Colorado SB 21-169: AI bias testing for insurers

If your underwriting, pricing or claims touches an algorithm, a predictive model or external consumer data (ECDIS), the Division of Insurance wants to see your governance, your bias testing and your annual attestation. Life insurers already live under Regulation 10-1-1. Private auto and health are next.

Life insurance: Live since 2023
Auto + health: Rulemaking
Regulator: Division of Insurance

What is Colorado SB21-169?

Colorado passed SB21-169 in July 2021 under the name "Protecting Consumers from Unfair Discrimination in Insurance Practices." The law tells insurers they can't use algorithms, predictive models or external consumer data (ECDIS) if the result is unfair discrimination against a protected class. Everything after that (deadlines, testing methods, attestations) sits in regulations written by the Division of Insurance.

One law, a sector-by-sector rollout. Regulation 10-1-1 has governed life insurance since November 2023, and it's where the core risk management framework and model inventory obligations live. Private passenger auto and health benefit plans are the next lines to come under specific rules, and that rulemaking is live right now.

Risk framework

Written governance and risk management required

Bias testing

Ongoing disparate-impact testing, not a one-off

Commonly confused with the broader Colorado AI Act (SB24-205) — see the comparison below.

Who is covered

Life insurers (already live)

Any life insurer authorized to do business in Colorado using ECDIS, algorithms, or predictive models in underwriting, pricing, or claims.

Private passenger auto insurers (rulemaking)

Auto insurers subject to pending rules covering the use of external data, telematics, and pricing algorithms.

Health benefit plans (rulemaking)

Health insurers and health benefit plans covered by forthcoming regulations targeting algorithms used in coverage, pricing, and claims.

MGAs and TPAs

Managing general agents and third-party administrators that operate algorithms or ECDIS on behalf of insurers fall within the insurer's compliance responsibility.

Reinsurers using ECDIS

Reinsurers whose models or data inform Colorado-admitted insurers' decisions are typically addressed through the ceding insurer's governance program.

InsurTech vendors

Vendors providing algorithms, models, or ECDIS to Colorado insurers should expect downstream diligence and contractual obligations tied to SB21-169.

SB21-169 vs SB24-205: what's the difference?

Two Colorado laws, two regulators, two compliance programs. If you're an insurer using AI in Colorado, you're on the hook for both.

| Attribute | SB21-169 | SB24-205 (Colorado AI Act) |
| --- | --- | --- |
| Full name | Senate Bill 21-169 (Protecting Consumers from Unfair Discrimination in Insurance Practices) | Senate Bill 24-205 (Colorado Artificial Intelligence Act) |
| Year enacted | 2021 | 2024 |
| Sector scope | Insurance only (life, auto, health, etc.) | Cross-sector (employment, housing, healthcare, finance, education, legal) |
| Regulator | Colorado Division of Insurance (DOI) | Colorado Attorney General |
| What's covered | Algorithms, predictive models, and ECDIS used in insurance practices | High-risk AI systems making consequential decisions |
| Core obligation | Test data and models for unfair discrimination; document governance and remediation | Risk management, impact assessments, consumer notification, cure period |
| Effective date (current) | Life insurance: Nov 14, 2023. Auto/health: rulemaking ongoing 2025-2026 | February 1, 2026 |

What counts as ECDIS?

If it didn't come from the consumer directly, it's probably ECDIS. Most of the compliance work ends up here.

Financial data

  • Credit-based insurance scores
  • Banking transaction patterns
  • Payment history
  • Tradeline data

Lifestyle and behavioral data

  • Social media activity
  • Consumer purchase history
  • Loyalty program data
  • Web browsing patterns

Geographic data

  • Census tract demographics
  • Neighborhood characteristics
  • Property and location data
  • Mobility patterns

Health and wellness data

  • Wearable device data
  • Prescription history
  • Gym and fitness program membership
  • Wellness program participation

Compliance timeline

Life insurance is already under a full framework. Auto and health are being written now.

