Tag Archives: naic

NAIC’s New Rules: Challenges, Solutions

For security and compliance professionals, the announcement of new regulatory standards can be a stark reminder that the to-do list is long and the day is short. But with careful preparation and concerted, coordinated efforts to mature governance, risk management and compliance (GRC) activities, compliance and security teams can face new rules and standards with confidence.

After many iterations and comment periods, the National Association of Insurance Commissioners (NAIC) announced the adoption of the Insurance Data Security Model Law in October 2017. The model law — which encompasses rules for licensed entities about data security and data breach investigations and notifications — establishes more rigorous guidelines for the insurance industry. It shares many similarities with the New York State Department of Financial Services (NYDFS) cybersecurity requirements for financial services companies, currently considered to be the highest bar — and a best practice — so the NAIC’s model law is likely to be adopted by many states as the governing standard.

The NAIC’s rules specify information security programs should be based on “an ongoing risk assessment, overseeing third-party service providers, investigating data breaches and notifying regulators of a cybersecurity event.”

In particular, take a close look at Section 4: Information Security Program. It details implementing a program and the requirements for assessments, reporting, audits, policies and procedures. It sounds straightforward on the surface but grows in complexity the more you read; you need to not only identify internal and external threats but also assess the potential damage and take active, concrete steps to manage the threats. Section 4 also calls for more accountability when it comes to protecting data — each insurer must submit an annual statement by February 15 certifying compliance with Section 4 or identifying areas that need improvement, as well as remediation plans.

See also: Insurance Is Not a Magazine Subscription

It is important to note that the insurance industry has unique challenges around internal risk, third parties and intricately collaborative processes. Many entities and individuals are involved in a single claim: brokers, dealers, agents, actuaries, adjustors and claims processors. This creates more room for error, more potential gaps in security coverage and more difficulty managing contributors. Comprehensive procedures supported by integrated risk management technology solutions will help weave a tighter web.

Renewed Focus on Third Parties

As is the case with many of the major cyber security and data privacy frameworks (e.g., HIPAA, NYDFS, GDPR), the NAIC’s model law gives special attention to required oversight of third-party providers. Licensed entities are responsible for ensuring that third parties implement administrative, technical and physical measures to protect and secure the information systems and nonpublic information they hold or have access to.

Meeting these requirements means licensed entities need to conduct assessments to ensure third parties are following security, privacy and notification guidelines. In Section 4.c.: Risk Assessment, it stipulates identifying threats by means of an ongoing assessment and an annual review of systems, controls, processes and procedures.

Developing a comprehensive and streamlined system for vendor risk management is an increasingly critical component of both security and compliance programs — especially for large enterprises and those with complex partnership and outsourcing structures.

Incident Response is Key

The NAIC’s model law also specifies requirements for incident investigations and mandates that breaches are reported to the commissioner within 72 hours. In this notification, insurers must provide as much information as possible, including: the date of the breach; how the information was exposed; the types of information exposed; the period during which the system was compromised; planned remediation efforts; a copy of the company’s privacy policy; and more. Additionally, licensees must notify consumers of the breach as their state’s data breach notification law requires.

It will be nearly impossible to meet these demands if your security information is outdated, incomplete or difficult to pull together. Expedient incident response can have a significant effect on outcomes. If you can quickly coordinate clear, accurate communications to regulators, third parties and customers about a breach or cyber attack, you can contain reputational damage, protect end-users and prove negligence was not a factor.

See also: It’s Time to Act on Connected Insurance

How to Become Prepared — and Stay that Way

While some of the specific requirements of NAIC’s new model law might cause alarm, most insurance businesses already have well-defined processes and controls. The need to keep sensitive customer data secure and private isn’t new, and high-profile data breaches (e.g., Equifax, Anthem, Aetna) keep a spotlight on the consequences of failing to do so.

Licensed entities are most likely to be challenged by the outer ends of the integrated risk management spectrum — the granular details of controls, policies and procedures on one end as well as the development of a sustainable security culture on the other. Both can be enhanced and reinforced through an enterprise-wide, technology-driven approach to GRC efforts.

