Colorado SB21-169: AI and ECDIS compliance for insurers

If your insurance pricing or underwriting touches an algorithm, a predictive model or external consumer data, Colorado wants to see your testing. Life insurers are already under Regulation 10-1-1. Auto and health are next in line.

What is Colorado SB21-169?

Colorado passed SB21-169 in July 2021 under the name "Protecting Consumers from Unfair Discrimination in Insurance Practices." The law tells insurers they can't use algorithms, predictive models or external consumer data and information sources (ECDIS) if the result is unfair discrimination against a protected class. Everything after that (deadlines, testing methods, attestations) sits in regulations written by the Division of Insurance.

One law, a sector-by-sector rollout. Regulation 10-1-1 has governed life insurance since November 2023, and it's where the core risk management framework and model inventory obligations live. Private passenger auto and health benefit plans are the next lines to come under specific rules, and that rulemaking is live right now.

Risk framework

Written governance and risk management required

Bias testing

Ongoing disparate-impact testing, not a one-off

Commonly confused with the broader Colorado AI Act (SB24-205) — see the comparison below.

Who is covered

Life insurers (already live)

Any life insurer authorized to do business in Colorado using ECDIS, algorithms, or predictive models in underwriting, pricing, or claims.

Private passenger auto insurers (rulemaking)

Auto insurers subject to pending rules covering the use of external data, telematics, and pricing algorithms.

Health benefit plans (rulemaking)

Health insurers and health benefit plans covered by forthcoming regulations targeting algorithms used in coverage, pricing, and claims.

MGAs and TPAs

Managing general agents and third-party administrators that operate algorithms or ECDIS on behalf of insurers fall within the insurer's compliance responsibility.

Reinsurers using ECDIS

Reinsurers whose models or data inform Colorado-admitted insurers' decisions are typically addressed through the ceding insurer's governance program.

InsurTech vendors

Vendors providing algorithms, models, or ECDIS to Colorado insurers should expect downstream diligence and contractual obligations tied to SB21-169.

SB21-169 vs SB24-205: what's the difference?

Two Colorado laws, two regulators, two compliance programs. If you're an insurer using AI in Colorado, you're on the hook for both.

| Attribute | SB21-169 | SB24-205 (Colorado AI Act) |
| --- | --- | --- |
| Full name | Senate Bill 21-169 (Protecting Consumers from Unfair Discrimination in Insurance Practices) | Senate Bill 24-205 (Colorado Artificial Intelligence Act) |
| Year enacted | 2021 | 2024 |
| Sector scope | Insurance only (life, auto, health, etc.) | Cross-sector (employment, housing, healthcare, finance, education, legal) |
| Regulator | Colorado Division of Insurance (DOI) | Colorado Attorney General |
| What's covered | Algorithms, predictive models, and ECDIS used in insurance practices | High-risk AI systems making consequential decisions |
| Core obligation | Test data and models for unfair discrimination; document governance and remediation | Risk management, impact assessments, consumer notification, cure period |
| Effective date (current) | Life insurance: Nov 14, 2023. Auto/health: rulemaking ongoing 2025-2026 | February 1, 2026 |

What counts as ECDIS?

If it didn't come from the consumer directly, it's probably ECDIS. Most of the compliance work ends up here.

Financial data

  • Credit-based insurance scores
  • Banking transaction patterns
  • Payment history
  • Tradeline data

Lifestyle and behavioral data

  • Social media activity
  • Consumer purchase history
  • Loyalty program data
  • Web browsing patterns

Geographic data

  • Census tract demographics
  • Neighborhood characteristics
  • Property and location data
  • Mobility patterns

Health and wellness data

  • Wearable device data
  • Prescription history
  • Gym and fitness program membership
  • Wellness program participation

Compliance timeline

Life insurance is already under a full framework. Auto and health are being written now.

November 14, 2023 (In effect)

Life insurance framework deadline

Life insurers are required to have a risk management framework in place under Regulation 10-1-1 governing the use of ECDIS, algorithms, and predictive models.

June 1, 2024 (In effect)

Life insurance progress report

First progress report due to the Division of Insurance documenting framework implementation, testing results, and remediation activities.

December 1, 2024 (In effect)

Full compliance attestation

Annual attestation from life insurers certifying full compliance with SB21-169 and its implementing regulations. Recurs annually thereafter.

