Understanding the NAIC model AI bulletin: what it means for insurers

The National Association of Insurance Commissioners (NAIC) adopted the Model Bulletin on the Use of Artificial Intelligence Systems by Insurers (“Model AI Bulletin”) in December 2023. The Model AI Bulletin provides guidelines for insurers on the responsible use of artificial intelligence (AI) within the industry. The Model AI Bulletin is heavily influenced by various AI policy frameworks and laws, including the OECD AI Principles, G20 AI Guidelines, the US Executive Order on AI, and the EU AI Act. These frameworks and laws share common principles that are increasingly becoming standard in the development of AI regulations, including:

  • Transparency
  • Accountability & Responsibility
  • Fairness and Non-Discrimination
  • Safety & Risk Management
  • Privacy & Data Protection
  • Human-Centric Approach
  • Fostering Innovation

Key takeaway from the NAIC AI bulletin

The NAIC’s model bulletin is prescriptive in nature and emphasizes the need for insurers to develop comprehensive AI governance frameworks. Insurers are required to create a written program (“AIS Program”) detailing the responsible use of AI systems, especially when these systems are used in decision-making processes that impact regulated insurance practices.

Written AI program

Insurers must develop, implement, and maintain a documented AI program that supports responsible AI practices. This includes outlining the purpose, scope, and structure of AI systems used in decision-making while addressing potential risks to consumers. The program must demonstrate clear oversight and auditing processes to ensure compliance with relevant laws and best practices. The AIS Program should address the use of AI systems across the insurance lifecycle, including product development and design; marketing; use; underwriting, rating, and pricing; case management; claim administration and payment; and fraud detection.

Governance framework: transparency, fairness, and accountability 

Like security and privacy frameworks, the Model AI Bulletin emphasizes the need to incorporate policies, procedures, processes, risk management, and internal controls into an existing or new governance structure. The governance structure should include stakeholders from various verticals, such as actuarial, data science, underwriting, compliance, and legal departments. Each representative should have defined responsibilities, authority, and decision-making powers. Establishing such a framework helps ensure that AI systems operate in a manner that is ethical and aligned with regulatory requirements.

Risk management and internal controls

The NAIC highlights the need for robust risk management controls tailored to the specific risks associated with AI systems. Drawing on the “CIA Triad” – the confidentiality, integrity, and availability of data – the AIS Program should include validation, testing, and retesting as necessary to assess the generalization of AI system outputs upon implementation to ensure quality and data integrity. This process should also evaluate the suitability of the data used for developing, training, validating, and auditing the model. Additionally, the program should establish data practices and accountability procedures that ensure data currency, lineage, quality, integrity, bias analysis and minimization, and overall suitability.

Notice to consumers

A key consumer protection principle in the NAIC bulletin is that insurers must notify consumers when AI systems are in use. Additionally, consumers should have access to appropriate information regarding how these AI systems may affect decisions that impact them. The level of information provided may vary depending on the phase of the insurance lifecycle in which AI systems are deployed.

Third-party vendor management

Implementing strong third-party vendor management practices is another important concept under the Model AI Bulletin.

Insurers will be responsible for overseeing third-party vendors involved in AI development, procurement, and implementation. This includes assessing the data and AI systems provided by third parties and ensuring contractual protections, such as audit rights and cooperation with regulatory inquiries. As in the privacy space, regulatory oversight may require insurers to provide information on their vendor diligence processes, including their assessment of third-party data sources and AI technologies.

Regulatory oversight

Insurers may be asked to provide documentation related to the development, use, and oversight of AI systems, particularly if there are concerns about market conduct or consumer harm. The Model AI Bulletin relies on the Unfair Trade Practices Act (#880) (UTPA) and the Unfair Claims Settlement Practices Model Act (#900) (UCSPA), meaning that insurers operating in any given state must ensure their actions comply with the UTPA and the UCSPA, regardless of the methods used to determine or support those actions. Insurers are expected to implement practices, including governance frameworks and risk management protocols, that are specifically designed to prevent the use of AI systems from resulting in unfair trade practices and/or unfair claims settlement practices.

The Model AI Bulletin also highlights that insurers may be required to provide documentation regarding the development and use of AI, including details on governance, risk management, and internal controls, as part of an investigation or market conduct action.

Model AI bulletin adopted by state:

Since the NAIC adopted the bulletin, nearly half the states have enacted the Model AI Bulletin, reflecting a growing commitment to these standards across the country. These states include:

| State | Date of adoption |
|---|---|
| Alaska | February 1, 2024 |
| Arkansas | July 31, 2024 |
| Connecticut | February 26, 2024 |
| District of Columbia | May 21, 2024 |
| Illinois: Company | March 13, 2024 |
| Iowa | November 7, 2024 |
| Kentucky | April 16, 2024 |
| Maryland | April 22, 2024 |
| Massachusetts | December 9, 2024 |
| Michigan | August 7, 2024 |
| Nebraska | June 11, 2024 |
| Nevada | February 23, 2024 |
| New Hampshire | February 20, 2024 |
| North Carolina | December 18, 2024 |
| Oklahoma | November 14, 2024 |
| Pennsylvania | April 6, 2024 |
| Rhode Island | March 15, 2024 |
| Vermont | March 12, 2024 |
| Virginia | July 22, 2024 |
| Washington | April 22, 2024 |
| West Virginia | August 9, 2024 |

What does this mean for insurers?

The NAIC Model AI Bulletin introduces a comprehensive framework for insurers looking to integrate AI into their operations. Insurers must:

  • Develop written AI programs with clear policies and procedures.
  • Establish robust governance structures with transparent and accountable decision-making processes.
  • Implement strong risk management practices and internal controls to safeguard consumers.
  • Ensure consumer transparency and informed consent regarding AI’s role in decision-making.
  • Carefully manage third-party vendors and AI procurement to ensure compliance and oversight.

By adhering to these guidelines, insurers can not only enhance consumer protection but also reduce the risks associated with deploying AI systems.