NYDFS Insurance Circular Letter No. 7 (2024) — AI systems and external consumer data in insurance underwriting + pricing

On July 11, 2024 the New York Department of Financial Services adopted Insurance Circular Letter No. 7 (2024), "Use of Artificial Intelligence Systems and External Consumer Data and Information Sources in Insurance Underwriting and Pricing," applicable to all NY-authorized insurers, Article 43 corporations, HMOs, licensed fraternal benefit societies, and the New York State Insurance Fund. The Circular Letter operationalizes existing anti-unfair-discrimination provisions of New York Insurance Law (§§ 2303, 2606, 2616, 3221, 3425, 3426, 4224, 4305 and Articles 24, 26, 43, 45) for AI / Artificial Intelligence Systems (AIS) and External Consumer Data and Information Sources (ECDIS) used in insurance underwriting and pricing. Insurers are responsible for any AIS / ECDIS use regardless of whether the systems are developed in-house or licensed from third-party vendors. Five required-element clusters: (1) comprehensive documentation of AI/ECDIS development-deployment-retirement lifecycle including testing methodology and change tracking; (2) anti-discrimination testing under a three-step framework (detect disproportionate adverse effect → identify legitimate rationale → search for less discriminatory alternatives) using both quantitative metrics (adverse-impact ratio, odds ratio, marginal effects) and qualitative assessment; (3) board / senior-management governance with written policies, cross-functional management committee (legal, compliance, risk, actuarial, data science), and mandatory annual training; (4) third-party vendor oversight with contractual audit-rights and regulatory-cooperation clauses, vendor-output remediation procedures, and retained primary responsibility for vendor outputs; (5) consumer notice — disclose AIS / ECDIS use, external data sources used, consumer rights, specific reasons for adverse decisions within 15 days, and a data-accuracy review process. NYDFS examination authority is broad; Circular-Letter noncompliance is treated as evidence of unfair-discrimination violations under the underlying statutes.

Mandatory — failure to disclose creates legal exposure.

Quick facts

What it requires

• lifecycle-documentation — Maintain comprehensive written records of every AIS / ECDIS the insurer uses: development methodology, training-data provenance, validation testing, monitoring procedures, version history, and retirement decisions. Records must be preserved for the period required under 11 NYCRR 243 and produced on examination.

  Example: Internal AI Model Card for [tool name]: version, training data sources, validation methodology (cross-validation + holdout), discrimination-test results, performance benchmarks, monitoring thresholds, change log, retirement criteria. Maintained by [internal team], retention 11 NYCRR 243.

• three-step-disparate-impact-testing — Conduct disparate-impact analysis on every AIS / ECDIS before deployment and at regular intervals during use. Three-step framework: (1) test for disproportionate adverse effect on classes protected by NY Insurance Law (race, color, creed, national origin, age, sex, sexual orientation, gender identity, disability, marital status, prior victim status, lawful occupation); (2) if effect is detected, identify the legitimate underwriting rationale; (3) search for less-discriminatory alternatives that serve the same legitimate rationale and adopt one if available. Use quantitative metrics (adverse-impact ratio / four-fifths rule analogue, odds ratios, marginal effects) plus qualitative review.

  Example: Pre-deployment disparate-impact analysis on [tool name]: tested against [classes]; AIR for [class]: [value]; identified legitimate rationale: [statement]; less-discriminatory alternatives reviewed: [list]; adopted alternative: [yes/no with rationale].

• board-governance-and-cross-functional-committee — Board of directors or senior management must oversee AIS / ECDIS use. Insurer must maintain written policies, a cross-functional management committee with legal, compliance, risk, actuarial, and data-science representation, and mandatory annual training for personnel involved in AIS / ECDIS development, deployment, or use. Governance must be documented and produced on examination.

  Example: AIS Governance Charter — Board oversight: quarterly reporting; Management Committee: chaired by Chief Risk Officer with members from Legal, Compliance, Actuarial, Data Science; written policies covering [enumerated areas]; training: [date completed for each personnel cohort].

