Texas Bulletin B-0036-20 on Third-Party Data
The Texas Department of Insurance issued Commissioner’s Bulletin B-0036-20 on September 30, 2020, to remind all regulated entities that they are responsible for the accuracy of data used in rating, underwriting, and claims handling even when that data comes from a third party. The bulletin does not create a new legal duty, but it clarified that TDI may pursue enforcement action against an insurer if the use of inaccurate data harms policyholders.
The bulletin is short, but it carries a long shadow. It was issued before the current wave of AI and advanced analytics adoption, yet it directly addresses the risk that insurers now face when they license external data, embed vendor models, or use AI tools that rely on third-party information. The core message is that outsourcing a function does not outsource responsibility. An insurer cannot blame a data vendor or a model vendor if the information used to rate, underwrite, or deny a claim turns out to be wrong.
TDI specifically encouraged insurers to give policyholders a way to review and correct data being used about them. That recommendation is now echoed in many newer AI governance frameworks, including the NAIC Model Bulletin and state laws requiring consumer notice and appeal rights. In that sense, B-0036-20 was an early statement of what has become a central theme in insurance AI regulation: the carrier owns the outcome, even if a third party owns the algorithm.
For insurers, the bulletin remains relevant because third-party data use is only increasing. Carriers now commonly use external data for everything from property replacement costs and vehicle history to medical records and social media signals. Each of those data sources is a potential point of failure. If the data is inaccurate, stale, or misapplied, the insurer is responsible for the consumer harm, not the data broker.
The practical response is to treat third-party data and models as part of the carrier’s own risk management program. That means verifying data quality, understanding how models transform raw data into scores, monitoring outcomes for errors and bias, and giving consumers a clear path to dispute and correct information. Vendor due diligence is a starting point, but it does not end the carrier’s obligation.
The bulletin is also relevant to current AI governance frameworks. The NAIC Model Bulletin and many state AI laws now require carriers to document, test, and monitor AI systems. B-0036-20 anticipated this by making clear that the regulated entity owns the risk. A vendor contract that shifts liability to the model provider is not a substitute for a carrier’s own governance program, because regulators and courts will look at who made the decision that affected the consumer.
Texas has also issued more recent guidance on AI use by insurers, and the state’s rules on data localization and AI disclosure in healthcare continue to evolve. But B-0036-20 remains the foundational document for third-party data accountability in the state. For a framework on how to manage vendor AI risk, see our guide to AI vendor risk assessment.