November 14, 2023 (In effect)

Life insurance framework deadline

Life insurers required to have a risk management framework in place under Regulation 10-1-1 governing the use of ECDIS, algorithms, and predictive models.

June 1, 2024 (In effect)

Life insurance progress report

First progress report due to the Division of Insurance documenting framework implementation, testing results, and remediation activities.

December 1, 2024 (In effect)

Full compliance attestation

Annual attestation from life insurers certifying full compliance with SB21-169 and its implementing regulations. Recurs annually thereafter.

2025-2026 (Rulemaking)

Auto and health insurance rulemaking

Colorado DOI expanding SB21-169 regulations to private passenger auto insurance and health benefit plans. Virtual rulemaking hearing held June 2, 2025.

Ongoing

Annual attestation and testing

All covered insurers must conduct ongoing bias testing, maintain governance documentation, and file annual attestations with the DOI.

The four compliance pillars

Regulation 10-1-1 sits on four building blocks. Each annual attestation needs evidence from all of them.

Governance

Board- or senior-management-approved policies, documented roles, and oversight for every algorithm, predictive model, and ECDIS used in insurance practices.

  • Written governance framework
  • Documented senior-management oversight
  • Role and responsibility mapping
  • Vendor due diligence program

Risk management

A written risk management framework covering the full lifecycle of data and models, from acquisition and validation through deployment and ongoing monitoring.

  • Inventory of ECDIS, algorithms, and models
  • Lifecycle risk assessments
  • Change-control and model-retirement procedures
  • Third-party and vendor risk controls

Testing for unfair discrimination

Ongoing quantitative testing of data and models to detect unfair discrimination against protected classes including race, color, national or ethnic origin, religion, sex, sexual orientation, disability, gender identity, and gender expression.

  • Proxy-variable analysis
  • Disparate-impact testing across protected classes
  • Documented test methodology
  • Reproducible test datasets

Reporting and remediation

Documented findings, corrective action when unfair discrimination is detected, and annual attestation to the Division of Insurance.

  • Written findings documentation
  • Remediation plans with owners and deadlines
  • Annual attestation filings
  • Ad-hoc reporting on material issues

How VerifyWise supports SB21-169 compliance

Each pillar maps to a VerifyWise module. Governance lives in policy, models live in the inventory, testing runs in the audit engine, and attestation pulls the evidence together.

| SB21-169 requirement | VerifyWise coverage |
| --- | --- |
| Governance framework documentation | Policy module captures framework versions, approvals, and review history |
| Model and ECDIS inventory | Centralized AI system inventory with vendor, data source, and lifecycle metadata |
| Risk management lifecycle | Risk assessment workflows covering acquisition, validation, deployment, and retirement |
| Bias and disparate-impact testing | Configurable bias audit engine supporting Colorado protected classes and custom groupings |
| Proxy variable analysis | Feature-level proxy detection workflows with audit trails and reviewer sign-off |
| Remediation tracking | Incident and corrective-action module with owners, deadlines, and evidence |
| Vendor and third-party diligence | Vendor management workflows for ECDIS and model providers with questionnaire templates |
| Annual attestation support | Attestation packages with linked controls, evidence, and timestamped sign-offs |
| Evidence and audit trail | Immutable activity logs across models, datasets, tests, and approvals |
| Regulator-ready export | Report export for Division of Insurance filings and internal audit packages |

Common mistakes to avoid

These are the patterns we keep seeing in life insurance programs. Expect them to resurface when auto and health go live.

Treating SB21-169 like SB24-205

They're separate laws. Different regulators, different deadlines, different scope. SB21-169 is insurance-specific and the Division of Insurance enforces it. The Colorado AI Act (SB24-205) is broader and sits with the Attorney General. If you're an insurer in Colorado, you owe compliance under both.

Assuming only public data triggers ECDIS rules

ECDIS is broader than most teams expect. Vendor-supplied scores, data brokers and consortium data all count. Credit-based insurance scores are firmly in scope, even though they've been part of insurance pricing for years.