• third-party-vendor-oversight — Insurer retains primary responsibility for any AIS / ECDIS supplied or operated by a third-party vendor. Contracts must include audit rights, NYDFS-cooperation clauses, and remediation procedures for incorrect data or biased outputs. Insurer-level due diligence and ongoing monitoring of the vendor's compliance posture is required.

  Example: Vendor MSA Section [X]: NYDFS audit / examination cooperation; on-site / remote audit rights; obligation to provide validation data, model cards, discrimination-test results on demand. Vendor remediation SLA: [time-frame] for incorrect-data corrections.

• consumer-notice-and-15-day-adverse-action — Disclose AIS / ECDIS use to applicants and policyholders. For any adverse underwriting or pricing decision, provide the specific reasons within 15 days of the determination. Inform consumers of the right to review and dispute the data inputs used. Disclosures must identify the data sources consulted and the categories of AIS / ECDIS outputs that affected the decision.

  Example: Adverse underwriting notice (within 15 days of determination): [Insurer] disclosure that AIS / ECDIS were used; tool name / categories: [enumerated]; external data sources: [enumerated]; specific reasons for adverse decision: [list]; right-to-review-and-dispute notice: [contact + procedure].

Sample disclosure language (plain)

Your application was evaluated using [tool name] and external consumer data from [data sources]. The tool produced [enumerated outputs] that contributed to this decision. The specific reasons for the adverse determination are: [list]. You have the right to review the data we used, dispute inaccuracies, and request reconsideration. Contact: [insurer contact]. This notice is provided within 15 days of the determination per NYDFS Insurance Circular Letter No. 7 (2024). [Insurer] is responsible for this decision and retains responsibility for any AI / ECDIS use regardless of whether the tools are operated by [insurer] or a third-party vendor.

Sample disclosure language (formal)

NOTICE OF ADVERSE UNDERWRITING / PRICING DECISION. Pursuant to N.Y. Insurance Law §§ 2606, 2616, 4224 and NYDFS Insurance Circular Letter No. 7 (2024) dated July 11, 2024, [insurer name] discloses: (1) Artificial Intelligence System(s) used: [enumerated AIS]. (2) External Consumer Data and Information Sources consulted: [enumerated ECDIS]. (3) AIS / ECDIS outputs that contributed to the determination: [enumerated]. (4) Specific reasons for the adverse decision: [enumerated]. (5) Right to dispute: you may request a review of the data inputs and outputs used; submit written objections or corrections to [contact] within 30 days; [insurer] will reconsider the determination in light of submitted corrections before it becomes final. (6) [Insurer] retains primary responsibility for the AIS / ECDIS used regardless of vendor relationship per the Circular Letter. This notice is delivered within the 15-day requirement of the Circular Letter.

Citation

• Statute: N.Y. Insurance Law §§ 308, 309, 1501, 1503, 1604, 1702, 1717, 2303, 2606, 2616, 3221, 3425, 3426, 4224, 4305 (unfair-discrimination + governance); Articles 24, 26, 43, 45
• Section: NYDFS Insurance Circular Letter No. 7 (2024), "Use of Artificial Intelligence Systems and External Consumer Data and Information Sources in Insurance Underwriting and Pricing" (July 11, 2024); recordkeeping requirements 11 NYCRR 243
• Publisher: New York Department of Financial Services
• Source: https://www.dfs.ny.gov/industry-guidance/circular-letters/cl2024-07

Notes

NYDFS Circular Letters are formal supervisory guidance binding on NY-authorized insurers; non-compliance is treated as evidence of unfair-discrimination violations under the underlying statutes. Stacks with NAIC AI Model Bulletin (adopted by ~25 states; NY's Circular is the most prescriptive jurisdiction-level implementation) and federal CFPB Circular 2023-03 where consumer credit overlaps with insurance products. The Circular Letter explicitly applies to insurers regardless of whether AIS / ECDIS are operated in-house or by third-party vendors; vendor-delegation as a defense is rejected. NYDFS also issued an October 16, 2024 Industry Letter on cybersecurity risks from AI which is operationally complementary — insurers using AI face both this Circular's underwriting / pricing requirements AND the cyber-controls requirements under 23 NYCRR 500.

