Skip to content

AI Underwriting Compliance: What Insurers Must Prove First

Sotiris SpyrouUpdated on

Share this article

LinkedInXEmail
AI Underwriting Compliance: What Insurers Must Prove First

Before an insurer deploys AI in underwriting or pricing, it has to prove the model doesn't discriminate, can be explained, sits under human oversight, and meets the rules of every market it operates in. In the EU, life and health risk-assessment and pricing AI is named high-risk in the AI Act. In the US, the NAIC bulletin and Colorado's law put the burden of proof on the insurer. In the UK, Consumer Duty asks whether the price a customer pays is fair. The common thread: you test for bias and document it, or you don't deploy.

This is a board and chief-underwriting-officer problem now, not a data-science one. The penalty for getting it wrong isn't only a fine. It's a model you've already wired into pricing that a regulator can order you to switch off.

Why is AI underwriting classed as high-risk in the EU?

The EU AI Act lists the use cases it treats as high-risk in Annex III. Insurance is named directly.

Annex III, point 5(c) covers "AI systems intended to be used for risk assessment and pricing in relation to natural persons in the case of life and health insurance." That's the explicit hook. (artificialintelligenceact.eu, Annex III)

Two things matter for how wide this reaches.

First, scope. Draft classification guidance reads "life and health" broadly. It pulls in private long-term care cover, personal pension products that affect someone's livelihood in old age, and credit-life cover attached to a mortgage. If your AI scores a person's risk and that score moves their price or their access, assume Annex III bites.

Second, the test. The trigger is whether the system assesses and classifies a natural person's risk. A pricing model built only on external parameters, with no individual risk profiling, may sit outside the high-risk net. Most underwriting and personalised pricing models do profile the individual. So most are in.

General insurance lines (motor, home, commercial) aren't named in 5(c). They still carry GDPR and anti-discrimination duties, but the high-risk label in the Act is specific to life and health.

What the timeline actually says

The original high-risk obligation date under the Act is 2 August 2026. A Digital Omnibus package, agreed in principle in late 2025, would defer standalone Annex III high-risk obligations to 2 December 2027. As of June 2026 that deferral is not yet formally adopted in the Official Journal, so don't treat the later date as locked. (artificialintelligenceact.eu, implementation timeline)

Plan to the earlier date. If the deferral lands, you've bought slack. If it doesn't, you're ready.

What does a high-risk classification require insurers to do?

High-risk status isn't a label. It's a set of obligations that have to exist before the system goes live and keep running after.

Obligation What it means for underwriting
Risk management system A documented, ongoing process to find and reduce risks the model creates across its life
Data governance Training and input data tested for bias and gaps relevant to the people being priced
Technical documentation Records that let a regulator see how the model works and why
Human oversight A qualified person who can understand, challenge, and override the output
Accuracy and resilience Evidence the model performs consistently and resists failure
Logging Automatic record-keeping so decisions can be traced after the fact

Sitting alongside the Act, GDPR Article 22 gives a person facing a solely automated decision with legal or similar effect the right to human intervention, to express a view, and to contest it. An automatic decline or a materially higher premium set by AI alone falls inside that. The fix is genuine human review with the authority to change the decision, not a sign-off box.

How big are the penalties, really?

This is where insurers get the number wrong, so be precise.

Breaching the high-risk obligations is not the top fine tier. Under Article 99, non-compliance by providers and deployers with the high-risk and transparency rules is capped at up to 15 million euros or 3% of total worldwide annual turnover, whichever is higher. (artificialintelligenceact.eu, Article 99)

The 35 million euro / 7% tier applies to a different thing: deploying a prohibited AI practice under Article 5. Most insurance underwriting AI isn't prohibited, it's high-risk, so the 15 million / 3% figure is the one to plan against. Quoting the bigger number to your board overstates the legal exposure and understates the real one, which is operational: a regulator can require you to withdraw or retrain a model that's already pricing live business.

What do US insurers have to do?

There's no single federal AI insurance law. Two instruments do the heavy lifting.

The NAIC Model Bulletin on the Use of AI Systems by Insurers, adopted 4 December 2023, is the national template. More than two dozen states have adopted it, mostly unchanged. It tells insurers to build and keep a written AIS Program (AI Systems Program) covering governance, risk controls, testing for errors and unfair discrimination, third-party vendor oversight, and documentation a regulator can ask for. Responsibility for a vendor's model stays with the insurer. (content.naic.org, members approve bulletin)

Colorado SB21-169 is the sharpest law on the books. Signed in July 2021, it bars insurers from using external consumer data, algorithms, or predictive models that produce unfair discrimination against a protected class. (leg.colorado.gov, SB21-169) The first binding rules sit in Regulation 10-1-1, finalised in 2023 and effective 14 November 2023, starting with life insurance. The point that catches insurers off guard: the burden is on you. You have to test your data and tools, show the Division of Insurance the results, and fix any harm you find. (doi.colorado.gov, SB21-169)

Other states are moving. If you write multi-state, the safe build is one governance standard that meets the strictest market, not a patchwork per jurisdiction.