By implementing a centralized integrated risk management platform, insurance organizations can move away from fragmented manual processes (spreadsheets and email) and toward higher degrees of automation and analytics.

The difficulty of meeting the NAIC’s requirements depends on the maturity of a company’s security and compliance program.

Companies that are already using an integrated risk management platform will easily be able to identify the gaps in compliance and efficiently make needed changes to achieve compliance. Those who do not have mature programs in place will have a longer path, from reviewing the requirements and identifying compliance gaps to the challenging goal of creating a culture of security.

Interview with Nick Gerhart (Part 3)

I recently sat with Nick Gerhart to discuss the regulatory environment for U.S. insurance carriers. Nick offers a broad perspective on regulation based on his experience: after roles at two different carriers, Nick served as Iowa insurance commissioner and currently is chief administrative officer at Farm Bureau Financial Services.

Nick is recognized as a thought leader for innovation and is regularly called on to speak and moderate at insurtech conferences and events. During our discussion, Nick described the foundation for the state-based regulatory environment, the advantages and challenges of decentralized oversight and how the system is adapting in light of innovation.

This is the last installment of a three-part series. The first focused on the regulatory framework insurers face (link). In the second part (link), Nick provided the regulator’s perspective, with a focus on the goals and tactics of the commissioner’s office. Here we discuss the best practices of the insurers in compliance reporting as well as future trends in compliance reporting.

From my experience in speaking with carriers, I’ve been struck by the challenges of reporting data in various different reports to so many different entities. A lot of carriers struggle just with the process, and the quality of the data reported suffers. So, to dive into the quality of the filings for a moment, what are you looking for?

Garbage in, garbage out, obviously.

The most obvious issues start with the outliers. And it would come back to the state catching the company filing some bad data. So, for instance, on the life and annuity side, how you define “replacement” can trigger a percentage up or down that maybe you shouldn’t have in there.

If you think about it, from the company side, a lot of MCAS data is probably gathered on an Excel spreadsheet, or in Sharepoint, or a shared drive, and it’s someone’s job to pull the data. And, he or she is often not the subject expert of the report to be filed.

Overall, companies make a commendable effort in terms of timeliness and accurate data. But, to the extent that a carrier does not pay close attention to what’s going into the file, it can be a problem. You really don’t see the output very well from a 30,000-foot view; a carrier is far more likely to have issues unless it has a really solid data entry process in place or someone who owns it on the executive team who actually knows what is going into the report.

Any examples you can share?

One that comes to mind was a company that reported an unbelievably high replacement ratio. And when we dove into it, we realized they had pulled the wrong file to calculate the rate. Now, it worked itself out, and the ratio was actually much lower, which is a good thing, but again I think companies need to pay more attention to how they are filing this data and where they’re pulling it from.

And that’s where every company could do a little bit better job. I’ve had roles in three insurance companies now, and you can look at something as a check-the-box exercise, or hey-let’s-do-it-right. In my view, if you’re a bigger company, all of this does build into your ORSA filing in some respect.

See also: Why Risk Management Certifications Matter  

Your Own Risk and Solvency Assessment is just a picture of where you are on a risk basis. But a lot of your risks are related to market issues. Every company can probably do a little bit better job of making sure the data you submit is timely, relevant and the right data.

And, when you’re looking at specific data with a report, the replacement rate within MCAS, for instance, how do you come up with that benchmark data? Are you looking at trending analysis in the context of industry benchmark data or trending within the company?

That’s a really good question. It’s more art than science; there isn’t one right way to do it. If you had a 75% replacement ratio, but you only sold four annuities, that may or may not mean anything. If you have a 75% replacement ratio, and you sold 25,000, that’s a different issue.

You start to look at it from a benchmarking of industry, a standard across the industry. Whether you can get that data from LOMA, LIMRA or WINK. Regulators have all of those same data points and benchmark studies, so you have a gut feel for what is an industry number.

Then beyond that, to your point, you’d have to dig down for context. For example, Transamerica sells a lot more life insurance and annuities than EMC National Life. A benchmark is a benchmark, but it doesn’t differentiate from a small mutual carrier or small stock carrier.

