Insurance industry professionals tend to underestimate the business threat of regulatory actions. While data from the National Association of Insurance Commissioners (NAIC) indicates the industry has a relatively low level of fines, many people miss the true costs – the cost to your business of an extended investigation.
The pain of an investigation could take months, or even years, and drain resources and attention from core business functions.
NAIC data published in December 2022 and September 2021 can give us a taste of the industry’s regulatory activity. It gives us the broad strokes of administrative and compliance violations, though, to be clear, we’re not talking criminal fraud and intentional harm – DOIs refer those shenanigans to the criminal justice system for resolution.
The role of state departments of insurance
To understand the process of insurance regulatory inquiries, let’s start with the function of the departments of insurance. Thanks to legislative and judicial football of the last century, insurance is mostly (*cough cough* looking at you, Affordable Care Act *cough cough*) regulated by the states. In each state, a department of insurance or an office, division, or some sort of state entity houses an insurance commissioner and staff to regulate the insurance market.
The department of insurance in each state or territory has a twofold responsibility: Consumer protection and market solvency. State DOIs generally aim for a thriving market; without options for insurance on the open market, consumers (aka “voters”) inevitably turn to public options and state-based insurance solutions.
A thriving market then requires public trust and consumer protection. And it requires insurance carriers to be able to fund their products while also having the space to innovate and profit – hence, solvency requirements. The DOIs aren’t interested in business prevention. They want a thriving insurance market, but one that’s compliant; they want insurers to pay claims, and they want to protect consumers.
This understanding of insurance regulation is key to understanding public data around fines and regulatory actions. For one thing, the biggest threat a regulator poses isn’t a large fine; it is the possibility that they’ll strip a business of its certificate of authority or licensure, period. It’s an act that’d effectively end the business, period.
Insurance regulators rarely take an adversarial approach to the market. Situations where a DOI revokes a license or certificate of authority, or where a commissioner levies a substantial public fine, tend to be following repeat or flagrant offenses.
Certainly that isn’t always the case; some states have a reputation for taking an “our sandbox, our rules” approach to regulation, an attitude of “fine them into compliance.” But most state regulators believe in taking an education-first approach that is necessarily lenient on businesses with minor first-time violations, things that can be attributed to ignorance.
As one Virginia regulator put it, “We’re not out there to hammer agents, we’re just looking for compliance.”
One result of this is that regulatory investigations end up being like an iceberg; what we see reflected in public reports or in headline-grabbing fines tends to be a small portion of what regulators and market conduct investigators are doing to maintain compliance in their states.
What we know about the regulatory environment from the NAIC Insurance Department Resources Report
The most recent NAIC Insurance Department Resources Report is based on market activity in 2021. The report breaks down budget sources, staffing levels, and regulatory activities by state, offering insight into how state DOIs are staffed and resourced.
In 2021, the collective jurisdictional DOIs took 2,513 actions against companies, including suspending or revoking 83 certificates of authority, which are the authorizations that allow insurance carriers to operate legally in any given state.
Producer fines, which may include agencies and individuals combined, totaled $20,810,291, and restitutions – when the state demands a producer pay back money to make a client whole – ran $14,796,164.
Generally, fines decreased from 2020 to 2021, possibly indicating some insurance malfeasance was specific to the conditions-which-shall-not-be-named of 2020. Producer restitutions, however, nearly doubled in that time.
Fines against insurance carriers and agencies in insurance
The NAIC report on 2021 market data doesn’t give a full tally of insurance fines against carriers or agencies. That’s not unexpected because, frankly, many fines don’t end up being paid. To understand why, consider the earlier-stated role of DOIs: They want compliant participation above all else. So, frequently, company penalties are levied in a way that incentivizes compliance. Among the penalty arrangements we’ve seen:
- Half a fine levied against a company upfront, with the second half pending a compliance audit in the next quarter; if the company passes the audit, the second half will be waived
- A fine levied against a firm to the tune of twice the amount of restitution; for every dollar the firm pays in restitution, two dollars will be removed from the fine
In fact, our best guess at an annual “actual” penalty rate is that state budgets in 2021 included $207,922,008 in “fines and penalties.” (Even then, many states sweep penalties into other parts of the state’s budget, which may not show up on this report.)
If you split those penalties among the 2,513 regulatory actions taken against companies, it comes out to a whopping $82,739.
If that number seems low for insurance carriers that report their premiums per million, you’re not the only one thinking it. Yet, aside from a few outlying industry examples such as the Zenefits fine (assessed more than $10 million in fines for licensing violations), insurers and agencies don’t often see the eye-popping totals that are far more common (along with jail time) in SEC judgments. To understand why, it’s important to understand that fines often aren’t the true punishment; the investigation process is punishment enough.
How does a state department of insurance start a compliance investigation?
Many states have proactive market examinations and every state has solvency controls that involve a degree of financial reporting. So, it’s possible that, in the course of routine compliance, regulators will discover some concerning threads that unravel something worse (yes, this is an ugly sweater analogy).
Often, consumer complaints or industry chatter will get the attention of a state DOI. In 2021, the DOIs had 259,345 consumer complaints and more than 1.5 million consumer inquiries. California took the lead with the complainiest market, with more than 44,000 consumer complaints. We’re kidding, but, for the record, California had about 12 percent of the overall population of the U.S., and about 17 percent of the complaints. (There’s a joke there about people finding faults and California’s earthquakes.)
So, a DOI gets a complaint. Next, they’ll reach out to the carrier or agency to ask them to respond to a specific complaint, or request the relevant records in a broader investigation, which often comes from a pattern of complaints.
