
On August 20, 2025, Colorado finalized amendments to Regulation 10-1-1, extending its governance framework for external consumer data and information sources (ECDIS) beyond life insurance to private passenger auto and health benefit plan insurers. The regulation took effect October 15, 2025, with interim progress reports due December 1, 2025, and full compliance required by July 1, 2026.
ECDIS refers to data sources used to supplement or replace traditional underwriting factors or other insurance practices, such as credit scores, shopping patterns, or telematics data. The amended regulation explicitly names telematics as ECDIS, bringing usage-based insurance programs squarely into regulatory scope.
The framework requires insurers to establish board-level governance and risk management systems, maintain inventories of ECDIS sources and affected models, document design and testing processes, monitor for model drift, and provide consumers with meaningful information about adverse decisions, denial of coverage, significant rate increases, and the like. Importantly, the regulation mandates quantitative testing to detect unfair discrimination with respect to race, though detailed testing guidance from the Department of Insurance remains pending. Colorado’s approach goes beyond the NAIC’s 2023 model bulletin on AI systems, with more prescriptive requirements and enforcement mechanisms. While many states have adopted the NAIC’s principles-based framework, Colorado’s requirements around ECDIS and its explicit focus on racial discrimination testing make it notably more specific.
What this means for actuaries:
The practical requirements center on documentation and ongoing oversight. Insurers will need to maintain inventories of ECDIS sources and models with version control, establish protocols for bias detection, and monitor model performance over time. These governance requirements formalize practices that extend across the entire modeling life cycle, from data collection through deployment.
For actuaries working with telematics or alternative data sources, these governance requirements add formal documentation and oversight protocols to traditional model development and validation work. Meeting these requirements will necessitate cross-functional collaboration with compliance, legal, and data science teams, particularly for developing bias-testing protocols and maintaining documentation standards. Colorado’s specificity around telematics and its focus on binding compliance timelines may signal where other states are headed, suggesting that multistate carriers should build governance frameworks flexible enough to meet varying jurisdictional standards.
Sources:
- https://doi.colorado.gov/announcements/notice-of-adoption-amended-regulation-10-1-1-governance-and-risk-management-framework
- https://www.insurereinsure.com/2025/08/27/colorado-division-of-insurance-expands-ai-governance-and-framework-regulation-to-private-passenger-auto-and-health-benefit-plan-insurers/








