Twenty-three comment letters reached the NAIC by February 6, 2026, each confirming the same gap: state regulators have no direct channel to the vendors whose models price and underwrite millions of consumer policies (NAIC Working Group comment file, February 2026). The Third-Party Data and Models Working Group's vendor registry, scheduled for an August 12 decision at the Summer National Meeting in Columbus, is the first regulatory structure designed to close it.
Reviewing actuarial opinion letters and rate filing documentation across multiple state submissions, the current standards for third-party model disclosure were written for ISO factor tables, not for ML models with live scoring APIs, and the vendor registration framework is the first attempt to close that gap. A filing that relies on ISO loss cost tables has a well-established certification path: the methodology is published, loss costs are filed separately with each state, and the actuary's reliance is documented in supporting exhibits. State regulators have reviewed ISO methodology for decades, and actuaries can reference that track record without building independent validation from the ground up. A filing that relies on ZestyAI's aerial imagery score, Cape Analytics' property condition data, or CCC Intelligent Solutions' vehicle total-loss valuation operates under a different and currently underspecified documentation regime. These vendors produce scored outputs that flow directly into underwriting and pricing decisions, but the documentation an actuary typically receives, a user guide, a data dictionary, and a general validation statement, was designed for an era when third-party data meant a weather station feed or a credit bureau pull. It rarely includes bias testing results by protected class, change control logs for model updates, or performance monitoring metrics showing whether outputs have drifted since the last validation cycle.
ZestyAI's Severe Convective Storm models are now approved in 29 states for carrier rate and rule filings (BeInsure, April 2026). Each approval required some form of state regulatory review of the model's methodology. But the documentation submitted to support each filing is held by the individual carrier, not the regulator, and not in a shared registry. A state reviewing a second carrier's use of the same model has no automatic access to what the first carrier submitted. The registry addresses that fragmentation by creating a centralized disclosure baseline accessible directly to regulators, not just to the carrier that paid for the vendor relationship.
Six Required Elements: What the Registration Filing Contains
The exposure draft, released December 9, 2025, structures registration as a disclosure regime rather than licensure. The distinction matters for the legal architecture: registration creates regulatory visibility, not state approval of the model. A registered vendor is not licensed; it is on file.
The registration filing, as proposed, requires six components: a description of the model and its intended use; the sources and date ranges of training data; documented testing methodology including bias testing results by protected class where applicable; known limitations; change management practices governing model updates; and a designated contact for regulator inquiries (NAIC Third-Party Regulatory Framework, December 2025). An annual attestation of compliance with the vendor's governance program maintains registration status. The annual cycle creates a live accountability mechanism, not a one-time filing that ages without review.
Confidentiality treatment mirrors the protections already available to insurers: vendor registration filings receive the same protection accorded to confidential, proprietary, and trade secret information under state insurance department rules. That accommodation addresses the concern most prominently raised in the comment letters, that registration would force public disclosure of proprietary modeling methodology. It does not.
Registration does not transfer liability. The Working Group stated at the March 23, 2026 Spring National Meeting in San Diego that the purpose of the requirement is to "facilitate transparency between regulators and third-party providers" and that an insurer using a registered model "is still answerable for the model's behavior" (NAIC Spring Meeting materials, March 2026). The 2023 NAIC Model Bulletin, adopted by approximately 24 states and the District of Columbia, places full diligence responsibility on carriers. The registration framework adds a parallel disclosure obligation on vendors without eliminating the carrier-side validation requirement.
Pricing and Underwriting First: How the Scope Narrowed
The December 2025 exposure draft applied to any third-party vendor whose data or models are used in insurer functions with "direct consumer impact": pricing, underwriting, claims processing, utilization review, marketing, and fraud detection across property/casualty, health, and life lines (NAIC, December 2025). That six-function scope drew the most criticism across the 23 comment letters, with multiple commenters citing concerns that the definitions of "data," "model," and "direct consumer impact" were broad enough to sweep in vendors with tenuous connections to consumer outcomes.
At the March 23 Spring session, the Working Group signaled it would revise the framework to be "initially applicable only to third-party vendors of data and models used in pricing and underwriting functions" (NAIC Spring Meeting, March 2026). That narrowing removes claims, utilization review, marketing, and fraud detection from the initial registration mandate. For a P/C actuary, the vendors most immediately in scope are those whose outputs appear in rate filings: ISO/Verisk rating algorithms and loss cost tables, ZestyAI's property risk scores, Cape Analytics property condition data, CCC Intelligent Solutions' vehicle valuation models, and EagleView's aerial imagery-based roof data.