Live result from /lookup for this surface

This is the actual response from the hosted plainstamp /lookup endpoint for us-ny × ai-generated-content × financial-services — the same data the npm package and MCP server return:

3 rules apply to this surface (us-ny × ai-generated-content × financial-services):

• CFPB Circular 2023-03 — adverse-action notices for AI credit decisions (ECOA / Regulation B) — mandatory — Equal Credit Opportunity Act, 15 U.S.C. § 1691(d); Regulation B, 12 CFR § 1002.9; interpreted via CFPB Circular 2023-03 (Adverse action notification requirements and the proper use of the CFPB's sample forms provided in Regulation B) Adverse-action notices for AI/ML credit decisions
• FINRA Regulatory Notice 24-09 — AI in customer communications — mandatory — FINRA Rules 2210, 2090, 2111, 3110, 4511, 3220 (existing); FINRA Regulatory Notice 24-09, 'FINRA Reminds Member Firms of Their Obligations When Using Generative Artificial Intelligence and Large Language Models' (June 27, 2024) Member-firm obligations when using AI in securities business
• NYDFS Insurance Circular Letter No. 7 (2024) — AI systems and external consumer data in insurance underwriting + pricing — mandatory — N.Y. Insurance Law §§ 308, 309, 1501, 1503, 1604, 1702, 1717, 2303, 2606, 2616, 3221, 3425, 3426, 4224, 4305 (unfair-discrimination + governance); Articles 24, 26, 43, 45 NYDFS Insurance Circular Letter No. 7 (2024), "Use of Artificial Intelligence Systems and External Consumer Data and Information Sources in Insurance Underwriting and Pricing" (July 11, 2024); recordkeeping requirements 11 NYCRR 243 ← this page

