An Overview of the Regulatory Framework of Insurance


It’s hard to imagine a time without insurance. Health, life, home, and auto protection have become staples of the average American’s life. Yet at the beginning of the country’s history, being uninsured was the norm — the term “insurance” wasn’t even in our lexicon until the early 1700s. Since then, there have been many changes in the industry, most notably in how it’s regulated.

A Brief History of Insurance in America

  • In 1851, the insurance regulatory system took shape when New Hampshire appointed the first-ever state insurance commissioner. Other states soon followed suit.
  • By the 1920s, more than 120 million life insurance policies had been sold in the United States — nearly equal to the total U.S. population in 1928.
  • In 1945, Congress enacted the McCarran-Ferguson Act, supporting state-based regulation of the insurance industry without federal interference.
  • In 1990, the National Association of Insurance Commissioners adopted the Unfair Claims Settlement Practices Act, protecting consumers from unfair actions that might occur during the claims settlement process.
  • In 1999, Congress passed the Gramm-Leach-Bliley Act, also known as the Financial Modernization Act, which permits the partnering of banks, securities firms, and insurance companies. At the same time, however, Congress called for state reform in insurance regulatory practices, allowing insurers to compete more effectively in the new financial services marketplace.
  • In 2010, former President Barack Obama signed the Dodd-Frank Wall Street Reform and Consumer Protection Act into law, placing further regulations on the financial services industry to protect consumers from predatory mortgage companies and lenders.

The history of the insurance industry has seen many iterations — and it continues to evolve. With the McCarran-Ferguson Act, for example, states were granted broad authority to regulate the business of insurance. Meanwhile, GLBA set new standards for the distribution and protection of consumer data. More recently, the Dodd-Frank Act took consumer protection to the next level while creating more stringent regulations around risky lending practices.

But with each new law or regulation, one thing remains the same throughout the history of insurance: Business practices and regulations of insurance companies vary state by state. That’s why it’s so hard to know precisely who regulates insurance companies. Regulation is often up to the states rather than the federal government.

Insurers doing business in one state aren’t necessarily subject to the same laws and regulations as those in neighboring states. So, if you’re transacting on a national — or even global — level, you’re often looking at a number of different sets of requirements. This lack of consistency makes compliance more difficult.

Fortunately, First Consulting & Administration, a PIMA member and part of our Legislative & Regulatory Interest Group, provides a resource center on its website. This can help insurers better understand the laws, regulations, statutes, and pending legislation affecting each state.


A Look at Laws Affecting the Modern Industry

With an increased focus on consumer protection, it seems like the industry faces new regulatory standards each year. The past few years were no exception, and some would argue that the pace of banking, securities, and insurance regulations has sped up so much that it’s nearly impossible to keep up with all the changes to the regulatory framework of insurance. While you might not know about every single change that comes along, the following laws and regulations are some you should definitely be aware of:

  1. NY Reg 187

NY Reg 187 sets new standards for how agents and brokers make insurance and annuity product recommendations. Recommendations must be in the “best interest” of clients rather than just suitable. However, this does not impact direct mail as long as recommendations are not made in the literature.

This regulation requires insurers to establish more stringent standards and procedures for the training and supervision of producers. Insurers must be able to show that each recommended transaction addresses the insurance needs and financial objectives of the New York client. All in all, the goal of NY Reg 187 is to limit the influence of producer compensation on insurance recommendations.

  2. NYDFS Cybersecurity Regulation

The NYDFS Cybersecurity Regulation, 23 NYCRR Part 500, imposes cybersecurity requirements on entities licensed by the New York Department of Financial Services, including state-chartered banks, licensed lenders, insurance companies, and any third-party administrators that hold their own DFS license; covered entities must in turn impose written security requirements on the third-party service providers that handle their data. If your organization operates under DFS licensure, you must maintain a risk-based cybersecurity program and a written cybersecurity policy, designate a chief information security officer, perform periodic risk assessments, notify DFS within 72 hours of a cybersecurity event that meets the regulation’s reporting criteria, and certify compliance to DFS annually. Keep the evidence: the regulation expects the program, the assessments, and the event records to be documented, not merely in place.

  3. General Data Protection Regulation

Although the General Data Protection Regulation, or GDPR, governs the personal data of individuals in the European Union (it applies to data subjects in the EU regardless of citizenship, and to non-EU companies that offer goods or services to them), it has set the stage for the regulation of data privacy in the United States. In fact, some associations have adopted GDPR because of the amount of international business they do, and they want to apply the law uniformly to all their members.

Insurers should use GDPR standards and regulations to inform future data protection compliance measures. Any move to protect consumer data will not only instill trust in your customer base, but it also will help you prepare for the inevitable adoption of similar regulations in your state of business.

  4. New York Privacy Act

If enacted, the New York Privacy Act, or NYPA, would give residents of New York more control over their data than in any other state. Companies would be required to make their data “de-identification” methods public; place special protections around data sharing; and disclose, upon consumer request, the names of any entities with which someone’s personal information is shared.

  5. California Consumer Privacy Act

Much like GDPR and NYPA, the California Consumer Privacy Act, or CCPA, gives consumers greater control over their data. Under CCPA, companies must tell a consumer, on request, what personal information they have collected, why they collected it, and which categories of third parties it has been shared with or sold to; they must also honor requests to delete that information and to opt out of its sale.

  6. SOC 2

While System and Organization Controls 2, or SOC 2, isn’t a law, it is a widely demanded attestation framework published by the American Institute of CPAs (AICPA). A SOC 2 report is an independent auditor’s assessment of a service organization’s controls against the Trust Services Criteria for security and, optionally, availability, processing integrity, confidentiality, and privacy. Nothing obliges a company to obtain one, but insurers and their partners increasingly require a current SOC 2 report from any vendor that stores or processes customer data, whether in the cloud or not, so in practice it functions as the baseline for written information security policies and evidence that they are actually followed.


Organizations That Provide Oversight in Standards

With the constantly changing regulatory framework of insurance and lack of standardization, it might seem impossible to keep up. Luckily, a number of agencies, organizations, and advisory boards have been established to help with the regulation of insurance companies and to provide oversight in developing standards for the financial services and insurance markets. Many of these entities — including the following — are membership-driven because no federal regulatory agency exists to oversee the entirety of the insurance industry.

  • International Association of Insurance Supervisors. A voluntary organization, the International Association of Insurance Supervisors, or IAIS, works to set standards for all insurance-related activities. Its goal is to develop and maintain fair, safe, and stable insurance markets to protect consumers.
  • Insurance Capital Standard. Though not a governing body, the Insurance Capital Standard, or ICS, is a risk-based, groupwide capital standard developed by the IAIS for internationally active insurance groups. It serves the same goals as the IAIS itself: consumer protection and the financial stability of the insurance market through prudentially sound behavior and risk management.
  • National Association of Insurance Commissioners. The National Association of Insurance Commissioners, or NAIC, is a U.S. insurance standard-setting organization. Instead of voluntary participation, its members consist of the chief insurance regulators from all 50 states, the District of Columbia, and the five U.S. territories. Its primary role is establishing standards and best practices for the insurance industry, but the NAIC also coordinates regulatory oversight and conducts peer reviews.


Structure of Insurance Regulation

By and large, insurance regulation is structured around several key functions, including the following:

  1. Company Licensing

All insurers and insurance-related businesses must be licensed in their states of business prior to selling products or services. Once licensed, insurers are then subject to regulatory standards. Failing to comply with any one of these standards could result in licensure suspension or revocation — as well as potential fines, which vary from state to state.

  2. Producer Licensing

Like insurers, agents and brokers must be licensed in their residing states prior to selling insurance-related products or services. Many states also require that producers be appointed with the insurance companies with which they do business. Unsurprisingly, they also are subject to regulatory requirements. Any agent or broker who fails to comply could face license suspension or revocation as well as state-based fines. To maintain high professional standards, all licensed agents and brokers must participate in continuing education programs.

  3. Product Regulation

To ensure that insurance policy provisions comply with state laws, all insurance-related products are subject to regulation. Although rules and standards vary by state, most regulations ensure that policies are reasonable and fair to consumers — leaving no gaps in coverage unknown to policyholders.

  4. Financial Regulation

Financial regulation is yet another safeguard for policyholders that verifies and validates an insurer’s accounting methods, procedures, and more. The goal is to ensure the financial standing of insurers. Should an insurance company become financially impaired, the state insurance department would step in and use guaranty funds to cover policyholder losses.

  5. Market Regulation

Market regulation is just as it sounds: It’s a process to maintain fair and reasonable prices, products, and trade practices in the industry. To ensure consumer protection, states conduct routine examinations of an insurance company’s business, such as sales practices, claims handling, and the types of products sold by the company. Should state regulators find violations, the insurance department may recommend operational improvements and/or issue a civil penalty, license suspension, or revocation.

  6. Consumer Services

With the many changes taking place in the insurance and financial services marketplace, states are establishing consumer services to handle questions and complaints. These services often include toll-free numbers, informational websites, educational seminars, and special consumer services units.


Insurtech: A Means to Ensure Compliance

In the current regulatory framework of insurance, insurtech can help you remain compliant. While you’ve probably heard about it, you may still be wondering exactly what insurtech is. Basically, it’s technological innovations that allow companies in the insurance industry to do their work more efficiently while maintaining the optimal level of compliance and customer care.

As the regulatory landscape evolves, so does the insurtech industry. In the future, for example, third-party data providers will make consumer information available to insurers without supplying detailed data. Insurers will get only the information they need and avoid the regulatory issues that often accompany a more robust dataset. The following technologies — among many others — will make this possible:

  • Homomorphic Encryption. Homomorphic encryption (which the insurtech world sometimes calls homomorphic computing) lets a party compute on encrypted data and obtain an encrypted result without ever decrypting it; only the holder of the decryption key can read the answer. Its drawback is a subtle one: because the party holding the ciphertexts can compute offline, without the data owner’s participation, nothing in the cryptography stops it from evaluating a function the owner never consented to. The owner controls decryption of the result, not which computations are run, so consent and auditing still have to be enforced by contract and process. Homomorphic operations are also far slower than the same operations on plaintext, which limits the workloads that are practical today.
  • Multiparty Computation. Multiparty computation, or MPC, splits each sensitive value into secret shares and distributes them across several parties; any single share (or any set of shares below the scheme’s threshold) is indistinguishable from random, so no party ever sees a whole value. The parties then jointly run a protocol over the shares and reconstruct only the agreed result. It’s like a giant jigsaw puzzle in which each party holds a fixed number of pieces and the picture is never assembled. Unlike homomorphic encryption, the parties have to stay online and exchange messages during the computation, which is exactly what prevents any one of them from acting alone.
  • Hybrid Computing. Hybrid computing combines the two: the data is first encrypted homomorphically and then secret-shared across parties, so that no single system ever holds it in readable form. Compromising one party yields only a share of an encrypted value, which on its own reveals nothing. That raises an attacker’s bar considerably, but it does not make a breach impossible: the decryption keys, the protocol implementation, and the endpoints where results are finally decrypted remain targets.
  • Private Set Intersection. Private set intersection, or PSI, is not an encryption scheme but a two-party protocol: each party holds a set (say, a list of customer identifiers), and at the end one or both parties learn which elements the sets have in common and nothing about the elements that don’t match. The exchanged messages are blinded values that neither side can unblind alone. The only things leaked beyond the intersection itself are the sizes of the two sets.
  • Secure Searchable Encryption. Searchable encryption lets a server search over encrypted data on the client’s behalf and return only the matching records, without the server learning the plaintext of the data or, ideally, of the query. It’s a way to keep sensitive data protected at rest while still making it useful to insurers. The caveat is that most practical schemes leak access and search patterns (which records match, and when the same query is repeated), and that leakage should be assessed before deployment.
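As an added example that is not part of the original article, here is a toy implementation of the private set intersection step described above: two holders of customer lists learn which identifiers they share and nothing else. It uses the classic Diffie-Hellman-based construction (hash each identifier into a prime-order group, blind it with a private exponent, let the peer blind it again, compare the doubly blinded values) with nothing but the Python standard library. The email addresses, the 128-bit group size and the label `pima-psi-demo` used to derive the group are constructed for the demo; a deployment would use a 2048-bit or larger safe prime or an elliptic-curve group.

```python
"""Toy Diffie-Hellman private set intersection (DH-PSI), standard library only."""
import hashlib
import secrets

SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97]


def is_probable_prime(n: int) -> bool:
    """Trial division plus Miller-Rabin with fixed bases (fine for a demo,
    not for generating production parameters)."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(bits: int, label: bytes) -> int:
    """Deterministically find a safe prime p = 2q + 1 of the requested size,
    starting the search from a hash of `label`."""
    q = int.from_bytes(hashlib.sha256(label).digest(), "big") >> (256 - (bits - 1))
    q |= (1 << (bits - 2)) | 1                      # fix the size, make it odd
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


# Toy parameters (assumption for the demo): 128 bits keeps the search instant.
P = find_safe_prime(128, b"pima-psi-demo")
Q = (P - 1) // 2                                     # order of the quadratic-residue subgroup


def hash_to_group(identifier: str) -> int:
    """Map an identifier into the order-Q subgroup: hash, reduce mod P, square."""
    h = int.from_bytes(hashlib.sha256(identifier.encode()).digest(), "big") % P
    return pow(h, 2, P)


class Party:
    """One side of the protocol; `key` never leaves the party."""

    def __init__(self, identifiers):
        self.identifiers = list(identifiers)
        self.key = secrets.randbelow(Q - 1) + 1      # private exponent in [1, Q-1]

    def blind_own(self) -> list:
        """Round 1: send H(x)^key for each own identifier, in shuffled order."""
        secrets.SystemRandom().shuffle(self.identifiers)   # order must not leak
        return [pow(hash_to_group(x), self.key, P) for x in self.identifiers]

    def blind_other(self, received: list) -> list:
        """Round 2: raise the peer's blinded values to our key, preserving order."""
        return [pow(v, self.key, P) for v in received]


def run_psi(set_a, set_b) -> set:
    """Party A learns A ∩ B; each side learns only the other's set size."""
    a, b = Party(set_a), Party(set_b)
    # Round 1: both sides send their singly blinded sets.
    a_blind, b_blind = a.blind_own(), b.blind_own()
    # Round 2: B doubly blinds A's values (H(x)^ab) and returns them in order;
    # A doubly blinds B's values itself (H(y)^ba).
    a_double = b.blind_other(a_blind)
    b_double = set(a.blind_other(b_blind))
    # Equal identifiers give equal group elements, since (h^a)^b == (h^b)^a.
    return {x for x, v in zip(a.identifiers, a_double) if v in b_double}


if __name__ == "__main__":
    # Constructed sample data: customer lists held by two different firms.
    insurer_a = {"alice@example.com", "bob@example.com", "carol@example.com"}
    broker_b = {"bob@example.com", "carol@example.com", "dave@example.com"}
    print("shared customers:", sorted(run_psi(insurer_a, broker_b)))
```

Run it directly to print the shared customers. Neither party can unblind the values it receives without the other’s private exponent, and a party cannot even test a guessed identifier against the peer’s list, because computing the peer’s blinded form of that guess requires the same exponent; an eavesdropper learns nothing beyond the two set sizes. Normalize identifiers (case, whitespace) before hashing, or legitimately matching records will fail to intersect.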

There are, then, a variety of cryptographic protocols to choose from. The overarching theme is that cryptographically enforced privacy is becoming the gold standard for regulatory compliance. Consumers own their data and have the right to consent to how it’s used. Encryption does not remove the need for consent: it must be obtained before any processing, and the data must be deleted should the consumer request it.

That’s why it’s so important for insurers to keep track of where consumer data is stored and how it’s used, which can come with its own set of challenges. There’s a lot of data to manage, so using insurtech to work on the process now might help mitigate a crisis later — and ensure compliance when data privacy laws go into effect in your state of business.

For many insurers, cloud computing has become an essential part of this process. It provides all the necessary functionalities for managing and using datasets. It also provides flexibility and scalability because companies can often integrate cloud-computing solutions with their legacy systems.


Preparing for the Future Regulatory Framework of Insurance

The regulatory landscape has faced no shortage of changes, especially with regard to data privacy and security. CCPA, and proposals such as NYPA, are just the first of many regulations to come, and you can rest assured that similar laws and ballot measures will come to your state, and eventually to the nation. To stay ahead of the curve, we recommend a proactive approach to data privacy.

Use CCPA, NYPA, and even GDPR as templates to draw up your own set of data policies and procedures to protect your clients’ personal information. Even if a pared-down version of these regulations passes in your state, proactively implementing such controls will help reassure your customers that their personal data is safe.

Besides, nearly 70% of consumers seek honesty and transparency from companies that use their personal data. Making data protection a priority could give you a competitive advantage in the marketplace, helping you grow your business like never before. It’s just one more mechanism to build trust, which is essential to your success.

Published on June 25, 2020.

PIMA members can participate in its online Legislative & Regulatory Interest Group, which also convenes at PIMA’s semiannual conferences. PIMA® (Professional Insurance Marketing Association®) is a member-driven trade association focused exclusively on the group-sponsored benefits market.