What happens to vendors whose model outputs influence underwriting selection without entering a formal rate filing remains an open question for the August session. Agency-level tiering tools and predictive triage scoring systems sit in a definitional gray zone. Their outputs affect which policies a carrier writes, and at what price, but they may not appear explicitly in rate filing exhibits. Whether the narrowed scope captures them depends on how the Working Group defines "pricing and underwriting functions" in the revised draft.
Registered vs. Unregistered: The Documentation Asymmetry
The framework's most consequential implication for actuaries is not the vendor's registration burden. It is the documentation question that registration status creates for the rate filing itself, and that question runs in two opposite directions depending on whether the vendor is registered.
If the vendor is registered, the actuary's rate filing certification can reference the vendor's registered governance documentation as confirmation that minimum documentation standards have been met. The vendor's registration provides a documented baseline that state regulators have implicitly accepted as adequate, giving the actuary a foundation for reliance that does not currently exist. The actuary still bears full responsibility for the actuarial work product and must assess the reasonableness of relying on the model for its stated use, but the certification rests on a stronger documentary record than a user guide and a carrier-side validation summary.
If the vendor is not registered, the actuary's filing documentation must stand alone. An unregistered vendor's model carries no regulator-validated governance baseline. The burden of demonstrating that the model is appropriate for its use falls entirely on the carrier's actuarial certification and supporting materials, with no external reference point a regulator has already reviewed. In states that adopt the registry, actuaries supporting filings that rely on unregistered vendor models will need to produce substantively more robust documentation than they would for a comparable registered vendor, or risk the filing raising questions an examiner will need to resolve at the carrier level.
That asymmetry creates pressure across the vendor ecosystem in a direction that is hard to reverse. A carrier that discovers mid-filing that a vendor it has used for three years is not registered faces two options: document the model's adequacy independently, the harder path, or switch to a registered alternative. The commercial incentive points toward registered vendors. The practical effect is that "is this vendor registered?" becomes a new step in the actuarial rate filing workflow, preceding and informing the certification process. The framework never says that explicitly; the asymmetry creates it.
Governance Program Standards: What Vendors Must Maintain
The governance program requirements in the exposure draft map closely to what a mature carrier governance team already expects from a third-party model vendor. A model description, training data sources and date ranges, bias testing methodology and results, known limitations, change control practices, and a regulatory contact are exactly what an actuary should be requesting before certifying reliance on a third-party model in a rate filing. The registration requirement does not invent new standards; it codifies existing best practices and makes them enforceable through the registration mechanism.
The gap between what the framework requires and what actuaries currently receive from vendors varies substantially by vendor type. ISO/Verisk's methodology documentation is extensive and already familiar to actuaries from decades of rate filing practice; registration adds an annual attestation step without materially changing the documentation an actuary receives. For specialized ML vendors, the typical actuarial documentation package describes model outputs and intended use but often lacks explicit bias testing results segmented by protected class, model performance monitoring metrics, or a change control log detailed enough to establish whether the model version referenced in a filing is the same version the carrier validated before deployment. For carriers relying on those vendors, the registry's minimum standards require documentation that the vendor may not currently produce or share.
The annual attestation requirement concentrates the operational burden on vendors, not carriers. A vendor with documented testing cycles, version control, and a functioning governance committee can attest annually with limited overhead. A vendor without that infrastructure either builds it or exits the market for regulated insurance applications. For smaller specialty vendors, the compliance cost is real, and that is where the mandatory-versus-voluntary debate has the most practical stakes.
Mandatory vs. Voluntary: What the August Session Must Settle
The American Council of Life Insurers argued in its comment letter that mandatory vendor registration is "not necessary" and recommended a voluntary framework in which vendors elect to seek registration. The ACLI's position is that mandatory registration stifles innovation, reduces competition among model vendors serving the insurance sector, and creates a disproportionate burden on smaller vendors lacking multi-state compliance infrastructure. Several other comment letters echoed the concern, with some adding a legal objection: state insurance departments may lack statutory authority to impose registration requirements directly on third-party vendors, rather than enforcing vendor governance obligations indirectly through carrier licensing conditions.
The Working Group has been unambiguous in its response. At the March 2026 session, the group stated that the purpose of registration is to "identify, track, and ensure minimum governance requirements related to third-party providers" and that a voluntary system cannot achieve that purpose. The group confirmed it intends to keep registration as a mandatory requirement. The question heading into Columbus is not whether registration will be required, but whether the framework will adopt a tiered or risk-based structure that calibrates obligations to vendor size and market impact. The Working Group's charge explicitly references a "risk-based regulatory framework," which suggests some form of tiering is under active consideration. A materiality threshold defined by the number of carriers using a model, or the volume of consumer decisions influenced by its outputs, would address smaller vendors' concerns while ensuring the highest-impact vendors face binding disclosure requirements.