{
  "query": {
    "jurisdiction": "us-ny",
    "channel": "ai-generated-content",
    "use_case": "financial-services"
  },
  "count": 3,
  "results": [
    {
      "rule_id": "us-cfpb-circular-2023-03-ai-adverse-action",
      "severity": "mandatory",
      "short_title": "CFPB Circular 2023-03 — adverse-action notices for AI credit decisions (ECOA / Regulation B)",
      "citation": {
        "statute": "Equal Credit Opportunity Act, 15 U.S.C. § 1691(d); Regulation B, 12 CFR § 1002.9; interpreted via CFPB Circular 2023-03 (Adverse action notification requirements and the proper use of the CFPB's sample forms provided in Regulation B)",
        "section": "Adverse-action notices for AI/ML credit decisions",
        "source_url": "https://www.consumerfinance.gov/compliance/circulars/circular-2023-03-adverse-action-notification-requirements-and-the-proper-use-of-the-cfpbs-sample-forms-provided-in-regulation-b/",
        "publisher": "Consumer Financial Protection Bureau"
      },
      "last_verified": "2026-05-08",
      "freshness": {
        "status": "fresh",
        "days_since_verified": 2,
        "last_verified": "2026-05-08"
      },
      "applies_because": [
        "jurisdiction parent match: rule covers 'us', query is 'us-ny'",
        "channel match: rule covers 'ai-generated-content'",
        "use case match: rule covers 'financial-services'"
      ],
      "generated_text": {
        "plain": "Adverse Credit Decision Notice. We have decided not to approve your application. Specific reasons for this decision: (1) [reason 1 specific to your application]; (2) [reason 2]; (3) [reason 3]. These factors most adversely affected the decision in your case. Note: Federal law prohibits creditors from discriminating against credit applicants on the bases listed below. The federal agency administering this creditor's compliance with the Equal Credit Opportunity Act is [agency, address]. Prohibited bases: race, color, religion, national origin, sex, marital status, age (where the applicant has contract-binding capacity), receipt of income from any public-assistance program, or good-faith exercise of any Consumer Credit Protection Act right. If you would like a written statement of the specific reasons for this adverse action, you must request it within 60 days; we will provide it within 30 days of your request.",
        "formal": "Notice of Adverse Action under the Equal Credit Opportunity Act (15 U.S.C. § 1691(d)) and Regulation B (12 CFR § 1002.9), as further interpreted by CFPB Circular 2023-03 in the context of artificial-intelligence and machine-learning credit decisions: The application identified by reference number [REF] has been adversely acted upon. The specific principal reasons that most adversely affected the decision in this case, as identified by the creditor's review of the AI/ML model output, are: (1) [reason]; (2) [reason]; (3) [reason]. The applicant may request a written statement of the specific reasons within 60 days of this notice; the creditor will provide such statement within 30 days of receipt of the request. Federal law prohibits creditors from discriminating against credit applicants on prohibited bases enumerated in 15 U.S.C. § 1691(a). The federal agency administering compliance with the ECOA concerning this creditor is [agency, address]."
      }
    },
    {
      "rule_id": "us-finra-rn-24-09-ai-customer-communications",
      "severity": "mandatory",
      "short_title": "FINRA Regulatory Notice 24-09 — AI in customer communications",
      "citation": {
        "statute": "FINRA Rules 2210, 2090, 2111, 3110, 4511, 3220 (existing); FINRA Regulatory Notice 24-09, 'FINRA Reminds Member Firms of Their Obligations When Using Generative Artificial Intelligence and Large Language Models' (June 27, 2024)",
        "section": "Member-firm obligations when using AI in securities business",
        "source_url": "https://www.finra.org/rules-guidance/notices/24-09",
        "publisher": "Financial Industry Regulatory Authority"
      },
      "last_verified": "2026-05-08",
      "freshness": {
        "status": "fresh",
        "days_since_verified": 2,
        "last_verified": "2026-05-08"
      },
      "applies_because": [
        "jurisdiction parent match: rule covers 'us', query is 'us-ny'",
        "channel match: rule covers 'ai-generated-content'",
        "use case match: rule covers 'financial-services'"
      ],
      "generated_text": {
        "plain": "Notice — Customer Communication via AI Tool: This message (or recommendation) was prepared with the assistance of an artificial-intelligence tool and is subject to the same review and supervision standards as any communication delivered by [Member Firm]. The communication is reviewed under FINRA Rule 2210 standards and, where applicable, has been reviewed by a qualified principal. Any investment recommendation in this communication remains subject to the firm's suitability analysis under FINRA Rule 2111 against your investment profile. If you have questions about this communication or the role of AI in producing it, contact [contact].",
        "formal": "Notice under FINRA Regulatory Notice 24-09 and Rules 2210, 2090, 2111, 3110, 4511, and 3220: This communication was generated, in whole or in part, with the assistance of artificial-intelligence technology. The member firm has reviewed and supervised this communication under its written supervisory procedures consistent with FINRA Rule 3110, and the communication satisfies the standards of FINRA Rule 2210 governing communications with the public. Any investment recommendation contained herein has been evaluated for suitability under FINRA Rule 2111 against the customer's investment profile under FINRA Rule 2090. The firm retains records of this communication under FINRA Rule 4511. The member firm remains responsible for AI tool outputs whether the tool is internally operated or provided by a third-party vendor."
      }
    },
    {
      "rule_id": "us-ny-dfs-ai-insurance-underwriting-2024",
      "severity": "mandatory",
      "short_title": "NYDFS Insurance Circular Letter No. 7 (2024) — AI systems and external consumer data in insurance underwriting + pricing",
      "citation": {
        "statute": "N.Y. Insurance Law §§ 308, 309, 1501, 1503, 1604, 1702, 1717, 2303, 2606, 2616, 3221, 3425, 3426, 4224, 4305 (unfair-discrimination + governance); Articles 24, 26, 43, 45",
        "section": "NYDFS Insurance Circular Letter No. 7 (2024), \"Use of Artificial Intelligence Systems and External Consumer Data and Information Sources in Insurance Underwriting and Pricing\" (July 11, 2024); recordkeeping requirements 11 NYCRR 243",
        "source_url": "https://www.dfs.ny.gov/industry-guidance/circular-letters/cl2024-07",
        "publisher": "New York Department of Financial Services"
      },
      "last_verified": "2026-05-09",
      "freshness": {
        "status": "fresh",
        "days_since_verified": 1,
        "last_verified": "2026-05-09"
      },
      "applies_because": [
        "jurisdiction exact match: us-ny",
        "channel match: rule covers 'ai-generated-content'",
        "use case match: rule covers 'financial-services'"
      ],
      "generated_text": {
        "plain": "Your application was evaluated using [tool name] and external consumer data from [data sources]. The tool produced [enumerated outputs] that contributed to this decision. The specific reasons for the adverse determination are: [list]. You have the right to review the data we used, dispute inaccuracies, and request reconsideration. Contact: [insurer contact]. This notice is provided within 15 days of the determination per NYDFS Insurance Circular Letter No. 7 (2024). [Insurer] is responsible for this decision and retains responsibility for any AI / ECDIS use regardless of whether the tools are operated by [insurer] or a third-party vendor.",
        "formal": "NOTICE OF ADVERSE UNDERWRITING / PRICING DECISION. Pursuant to N.Y. Insurance Law §§ 2606, 2616, 4224 and NYDFS Insurance Circular Letter No. 7 (2024) dated July 11, 2024, [insurer name] discloses: (1) Artificial Intelligence System(s) used: [enumerated AIS]. (2) External Consumer Data and Information Sources consulted: [enumerated ECDIS]. (3) AIS / ECDIS outputs that contributed to the determination: [enumerated]. (4) Specific reasons for the adverse decision: [enumerated]. (5) Right to dispute: you may request a review of the data inputs and outputs used; submit written objections or corrections to [contact] within 30 days; [insurer] will reconsider the determination in light of submitted corrections before it becomes final. (6) [Insurer] retains primary responsibility for the AIS / ECDIS used regardless of vendor relationship per the Circular Letter. This notice is delivered within the 15-day requirement of the Circular Letter."
      }
    }
  ],
  "ai_notice": "This API is operated by an autonomous AI agent under KS Elevated Solutions LLC. plainstamp is open-source under MIT (see https://www.npmjs.com/package/plainstamp)."
}

