On June 29, 2017, the New York Department of Financial Services (NYDFS) issued an information request pursuant to Section 308 of the New York Insurance Law addressed to all life insurers and fraternal benefit societies authorized to write life insurance in New York (the 308 Request) requesting information about how they use “external consumer data” and algorithms in their underwriting processes. Under Section 308, NYDFS has broad authority to make inquiries to any licensed insurer in relation to its “transactions or condition or any matter connected therewith.”1
NYDFS explained that it has become aware of a number of insurers using external consumer data or information sources as part of an accelerated or algorithmic underwriting program. It cites as examples of such information credit scores, purchasing habits, affiliations, home ownership records, and educational attainment. The 308 Request indicates that NYDFS is requesting this information to determine whether underwriting programs using external consumer data and algorithms are in compliance with applicable New York State laws and regulations.
As a threshold matter, NYDFS is requiring life insurers to disclose whether they (1) offer an accelerated or algorithmic underwriting program; or (2) use external consumer data or information sources to supplement a medical underwriting program. An “accelerated or algorithmic underwriting program” is defined as any non-medical underwriting program or criteria (i.e., no paramedical exam or not physically invasive) based on external data or information sources other than an attending physician’s statement, MIB Group member exchange information, motor vehicle report, inspection report, or prescription drug database.
Insurers that use either of the above are required to respond to a detailed questionnaire that, among other things, requests information about:
- What specific data elements are being used;
- Which third-party vendors are providing external consumer information;
- Exactly how external consumer information is being used;
- When external consumer information is an input to an algorithm, and how those algorithms work, including details on how algorithms weigh and scale certain data elements;
- How algorithmic underwriting is disclosed to policy applicants;
- What recourse policy applicants have for adverse decisions that rely on algorithmic underwriting; and
- Data security and minimization procedures.
NYDFS is the first state insurance regulator to directly examine life insurers’ use of algorithms using external consumer data for underwriting (algorithmic underwriting), although recent regulatory trends have suggested that such examinations have been under consideration.
For example, the National Association of Insurance Commissioners (NAIC) Big Data (EX) Working Group has been closely following how insurance companies use consumer data, algorithms and predictive analytics for underwriting, and has developed a comprehensive work plan for how to address those issues. While the Working Group’s attention is currently focused on property and casualty (P&C) insurance, it anticipates completing its charges for life insurance by 2019. Further, and almost contemporaneously with NYDFS’s transmission of the 308 Request, the Working Group held a conference call that specifically addressed insurers’ use of non-traditional data sources. To enhance its capabilities in this area, the Working Group will also create a “Predictive Analytics Team” and a Predictive Analytics Working Group to support state regulators in their review of complex underwriting models.
In addition, on the federal level, the US Securities and Exchange Commission (SEC) has increased its scrutiny of the use of algorithms in financial services. In February, the SEC released a Guidance Update on Robo-Advisers, which encouraged registered investment advisers to disclose the particular risks inherent in the use of algorithms for investment advice, to provide an explanation of the degree of human involvement in algorithmic decision-making, and to describe all algorithmic functions, assumptions, and limitations. While the guidance the SEC provided to registered investment advisers is not directly relevant to life insurers, it demonstrates that regulators are beginning to focus on how regulated industries use algorithms in providing services to their customers.
Insurers that write P&C insurance in New York may recall that NYDFS also issued a section 308 letter in 2015 as part of its investigation into the use of consumer data for “price optimization” purposes in potential violation of Insurance Law § 2303 (prohibiting unfairly discriminatory rates). A proposed amendment to New York’s regulations governing private passenger automobile insurance2 (Insurance Regulation 150) would ban the use of occupational status and education level for rating classifications unless the insurer demonstrates to the superintendent’s satisfaction that it has a reasonable relationship to the insurer’s risk of loss. Commentators have suggested the Department is placing too heavy a burden of proof on insurers, and the proposal likely signals the NYDFS’s skepticism that customer information being used by insurers is truly causally connected to the risks they present. It remains to be seen whether NYDFS will examine the use of algorithmic underwriting in life insurance for compliance with Insurance Law § 4224 (prohibiting unfair discrimination between individuals of the same class).
Further, the fact that NYDFS is requesting information on what disclosures insurers make to consumers about algorithmic underwriting, and what recourse consumers have for adverse decisions based on algorithmic underwriting, suggests that NYDFS will be evaluating compliance with New York’s Fair Credit Reporting Act (FCRA).3 Insurers should also be considering their obligations under the federal FCRA to obtain consumer consent to use covered information in some circumstances, to ensure the accuracy of certain information used for insurance purposes, and to provide specific methods of recourse to consumers affected by adverse decisions based on covered information. A recent article in the Wall Street Journal (authored by Leslie Scism) also highlighted the potential application of the FCRA to the NYDFS inquiry into algorithmic underwriting.4
Additionally, the 308 Request includes several items that may raise compliance issues with the new NYDFS cybersecurity rule.5 Notably, the 308 Request seeks information on which third-party vendors life insurers are using to gather external consumer information, as well as how such data are being utilized, stored, or destroyed after the underwriting process. This kind of information may implicate life insurers’ data security practices. The use of outside vendors by life insurers to furnish external consumer data will also be relevant as insurers develop their third-party service provider policies under the cybersecurity rule.
As regulators increase their scrutiny of algorithmic underwriting and other big data practices, insurers that are using or planning to use these techniques should be sure to consider the full range of obligations and risks they face going forward.