August 12: What the Session Can Settle
The August 12 session in Columbus runs one hour, from 11:45 AM to 12:45 PM, per the NAIC Summer 2026 tentative agenda. That is not enough time to finalize a model law or resolve every definitional question in the exposure draft. What the session can accomplish is settling the mandatory/voluntary question, approving a revised draft for a second comment period, and confirming the initial scope as pricing and underwriting only, with a defined path for expanding to other functions in subsequent phases.
First-state adoption, assuming the Working Group produces a revised draft after August and holds a second exposure period in the fall, is most realistically a 2027 event in early-adopter states. The 2023 NAIC Model Bulletin took more than a year to achieve meaningful state-level adoption after finalization, and that bulletin required no new vendor-facing obligations. A registration framework that creates direct compliance obligations on third-party vendors is a more significant legal step, and the comment letters' authority concerns signal that some states will need enabling legislation before a mandatory requirement is enforceable. That legislative process varies by state and adds a timeline the NAIC's Working Group cannot control.
The latent litigation risk is real. A carrier can be required, as a condition of its license, to maintain documentation of third-party model governance. A vendor that is not a licensed entity in a state operates on different legal footing, and whether state insurance departments can reach it directly or only indirectly through carrier obligations may end up tested in court before the framework's second generation of state adoptions.
Three Channels From the Registry to the Actuary Workflow
The practical consequences for actuaries supporting P/C rate filings run through three channels, each with a different operational response.
Documentation standards rise for unregistered vendor models. Actuaries certifying rate filings that rely on models from vendors that have not registered will need actuarial supporting documentation that addresses governance, bias testing, and change control independently. Without the documentation anchor a registered vendor's governance filing provides, the actuary bears the entire evidentiary burden. That burden was always there in principle; the registry makes the gap between registered and unregistered vendor documentation visible and consequential in a way the current framework does not.
Vendor registration status becomes part of rate filing due diligence. Once the registry is operational in adopting states, verifying whether each third-party model vendor is registered is a new pre-filing step that does not currently exist. It parallels the verification step already in place for ISO circulars and state-specific loss costs, but it applies to a broader set of third-party inputs. Actuaries who do not build that verification into their rate filing workflow will encounter surprises at a point in the filing cycle that does not accommodate them well.
Annual attestation cycles create ongoing renewal risk for existing programs. A vendor that registers but fails to maintain its governance program loses registration at the next annual cycle. Carriers and actuaries who have built rate filing documentation around a registered vendor's governance baseline need to monitor registration status continuously, not just at filing time. The risk is not hypothetical: a vendor acquiring another company, reorganizing its technical team, or deprioritizing its compliance function during a growth phase can fail an annual attestation without the carrier's actuarial team having any early warning.
The current standards for third-party model reliance in rate filings were written for ISO factor tables and industry benchmark data. They were not written for models with quarterly retraining cycles, real-time scoring APIs, and proprietary training data that the actuary has never seen. The vendor registry is regulators' formal acknowledgment that the documentation architecture needs to change, and it creates the external governance checkpoint that actuarial certification has not previously had to reference. Actuaries who build their rate filing workflows around that new checkpoint now, before state adoption reaches their jurisdiction, will not be scrambling to reconstruct vendor governance evidence under examination pressure.
Further Reading
- NAIC AI Model Bulletin Gets a Compliance Report Form
- Verisk ISO Indications, Claude MCP, and Rate Filing Governance
- The AI Governance Gap in Actuarial Practice
- NAIC Pilot Tests AI Model Scrutiny in Rate Filings Across 12 States
- NAIC Market Conduct Modernization and AI Governance
Sources
- NAIC Third-Party Data and Models (H) Working Group Committee Page
- NAIC Third-Party Regulatory Framework Exposure Draft (December 9, 2025)
- NAIC Spring 2026 Third-Party Data and Models Working Group Meeting Materials (March 23, 2026)
- NAIC Summer 2026 National Meeting Tentative Agenda (August 11-14, Columbus)
- Mondaq: NAIC Spring 2026 Third-Party Data and Models Working Group (March 23, 2026)
- Mondaq: NAIC Fall 2025 Third-Party Data Working Group Exposure (December 2025)
- Sidley Data Matters: NAIC Spring 2026 National Meeting Regulatory Update (April 2026)
- Swept AI: The 2026 NAIC Third-Party Model Law Vendor Registry
- BeInsure: ZestyAI SCS Risk Models Approved in 29 States (April 2026)