This is why context is really important. If you see a disturbing relationship or ratio develop on complaints, you have to look at the line of business, how much business they write, whether or not it’s an agent issue, or a producer issue, or home office issue, or a misunderstanding issue. You really have to dig in. Benchmarking is a start, and it’s certainly helpful.

Iowa has 216 carriers, and the vast majority are small or midsize, sometimes just county mutual carriers. You have to look at each carrier on its own, as well. The benchmark helps, but it’s not the end all and be all.

Did you look at consistency of data? For instance, premiums written is a component, in some form, of the financial reporting, market conduct and premium tax filings.

Certainly. Our team would look for consistency of data across filings. Our biggest bureau at the division was on the financial side. And that’s really where I spent a lot of my time to develop staff.

If we start to realize that a premium tax number doesn’t line up with premiums written, they start to ask questions. And sometimes there are good answers, and, other times, it’s a miss. And so, again, it’s data consistency and quality across all the reporting to make sure we have a clear picture.

Because oftentimes, it’s something we didn’t understand, or the carrier filed but didn’t pull the right number. The sophistication of the models that the companies use – as well as the sophistication of the reporting – varies greatly from small carriers to big carriers. Some have home-grown systems; some have ad hoc processes. It’s all done differently.

Do you have a sense – both from your time in industry as well as your role as insurance commissioner – how feasible it is to have a meaningful review process? To put this question in concrete terms: If you’re the CFO, you’re signing off on a lot of reports. Based on the volume of reports you’re signing, are you truly reviewing the data that’s being reported?

That’s a great question.

You’ve got reporting requirements for Sarbanes-Oxley if you’re public. You’ve got other reporting requirements under corporate governance at the state level. It’s impossible to dig into every single report for every single data point. So, you do have to rely on your staff, on your auditors and your chief accounting officer. And that’s why you have those controls in place leading up the reporting structure of those organizations.

That being said, a CFO would want to have a clear picture from a benchmarking dashboard. There are a lot of tools for people in the C-Suite for tracking and visualizing data that call out for attention when a metric is out of place or not reported.

The CFO relies on the team and the controls in place for the data to be correct in order to sign off. But, having a snapshot that showed what is filed, and when, and different data points and sources would be of immense help.

What are the consequences, from a regulator’s standpoint, of poor quality or inconsistent data? Is it reputational? Does it add to question marks around a company?

There are several things. Yes, it’s possibly reputational. But that’s in the longer term. Most immediately, the carrier is going to have to commit resources to resolve the issue.

If a commissioner’s officer is asking questions, he or she has found something. You’ve got to commit resources to adjudicate and resolve the issue. And, it could very well lead to a targeted exam, which, in turn, could end up as a full-blown market conduct exam.

It could also create a number of other issues during the triennial exam or the five-year deeper dive exam, which would require additional resources. These exams can cost quite a bit of money. And so, that’s a hard dollar cost. But, there is also the soft dollar cost of staff time, resources expended and opportunity cost in that it kept the carrier from have done something more productive.

How does this work in practice?

I can think of when I was commissioner once or twice when we had targeted exams based on filings that ultimately led us to say, “Okay, there is a problem here.” Both times were out-of-state companies.

To your point earlier, you can call an exam on any company that is doing business in your state, certainly on the market side. On the financial side, you’re going to have more deference. But, on the market side, every commissioner’s office is reviewing the data, as well.

Often for us, we would start with the complaints that are coming in, and then identify a trend with a carrier. And if you start to see a number of complaints, then you pull the data.

Some insurers have a cynical view of regulators, particularly in some states. I’ve heard them refer to this as “the cost of doing business.” They feel that, if you’re going to write policies in some states, you’re going to get fined from time to time. And then, if you get fined by one state, then you’re going to see fines from other states as well. How does this work in practice?

A carrier has an obligation to report a fine in all states in which it’s licensed. On top of that, there is this thing called the internet. When a state issues a fine – Commissioner Jones or Director Huff was famous for this – it would be followed by a press release, as well.

