The final Circular Letter maintains the expectation that insurers conduct appropriate oversight over third-party vendors. This does not mean that insurers are expected to understand the detailed inner workings of AIS, but rather should perform appropriate due diligence and oversight relative to the risks of the ECDIS or AIS used by third-party vendors, and are ultimately responsible for the outcomes of that use. This expectation is consistent with long-standing supervisory approaches in the insurance sector and other sectors. The final Circular Letter provides an additional clause drawn from the NAIC’s Model Bulletin on the Use of Artificial Intelligence Systems by Insurers demonstrating the expectation that insurers incorporate certain terms into contracts with third-party vendors, where appropriate. 
  • Confidentiality. Commenters sought additional assurances from the Department regarding the confidentiality of information. The final Circular Letter does not promise the confidentiality of information, but the Department is committed to protecting confidential information, intellectual property, and trade secrets of insurers and third-parties. The Department cannot promise confidentiality in all cases as the Department must comply with the Freedom of Information Law, Public Officers Law Article 6, which provides that all agency records are public unless they fall within an exception from disclosure. However, if an insurer submitting information to the Department deems such information to be a trade secret that if disclosed would cause substantial injury to the competitive position of the insurer pursuant to Public Officers Law § 87(2)(d), then the insurer may, at the time the information is submitted to the Department, request that the Department except such information from disclosure pursuant to Public Officers Law § 89(5)(a)(1).

I. Purpose and Background

  1. The New York State Department of Financial Services (“Department”) is committed to innovation and the responsible use of technology to improve financial access and contribute to the safety and stability of insurance markets.
  2. The purpose of this Circular Letter is to identify the Department’s expectations that all insurers authorized to write insurance in New York State, Article 43 corporations, health maintenance organizations, licensed fraternal benefit societies, and the New York State Insurance Fund (collectively, “insurers”) develop and manage their use of ECDIS, AIS, and other predictive models in underwriting and pricing insurance policies and annuity contracts.³
  3. The Department expects that insurers’ use of emerging technologies, such as AIS and ECDIS, will be conducted in a manner that complies with all applicable federal and state laws and regulations.
  4. The use of ECDIS and AIS can benefit insurers and consumers alike by simplifying and expediting insurance underwriting and pricing processes, and potentially result in more accurate underwriting and pricing of insurance. At the same time, ECDIS may reflect systemic biases and its use can reinforce and exacerbate inequality. This raises significant concerns about the potential for unfair adverse effects or discriminatory decision-making. ECDIS also may have variable accuracy and reliability and may come from entities that are not subject to regulatory oversight and consumer protections. Furthermore, the self-learning behavior that may be present in AIS increases the risks of inaccurate, arbitrary, capricious, or unfairly discriminatory outcomes that may disproportionately affect vulnerable communities and individuals or otherwise undermine the insurance marketplace in New York. It is critical that insurers that utilize such technologies establish a proper governance and risk management framework to mitigate the potential harm to consumers and comply with all relevant legal obligations.
  5. For purposes of this Circular Letter, AIS means any machine-based system designed to perform functions normally associated with human intelligence, such as reasoning, learning, and self-improvement, that is used – in whole or in part – to supplement traditional health, life, property or casualty underwriting or pricing, as a proxy for traditional health, life, property or casualty underwriting or pricing, or to identify “lifestyle indicators” that may contribute to an underwriting or pricing assessment of an applicant for insurance coverage.
  6. For purposes of this Circular Letter, ECDIS includes data or information used – in whole or in part – to supplement traditional medical, property or casualty underwriting or pricing, as a proxy for traditional medical, property or casualty underwriting or pricing, or to identify “lifestyle indicators” that may contribute to an underwriting or pricing assessment of an applicant for insurance coverage. ECDIS does not include an MIB Group, Inc. member information exchange service, a motor vehicle report, prescription drug data, or a criminal history search. An insurer conducting a criminal history search for insurance underwriting and pricing purposes must comply with Executive Law § 296(16). See e.g., Insurance Circular Letter No. 13 (2022).
  7. An insurer may deploy ECDIS and AIS in a variety of ways throughout the underwriting and pricing process. The Department recognizes there is no one-size-fits-all approach to managing data and decisioning systems. Therefore, insurers should take an approach to developing and managing their use of ECDIS and AIS that is reasonable and appropriate to each insurer’s business model and the overall complexity and materiality of the risks inherent in using ECDIS and AIS.
  8. This Circular Letter is not intended to provide an exhaustive list of potential issues that could arise from the use of ECDIS or AIS and is not intended to suggest that an insurer’s due diligence in assessing ECDIS or AIS should be limited to the concerns enumerated below. This Circular Letter also is not intended to address phases of the insurance product lifecycle other than underwriting and pricing.
  9. The Department may audit and examine an insurer’s use of ECDIS and AIS, including within the scope of regular or targeted examinations pursuant to New York Insurance Law (“Insurance Law”) § 309, or a request for special report pursuant to Insurance Law § 308.

II. Fairness Principles

  1. An insurer should not use ECDIS or AIS for underwriting or pricing purposes unless the insurer can establish that the data source or model, as applicable, does not use and is not based in any way on any class protected pursuant to Insurance Law Article 26. Moreover, an insurer should not use ECDIS or AIS for underwriting or pricing purposes if such use would result in or permit any unfair discrimination or otherwise violate the Insurance Law or any regulations promulgated thereunder.

A. Data Actuarial Validity

  1. As with any other variables employed in underwriting and pricing, insurers should be able to demonstrate that the ECDIS are supported by generally accepted actuarial standards of practice and are based on actual or reasonably anticipated experience, including, but not limited to, statistical studies, predictive modeling, and risk assessments. The underlying analyses should demonstrate a clear, empirical, statistically significant, rational, and not unfairly discriminatory relationship between the variables used and the relevant risk of the insured.
  2. Proxy Assessment. Insurers must be able to demonstrate that the ECDIS employed for underwriting and pricing are not prohibited by the Insurance Law or regulations promulgated thereunder. Insurers should evaluate the extent to which such ECDIS are correlated with (i.e., proxy for) status in any protected classes that may result in unfair or unlawful discrimination. Whether ECDIS correlates with a protected class may be determined using data available to the insurer or may be reasonably inferred using accepted statistical methodologies. If such correlations are identified, insurers should consider whether the use of such ECDIS is required by a legitimate business necessity.

B. Unfair and Unlawful Discrimination

  1. State and federal law prohibit insurers from unlawfully discriminating against certain protected classes of individuals and from engaging in unfair discrimination, including the ability of insurers to underwrite based on certain criteria.⁴ An insurer should not use ECDIS or AIS in underwriting or pricing unless the insurer has determined that the ECDIS or AIS does not collect or use criteria that would constitute unfair or unlawful discrimination or an unfair trade practice.
  2. When using ECDIS or AIS as part of their insurance business, insurers are responsible for complying with these anti-discrimination laws irrespective of whether they themselves are collecting data and directly underwriting consumers, or relying on ECDIS or AIS of external vendors that are intended to be partial or full substitutes for direct underwriting or pricing. An insurer may not use ECDIS or AIS to collect or use information that the insurer would otherwise be prohibited from collecting or using directly. An insurer may not rely solely on a third-party’s claim of non-discrimination or a proprietary third-party process to determine compliance with anti-discrimination laws. The responsibility to comply with anti-discrimination laws remains with the insurer at all times.
  3. An insurer should not use ECDIS or AIS in underwriting or pricing unless the insurer can establish through a comprehensive assessment that the underwriting or pricing guidelines are not unfairly or unlawfully discriminatory in violation of the Insurance Law. A comprehensive assessment of whether an underwriting or pricing guideline derived from ECDIS or AIS unfairly discriminates between similarly situated individuals or unlawfully discriminates against a protected class should, at a minimum, include the following steps:

    1. Step 1: assessing whether the use of ECDIS or AIS produces disproportionate adverse effects in underwriting or pricing for similarly situated insureds or insureds of a protected class. This assessment should be conducted for any protected class where membership in such protected class either may be determined using data available to the insurer or may be reasonably inferred using accepted statistical methodologies.
      1. If there is no prima facie showing of a disproportionate adverse effect, then the insurer may conclude its evaluation after Step 1.
      2. If there is a prima facie showing of such a disproportionate adverse effect, then the insurer should continue to Step 2.
    2. Step 2: assessing whether there is a legitimate, lawful, and fair explanation or rationale for the differential effect on similarly situated insureds.
      1. If no legitimate, lawful, and fair explanation or rationale can account for the differential effect on similarly situated insureds, the insurer should modify its use of such ECDIS or AIS and evaluate the modified use of ECDIS or AIS beginning with Step 1.
      2. If a legitimate, lawful, and fair explanation or rationale can account for the differential effect, then the insurer should continue to Step 3.
    3. Step 3: conducting and appropriately documenting a search and analysis for a less discriminatory alternative variable(s) or methodology that would reasonably meet the insurer’s legitimate business needs.
      1. If a less discriminatory alternative exists, the insurer should modify its use of ECDIS or AIS accordingly, and should evaluate the modified use of ECDIS or AIS beginning with Step 1.
      2. If no less discriminatory alternative exists, the insurer should conduct ongoing model risk management consistent with Section III of this guidance, and repeat Step 3 at least annually.

C. Analyzing for Unfair or Unlawful Discrimination

    1. Documentation. An insurer should appropriately document the processes and reasoning behind its testing methodologies and analysis for unfair or unlawful discrimination commensurate with the insurer’s use of ECDIS and AIS and the complexity and materiality of such ECDIS and AIS. An insurer should be prepared to make such documentation available to the Department upon request.
    2. Frequency of Testing. Unfair or unlawful discrimination testing and analysis should be administered prior to putting AIS into production and on a regular cadence thereafter, as well as whenever material updates or changes are made to either the ECDIS or AIS.
    3. Quantitative Assessment. In performing the analyses described in paragraphs 11 and 14, insurers are encouraged to use multiple statistical metrics in evaluating data and model outputs to ensure a comprehensive understanding and assessment. There is no expectation that insurers collect additional data from, or about, individuals to perform exemplary analysis. Such metrics may include, among others:
      1. Adverse Impact Ratio: Analyzing the rates of favorable outcomes between protected classes and control groups to identify any disparities.
      2. Denials Odds Ratios: Computing the odds of adverse decisions for protected classes compared to control groups.
      3. Marginal Effects: Assessing the effect of a marginal change in a predictive variable on the likelihood of unfavorable outcomes, particularly for members of protected classes.
      4. Standardized Mean Differences: Measuring the difference in average outcomes between protected classes and control groups.
      5. Z-tests and T-tests: Conducting statistical tests to ascertain whether differences in outcomes between protected classes and control groups are statistically significant.
      6. Drivers of Disparity: Identifying variables in AIS that cause differences in outcomes for protected classes relative to control groups. These drivers can be quantitatively computed or estimated using various methods, such as sensitivity analysis, Shapley values, regression coefficients, or other suitable explanatory techniques.
    4. Qualitative Assessment. In addition to quantitative analysis, an insurer’s comprehensive assessment should include a qualitative assessment of unfair or unlawful discrimination. This includes being able to explain, at all times, how the insurer’s AIS operates and to articulate a logical relationship between ECDIS and other model variables with an insured or potential insured individual’s risk.
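
Four of the metrics named under Quantitative Assessment above (adverse impact ratio, denial odds ratio, standardized mean difference, and a two-proportion z-test), computed over constructed data. This is an added example and not part of the Circular Letter or a Department methodology; the record fields, group labels, and function names are assumptions, and no pass/fail threshold is set because the letter leaves thresholds to the insurer.

```python
import math
from statistics import mean, variance


def _split(records, protected, control, field):
    """Return the `field` values for the protected and control groups."""
    p = [r[field] for r in records if r["group"] == protected]
    c = [r[field] for r in records if r["group"] == control]
    if len(p) < 2 or len(c) < 2:
        raise ValueError("each group needs at least two records")
    return p, c


def adverse_impact_ratio(records, protected, control):
    """Favorable-outcome rate of the protected class over the control rate."""
    p, c = _split(records, protected, control, "approved")
    rate_p, rate_c = sum(p) / len(p), sum(c) / len(c)
    if rate_c == 0:
        return None  # undefined: the control group has no favorable outcomes
    return rate_p / rate_c


def denial_odds_ratio(records, protected, control):
    """Odds of an adverse decision for the protected class over the control odds."""
    p, c = _split(records, protected, control, "approved")
    appr_p, appr_c = sum(p), sum(c)
    den_p, den_c = len(p) - appr_p, len(c) - appr_c
    if appr_p == 0 or appr_c == 0 or den_c == 0:
        return None  # a zero cell makes the ratio undefined
    return (den_p / appr_p) / (den_c / appr_c)


def two_proportion_z_test(records, protected, control):
    """Pooled two-proportion z-test on approval rates; returns (z, two-sided p).

    Uses the normal approximation, so it is unreliable for very small groups.
    """
    p, c = _split(records, protected, control, "approved")
    rate_p, rate_c = sum(p) / len(p), sum(c) / len(c)
    pooled = (sum(p) + sum(c)) / (len(p) + len(c))
    se = math.sqrt(pooled * (1 - pooled) * (1 / len(p) + 1 / len(c)))
    if se == 0:
        return 0.0, 1.0  # every outcome identical: no difference to test
    z = (rate_p - rate_c) / se
    return z, math.erfc(abs(z) / math.sqrt(2))


def standardized_mean_difference(records, protected, control, field="premium"):
    """Difference in group means divided by the pooled standard deviation."""
    p, c = _split(records, protected, control, field)
    pooled_var = ((len(p) - 1) * variance(p) + (len(c) - 1) * variance(c)) / (
        len(p) + len(c) - 2
    )
    if pooled_var == 0:
        return None  # no spread in the outcome: SMD is undefined
    return (mean(p) - mean(c)) / math.sqrt(pooled_var)


def constructed_sample():
    """Constructed data: 200 protected-class and 300 control applicants.

    Group membership is assumed to be known or already imputed.
    """
    premiums_p, premiums_c = [110, 120, 130, 140], [100, 110, 120, 130]
    records = []
    for i in range(200):  # 120 of 200 approved
        records.append(
            {"group": "protected", "approved": i < 120, "premium": premiums_p[i % 4]}
        )
    for i in range(300):  # 240 of 300 approved
        records.append(
            {"group": "control", "approved": i < 240, "premium": premiums_c[i % 4]}
        )
    return records


def assess(records, protected="protected", control="control"):
    """Compute all four metrics for one protected/control pair."""
    z, p_value = two_proportion_z_test(records, protected, control)
    return {
        "adverse_impact_ratio": adverse_impact_ratio(records, protected, control),
        "denial_odds_ratio": denial_odds_ratio(records, protected, control),
        "z": z,
        "p_value": p_value,
        "smd_premium": standardized_mean_difference(records, protected, control),
    }


if __name__ == "__main__":
    for name, value in assess(constructed_sample()).items():
        print(f"{name}: {value:.4g}")
```
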

III. Governance and Risk Management

    1. 11 NYCRR § 90.2 requires an insurer to have a corporate governance framework that is appropriate for the nature, scale, and complexity of the insurer.⁵ 11 NYCRR § 90.1(c) defines “corporate governance framework” as “the structures, processes, information, and relationships used for the oversight, direction, control, and management of an insurer or system and for ensuring compliance with legal and regulatory requirements.” An insurer should have a corporate governance framework that provides appropriate oversight of the insurer’s use of ECDIS and AIS to ensure compliance with the Insurance Law and regulations promulgated thereunder.

A. Board and Senior Management Oversight

    1. The role of an insurer’s board of directors, or other governing body, is to provide oversight of the insurer’s activities, including providing for an effective governance framework to carry out the board’s or other governing body’s strategic vision and monitor the insurer’s risk appetite.
    2. The board of directors, or other governing body, may delegate specific duties and authorities for overseeing an insurer’s activities, including development and management of ECDIS and AIS, to the board’s or other governing body’s committees and senior management. When delegating specific duties and authorities, an insurer should ensure appropriate lines of reporting are in place, along with regular, quality reporting to meet the board’s or other governing body’s information needs. This should include all timely and relevant facts for a board or other governing body to understand the material activities and risks associated with the insurer’s use of ECDIS and AIS.
    3. Senior management is responsible for day-to-day implementation of the insurer’s development and management of ECDIS and AIS, consistent with the board’s or other governing body’s strategic vision and risk appetite. This includes establishing adequate policies and procedures, assigning competent staff, overseeing model risk management, ensuring effective challenge and independent risk assessment, reviewing internal audit findings, and taking prompt remedial action when necessary.
    4. In carrying out their duties to provide for effective implementation of the insurer’s use of ECDIS and AIS, senior management should ensure all relevant operation areas are appropriately engaged, such as through a cross-functional management committee with representatives from key function areas, including legal, compliance, risk management, product development, underwriting, actuarial, and data science, as appropriate.

B. Policies, Procedures, and Documentation

    1. Insurers that use ECDIS or AIS should formalize their development and management of ECDIS and AIS in written policies and procedures.
    2. An insurer’s board of directors or other governing body, committees thereof, or senior management through delegated authority, should review and approve the insurer’s ECDIS and AIS-related policies and procedures at least annually to ensure that they are kept current with changes in the insurer’s use of ECDIS and AIS and best practices in the industry.
    3. Policies and procedures should include clearly defined roles and responsibilities, as well as monitoring and reporting requirements to senior management.
    4. Policies and procedures should include training for relevant personnel on the responsible and lawful use of ECDIS and AIS, appropriately tailored to staff responsibilities. Additionally, the training program should include prompt training for new relevant staff and a regular cadence for training thereafter, as well as accountability for completing training in a timely manner.
    5. Insurers should maintain comprehensive documentation for their use of all AIS, including all ECDIS relied upon for such AIS, whether developed internally or supplied by third parties consistent with 11 NYCRR 243, and be prepared to make such documentation available to the Department upon request. Such documentation may include:
      1. a description of the process for identifying and assessing operational, financial, and compliance risks associated with an insurer’s use of ECDIS and AIS, and associated internal controls designed to mitigate such identified risks;
      2. an up-to-date inventory of all AIS implemented for use, under development for implementation, or recently retired;
      3. a description of how each AIS operates, including any ECDIS or other inputs and their sources, the purpose and products for which the AIS is designed, actual or expected usage, any restrictions on use, and any potential risks and appropriate safeguards;
      4. a description of the process for tracking changes of an insurer’s use of ECDIS and AIS over time, including documented explanation of any changes, associated rationale for such changes, and parties responsible for the approval of such changes;
      5. a description of the process for monitoring ECDIS and AIS usage and performance, including a list of any previous exceptions to policy and reporting;
      6. a description of testing conducted at least annually to assess the output of AIS models, including drift that may result from the use of machine learning or other automated updates; and
      7. a description of data lifecycle management process, including ECDIS acquisition, storage, usage and sharing, archival, and destruction.
    6. Insurers must be prepared to respond to consumer complaints and inquiries about the use of AIS and ECDIS by implementing procedures to receive and address such complaints. Insurers must maintain any records of complaints regarding AIS or ECDIS in accordance with 11 NYCRR 243 and be prepared to make such records available to the Department upon request.

C. Risk Management and Internal Controls

    1. Insurers should manage the relevant risks at each stage of the AIS life cycle and should consider risk from individual AIS models and in the aggregate. Insurers may choose to manage the risks of AIS within an existing enterprise risk management function, as required by the Insurance Law, or separately as part of an independent program.⁶
    2. Insurers should include standards for model development, implementation, use, and validation, and promote independent review and effective challenge to risk analysis, validation, testing, development, and other processes related to an insurer’s ECDIS and AIS development and risk management.
    3. Insurers should have competent and qualified personnel to execute and oversee AIS risk management with clearly defined roles and responsibilities, and appropriate means of accountability.
    4. 11 NYCRR § 89.16 requires an insurer to have an internal audit function to provide general and specific audits, reviews, and tests necessary to protect assets, evaluate control effectiveness and efficiency, and evaluate compliance with policies and regulations. Insurers should ensure the internal audit function is appropriately engaged with the insurer’s use of ECDIS and AIS consistent with the financial, operational, and compliance risk. Such auditing should assess the overall effectiveness of the AIS and ECDIS risk management framework, which may include:
      1. verifying that acceptable policies and procedures are in place and are appropriately adhered to;
      2. verifying records of AIS use and validation to test whether validations are performed in a timely manner and AIS models are subject to controls that appropriately account for any weaknesses in validation activities;
      3. assessing the accuracy and completeness of AIS documentation and adherence to documentation standards, including risk reporting;
      4. evaluating the processes for establishing and monitoring internal controls, such as limits on AIS usage;
      5. assessing supporting operational systems and evaluating the accuracy, reliability, and integrity of ECDIS and other data used by AIS;
      6. assessing potential biases in the ECDIS or other data that may result in unfair or unlawful discrimination against insureds or potential insureds; and
      7. assessing whether there is sufficient reporting to the board or other governing body and senior management to evaluate whether management is operating within the insurer’s risk appetite and limits for model risk.

D. Third-Party Vendors

    1. Insurers retain responsibility for understanding any tools, ECDIS, or AIS used in underwriting and pricing for insurance that were developed or deployed by third-party vendors and ensuring such tools, ECDIS, or AIS comply with all applicable laws, rules, and regulations.
    2. To ensure appropriate oversight of third-party vendors, insurers should develop written standards, policies, procedures, and protocols for the acquisition, use of, or reliance on ECDIS and AIS developed or deployed by a third-party vendor. Additionally, insurers should put in place procedures for reporting any incorrect information to third-party vendors for further investigation and update, as necessary. Further, insurers should develop procedures to remediate and eliminate incorrect information from their AIS that the insurer has identified or has been reported to a third-party vendor.
    3. Where appropriate and available, insurers should include terms in their contracts with third-party vendors that: (i) provide audit rights or entitle the insurer to receive audit reports by qualified auditing entities; and (ii) require the third-party vendor to cooperate with the insurer regarding regulatory inquiries and investigations related to the insurer’s use of the third-party vendor’s product or services.

IV. Transparency

E. Disclosure and Notice

    1. Transparency is an important consideration in the use of ECDIS to underwrite and price insurance. As noted in Circular Letter No. 1 (2019), the accuracy and reliability of external data sources can vary greatly, and many external data sources are entities that may not be subject to regulatory oversight and consumer protections. Disclosure is an essential mechanism to aid applicants in identifying and correcting any incorrect data used in underwriting and pricing decisions. Insurance Law §§ 3425 and 3426 provide that non-commercial and certain commercial property and casualty policies may not be cancelled, nonrenewed, or conditionally renewed unless the specific ground or reason is provided in writing to the insured. Additionally, Insurance Law § 4224(a)(2) and (b)(2) provide that no life or accident and health insurer doing business in this state shall refuse to insure, refuse to continue to insure, or limit the amount, extent, or kind of coverage available to an individual, or charge a different rate for the same coverage solely because of the physical or mental disability, impairment or disease, or prior history thereof, of the insured or potential insured, except where the refusal, limitation, or rate differential is permitted by law or regulation and is based on sound actuarial principles or is related to actual or reasonably anticipated experience, in which case the insurer must notify the insured or potential insured of the right to receive, or to designate a medical professional to receive, the specific reason or reasons for such refusal, limitation, or rate differential. 
Further, the failure to adequately disclose to the insured or potential insured any other specific reason or reasons for refusal, limitation, or rate differential may be deemed to be an unfair or deceptive act and practice in the conduct of the business of insurance and may be deemed to be a trade practice constituting a determined violation, as defined in Insurance Law § 2402(c), and in such case may be a violation of Insurance Law § 2403.
    2. Where an insurer is using ECDIS or AIS, the notice to the insured or potential insured, or medical professional designee, should disclose: (i) whether the insurer uses AIS in its underwriting or pricing process; (ii) whether the insurer uses data about the person obtained from external vendors; and (iii) that such person has the right to request information about the specific data that resulted in the underwriting or pricing decision, including contact information for making such request. In the event of a declination, limitation, rate differential, or other adverse underwriting decision, the reason or reasons provided to the insured or potential insured, or a medical professional designee, should include details about all information upon which the insurer based any declination, limitation, rate differential, or other adverse underwriting decision, including the source of the specific information upon which the insurer based its adverse underwriting or pricing decision.
    3. An insurer may not rely on the proprietary nature of a third-party vendor’s algorithmic processes to justify the lack of specificity related to an adverse underwriting or pricing action.
    4. The failure to adequately disclose the material elements of an AIS, and the external data sources upon which it relies, to a consumer may constitute an unfair trade practice under Insurance Law Article 24.

    F. Clarification of Insurance Circular Letter No. 1 (2019)

    1. The Department has received requests from life insurers to clarify the consumer disclosure/transparency section of Circular Letter No. 1 (2019).
    2. If an insurer has threshold criteria for a process utilizing ECDIS or AIS for underwriting, the insurer should disclose such criteria in writing in a clear and prominent manner in all relevant advertisements and marketing materials, and in disclosures provided to consumers during an application process. For example, if the ECDIS or AIS-based process is only available for certain ages or coverage amounts or only available to non-smokers, this should be disclosed. However, the disclosure need not include all possible combinations of factors that could result in the process utilizing ECDIS or AIS not being applied in underwriting the applicant for insurance. Failure to disclose eligibility criteria at the outset could raise concerns about misleading advertising under Insurance Regulation 34-A, 11 NYCRR § 219.4 or unfair trade practices under Insurance Law Article 24.
    3. If an underwriting process utilizing ECDIS or AIS determines that an applicant will not be approved for insurance under this process and can only obtain insurance by submitting to a non ECDIS or AIS-based underwriting process, the applicant has the right to know why. Within 15 days of such a determination, an insurer should provide notice to the applicant in writing in the manner(s) through which the applicant has elected to receive communications from the insurer, and the notice should identify the reason or reasons that the applicant cannot be underwritten for insurance using ECDIS or AIS. During the notice period, the insurer should continue the non ECDIS or AIS-based underwriting process. An insurer’s failure to provide this notice may be considered an unfair trade practice under Insurance Law Article 24.
    4. If an applicant will not be approved for insurance under an underwriting process utilizing ECDIS or AIS based on specific ECDIS data, the insurer should provide the applicant with a process to review for accuracy those data that resulted in the applicant not qualifying for the ECDIS or AIS-based underwriting process. This review process needs to be provided at the time the applicant is notified that the application cannot be processed under the underwriting process utilizing ECDIS or AIS described in paragraph 43 above. An insurer’s failure to provide a review process may be considered an unfair trade practice under Insurance Law Article 24.

    1 The American Academy of Actuaries has noted that “algorithm[s] may learn to identify and rely upon seemingly facially neutral variables that have a close correlation to protected characteristics or traits” and that such “problematic proxy variables . . . may cause protected classes to be disparately impacted[.]” American Academy of Actuaries, Discrimination: Considerations for Machine Learning, AI Models, and Underlying Data (Feb. 2024), https://www.actuary.org/sites/default/files/2023-08/risk-brief-discrimination.pdf.

    2 For example, the Consumer Financial Protection Bureau has published a report explaining that race and ethnicity may be imputed from geography- and surname-based information using the Bayesian Improved Surname Geocoding proxy method. See Consumer Financial Protection Bureau, Using publicly available information to proxy for unidentified race and ethnicity (Summer 2014), https://files.consumerfinance.gov/f/201409_cfpb_report_proxy-methodology.pdf. The Department is not endorsing any particular statistical methodology. 

    3 This Circular Letter does not apply to Child Health Plus, Essential Plan, and Medicaid managed care coverage.

    4 See Insurance Law Article 26 and §§ 4224(a)–(b), 3221(q)(3), and 4305(k)(3), Executive Law, General Business Law, and federal Civil Rights Act. See also Insurance Law § 2303 prohibiting unfairly discriminatory rates for property and casualty insurance coverage.

    5 Section 90.2 permits an insurer to satisfy this section if it is a member of a system and the system has a corporate governance framework.

    6 See Insurance Law §§ 1501, 1503(b), 1604(b), 1702, and 1717(b). See also 11 NYCRR § 82.