Relying on vendor 'fairness' assurances

A vendor's compliance is not your compliance. The Colorado-licensed insurer owns the obligation. You still need your own testing, your own documentation and your own governance, even if every model on your stack came from a third party.

Limiting testing to race

Regulation 10-1-1 covers a wider set of protected classes than most legacy bias testing programs. Stopping at race leaves gaps around sex, gender identity, gender expression, sexual orientation, disability and national origin.

Running tests once and moving on

This isn't an annual checkbox. Models change, data drifts and new versions ship. Each of those is a new testing event against the same documented methodology.

Frequently asked questions

The questions we get from insurance legal, compliance and data science teams working through SB21-169.

SB21-169 is a 2021 Colorado law that tells insurers they can't use algorithms, predictive models or external consumer data (ECDIS) if the end result is unfair discrimination against a protected class. The Colorado Division of Insurance enforces it, and they write sector-specific regulations to spell out what compliance actually looks like.

ECDIS stands for External Consumer Data and Information Sources. In plain language, it's any data you didn't collect from the consumer directly. Credit-based insurance scores, purchase history, social media signals, wearable data, geographic data and anything from third-party brokers or consortiums all fit under ECDIS. Most insurers use a centralized model inventory to track every source.

Different laws, different regulators. SB21-169 is insurance-specific and the Division of Insurance runs it. SB24-205 (the Colorado AI Act) covers high-risk AI across employment, housing, healthcare and other sectors, and the Attorney General runs that one. They both go after algorithmic discrimination, but each one comes with its own compliance program and its own deadlines.

Life insurers are fully in scope today under Regulation 10-1-1. You need a live risk management framework, ongoing testing and an annual attestation on file. Private passenger auto and health benefit plans are in active rulemaking as of April 2026 and will pick up obligations once those rules are finalized.

For life insurers the milestones are: risk management framework in place by November 14, 2023; first progress report due June 1, 2024; first full compliance attestation due December 1, 2024. Attestations recur every year after that.

Colorado's framework covers race, color, national or ethnic origin, religion, sex, sexual orientation, disability, gender identity and gender expression. Build your testing methodology to cover every protected class relevant to your book of business, not just the ones other jurisdictions happen to care about.

Unfair discrimination is when algorithms, predictive models or ECDIS produce disproportionate adverse outcomes for a protected class and there's no legitimate, actuarially sound business reason for the difference. The Division of Insurance's regulations are prescriptive about the testing methodology you need to use to detect it.

A covered insurer files an attestation with the Colorado Division of Insurance saying, on the record, that it has built and is maintaining the required governance, risk management and testing program. Most teams use a compliance framework module to pull the evidence together. The first one for life insurers went in on December 1, 2024. After that, it's an annual filing.

Yes. The obligation sits with the Colorado-licensed insurer, full stop. A vendor model, third-party data feed or managing general agent doesn't transfer responsibility to them. You still need vendor diligence, contractual protections and your own evidence that testing happened and governance held up.

The insurer takes corrective action. That usually means documenting the finding through an incident workflow, remediating the model or data source, retesting and tightening the governance controls so the same thing doesn't happen again. All of it goes into the record, and the Division of Insurance can ask to see it.

The NAIC AI Model Bulletin is a national template other state regulators are adopting. Colorado's SB21-169 and Regulation 10-1-1 go deeper than the bulletin, especially on quantitative testing and attestation. If you also work with the NIST AI RMF, most of the governance scaffolding overlaps. Usually it makes sense to build one program that meets Colorado's bar and then flex it for the other states.

Yes. As of April 2026, Colorado's AI insurance rules face litigation arguing that state-level AI regulation creates conflicting requirements across states and that federal standards should take precedence. This is a pattern we're seeing with other state AI laws too, including the Texas AI Act and the Colorado AI Act. The law is still in force while the case plays out.

VerifyWise gives you the governance, inventory, bias testing, remediation tracking and attestation workflows the regulation asks for. Insurers use it to document the risk management framework, run ongoing disparate-impact tests, track corrective actions and pull evidence together for the annual attestation. For a full walkthrough of the platform, see our product overview.