So, there is some truth to the idea that if an insurer has trouble in one state, it might have it in multiple states. But there is some right to have a level of cynicism. There are some states where you’re much more prone be fined. Whether this is a cost of doing business, that’s a decision for that management team. But, if there is a fine in one state, the chances that of it in multiple states is high

Our view of the world, in the Iowa division, was not necessarily to gang tackle but rather how to resolve the issue in our state. If there was a problem, we asked, “Did you make customers whole?” I would look at a systems issue with billing differently from an issue in which someone was ripped off. We tried to use judgment and look at the issues based on the facts and circumstances.

Currently, data flows from carriers to commissioners in a defined cadence. What do you think of the promises of regtech – the concept that software and system automation will allow for data to flow to regulators seamlessly, in real time and without the need for insurers to prepare and curate data for filings?

Right now the NAIC is the hub of a lot of this. And the idea that a state would get this directly from the insurer is a stretch.

What about through the NAIC?

Through the NAIC, I could see it happening. They’ll go to a cloud-based system, I’m guessing. As they make that shift, could that happen? Possibly.

I always joke that for the state of Iowa, and most states, you have the best technology from 1985. Some states are ‘95. It is a stretch to think that this could happen without the NAIC leading.

See also: The Current State of Risk Management  

The NAIC really is the hub. If you’ve been to Kansas City, you’ve seen how impressive their system is, and their folks are. NIPR, for instance, I would always joke, is a technology firm. It’s not a producer licensing firm. The NAIC has tremendous resources. Their CTO has ideas on how to streamline it further. I could see this happening in 10 years or less. The reality is that a state could never do this.

So, a state has to rely on the NAIC. Going back to why this system works, well it works because you have an association – the NAIC – that has the ability to upgrade and transform quicker than any state ever could.

Is it possible that the states could innovate on their own, outside the NAIC?

It would be hard, at best. If you think about the state-based system, if Iowa doesn’t transform as quickly as California, or Montana as Wyoming, that starts to be a problem.

The NAIC can take care of that in one fell swoop and we, as state regulators, all benefit from that work.

I could see data delivery and reporting being quicker, more meaningful, real-time. I could even see, down the road, machine learning processes put in place to help on policy review form, financial review form. I think you could get there. I don’t know if it’ll be five years, 10 years or 15 years, but it will certainly happen in my career, where it’s going to be a continuously improving process.

The NAIC is the best way that regulators keep up with the demands that are happening, through leveraging the NAIC tech and personnel.

An Interview With Nick Gerhart (Part 1)

I recently sat with Nick Gerhart to discuss the regulatory environment for U.S. insurance carriers. Nick offers a broad perspective on regulation based on his experience: After roles at two different carriers, Nick served as Iowa insurance commissioner, and he currently is chief administrative officer at Farm Bureau Financial Services.

Nick is recognized as a thought leader for innovation and is regularly called on to speak and moderate at insurtech conferences and events. During our discussion, Nick described the foundation for the state-based regulatory environment, the advantages and challenges of decentralized oversight and how the system is adapting in light of innovation.

This is the first of a three-part series and focuses on the regulatory framework insurers face. In the second part, Nick will provide the regulator’s perspective, with a focus on the goals and tactics of the commissioner’s office. Finally, in the third installment, we will cover the best practices of the insurers in compliance reporting.

Part I: The Regulatory Framework

You served as the chief regulator in Iowa: How do regulatory practices in Iowa compare with other states?

Every state essentially has the same mission. Iowa has one of the largest domestic industries, so we have to focus a lot on the issues that go along with having a lot of domiciled companies. We have over 220 companies domiciled in Iowa. I believe that is the eighth most in the country; therefore, we are a top-10 state in the number of domiciled carriers. So, how we focus may be a bit different than if we only had a handful of domestic carriers. Due to the number of companies domiciled in Iowa, we must have a technical skill set and ability to completely understand the all facets of the industry.

Level-setting: What are the goals of the office of the insurance commissioner?

First and foremost, the goal is to protect the consumer. You do that through monitoring a company’s solvency and financial status. You also make sure that companies are following rules and regulations and all the laws on the books.

