NAIC Unveils Proposed Model Bulletin on Insurers’ Use of AI Systems: Implications for Third-Party Vendors Sparks Industry Concern
The National Association of Insurance Commissioners (NAIC) recently presented a new exposure draft of the proposed NAIC Model Bulletin titled Use of Algorithms, Predictive Models, and Artificial Intelligence Systems by Insurers at their meeting in Seattle. This draft has raised concerns within the industry, particularly among third-party vendors, regarding the implications it may have on their operations.
The current version of the Bulletin is based on principles rather than being prescriptive, and the Innovation Cybersecurity and Technology Committee stressed that they are not currently seeking to adopt a model rule. Instead, the draft Bulletin encourages insurers to establish a written Artificial Intelligence Systems (AIS) program. This program should address the standards for the acquisition, use, or reliance on AI systems developed or deployed by third parties.
Under this proposed program, insurers are encouraged to include specific terms in their contracts with third-party vendors. These terms outline various requirements, such as the obligation for vendors to maintain an AIS program in line with the insurer’s standards, the insurer’s right to conduct audits for compliance, the provision of audit reports by qualified auditing entities confirming compliance, and the requirement for the third party to cooperate with regulatory inquiries and investigations related to the insurer’s use of their products or services.
One section of the draft Bulletin that received significant attention during the Committee meeting was the language pertaining to third-party vendors. Industry groups, particularly those representing small- and mid-size insurers, expressed concerns about their limited leverage when negotiating contracts with third parties. They felt constrained by their inability to modify contract language to align with the terms specified in the draft Bulletin. The Committee was particularly interested in understanding insurers’ level of control when purchasing products and the extent to which they can enforce coordination with insurance departments that may have questions about third-party vendors.
Furthermore, the Committee has been evaluating whether third-party AI service providers can be regulated through the insurers they do business with or if they require separate licensing by insurance departments. Although this point was not elaborated on, it is an aspect worth monitoring. Regulators have begun scrutinizing AI solutions developed both in-house by insurers and those provided by third-party AI service providers. Recent cases, such as Kisting-Leung et al. v. Cigna Corp. et al., have alleged violations of insurance regulations, prompting regulators to take a closer look at these technologies.
In summary, the NAIC’s proposed Model Bulletin on Insurers’ Use of AI Systems has generated concern within the industry, particularly among third-party vendors who worry about the impact it may have on their operations. While the current draft is not prescriptive, it advocates for insurers to establish written AIS programs and include specific terms in contracts with third-party vendors. The Committee is exploring the regulation of third-party AI service providers through insurers and closely examining the development and use of AI solutions in the insurance sector. As the industry continues to evolve, it is important for all stakeholders to consider the implications of AI systems and ensure compliance with relevant regulations.