本文目前仅提供英文版本。
AI in US Insurance: NAIC Model Bulletin, State Regulators, and the Governance Framework for Insurers
US insurance is state-regulated, but the NAIC's 2023 Model Bulletin on AI establishes a national baseline. Here is the governance framework US insurers need — covering NAIC expectations, state insurance commissioner requirements, and CFPB oversight of credit insurance.
Key Takeaways
The NAIC adopted its Model Bulletin on the Use of Artificial Intelligence Systems in December 2023. While advisory rather than binding law, it has been adopted or is under consideration by multiple state insurance departments — establishing a de facto national baseline for AI governance expectations.
The NAIC Model Bulletin requires insurers to implement an AI governance programme covering: board accountability, model risk management, data governance, explainability, bias testing, and consumer protection. Insurers should treat this as the minimum expected standard regardless of whether their state has formally adopted it.
Insurance AI that affects access to coverage, premium pricing, claims decisions, or fraud detection is subject to existing state unfair trade practices laws — which prohibit unjust discrimination. These apply to AI outcomes regardless of whether the AI was the direct decision-maker.
Colorado SB 21-169 (effective 2023) requires insurers to adopt a governance programme for external consumer data and information sources used in insurance, prohibit use that results in unfair discrimination, and file a written statement of compliance with the Colorado Insurance Commissioner.
The FTC has jurisdiction over certain insurance-adjacent AI practices — particularly in fintech, credit insurance, and insurtech products. FTC Section 5 unfair or deceptive practice standards apply to AI misuse in consumer insurance contexts.
State insurance departments are conducting market conduct examinations specifically focused on AI. Insurers should prepare for examiner requests for AI model documentation, bias testing results, and governance programme evidence.
"仅供参考。本文不构成法律、监管、财务或专业建议。如需具体指导,请咨询合格专家。"
The US insurance AI regulatory landscape
Insurance regulation in the United States is primarily state-based — there is no federal insurance regulator with jurisdiction over most insurance lines. This means that the AI governance framework for US insurers is a combination of the NAIC's advisory guidance (which sets coordinated expectations across states), state-specific legislation (Colorado being the most advanced), and existing state unfair trade practices laws applied to AI outputs.
NAIC Model Bulletin: the national baseline
The National Association of Insurance Commissioners adopted its Model Bulletin on the Use of Artificial Intelligence Systems in December 2023. The Model Bulletin is advisory — it does not become binding state law unless a state formally adopts it — but it has significant practical importance because NAIC model acts and bulletins typically become the baseline for state regulatory action and market conduct examinations.
The Model Bulletin sets out expectations across six areas: governance (board and senior management accountability for AI); risk management (AI risk management programme covering model validation, ongoing monitoring, and incident response); data governance (data quality, representativeness, and bias testing for training data); third-party AI (vendor oversight expectations); explainability (capability to explain AI-driven insurance decisions to regulators, consumers, and producers); and consumer protection (non-discrimination testing, complaints monitoring, and access to human review).
For practical compliance, insurers should treat the NAIC Model Bulletin as the minimum programme elements that state examiners will expect to see — regardless of whether their specific state has formally adopted it. Market conduct examiners are increasingly trained on AI governance, and the Model Bulletin provides the examination framework they are using.
Colorado SB 21-169: the most advanced state requirement
Colorado's SB 21-169, signed in 2021 and effective from 2023, requires insurers to: adopt a written programme for governance and risk management of external consumer data and information sources (ECDIS) used in insurance practices; ensure that their use of ECDIS does not result in unfair discrimination based on race, color, national or ethnic origin, religion, sex, sexual orientation, disability, gender identity, or gender expression; and file a written statement of compliance with the Colorado Insurance Commissioner.
Colorado's approach is notable because it directly regulates the use of external data and AI inputs — not just outcomes — and creates a positive obligation to ensure non-discrimination rather than just prohibiting discriminatory outcomes. This requires insurers to conduct proactive bias testing of their data sources and models, not just reactive monitoring.
State unfair trade practices laws and AI
Every US state has an unfair trade practices statute (typically modelled on the NAIC's Unfair Trade Practices Act) that prohibits unjust discrimination in insurance — setting different rates or terms for individuals with the same insurable risk based on protected characteristics. These statutes apply to AI outcomes in exactly the same way they apply to human decisions.
The emerging enforcement pattern: state insurance departments are using unfair trade practices statutes to challenge AI pricing and underwriting decisions that produce discriminatory outcomes at the population level. The key is disparate impact — if an AI model produces systematically different premiums for people of different races or ethnicities with the same risk profile, this may constitute unjust discrimination under state law regardless of whether race was an input variable.
Market conduct examinations and AI
State insurance departments conduct market conduct examinations that review insurer business practices. AI governance is increasingly a specific examination topic. Insurers should prepare for examination requests including: written AI governance programme documentation; model inventory for AI models used in underwriting, pricing, claims, and fraud detection; validation documentation for each model; bias testing results; consumer complaint data relating to AI decisions; and evidence of board and senior management oversight of AI risks.