A lot of folks don’t recognize how complex that regulatory framework is, so you really spend your time not only on financial solvency but also on the market side, making sure that rules are followed.

See also: Time to Revisit State-Based Regulation?  

Even if a state has fewer companies domiciled, is it still interested in solvency? Or is this outsourced to the state of domicile?

That’s a good question. There are two sides – the financial side and the market side. On the financial side, there’s great deference to the lead state. For instance, if you are the lead state regulator of a group that is doing business in multiple states, there will be great deference to that regulator and his or her team that is reviewing those financials and that file. Any regulator can check and have their own views, obviously. But, there’s going to be great deference to that lead state.

Is this the same for market conduct?

On the market side, there’s not nearly as much deference. In fact, while I was commissioner, the NAIC was undertaking an accreditation standard for the market side. On the financial side, every state is accredited by the NAIC. And through this process, there’s much more cohesiveness and deference to that lead state. That doesn’t exist as much on the market side.

So, backing up a second, I’d like to touch on the topic of state-based regulation vs. federal regulation. Is this the right way to regulate this market?

I think it’s a good thing, because it’s local. A lot of insurance is local.

The feds have done a lot of work – whether it’s CMS, the Department of Labor or Treasury – that encroaches on state insurance regulators. I submit that this encroachment creates confusion and is counterproductive. I personally do not believe a federal regulator is going to do a better job and, in fact, believe it would lead to poorer results and hurt consumers. In my opinion, the federal government did not do exemplary work during the financial crisis, and I believe insurance regulators actually performed and executed quite well during that financially stressful time. In looking at that crisis, I have concluded that I do not want federal regulators or prescriptive banking standards forced upon the insurance industry.

State insurance commissioners are either elected by the people they serve or are appointed by a governor or other official or agency head. Those are held accountable at that local level and are part of the communities they serve. On countless occasions, I was stopped by people and asked about insurance issues. It would be very difficult to get that accountability or access if insurance were regulated at a federal level.

Are there areas where the states could improve?

There are some areas: They can do a better job of working together on the market side. But that’s why the National Association of Insurance Commisioners, the NAIC, exists – to create model laws that will create more uniformity across all states. And again, the states have done a tremendous job on the financial side.

The market side has more room to improve –  at least as far as coordination. Regulators have made tremendous progress in recent years, though. In the last six years, by collaborating and coordinating through the NAIC, monumental modernization has occurred. As an example, annuity suitability, ORSA, principal-based reserving, corporate governance, credit for reinsurance and now cyber model laws have all been created and passed in numerous states. Passing a model law out of the NAIC is important because it provides a state a solid model to guide through the legislative process.

What is the downside of state regulation?

There are certainly challenges with the state-based system. One is, at the state level, having resources to do the job. The state of Iowa is really an international regulator as we’re the lead state for Transamerica/Aegon and group-wide supervisor for Principal Financial. We have firms in Iowa with significant international footprints, so Iowa regulates alongside international peers from all over the world. I believe it is critical that Iowa resource the insurance division appropriately, as limiting resources too much ultimately hurts the ability to regulate effectively.

After resources, I think the biggest challenge for states is uniformity issues. An emerging challenge is keeping up with all the technological advances and innovation emerging from the insurtech and fintech area.

Is regulation keeping up with innovation?

Whether or not the old regulatory framework is still relevant today – I believe we will soon have a debate around that and how to modernize. The use of data is going to be a challenge for regulators, whether it’s genetic testing in life insurance or some other topic. There are a lot of issues in the innovation space that regulators are going to have to step up and meet because, if consumers demand change, the answer shouldn’t necessarily be, “We can’t do that.” Maybe we need to look at the rules and the laws and make a concerted effort to modernize.

Over the years, a number of people have come into my office frustrated at the limitations of the current rules and said, “That law’s stupid.” I have to inform them that just because it is illogical doesn’t mean that you can get rid of it. That’s not the commissioner’s job. The legislature passes the laws. The commissioner interprets and enforces the laws. Commissioners do not pass the law, so, when individuals are frustrated, often that frustration is misplaced.

