Compliance

Introduction

Insurance is defined as a “system to make large financial losses more affordable by pooling the risks of many individuals and business entities and transferring them to an insurance company or other large group in return for a premium.”[1]  A multitude of sources not only define insurance terminology but provide educational opportunities as well.  However, the business of insurance is generally poorly understood by those who do not work directly within the industry.

Consider, for example, a new consumer’s perspective of establishing a new relationship with a company for auto or homeowners insurance.  Many first-time buyers of personal insurance are in their late teens or early twenties.  They know that in order to drive off the lot or to get through closing, they need a policy and in some cases, this may be all that they know.[2]

Determining whether to accept a new customer is part of underwriting.  The underwriting process is designed to ensure that the expected financial risk to the company as presented by new customers does not exceed the price of the policy.  Once a policy offer by the company is accepted by the applicant, the relationship between the insured and company is governed by the contract issued by the company to the insured.  Multiple decision points exist throughout the initial and renewing policy terms to ensure that the risk originally accepted remains acceptable to the company, and if not, that appropriate underwriting action be taken.

The complexities in the underwriting process of the personal lines insurance industry are to a great extent based upon the contract and compliance with various categories of laws.  The affects of legal requirements as they apply to insurance consumers are found throughout all decision points of the underwriting process, which is first presented from the contractual perspective to serve as a comparison to the changes made to be legally compliant.

U.S. P&C Personal Lines Insurance Underwriting Process – Contractual Perspective
The life cycle of the underwriting process includes these steps:

1. An applicant requests a quotation or a policy.
2. When the risk is not acceptable, the agent or a company underwriter would so advise the applicant and the process would stop.  Until a policy has been issued, the company has no contractual obligations towards the applicant.  The risk may become acceptable if the applicant accepts a premium increase by:

a.     application of a surcharge

b.    placement in a higher rating tier

c.     placement in an underwriting company with a higher rating structure as compared to the company that received the applicant’s request, or

d.    partial acceptance of the coverage request.  For example, if an applicant requested towing coverage for a vehicle for which several towing claims were recently made, the policy may be acceptable so long towing coverage was not included for that particular vehicle.

These four decisions are types of an “adverse underwriting decision”, which refers to any decision in which the consumer is told “no” in any fashion.  “No, we won’t offer you a lower price” is why a surcharge or placement in a higher rated tier or company is adverse.  “No, we won’t offer everything you requested” is a restriction of requested coverage, and “No, we won’t offer a policy to you” is a refusal to issue.

3. When the risk is acceptable or made acceptable, the application will be rated, a quotation provided, and an offer to insure is made.  The offer may be good for a short time, perhaps a week.  Should the applicant not request coverage during this time, the underwriter may flag the file to follow-up with the applicant shortly before a competitor’s policy would expire (“x”-date follow-up) six or 12 months in the future.  When the applicant accepts an offer to insure, a policy will be issued.
4. By contract, a newly issued policy may be cancelled within a specified period of 30-60 days from the inception date.  Companies want to retain newly acquired business but reserve the right to cancel should additional information be received which, if known before offering to insure would have resulted in the offer not being made.  Cancelling a policy for underwriting reasons is another type of adverse underwriting decision. When an applicant did not fully disclose the driving record of all drivers to be rated on the policy, the underwriter may elect to cancel the policy rather than continue.  Or the policy may be acceptable if the insured agrees to an increased premium or a coverage restriction.  By contract the insurance company must send a written notice to the insured which conforms to contractual provisions when making an adverse underwriting decision.
5. The insured is contractually obligated to make timely and adequate premium payments to maintain the policy.  When adequate and timely payments are received by the company, the policy will continue. Otherwise, the policy would be cancelled based upon the contractual provisions regarding cancellation for nonpayment of premium.
6. Insureds have the right to request cancellation of the policy at any time.  When an insured requests cancellation and the risk is acceptable to the company, the company may attempt to keep the insured as a customer.  If successful, the policy will continue and if not successful, the company will cancel the policy and may set an “x”-date follow-up.
7. Insureds may requests policy adjustments during the policy term.  When there are no underwriting concerns with the policy or the request, adjustments will be made as part of routine servicing of the policy.  Also during the policy period, the company’s claim department may provide information about the insured or the insured property to the underwriting department.  If the information forwarded by the claim department is not judged to materially change the risk, the information would be noted in the file but no further actions would be taken. An underwriter will review requests to adjust the policy and information provided by the claim department.  When the characteristics of the policy, the adjustment request, or the information from the claim department is not acceptable to the underwriter, a review of the contract takes place to determine if an adverse underwriting action may be taken.  If permitted by contract, the underwriter may elect to send an adverse underwriting notice at that time.  If the risk is not acceptable but the contract does not permit action at that time, any changes requested by the insured may still be made.
8. The last type of adverse underwriting decision to be discussed is not renewing a policy, which is contractually permitted so long as sufficient notice is given to the insured.  Before the expiration date of the policy, a review of the policy for continued acceptability will be made.  When it is determined that the policy is no longer acceptable as written, written notice of nonrenewal, adverse modification, surcharge, tier placement, or company placement needs to be sent to fulfill the contract.  If the policy is continued, either as is or after certain adverse underwriting decisions, it is rated and a renewal offer is sent to the insured.

The underwriting process starting at step 5 then repeats until the policy is terminated, either by the customer or the company.  The link below is a graphical illustration of this entire cycle.
Figure 1 – Underwriting Process – Contractual Perspective
The effects of complying with the major categories of laws on the underwriting process follow.

