How Will the NAIC Regulate Third-Party Data and Modeling Vendors?
Over the weekend, the NAIC’s Third-Party Data and Models (H) Task Force released for a 30-day comment period (expiring Monday, May 6, 2024) a proposed work plan to develop a framework for the regulatory oversight of “third-party data and model vendors and their products and services,” including artificial intelligence. Developing this regulatory “framework” is anticipated to take two years. The spring and summer of 2024 will be a fact-gathering period; over the fall, the task force plans to discuss general ideas for the framework and ultimately finalize a general concept at the November Fall National Meeting in Denver, Colorado. Drafting is slated to begin in 2025. It is contemplated that the anticipated framework “may require new or modification of adopted model laws or regulations in 2025.”
Specific concerns raised in the proposed work plan include:
Licensing data and model vendors like advisory or rating organizations;
Certification, SOC reports,[1] and third-party warranties;
Mandated contract provisions;
Prior regulatory review of models, even prior approval; and
Variation by line of business and/or specific activities.
The proposed work plan recognizes that some activities entail greater risks to consumers and thus raises questions of proportionality to the potential risk, while also being mindful not to discourage innovation.
While the form and content of the anticipated regulatory framework are uncertain at this time, in its proposed work plan, the task force is “clear that insurers are ultimately responsible for ensuring that insurance laws and regulations continue to be complied with while using data and models from third-party vendors.”
Locke Lord will continue to monitor developments at the NAIC pertaining to third-party data and predictive modeling vendors, including artificial intelligence. If you have any questions, please reach out to the author or your Locke Lord partner.
[1] Generically speaking, an SOC report is an independent evaluation of the controls of a service provider.