NAIC Spring 2026 Meeting: Third-Party Data and Models (H) Working Group – March 23, 2026

Summary and Takeaways:

• The Third-Party Data and Models (H) Working Group continues to move its Third Party Regulatory Framework forward.
• The Framework is still contemplated to recommend significant registration and regulatory review components.
• The Working Group is considering some industry comments that may lead to a narrowing of registration triggers and requirements.

On March 23, 2026, the Third-Party Data and Models (H) Working Group (the “Working Group”) met during the NAIC Spring National Meeting to discuss potential revisions to its proposed third-party regulatory framework.[1] As previously exposed, the framework would establish a registration-based approach for certain third-party data and model vendors whose products are used in insurer operations with direct consumer impact.

The Spring Meeting discussion followed the Working Group’s February 26, 2026, virtual meeting, at which the Working Group reviewed comments submitted on the exposure draft. At the February virtual meeting, the Working Group explained that the proposal is intended to give insurance regulators timely access to information about third-party data and models used by insurers and to establish governance expectations for those vendors, while preserving insurer accountability. The draft framework would apply across lines of business and, as exposed, would require certain third-party data and model vendors to register before their products could be used in insurer functions with direct consumer impact, which the draft identifies as including: pricing, underwriting, claims, utilization review, marketing, and fraud detection.

Written submitted comments that were discussed in February generally supported consumer protection and responsible AI oversight, but raised significant concerns regarding the draft framework. Among the principal issues raised were whether mandatory vendor registration would create operational burdens, increase costs, or chill innovation; whether state insurance departments have sufficient legal authority to regulate third-party vendors directly; whether confidentiality and trade secret protections would be adequate; and whether the framework’s scope is too broad, including with respect to key terms such as “data,” “model,” “third-party vendor,” and “direct consumer impact.” Several commenters also urged the Working Group to consider narrowing the framework to specific use cases, such as pricing and underwriting, or to focus instead on insurers’ use of third-party tools. 

At the Spring Meeting, the Working Group discussed those comments and communicated that the purpose of the registration requirement is to facilitate transparency between regulators and third-party providers rather than to create a full licensure process with comprehensive regulatory oversight. The Working Group reiterated, however, that they do foresee the registration requirement remaining in the framework as a way to identify, track, and ensure minimum governance requirements related to third-party providers. However, in response to commentors’ suggestions, the Working Group indicated that they would discuss commentors proposals to narrow applicability of the registration requirements suggested in the framework. Accordingly, insurers, model vendors, and other stakeholders that rely on third-party data, analytics, or AI-enabled tools should continue to monitor Working Group updates as the framework moves forward.