
Model Risk Management for Biometric Underwriting: OCC and Fed Guidance

A research-style analysis of how the OCC and Federal Reserve's model risk management guidance (SR 11-7) applies to biometric and AI-driven underwriting in the insurance industry.

tryvitalscheck.com Research Team

The increasing reliance on algorithmic models for biometric underwriting requires a robust framework for governance and risk mitigation. As insurance carriers integrate technologies like contactless vital sign monitoring and facial analytics, the regulatory scrutiny applied to these systems intensifies. While the insurance industry has its own set of regulations, the principles established by federal banking regulators, the Office of the Comptroller of the Currency (OCC) and the Federal Reserve, offer a mature and tested blueprint for model risk management. Understanding this guidance is not just a compliance exercise; it is a strategic imperative for carriers seeking to build sustainable and trustworthy digital underwriting programs. This article examines the core tenets of the OCC and Federal Reserve's model risk management guidance and its direct application to the use of biometric data and AI in insurance underwriting.

"Model risk is the potential for adverse consequences from decisions based on incorrect or misused model outputs and reports. This risk is more pronounced for models with higher complexity, such as AI and machine learning models, which are becoming prevalent in underwriting." - The Federal Reserve, SR 11-7 (2011)

Adapting banking guidance for model risk management in biometric underwriting

The foundational banking-sector document is the "Supervisory Guidance on Model Risk Management," issued jointly in April 2011 by the Federal Reserve Board (as SR 11-7) and the OCC (as Bulletin 2011-12), and commonly referred to simply as SR 11-7. Its principles have become the de facto standard for model risk management at U.S. banking organizations, and their influence is extending into insurance as carriers adopt similar technologies. The guidance addresses the risk that models perform inadequately, leading to financial loss, poor business decisions, or reputational damage. For insurers, it provides a clear path to a model risk management framework for biometric underwriting that can stand up to regulatory review.

The core of SR 11-7 is built on three pillars:

  • Model Development, Implementation, and Use: This requires well-documented processes for model design, theory, and testing.
  • Model Validation: A comprehensive process for verifying that models are performing as intended. This includes evaluating conceptual soundness, ongoing monitoring, and outcomes analysis.
  • Governance, Policies, and Controls: This establishes clear roles and responsibilities, creating a framework for the entire model lifecycle.

SR 11-7 predates the current wave of AI and machine learning, but regulators have since confirmed that it applies to them; the federal banking agencies' 2021 request for information on financial institutions' use of AI pointed to the existing model risk management guidance as the applicable framework. The guidance's definition of a model is deliberately broad: "a quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates." It also covers quantitative approaches whose inputs are partly qualitative or judgment-based, provided the output is quantitative. An algorithm that turns a video feed into an estimated blood pressure or heart rate is squarely within that definition.

Applying the core principles of SR 11-7 to biometric underwriting models:

  • Model development and implementation: Document the scientific basis for the biometric measurement, the data used to train the algorithm, and the model's specific inputs and outputs. A model that estimates blood pressure from a video feed, for example, must document the remote photoplethysmography (rPPG) principles it relies on and the conditions (lighting, camera, subject motion) under which those principles hold.
  • Independent validation: A team separate from the model developers tests the model's accuracy across demographic groups, including skin tone, to check for bias. Validation should measure performance against ground-truth clinical data (for blood pressure, reference cuff readings) and monitor the model's inputs and outputs for drift over time.
  • Governance and oversight: The board and senior management must have a clear understanding of the models used in underwriting. This includes setting risk tolerance levels, approval processes for new models, and protocols for retiring a model.
  • Effective challenge: Every stage of the model lifecycle is subject to critical review. For biometric models, this means questioning the data sources, the fairness of outcomes, and the potential for misuse of sensitive health information.

Industry Applications

The application of this guidance is critical for carriers using biometric data. The potential for models to introduce bias or produce inaccurate results has significant implications for both regulatory compliance and consumer trust.

Fairness and bias testing

Biometric models that are not carefully developed and tested can perpetuate or amplify existing societal biases. A model risk management framework for biometric underwriting built on SR 11-7 would mandate rigorous bias testing across demographic segments, including age, gender, and skin tone. Skin tone matters concretely for rPPG-based vital sign estimation: the pulse signal is recovered from minute color changes in the skin, so skin reflectance, lighting, and camera characteristics directly affect signal quality and therefore accuracy. The Gender Shades study by Joy Buolamwini and Timnit Gebru at the MIT Media Lab (2018) showed why such testing is necessary, finding that commercial facial analysis systems misclassified darker-skinned women at far higher rates than lighter-skinned men.
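The validation and bias checks described above (per-group accuracy against ground truth, a disparity tolerance, and drift monitoring) are concrete enough to put in code. The block below is an added example, not code from the original article or from any vendor; it assumes a hypothetical model that estimates systolic blood pressure (SBP, mmHg) from video rPPG, a validation set with reference cuff readings and a skin-tone band per subject, and a separate window of production outputs. All sample data, the 1.5x disparity tolerance, and the bin edges are constructed for illustration.

```python
"""Validation checks an independent team might run on a biometric
underwriting model. Added example; not from the original article.

Assumed scenario (hypothetical): the model estimates systolic blood
pressure (SBP, mmHg) from video rPPG; validators hold reference cuff
readings and a Fitzpatrick skin-tone band per subject. All data below is
constructed.
"""
import math
from collections import defaultdict

# Constructed validation sample: (skin_tone_band, model_sbp, reference_sbp).
# The darkest band is deliberately under-estimated so the disparity
# check has something to catch.
VALIDATION_SAMPLES = [
    ("I-II", 118.0, 120.0), ("I-II", 131.0, 130.0),
    ("I-II", 124.0, 122.0), ("I-II", 139.0, 141.0),
    ("III-IV", 117.0, 120.0), ("III-IV", 133.0, 130.0),
    ("III-IV", 126.0, 123.0), ("III-IV", 144.0, 140.0),
    ("V-VI", 112.0, 120.0), ("V-VI", 122.0, 130.0),
    ("V-VI", 116.0, 123.0), ("V-VI", 131.0, 140.0),
]

# Constructed model outputs: the validation baseline and a later
# production window (e.g. after a camera firmware or lighting change).
BASELINE_OUTPUTS = [115, 118, 122, 125, 128, 131, 134, 137, 141, 145]
CURRENT_OUTPUTS = [102, 106, 109, 112, 114, 116, 119, 121, 124, 133]
SBP_BIN_EDGES = [110, 120, 130, 140]  # five bins: <110 ... >=140


def group_metrics(samples):
    """Per-group mean absolute error and mean signed error (bias), mmHg.

    Bias separates a systematic offset (a calibration or skin-tone
    problem) from random noise, which MAE alone would hide.
    """
    errs = defaultdict(list)
    for group, predicted, reference in samples:
        errs[group].append(predicted - reference)
    return {
        g: {"n": len(e),
            "mae": sum(abs(x) for x in e) / len(e),
            "bias": sum(e) / len(e)}
        for g, e in errs.items()
    }


def disparity_check(metrics, max_ratio=1.5):
    """Compare the worst group's MAE with the best group's.

    max_ratio is a hypothetical risk-tolerance threshold that the
    carrier's governance body would set; it is not a regulatory number.
    """
    best = min(metrics, key=lambda g: metrics[g]["mae"])
    worst = max(metrics, key=lambda g: metrics[g]["mae"])
    ratio = metrics[worst]["mae"] / metrics[best]["mae"]
    return {"best": best, "worst": worst, "ratio": ratio,
            "passes": ratio <= max_ratio}


def bin_fractions(values, edges):
    """Share of values in each bin defined by edges (bins are left-closed)."""
    counts = [0] * (len(edges) + 1)
    for v in values:
        counts[sum(1 for e in edges if v >= e)] += 1
    return [c / len(values) for c in counts]


def psi(baseline, current, edges, eps=1e-4):
    """Population stability index between two output distributions.

    PSI = sum((cur - base) * ln(cur / base)) over bins. eps guards empty
    bins, but it also inflates PSI when a bin is empty in only one
    window, so an empty bin should be reported as a finding in itself.
    """
    total = 0.0
    for b, c in zip(bin_fractions(baseline, edges),
                    bin_fractions(current, edges)):
        b, c = max(b, eps), max(c, eps)
        total += (c - b) * math.log(c / b)
    return total


def drift_check(baseline, current, edges, threshold=0.25):
    """Flag output drift. 0.25 is a common credit-scoring rule of thumb
    for a significant shift; the carrier's own tolerance should govern."""
    value = psi(baseline, current, edges)
    return {"psi": value, "drifted": value > threshold}


if __name__ == "__main__":
    m = group_metrics(VALIDATION_SAMPLES)
    for g, v in sorted(m.items()):
        print(f"{g:7s} n={v['n']} MAE={v['mae']:.2f} bias={v['bias']:+.2f} mmHg")
    print("disparity:", disparity_check(m))
    print("drift:", drift_check(BASELINE_OUTPUTS, CURRENT_OUTPUTS, SBP_BIN_EDGES))
```

On the constructed data the V-VI band shows an MAE of 8.0 mmHg with a consistent negative bias against 1.75 mmHg for the I-II band, so the disparity check fails, and the production window's PSI is far above the 0.25 rule of thumb. In a real validation the group labels would come from the enrollment record, the reference readings from a clinical protocol, and both thresholds from the risk tolerances set under the governance pillar.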

Data governance and privacy

The use of biometric data brings with it heightened data governance and privacy concerns. The principles of model risk management align with the need for strong data governance. This includes:

  • Ensuring data integrity and quality.
  • Managing consumer consent for data use.
  • Establishing clear data retention and deletion policies.
  • Protecting data through robust security controls.

Reinsurance and capital markets

For carriers that use reinsurance, a documented model risk management program is becoming essential. Reinsurers are increasingly conducting due diligence on the models used by their ceding partners. A carrier that can demonstrate a robust, well-documented approach to model risk management, aligned with established standards like SR 11-7, is in a much stronger position during reinsurance treaty negotiations.

Current research and evidence

The academic and research community continues to explore the challenges of managing risk in complex algorithmic systems. Work at Stanford University's Institute for Human-Centered Artificial Intelligence (HAI) on the interpretability and explainability of AI models bears directly on model validation, since a validator cannot assess conceptual soundness without understanding how a model reaches its outputs. In the insurance sector, the National Association of Insurance Commissioners (NAIC) adopted its Principles on Artificial Intelligence in 2020; they echo the themes of SR 11-7 in their emphasis on fairness, accountability, and transparency.

The future of model risk management in insurance

As regulators in the insurance sector develop more specific guidance for AI and biometric data, the principles outlined by the OCC and the Federal Reserve will likely serve as a foundational layer. We can expect to see a convergence of regulatory expectations, with insurance-specific rules building on the established banking framework. Carriers that proactively adopt a rigorous model risk management program today will be better positioned to adapt to this evolving regulatory environment.

Frequently asked questions

What is the most critical part of SR 11-7 for an insurer to focus on? The most critical element is the independent validation process. For biometric underwriting, this means having a qualified team, separate from the model developers, rigorously test the model for accuracy, bias, and stability. This independent review provides the "effective challenge" that regulators expect to see.

Does this guidance apply to models developed by third-party vendors? Yes. The guidance makes it clear that the board and management of the institution are ultimately responsible for all models used, regardless of who developed them. Insurers must conduct thorough due diligence on vendor models and ensure they have access to the information needed to perform their own validation.

How is model risk different from other types of risk, like cybersecurity risk? Model risk is the risk that the model itself is flawed or is used incorrectly. Cybersecurity risk is the risk of a data breach or system compromise. The two are related: an attacker who tampers with a model's inputs or outputs produces a model risk event by way of a security incident, and for biometric models a spoofed or replayed video is at once a security event and an out-of-distribution input. Model risk management nonetheless focuses on the inherent correctness and appropriate use of the model, while cybersecurity controls protect the systems and data around it.

As carriers navigate the complexities of digital transformation, Circadify is working to provide the compliance infrastructure needed to address the evolving regulatory landscape for biometric underwriting. To learn more about how to build a compliance-first approach, explore our compliance guides and regulatory insights.

Tags: model risk management, biometric underwriting, insurance regulation, OCC SR 11-7, Federal Reserve, insurtech