EU AI Act Compliance for Insurance

Underwriting and pricing: Likely high-risk

AI systems used in underwriting and pricing decisions that affect individuals' access to insurance coverage fall under Annex III category 5(a) (essential services). This includes:

• Automated underwriting: Systems that approve, decline, or refer applications
• Risk scoring models: AI determining individual risk levels for pricing
• Premium calculation: Automated pricing based on individual characteristics
• Coverage eligibility: Systems determining what coverage individuals can access
• Renewal decisions: AI affecting whether policies are renewed

Claims processing: Depends on automation level

Claims AI classification depends on how much decision authority the system has.

Likely high-risk: Automated claims denial without human review, systems determining fraud with automated consequences, AI setting final settlement amounts without human approval.

Likely NOT high-risk: Claims triage routing to appropriate adjusters, fraud flagging for human investigation, document processing and extraction, settlement estimation for adjuster guidance.

Fraud detection: Typically internal tool

Fraud detection systems are likely NOT high-risk when used internally to flag suspicious claims for investigation, when humans review all flagged cases before action, and when there are no automated consequences for customers.

They are potentially high-risk when automated actions are taken against customers, when used for underwriting decisions, or when combined with automated claims processing.

Existing Solvency II model governance

Solvency II already requires model validation and documentation, governance frameworks for model risk, regular review and update procedures, and board-level oversight of material models.

Where EU AI Act adds obligations

Beyond Solvency II, the EU AI Act requires Annex IV specific format documentation, fundamental rights impact consideration, human oversight at decision time, evidence capture with integrity verification, and specific focus on individual impacts.

• Human oversight mechanisms: Solvency II focuses on model-level governance; EU AI Act requires decision-level oversight
• Evidence of actual decisions: Beyond model validation, you need records of what the AI decided and who approved it
• Fundamental rights: Solvency II does not address discrimination and fairness in the same way
• Transparency to individuals: Information requirements for affected individuals are new

Unified compliance approach

Build a compliance framework that satisfies both: extend existing model documentation to include Annex IV requirements, add fundamental rights sections to risk assessments, include human oversight procedures, implement decision-time approval workflows, and capture evidence at both model and decision levels.

Actuarial sign-off requirements

Actuarial oversight is already standard practice. EU AI Act formalizes it by requiring documented oversight mechanisms, ensuring humans can understand AI outputs, enabling intervention and override at decision time, and capturing evidence of oversight actions.

Claims adjuster workflows

Claims operations already involve human review. Structure this for compliance with risk-based routing:

Appeal and override procedures

Override documentation must include the AI recommendation being overridden, the human decision and rationale, who made the decision and their authority, supporting evidence for the override, and timestamp with audit trail.

Insurance-specific fairness considerations

Insurance pricing legitimately uses risk factors, but some factors correlate with protected characteristics (gender, age, race/ethnicity, disability, religion). Legitimate risk factors that may proxy for protected characteristics include geographic location, occupation, health history, and claims history.

Proxy discrimination analysis

AI systems can discriminate through proxies even without using protected characteristics directly. Required analysis includes identifying relevant protected characteristics, analyzing correlations between model inputs and protected characteristics, testing model outputs for disparate impact, documenting methodology and findings, and implementing remediation for detected issues.

Remediation procedures

When bias is detected: immediate response (document finding, assess severity, determine if system should be paused), investigation (identify root cause, quantify affected population), and remediation (implement fixes, validate effectiveness, document changes, monitor for recurrence).

What insurance regulators will ask

Expect questions on governance (How do you classify AI systems? Who is accountable at board level?), specific decisions (Can you show the AI's role in this underwriting decision? Who reviewed this claims decision?), fairness (How do you monitor for discrimination? What disparities have you identified?), and incidents (What AI-related incidents have occurred?).

Evidence retention and integrity

Insurance-specific considerations include aligning retention periods with policy retention requirements (often 7+ years after policy end), considering claims tail for long-tail lines, and regulatory examination lookback periods. Evidence integrity requires tamper-evident storage, cryptographic verification, chain of custody documentation, and independent verification capabilities.