See also: The Coming Changes in Regulation  

All in all, you would say that state-based regulation is the better answer?

I would put the state system up against a federally based system any day.

At the same time, we are the only country, to my knowledge, that has 56 different jurisdictions regulating insurers. Every other nation has a federal one. This poses challenges for international groups; certainly, some reinsurers are facing these issues. It is for that reason that we must coordinate better and speak with a unified voice.

As I have said, I do think the state system is remarkably better for consumers. When I was commissioner, the phone number on my business card went right to my office. I talked to consumers every day who called me directly. I would answer my phone, and they would be shocked that I would answer. There is genuine appeal in that.

When something goes wrong, insurance quickly becomes very personal. Sometimes, it’s bad things happening intentionally or willfully, while other times it’s just misunderstandings. Insurance is incredibly complex. I’d much rather have a system where there is accountability at the state level. You have people working for their citizens whom they go to church with and see around the state.

That’s a much better system than a federal bureaucracy that might have 10 regional offices where it’s impersonal and you have no idea who in the heck you’re talking to.


Innovation Executive Video – Wisconsin’s Ted Nickel

Wisconsin Insurance Commissioner Ted Nickel, president of the National Assn. of Insurance Commissioners, talks with Innovator’s Edge CEO Wayne Allen about insurance innovation, the pace of change and the opportunity for regulators to be more engaged in these efforts.

View more Insurtech Executive videos

Learn more about Innovator’s Edge

Time to Revisit State-Based Regulation?

The states do not have a constitutional “right” to oversee insurance. Clearly, insurance and reinsurance is interstate commerce, which gives federal government the oversight. There are no states rights issues involved.

The McCarran–Ferguson Act, 15 U.S.C. §§ 1011-1015, which was passed by Congress in 1945, does not regulate insurance, nor does it mandate the state regulation of insurance. Section 2(b) of the act does specify that the business of insurance is exempt from the antitrust laws only if it is regulated by the states. It provides that “Acts of Congress” that do not expressly regulate the “business of insurance” will not preempt state laws or regulations that regulate the “business of insurance.”

What else was going on in 1945? Oh, yeah, that World War II thing. Perhaps congress then did not want more responsibility.

It is time that this war-generated act is revisited.

“Perfunctory” would be a kind word for how some of the states actually oversee the insurance process. I have personally experienced insurance departments that are totally unaware of the laws by which they are supposed to be regulating insurance. Regulators either do not know the law or do not care about enforcing it. While I have not witnessed the federal government’s efficiency, to continue the regulatory status quo is to argue that the demonstrated 50-plus (states and territories) individual messes are better than one big mess, while having to accept as a foregone conclusion that a federal system would be a mess.

The states have clearly proven to be lacking in both integrity and self-restraint. The 2015 State Integrity Investigation shows the reality of the situation. Only three states score higher than D-plus; 11 states flunked. The State Integrity Investigation is an in-depth collaboration designed to assess transparency, accountability, ethics and oversight in state government, spotlight the states that are doing things right and expose practices that undermine trust in state capitals. The project is not a measure of corruption, but of state governments’ overall accountability and transparency. The investigation looks at both the laws in place and the “in practice” implementation of those laws to assess the systems that are meant to prevent corruption and expose it when it does occur. State foxes are guarding the henhouse.

While the state insurance regulatory heads are adamant about keeping their perfunctory regulation of insurance based on the misnomer of “states’ rights,” they are by design or defect giving away that power to the quasi-private nongovernmental National Association of Insurance Commissioners (NAIC) or the private rating agencies, which may be thought of as shadow regulators.

In the name of commonality of law among the states, the NAIC produces model legislation, which the states are pressured to accept, lest they lose their cherished accreditation status by the NAIC.

See also: How to Bulletproof Regulatory Risk  

The tactic used by the NAIC is not unlike the federal speed limit of 55 MPH in the ’70s and ’80s. Where does the federal government have the right to tell any state what its speed limit should be? It doesn’t. But the Transportation Department said, Do this, or we won’t give you any highway funds.