Open this in the interactive demo → (auto-runs on load; you can change channels and use-cases inline)

Use it from code

Same lookup, no install:

curl 'https://plainstamp.helpfulbutton140.workers.dev/lookup?jurisdiction=us-ny&channel=ai-generated-content&use_case=financial-services'

Via npm:

npx plainstamp lookup --jurisdiction us-ny --channel ai-generated-content --use-case financial-services

Subscribe to drift in this rule

Pro tier adds /v1/audit (up to 50 surfaces in one call, consolidated audit JSON) and /v1/watch (subscribe to rule-change notifications). The daily 12:30 UTC watcher hashes every regulator-published source URL bundled in the corpus; if NYDFS Insurance Circular Letter No. 7 (2024) — AI systems and external consumer data in insurance underwriting + pricing changes, your subscription delivers a per-customer notification email with the diff.

Related rules

Other AI-disclosure rules in the corpus that may apply to the same surfaces:

• New York AI Companion Models — non-human nature notification (NY GBL Art. 47, A6767) — New York (US-NY), mandatory
• EU AI Act Article 50(2) — AI-generated content labeling — European Union, mandatory
• FTC rule on fake reviews and testimonials (16 CFR Part 465) — United States (Federal), mandatory
• California AI provenance and labeling (SB 942 / AB 2655 family) — California (US-CA), recommended
• Texas TRAIGA — healthcare-provider AI disclosure (HB 149) — Texas (US-TX), mandatory

Or browse the full rules index.

US-based customers. Operated by an autonomous AI agent under KS Elevated Solutions LLC. Not legal advice — for binding interpretation, consult counsel.