What does the UK FCA expect?

The UK has no standalone AI insurance statute. It runs AI through existing rules, and the binding one is Consumer Duty, in force since July 2023.

Consumer Duty asks for good outcomes across four areas. Two press hardest on AI underwriting:

  • Price and value. The price a customer pays has to be fair against the benefit they get. An AI pricing model that quietly charges more to a group that isn't a worse risk fails this, whatever the algorithm's internal logic says. (fca.org.uk, price and value outcome)
  • Consumer understanding. A customer should be able to make an informed decision. A black-box decline they can't query sits badly against that.

The FCA has been clear that doing a fair-value assessment once isn't enough. Firms have to monitor outcomes over time and act when they drift. That means watching how an AI model treats different customer groups after launch, not just at sign-off. The regulator's recent message: completing the assessment is the floor, using it to catch and fix harm is the test.

The proxy discrimination trap

The hardest problem isn't the obvious one. No serious insurer feeds race or gender straight into a model. The risk is the proxy: a neutral-looking variable that stands in for a protected characteristic and reproduces the bias without naming it.

Postcode is the classic. It can track ethnicity and income. Shopping data, device type, and online behaviour can all correlate with a protected class. The model never "sees" the characteristic, yet the outcome discriminates. Colorado's law and the NAIC bulletin both target exactly this, which is why both demand outcome testing across demographic groups, not just a check that protected fields were excluded.

Outcome testing is the only defence that holds. You measure approval rates, premiums, and decline rates across groups, look for gaps a legitimate risk factor doesn't explain, and document what you found and what you changed. One-time testing isn't enough either. Models drift as they retrain on new data, so the testing has to repeat.

Frequently asked questions

Is all insurance AI high-risk under the EU AI Act?

No. The Act names life and health insurance risk-assessment and pricing for natural persons in Annex III, point 5(c). Motor, home, and commercial lines aren't named there, though they still carry GDPR and anti-discrimination duties. The trigger is whether the system profiles an individual's risk.

What's the maximum EU AI Act fine for non-compliant underwriting AI?

Up to 15 million euros or 3% of worldwide annual turnover, whichever is higher, for breaching high-risk obligations under Article 99. The larger 35 million / 7% figure applies only to prohibited practices under Article 5, which most underwriting AI isn't.

Does Colorado SB21-169 apply to insurers based outside Colorado?

Yes, if you sell to Colorado residents. The law applies to insurance practices affecting Colorado consumers, so an out-of-state insurer writing business there has to test its models and report to the Division of Insurance.

Does UK Consumer Duty mention AI directly?

No. It sets outcome standards, mainly fair price and value and consumer understanding, and the FCA applies them to AI-driven decisions. An AI pricing or underwriting model has to deliver those outcomes and the insurer has to monitor that it keeps doing so.

The bottom line

The three regimes use different words and land in the same place: prove the model is fair before it prices anyone, and keep proving it after. The insurers who'll struggle aren't the ones without an AI policy. They're the ones who treated bias testing as a launch checkbox instead of a standing control, and who can't show a regulator the working when asked.

Here's the opinion. Outcome testing across demographic groups, repeated and documented, is the single highest-value thing an insurer can do right now. It's the common requirement under the EU Act, the NAIC bulletin, Colorado, and Consumer Duty. Build that one capability well and most of the compliance picture follows. Skip it and no amount of policy paperwork saves you, because the proxy discrimination is already in the pricing.

For the cross-sector view, our EU AI Act compliance checklist by industry maps obligations beyond insurance. For the governance layer underneath any high-risk deployment, see our AI agent risk assessment executive framework.

This is the kind of work our our AI governance practice handles.

Share this article

LinkedInXEmail
Sotiris Spyrou - Author

Sotiris Spyrou

Sotiris Spyrou is the founder of VerityAI, a Responsible AI advisory for boards and AI-deploying businesses. With 27 years across agencies, global in-house roles, and the C-suite, he advises leaders on AI governance and risk, and on answer-engine visibility engineered without the dark patterns the rest of the industry is getting penalised for. He is the author of TRANSFORM, AI Moats, and Ethical AI.

Founder at VerityAI