See how Forma Health supervises their AI
Reg 10-1-1 (3 CCR 702-10)Colorado's own regime

AI governance for Colorado insurers

Colorado does not follow the NAIC AI model bulletin. It runs its own, stricter regime. Senate Bill 21-169 prohibits insurers from using external consumer data and information sources (ECDIS), algorithms, and predictive models in ways that unfairly discriminate against consumers based on a protected class, and Regulation 10-1-1 requires a governance and risk-management framework around that use. The rules currently reach life, private passenger auto, and health benefit plan insurers.

Talk to an expertExplore the hub
StatuteSB 21-169
Regulation3 CCR 702-10
ScopeLife, auto, health
Life complianceDec 1, 2024

What Colorado requires

Colorado's framework is built around the use of external consumer data and predictive models, not the NAIC's AIS-Program structure. Covered insurers must govern that use and prove it is not unfairly discriminatory.

01

Governance & accountability

Stand up a risk-based governance and risk-management framework for any use of ECDIS, algorithms, and predictive models, with documented senior-management and board oversight.

02

Bias testing & corrective action

Assess and document whether ECDIS or models produce unfairly discriminatory outcomes against consumers on the basis of a protected class, and take corrective action when they do.

03

ECDIS & model inventory

Maintain an inventory of the external data sources, algorithms, and predictive models in use, including third-party tools, and document how data flows into insurance decisions.

04

Reporting & attestation

File the progress reports and compliance documentation the Division requires. Insurers that do not use ECDIS must file an attestation to that effect.

Legal authority

Colorado grounds its regime in statute and regulation that go beyond the NAIC model:

  • Restrictions on the use of external consumer data, algorithms, and predictive models (SB 21-169)C.R.S. §10-3-1104.9
  • Governance and Risk Management Framework (Regulation 10-1-1)3 CCR 702-10
  • Unfair methods of competition and unfair or deceptive actsC.R.S. §10-3-1104

Who it applies to

The ECDIS rules reach these lines today:

  • Life insurers
  • Private passenger automobile insurers
  • Health benefit plan insurers
  • Not yet extended to farm or commercial property and casualty lines

Scope note: Colorado's ECDIS rules currently reach life, private passenger auto, and health benefit plan insurers. They do not yet apply to farm or commercial property and casualty lines. The Division has expanded the framework line by line, so carriers in those segments should track new rulemaking rather than assume they are out of scope for good.

Compliance timeline

  • Jul 6, 2021Governor signs SB 21-169 into law, codified at C.R.S. §10-3-1104.9.
  • Sept 2023Division of Insurance adopts Regulation 10-1-1 (3 CCR 702-10), the governance framework for life insurers.
  • Jun 1, 2024Life insurers' initial progress report due to the Division.
  • Dec 1, 2024Life insurers' full governance-framework compliance; insurers that do not use ECDIS file an attestation.
  • OngoingFramework extended to private passenger auto and health benefit plan insurers.
Learn the basics

Resources for Colorado insurers

Start with these plain-language explainers and field guides.

Guide

What is the NAIC Model Bulletin on AI?

The NAIC Model Bulletin on the Use of AI Systems by Insurers is the template most states use to set AI governance expectations. Here is what it says and why it matters.

Guide

What is an AIS Program?

An AI Systems Program (AIS Program) is the written program the NAIC Model Bulletin expects every insurer to maintain. Here are its four pillars and what each one requires.

Guide

What are the NAIC AI Principles?

The NAIC AI Principles, adopted in 2020, are the foundation beneath every state AI bulletin. The five principles spell FACTS: Fair, Accountable, Compliant, Transparent, and Secure.

Guide

AI in Insurance: Key Regulatory Definitions

The NAIC Model Bulletin defines the terms that carry legal weight, from AI System to Adverse Consumer Outcome to Model Drift. Here is what each one means for insurers.

Article

Insurance Regulators Are Forcing AI Governance. Most Carriers Aren't Ready.

State insurance regulators and bar associations are sounding the alarm on AI in insurance. Legal and regulatory pressure is forcing insurers to operationalize AI governance, not just document it.

Article

The NAIC Bulletin Is the Floor Your Reinsurer Will Hold You To

Twenty-four jurisdictions have adopted the NAIC Model Bulletin on AI. Most carrier compliance teams are working to the regulatory text. Their reinsurers will use the same document as an evidentiary baseline at the next placement, and the cedent that meets the floor and stops there is preparing for the wrong audience.

Colorado insurance AI FAQs

Does Colorado follow the NAIC AI model bulletin?
No. Colorado has its own regime. SB 21-169 (C.R.S. §10-3-1104.9) and Regulation 10-1-1 (3 CCR 702-10) govern insurers' use of external consumer data and information sources, algorithms, and predictive models. They pre-date and go beyond the NAIC model bulletin.
What is ECDIS?
External consumer data and information sources: data used to supplement or replace traditional underwriting factors, such as credit-based insurance scores, social media, purchasing and homeownership data, education, occupation, biometric data, court records, and any risk scores derived from them.
Which insurers does Colorado's regime cover?
Today the governance framework applies to life insurers, private passenger automobile insurers, and health benefit plan insurers. It does not yet reach farm or commercial property and casualty lines.
What must a covered insurer do?
Stand up a risk-based governance and risk-management framework, inventory the ECDIS and models in use (including third-party tools), test for and correct unfairly discriminatory outcomes against protected classes, and file the required reports. Insurers that do not use ECDIS file an attestation instead.
What were the key compliance dates?
Life insurers had to submit an initial progress report by June 1, 2024 and meet the full governance-framework requirements by December 1, 2024. The Division has since extended the framework to private passenger auto and health benefit plan insurers.
Sources
  1. Colorado SB 21-169 (C.R.S. §10-3-1104.9), Colorado General Assembly
  2. Colorado Division of Insurance — SB 21-169 program page
  3. Regulation 10-1-1 (3 CCR 702-10), Colorado Secretary of State
  4. Bryan Cave Leighton Paisner — Colorado's new ECDIS and AI model regulations
  5. Alston & Bird — New AI Regulation from the Colorado Dept. of Insurance

Get audit-ready for Colorado's ECDIS rules

Swept AI inventories your models and external data sources, runs the bias testing Colorado expects, and produces the governance documentation the Division can request.

Book a demoExplore the platform