Complying with a DOI investigation
Often, your compliance discipline experience will begin with a notice from a state commissioner’s office.
When a carrier or agency receives a notice of an investigation, in most states this begins an invisible legal clock, which counts down the days in which the business has to respond to regulators. In states where it’s easier to keep designated responsible licensed producers (DRLPs) and other compliance stakeholder information up-to-date, then there’s more of a likelihood that states will contact the right person and communication will proceed in good order. But, in states where company contact lists are more manual, there’s a higher likelihood that regulators’ emails or letters will go unanswered. Not maintaining up-to-date contact information with the state DOI in and of itself can become a red flag for regulators in cases like these.
The administrative notice from the state lays out the basis of a complaint and asks for more information. Most states have strictly stated response expectations (such as needing to respond to the DOI within 14 days). While most states’ expectations are weeks long to account for snail mail responses, it behooves companies to get in front of whatever is happening.
You’ll want to be as quick as possible in gathering whatever information the state is asking for, organizing it, and sending it on to them, because maintaining good will goes a long way. Often, a business will also want to begin their own internal investigation to find the extent of the compliance issue and be ready to present the state with a solution.
Sometimes, by presenting a complete voluntary disclosure with a proposed remedy, that’s the end of the story. Particularly if you have the receipts that show your own business’s diligence, the state may look further up or down the distribution chain to find the source of the issue, if there is one at all (many complaints stem from genuine misunderstandings, after all). Other times, however, it may take several months’ worth of back-and-forths to fully articulate the full problem-response-solution scenario.
Responding to DOI inquiries with an internal investigation
Businesses may spend more on internal resources and possibly outside counsel to deal with the matter than what they’ll ultimately spend on a fine. Once in the process of an investigation, mid-size and large companies may have to bring in outside attorneys, professionals who bill hundreds or thousands of dollars an hour, to examine your internal operations and respond to every inquiry.
In the meantime, while your team scrambles to provide regulators with sufficient information, others may have to stop what they’re doing to answer questions for the legal team about how they handle certain processes, or who is assigned to what data, or when certain information was handled.
Current work is delayed for the sake of the investigation. If your own internal pace of business slows, your downstream relationships can strain and crack. Sales can slow or stop as other internal processes affected by a regulatory investigation create bottlenecks.
The more manual a business’s internal operations are, the more difficult it becomes for staff to quickly comply with an investigation. Unfortunately, when the DOI issues a request for information, they’re not able to specify which of your business systems might contain the data they’re looking for, or where the timestamped record you need might live. For businesses that use manual processes to handle compliance data, you may be looking through audit trails in spreadsheets, emails, folders on your server, or even fax logs.
The way a DOI requests its data and requires a business to present it may not be in line with that business’s internal systems. Businesses that rely on automated systems with flexible reporting, timestamps, and clear data sources can meet DOI expectations far speedier and with fewer internal hours.
And, to be clear, just ignoring the DOI to focus on business as usual isn’t an option for insurance carriers and agencies that want to keep their doors open. For as laborous and frustrating as an investigation can be, the state’s department of insurance owns your ability to do business in that state. Businesses that fail to comply with the state’s data requests and timelines will find themselves with no license or certificate of authority.
Even with proactive communication and timely responses, however, an insurance investigation often doesn’t have a quick resolution. As regulators indicated in an FAQ session with the AgentSync blog, an investigation could be weeks long. Or it could take years. The process itself may involve primarily email or even snail mail communication, sending documents and files back and forth in a series of investigatory call-and-response.
While this may resolve in a cadence that gradually fizzles out as the state decides you were in compliance or that you’ve acted in good faith to resolve any issues, there’s also a chance that your company lawyers may end up in front of an administrative judge to reach a final resolution.
Often, if a DOI begins pulling threads and finding more violations, an investigation will continue to expand beyond the scope of the original exam or complaint. So being able to present a tidy resolution quickly is paramount to prevent the kind of inquiry that goes from distracting to business-halting. Because manual, disparate systems that require lots of time to pick over to find records are also more inclined to reveal other gaps as you go.
While no compliance investigation is guaranteed to be short and sweet, giving a state DOI increasing reasons to question your compliance and find more errors in your internal controls is a fast path to a long, drawn out investigation.
Contagion: Multistate investigations and NAIC task forces
The contagion risk is, if your business has a multistate footprint, then issues complying with one state’s rules are likely to make you a target of the other state DOIs in which you operate. After all, the regulators talk to each other regularly.
It’s not the fine, it’s the investigation, remember? Now, imagine a scramble to provide the information you have to give to a DOI, on time, times more than 50 other jurisdictions.
Because of the National Association of Insurance Commissioners, states may join together for one large NAIC task force joint investigation of your business. In some cases, this actually may be a less hectic experience. Though an NAIC task force has more investigative resources at its disposal and may be slowed down by the cacophony of regulators, it also offers a single point of communication and a streamlined process. If you get faced with a multistate investigation where each state has its own independent investigation, keeping track of who asked for what and when can be overwhelming.
Even if you “win” and show yourself to be in the right, you may spend innumerable hours of time, energy, and money to address compliance queries. And all the time you spend on an investigation is time you can’t spend addressing the challenges or opportunities of your core business.
For those responding to inquiries that have the threat of regulatory action, some approaches to keep in mind:
- Get in front of communications
- Generate agnostic data internally that regulators can trust
- Show both the extent of the problem and the speed in which you can fix it
At AgentSync, our customers have agnostic data synced with a source of truth that they can point to for timestamped, validated appointment and licensing data for producers, and verified licensing for adjusters and variable lines brokers. To learn more about AgentSync’s application in preventing or helping you through any regulatory investigations, schedule a demo today.