So how does this NAIC model legislation thing work? Here is an example.

In the NAIC’s Deceptive Trade Practices Act (DTPA) or (Unfair Trade Practices Act), the NAIC said that if a company does something (bad) with regularity, that may be considered a “trade practice.” Originally, this was NOT anything but additional ammunition for the state insurance regulator, but when Texas passed this model, it did so with two big changes:

  1. A one-time act of bad by the insurance company could be considered a trade practice.
  2. There was a private right of action against the insurance company for violating the DTPA — the right didn’t just belong to the insurance regulator.

Oklahoma passed the act close to the way the NAIC wrote it, yet according to the NAIC both states have passed the model. But sameness in name does not mean sameness in fact.

Fighting Back:

Not everyone sees this drift toward private oversight as a good thing for the insurance consumer. The National Conference of Insurance Legislators (NCOIL) — those elected guys who actually pass the insurance legislation — are trying to do something about the drift.

At its fall meeting in November 2015, NCOIL urged each state legislature, the departments of insurance and insurance commissioners to foster competition in insurer rating.

No single insurer rating agency should be allowed to position itself to supersede state regulation. The message is clear; the state is in charge of insurance regulation, not some private rating agency setting up rules as to what an insurance company must do to get a certain grade.

Major intermediaries appear to favor state oversight, which is logical because reinsurance intermediaries are basically unregulated by the various states, and they are not so likely to remain unregulated if the federal government assumes its rightful place in insurance regulation.

Thomas B. Considine, now NCOIL’s chief executive but previously commissioner of the New Jersey Department of Banking and Insurance, used NCOIL’s spring meeting in New Orleans as the venue to raise public concerns about states becoming subject to the authority of the NAIC, a private trade association composed of the nation’s insurance regulators. The circumstance under which lawmaking authority may be delegated to private organizations is narrow. For that reason, delegation of states’ authority to a private organization (such as the NAIC) needs to be stopped.

The situation makes a good argument for the Treasury Department’s Federal Insurance Office, an agency whose existence has been questioned by the NAIC, as well as some other elements of the industry.

State oversight is not a good argument against federal oversight, especially when the state regulator is doing what it can to cede its power to the private industry and away from itself.

See also: Investment Oversight: Look Beyond Scores!  

Bigger issue

This is not just a turf war; it goes to the very core of the McCarran Ferguson Act itself. An analysis of the act will determine the scope of the antitrust exemptions. History paints a narrow picture. Issues are not centered on whether Congress has the power to regulate the business of insurance but rather whether the commerce clause precludes state regulation altogether. That changes the argument and the analysis.

This is also not a case of which oversight is more appropriate, federal or state, but whether the state should be allowed to continue its oversight in order for various federal exemptions to apply to the entities in the business of insurance. That is, the Sherman, Clayton, and Federal Trade Commission (antitrust laws) apply to insurance only “to the extent that such business is not regulated by state law.” If states regulate, then exemptions apply; if the states do not regulate, the exemptions do not apply. This is a very clear indication that any dismissive perfunctory attitude of some state regulators invites the application of federal law against those in the business of insurance.


  1. Is the activity part of the business of insurance? (Unfortunately, the act does not define the business of insurance, and the legislative history here is not clear.)
  2. If it is, then the analysis goes to the extent to which the activity is regulated by the state. § 2 (b) of the McCarran -Ferguson Act addresses the state regulation activity. (Case law shows that any uncertainty regarding the applicability of the exemption should be resolved against a grant of antitrust immunity.) Unfortunately, the U.S. Supreme Court has not defined what extent is necessary; however, lower courts hold that a statutory framework that is a mere pretense is insufficient. Perfunctory regulation won’t suffice. The legislative history indicates that Congress intended the exemption only when effective state law exists.
  3. If the activity is not regulated effectively by the state, or if the activity constitutes a form of boycott, coercion or intimidation, the activity will be subject to the scrutiny of the antitrust laws.

The wholesale delegation of authority by the various states to the NAIC or deferring to select private rating agencies brings with it the very real possibility of a successful challenge to the state’s current insurance regulatory status quo.