NYDFS Insurance Circular Letter No. 7 (2024) builder's guide
Rule: us-ny-dfs-ai-insurance-underwriting-2024.
Source: NYDFS Insurance Circular Letter No. 7 (2024) — adopted July 11, 2024.
Statutory framework: N.Y. Insurance Law §§ 2303, 2606, 2616, 3221, 3425, 3426, 4224, 4305 (anti-discrimination); Articles 24, 26, 43, 45; 11 NYCRR 243 (recordkeeping).
Audience: insurers authorized to write insurance in New York State, Article 43 corporations, HMOs, licensed fraternal benefit societies, the New York State Insurance Fund, and any insurtech vendor whose customers include the foregoing.
Severity: mandatory.
What NYDFS did
On July 11, 2024 NYDFS Superintendent Adrienne A. Harris adopted Insurance Circular Letter No. 7 (2024) — Use of Artificial Intelligence Systems and External Consumer Data and Information Sources in Insurance Underwriting and Pricing. The Circular Letter operationalizes the anti-unfair-discrimination provisions that have always governed insurance underwriting, but specifies how those provisions apply when the underwriting or pricing decision is informed by an Artificial Intelligence System (AIS) or External Consumer Data and Information Sources (ECDIS).
This is not a new statute. It is NYDFS's official supervisory position on how the existing N.Y. Insurance Law §§ 2606, 2616, 4224 (and the Articles cited above) apply to AI-informed insurance decisions. The Circular Letter has been treated, in practice, as the floor for AI insurance underwriting in NY since adoption.
Who's covered
The Circular Letter directly reaches:
- All NY-authorized insurers writing any line of insurance in New York State (life, accident & health, property & casualty, title, financial-guaranty, and others).
- Article 43 corporations (not-for-profit health-service corporations).
- HMOs operating under Article 44.
- Licensed fraternal benefit societies.
- The New York State Insurance Fund.
It indirectly reaches insurtech vendors and AI/ML model providers whose customers include any of the above. It does so through the third-party-vendor-oversight requirement, which makes the insurer the responsible party for vendor outputs but creates a contractual cascade onto the vendor.
What "AIS" and "ECDIS" mean
The Circular Letter intentionally defines these broadly:
- AIS (Artificial Intelligence System): any model that uses machine learning, statistical learning, or similar techniques to inform underwriting or pricing decisions. Covers conventional ML models AND generative-AI / large-language-model integrations into underwriting workflows.
- ECDIS (External Consumer Data and Information Sources): any data source consulted in underwriting that originates outside the insurer-applicant relationship — credit-bureau data, third-party data brokers, social-media inferences, geospatial / satellite-imagery data, IoT / telematics streams, prescription-drug history vendors, and so on.
Critical: AIS coverage applies regardless of whether the AIS uses ECDIS, AND ECDIS coverage applies regardless of whether the data is processed by an AIS. The two definitions are independent and either triggers the Circular Letter's requirements.
The five required-element clusters
1. Lifecycle documentation
Insurers must maintain comprehensive written records of every AIS / ECDIS used in underwriting or pricing. The records must cover:
- Development. Data provenance, training-data composition, validation methodology, model architecture, performance benchmarks.
- Deployment. Production configuration, monitoring thresholds, alerting + escalation procedures.
- Change management. Version history, rationale for each change, validation results post-change.
- Testing. Disparate-impact analysis methodology + results (see element 2).
- Retirement. Decommissioning rationale + transition plan.
Records must be preserved consistent with 11 NYCRR 243 (NY's insurance-recordkeeping regulation) and produced on examination.
The most-cited compliance failure in the early NYDFS examinations: insurers using vendor-supplied AI tools without copies of the vendor's model documentation. NYDFS treats "we don't have access to that, ask the vendor" as a Circular Letter violation.
2. Three-step disparate-impact testing
The Circular Letter mandates a specific three-step framework for disparate-impact analysis:
Step 1 — Detect. Test for disproportionate adverse effect on classes protected by N.Y. Insurance Law (race, color, creed, national origin, age, sex, sexual orientation, gender identity or expression, disability, marital status, prior victim status, lawful occupation, citizenship status). Use both quantitative metrics (adverse-impact ratio, odds ratios, marginal effects) AND qualitative review.
Step 2 — Identify rationale. If disproportionate effect is detected, identify the legitimate underwriting rationale that the model is serving. "We need to predict claims" is not specific enough; the rationale must connect to a particular insurance-actuarial purpose.
Step 3 — Less-discriminatory alternative. Search for alternative model configurations, data inputs, or scoring methodologies that serve the same legitimate rationale with less disparate impact. If a less-discriminatory alternative is reasonably available, the insurer must adopt it.
This testing must occur before deployment AND at regular intervals during operation (the Circular Letter doesn't fix an interval but signals that annual is a floor; some insurers conduct quarterly).
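The quantitative part of Step 1 and the comparison in Step 3 can be scripted. The following is an added example, not code from the Circular Letter or from NYDFS; it computes the adverse-impact ratio and odds ratio per group, then picks the candidate configuration with the least disparate impact among those that still serve the same rationale. Assumptions: "favorable outcome" means approval, AUC stands in for the legitimate underwriting rationale, the 0.80 review floor and 0.01 AUC tolerance are illustrative internal parameters (the page states no numeric threshold), and the group labels, candidate names, and counts are constructed.

```python
from collections import Counter

def approval_rates(decisions):
    """decisions: iterable of (group, approved) -> {group: approval rate}."""
    total, ok = Counter(), Counter()
    for group, approved in decisions:
        total[group] += 1
        ok[group] += int(approved)
    return {g: ok[g] / total[g] for g in total}

def _odds(p):
    return float("inf") if p == 1 else p / (1 - p)

def impact_metrics(decisions, reference):
    """Step 1 (quantitative part): each group's adverse-impact ratio and
    odds ratio of approval, relative to the reference group."""
    rates = approval_rates(decisions)
    ref = rates[reference]
    if ref == 0:
        raise ValueError("reference group has no approvals; ratios undefined")
    return {g: {"air": r / ref, "odds_ratio": _odds(r) / _odds(ref)}
            for g, r in rates.items() if g != reference}

def flagged(metrics, air_floor=0.80):
    """Groups whose AIR falls below the (assumed) internal review floor."""
    return sorted(g for g, m in metrics.items() if m["air"] < air_floor)

def worst_air(decisions, reference):
    return min(m["air"] for m in impact_metrics(decisions, reference).values())

def less_discriminatory_alternative(candidates, baseline, reference, auc_tol=0.01):
    """Step 3: among candidates whose AUC stays within auc_tol of the baseline,
    return the one with the best worst-group AIR, or None if none beats it."""
    floor = candidates[baseline]["auc"] - auc_tol
    viable = [n for n, c in candidates.items() if c["auc"] >= floor]
    best = max(viable, key=lambda n: worst_air(candidates[n]["decisions"], reference))
    base_air = worst_air(candidates[baseline]["decisions"], reference)
    return best if worst_air(candidates[best]["decisions"], reference) > base_air else None

def make(counts):
    """Constructed data: {group: (approved, denied)} -> list of (group, bool)."""
    return [(g, i < a) for g, (a, d) in counts.items() for i in range(a + d)]

# Constructed sample: three hypothetical model configurations, 100 applicants per group.
CANDIDATES = {
    "baseline":    {"auc": 0.780, "decisions": make({"ref": (80, 20), "A": (56, 44), "B": (76, 24)})},
    "alt_inputs":  {"auc": 0.775, "decisions": make({"ref": (78, 22), "A": (70, 30), "B": (75, 25)})},
    "alt_scoring": {"auc": 0.740, "decisions": make({"ref": (75, 25), "A": (74, 26), "B": (74, 26)})},
}

if __name__ == "__main__":
    print(impact_metrics(CANDIDATES["baseline"]["decisions"], "ref"))
    print(less_discriminatory_alternative(CANDIDATES, "baseline", "ref"))
```

The qualitative review in Step 1 and the rationale in Step 2 remain human judgments; the script only supplies the numbers that feed them and a record of which alternatives were compared.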
3. Board / senior-management governance
The Circular Letter mandates governance at the board or senior-management level, plus operational governance via a cross-functional committee:
- Written policies + procedures covering AIS / ECDIS use, with clearly defined roles + responsibilities.
- Cross-functional management committee with representatives from legal, compliance, risk, actuarial, and data science. Some insurers add internal audit + business-line representation.
- Annual training for personnel involved in AIS / ECDIS development, deployment, or use. Mandatory, documented, retained.
- Reporting to the board or senior management on at least a quarterly cadence.
NYDFS examinations look for evidence that governance is operational rather than nominal — meeting minutes, training-completion records, escalation logs.
4. Third-party vendor oversight
The Circular Letter explicitly rejects vendor-delegation as a defense. Insurers retain primary responsibility for AIS / ECDIS used in underwriting regardless of whether the systems are insurer-developed or third-party-supplied.
Concrete contractual requirements:
- Audit / examination cooperation. Vendor must cooperate with NYDFS examinations and produce model documentation, validation data, and discrimination-test results on demand.
- Insurer audit rights. Insurer must have contractual rights to audit the vendor's AIS / ECDIS development, testing, and deployment practices.
- Remediation procedures. Defined SLAs for incorrect-data corrections, biased-output remediation, and notification-of-issue.
- Subprocessor visibility. If the vendor uses sub-vendors (e.g., a vendor's underlying data broker), that visibility cascades to the insurer.
Practical implementation: insurers using AI insurtech vendors (Lemonade, Hippo, Root, and similar) MUST have contracts that pass through NYDFS audit rights. Vendors that resist these clauses are increasingly de-selected from NY underwriting workflows.
5. Consumer notice and 15-day adverse-action
Consumer-facing requirements:
- Disclose AIS / ECDIS use to applicants and policyholders. Disclosure must identify the categories of AIS used, the categories of ECDIS consulted, and the consumer rights described below.
- Specific reasons within 15 days. For any adverse underwriting or pricing decision, the insurer must provide the specific reasons within 15 days of the determination. Generic language ("automated decisioning was used") does not satisfy this requirement.
- Right-to-review-and-dispute. Inform consumers of the right to review the data inputs the AIS / ECDIS used, dispute inaccuracies, and request reconsideration based on corrections.
- Data-accuracy review process. Operational process for accepting, reviewing, and acting on consumer disputes.
The 15-day window is materially shorter than the analogous federal-law windows (FCRA, ECOA), so insurers operating across both frameworks should default to the NY 15-day floor rather than maintaining separate workflows.
Common failure patterns
Patterns seen in the ~10 months of NYDFS supervisory activity since adoption:
- Vendor-supplied model with no insurer documentation. Insurer relies on vendor's representation that the model is bias-tested but cannot produce the underlying model card, training data summary, or discrimination-test results when asked.
- One-time pre-deployment test only. Insurer conducts a pre-deployment disparate-impact test, then never retests as the model drifts in production. NYDFS treats ongoing monitoring as a continuous obligation.
- Generic adverse-action notice. Notice says "your application was reviewed using automated systems" without identifying the AIS / ECDIS categories or the specific reasons. NYDFS treats this as a Circular Letter violation regardless of FCRA-compliance status.
- Cross-functional committee in name only. A committee that exists on paper but doesn't actually receive AIS-related material in its meetings, or whose meeting minutes don't show AIS-specific deliberation.
- No less-discriminatory-alternative analysis. Insurer detects disparate impact, identifies a legitimate rationale, and stops there — without searching for alternatives. The Circular Letter is explicit that step 3 is mandatory.
Stacking with adjacent regimes
The Circular Letter doesn't stand alone. Insurers operating AI in NY underwriting will, in practice, also be subject to:
- NAIC AI Model Bulletin (2023) — adopted by ~25 states in some form. NY's Circular is the most prescriptive jurisdiction-level implementation; insurers operating multi-state should default to NY's floor.
- Federal Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.) — when the AIS / ECDIS produces a "consumer report," FCRA dispute / accuracy / adverse-action regimes layer on. The 15-day NYDFS notice timing is shorter than FCRA's adverse-action notice window; honor the shorter.
- Federal CFPB Circular 2023-03 — when the insurance product overlaps with consumer credit (e.g., warranties, certain auto-finance-bundled insurance). See the CFPB Circular 2023-03 builder's guide.
- 23 NYCRR 500 (NYDFS Cybersecurity Regulation) — insurers using AI face the cyber-controls requirements in addition to the AI underwriting / pricing requirements. NYDFS issued a complementary October 16, 2024 Industry Letter on cybersecurity risks from AI.
- Federal HIPAA + state insurance information privacy — when ECDIS includes health data.
Minimum-viable-compliance checklist
For an NY-authorized insurer using a third-party AIS / ECDIS in underwriting:
- Inventory every AIS and every ECDIS used in underwriting or pricing.
- For each, obtain (from the vendor or build internally) a model card covering development, training data, validation, and monitoring.
- Conduct pre-deployment three-step disparate-impact analysis. Document.
- Schedule recurring monitoring intervals (annual minimum; quarterly for higher-risk lines). Document.
- Establish written policies; convene cross-functional management committee with quarterly cadence; complete annual training for all relevant personnel.
- Update vendor contracts with NYDFS audit-cooperation clauses, insurer-audit rights, remediation SLAs.
- Update adverse-action notice templates to identify AIS / ECDIS used and provide specific reasons within 15 days.
- Build / maintain an operational data-accuracy review process accepting consumer disputes.
- Retain all of the above per 11 NYCRR 243.
Sample disclosures
Plain-language adverse underwriting notice (≤200 words)
Your insurance application was evaluated using [AIS tool name] and external consumer data from [data sources]. The tool produced [enumerated outputs] that contributed to this decision. The specific reasons for the adverse determination are: [enumerated reasons].
You have the right to review the data we used, dispute inaccuracies, and request reconsideration based on corrections. Contact [insurer contact] within 30 days. [Insurer] will reconsider the determination in light of submitted corrections.
This notice is provided within 15 days of the determination per NYDFS Insurance Circular Letter No. 7 (2024). [Insurer] is responsible for this decision and retains responsibility for any AI / ECDIS use regardless of whether the tools are operated by [insurer] or a third-party vendor.
Formal-language adverse underwriting notice (legal-counsel-grade)
NOTICE OF ADVERSE UNDERWRITING / PRICING DECISION
Pursuant to N.Y. Insurance Law §§ 2606, 2616, 4224 and NYDFS Insurance Circular Letter No. 7 (2024) dated July 11, 2024, [insurer name] discloses:
- Artificial Intelligence System(s) used: [enumerated AIS].
- External Consumer Data and Information Sources consulted: [enumerated ECDIS].
- AIS / ECDIS outputs that contributed to the determination: [enumerated outputs].
- Specific reasons for the adverse decision: [enumerated reasons].
- Right to dispute: you may request a review of the data inputs and outputs used. Submit written objections or corrections to [contact] within 30 days. [Insurer] will reconsider the determination in light of submitted corrections before it becomes final.
- [Insurer] retains primary responsibility for the AIS / ECDIS used regardless of vendor relationship per the Circular Letter and N.Y. Insurance Law.
This notice is delivered within the 15-day requirement of the Circular Letter (Section [X], paragraph [Y]). Records of this determination are preserved consistent with 11 NYCRR 243.
Authoritative sources
- NYDFS Insurance Circular Letter No. 7 (2024) — primary source.
- NYDFS press release announcing adoption (July 11, 2024).
- NYDFS Cybersecurity AI Industry Letter (October 16, 2024) — complementary 23 NYCRR 500 obligations.
- N.Y. Insurance Law §§ 2606, 2616, 4224 and Articles 24, 26, 43, 45.
- 11 NYCRR 243 (recordkeeping).
Disclaimer
Not legal advice. plainstamp surfaces the published text of the NYDFS Circular Letter and the underlying statutory framework, with citation back to NYDFS's published source. For any actual NY insurance underwriting deployment, verify against the cited Circular Letter and consult counsel licensed in New York. NYDFS examination scope is broad and the right answer in any specific case depends on the line of insurance, the AIS / ECDIS profile, and the protected-class composition of the applicant pool.