2025-2026 (Rulemaking)

Auto and health insurance rulemaking

The Colorado DOI is expanding SB21-169 regulations to private passenger auto insurance and health benefit plans. A virtual rulemaking hearing was held June 2, 2025.

Ongoing

Annual attestation and testing

All covered insurers must conduct ongoing bias testing, maintain governance documentation, and file annual attestations with the DOI.

The four compliance pillars

Regulation 10-1-1 sits on four building blocks. Each annual attestation needs evidence from all of them.

Governance

Board- or senior-management-approved policies, documented roles, and oversight for every algorithm, predictive model, and ECDIS used in insurance practices.

  • Written governance framework
  • Documented senior-management oversight
  • Role and responsibility mapping
  • Vendor due diligence program

Risk management

A written risk management framework covering the full lifecycle of data and models, from acquisition and validation through deployment and ongoing monitoring.

  • Inventory of ECDIS, algorithms, and models
  • Lifecycle risk assessments
  • Change-control and model-retirement procedures
  • Third-party and vendor risk controls

Testing for unfair discrimination

Ongoing quantitative testing of data and models to detect unfair discrimination against protected classes including race, color, national or ethnic origin, religion, sex, sexual orientation, disability, gender identity, and gender expression.

  • Proxy-variable analysis
  • Disparate-impact testing across protected classes
  • Documented test methodology
  • Reproducible test datasets

Reporting and remediation

Documented findings, corrective action when unfair discrimination is detected, and annual attestation to the Division of Insurance.

  • Written findings documentation
  • Remediation plans with owners and deadlines
  • Annual attestation filings
  • Ad-hoc reporting on material issues

How VerifyWise supports SB21-169 compliance

Each pillar maps to a VerifyWise module. Governance lives in policy, models live in the inventory, testing runs in the audit engine, and attestation pulls the evidence together.

| SB21-169 requirement | VerifyWise coverage |
| --- | --- |
| Governance framework documentation | Policy module captures framework versions, approvals, and review history |
| Model and ECDIS inventory | Centralized AI system inventory with vendor, data source, and lifecycle metadata |
| Risk management lifecycle | Risk assessment workflows covering acquisition, validation, deployment, and retirement |
| Bias and disparate-impact testing | Configurable bias audit engine supporting Colorado protected classes and custom groupings |
| Proxy variable analysis | Feature-level proxy detection workflows with audit trails and reviewer sign-off |
| Remediation tracking | Incident and corrective-action module with owners, deadlines, and evidence |
| Vendor and third-party diligence | Vendor management workflows for ECDIS and model providers with questionnaire templates |
| Annual attestation support | Attestation packages with linked controls, evidence, and timestamped sign-offs |
| Evidence and audit trail | Immutable activity logs across models, datasets, tests, and approvals |
| Regulator-ready export | Report export for Division of Insurance filings and internal audit packages |

Common mistakes to avoid

These are the patterns we keep seeing in life insurance programs. Expect them to resurface when auto and health go live.

Treating SB21-169 like SB24-205

They're separate laws. Different regulators, different deadlines, different scope. SB21-169 is insurance-specific and the Division of Insurance enforces it. The Colorado AI Act (SB24-205) is broader and sits with the Attorney General. If you're an insurer in Colorado, you owe compliance under both.

Assuming only public data triggers ECDIS rules

ECDIS is broader than most teams expect. Vendor-supplied scores, data brokers and consortium data all count. Credit-based insurance scores are firmly in scope, even though they've been part of insurance pricing for years.

Relying on vendor 'fairness' assurances

A vendor's compliance is not your compliance. The Colorado-licensed insurer owns the obligation. You still need your own testing, your own documentation and your own governance, even if every model on your stack came from a third party.

Limiting testing to race

Regulation 10-1-1 covers a wider set of protected classes than most legacy bias testing programs. Stopping at race leaves gaps around sex, gender identity, gender expression, sexual orientation, disability and national origin.

Running tests once and moving on

This isn't an annual checkbox. Models change, data drifts and new versions ship. Each of those is a new testing event against the same documented methodology.

Frequently asked questions

The questions we get from insurance legal, compliance and data science teams working through SB21-169.