U.S. P&C Personal Lines Insurance Underwriting Process – Contractual and Compliance Perspective

The contractual perspective of the underwriting perspective is simple when compared to the changes required to comply with federal and state laws that affect the business of insurance.[3]  Federal laws generally apply to entire industries or identified activities.  These two federal laws have a significant impact on the personal lines underwriting process.[4]

1. U.S. economic sanctions, administered by the U.S. Treasury’s Office of Foreign Assets Control (OFAC).  The emphasis on compliance with OFAC sanctions increased greatly following the terrorist attacks of September 11, 2001 on U.S. soil.  OFAC regulations affect the underwriting process by prohibiting financial transactions with individuals named on government sanction lists.
2. The Fair Credit Reporting Act, as administered by the Federal Trade Commission.  The FCRA, enacted in 1970 and last amended in 2010, affects the underwriting process when consumer reports are used in the underwriting process.

Each state has unique requirements but the focus here is on laws that are common to most states (with two exceptions).  To further narrow the focus, the illustration is limited to personal auto insurance although it would generally apply to all personal lines policy types.

The categories of state laws that significantly affect the underwriting of personal auto insurance are:

1. Generalized rating and service laws, referring to requirements that affect how a risk is rated or how service to the applicant/insured is provided.  Many of these requirements are derived from the National Association of Insurance Commissioner’s (NAIC) Model Act 880 – the Unfair Trade Practices Act. Introduced by the NAIC in 1947, the Act prohibits unfair discrimination between similar risks and offers other protections.  All states have adopted this model act, at least in part.[5]
2. Underwriting, referring to the initial determination of risk acceptability and continued acceptability.  All jurisdictions regulate adverse underwriting decisions of auto insurance, although the specific application varies (as to how restrictive or permissive the law is, the number of days notice required, type of mailing, etc.). 
3. Privacy and Underwriting combined, based on the 1980 NAIC Insurance Information and Privacy Protection Act, Model 670, and applied to P&C insurance by 13 states.[6]  The Act requires that insurers notify consumer of privacy rights and specific notices associated with adverse underwriting decisions.
4. Privacy based on the state insurance privacy laws required by the Gramm-Leach Bliley Act (GLBA) of 1999.  Forty states used NAIC Model Act 672, the Privacy of Consumer Financial and Health Information Regulation.[7]  The Act requires that insurers notify consumers of privacy rights and to take certain actions based on choices made by consumers.
5. Residual market or assigned risk plans provide basic insurance coverages for applicants who cannot obtain coverage in the voluntary market.  All locations have some variation of a residual market.[8]  Two states (New Hampshire and North Carolina) have reinsurance facilities which require insurers to service risks that the insurer would not voluntarily provide coverage for while the state is the reinsurer.  Both states also have “take-all-comer” requirements – an insurer must accept an applicant and cannot terminate coverage for underwriting reasons.

How these laws affect underwriting is discussed in general terms.  The affects of each unique state law have their own complexities in procedures, notices, training, etc., and the specific details of each requirement are intentionally undeveloped.  The color key below identifies these laws throughout the various steps of the underwriting process.
How these categories of laws affect underwriting is presented in a time sequence begining with a new applicant requesting a policy and ending with the policy being renewed.  All of the individual sequences are part of the underwriting process and are used as to graphically display the entire process with the color coding above.  The first category to discuss is economic sanctions.

U.S. Economic Sanctions (OFAC) Compliance – Confirming Consumers Are Not Sanctioned on U.S. Government Lists

This process starts when an applicant contacts an insurer, or an agent of the insurer, and requests a quotation for a policy.  From the insurer’s perspective, applicant means someone who:

• has not had a previous relationship with the insurer,
• obtained quotations or insurance with the company in the past but presently does not have any active business, or
• an active policyholder who is requesting a quotation for a new policy.

The U.S. Treasury, through its Office of Foreign Assets Control (OFAC), requires all American citizens and businesses to confirm that all persons they do business with are not named on government lists of sanctioned individuals.  This may be done by collecting from applicants the same information that appears on the government lists:  name, date of birth, address, Social Security Number (SSN), and the number and issuing country for a passport.  This information would then be used to screen the applicants against the lists.

All U.S. citizens are required to have a SSN.  Some but not all non-U.S. residents of the United States have been issued Social Security Numbers.[9]  Simple collection of the SSN of all applicants having a SSN will not necessarily lead to compliance with OFAC requirements.  Validation edits in the SSN field to prevent collection and reliance on duplicate numbers, invalid numbers, or number combinations that have not or will not be issued are needed[10].  If the applicant is not a U.S. citizen and does not have a SSN, then the passport information should be obtained to screen against the government lists.

When after screening there is a positive match, then financial transactions between the insurer and applicant is prohibited unless a license is obtained from OFAC before proceeding with the transaction.  Declining a risk is typically an underwriting function; however, according to OFAC, a declination in this case would be based on an Executive Order addressing foreign affairs which preempts state insurance laws.[11]
Figure 3 is a picture of the underwriting process with respect to an applicant requesting a quotation for a policy and compliance with OFAC requirements.
Consumer Report Compliance

Once it is determined that an applicant and all other prospective insureds are not sanctioned by OFAC, or if sanctioned but a license was obtained from OFAC, the next process is determining if a consumer report will be used to underwrite the policy.  Typical examples of the types of consumer reports used in personal lines insurance are investigative consumer reports, insurance scores, motor vehicle reports (MVR), and loss history reports (often generically referred to as a C.L.U.E. report, or Comprehensive Loss Underwriting Exchange).  Two laws affecting privacy, rating, and underwriting need to be addressed.

The Insurance Information and Privacy Protection Act (IIPPA) requires that before personal information about a consumer is obtained from a source other than the consumer or a public database that the insurer is to apprise the consumer of rights available under the act.  To comply with this requirement for applicants who do business over the phone when a consumer report will be ordered, a verbal scripting of these rights is required.  The Fair Credit Reporting Act permits insurance companies to obtain a consumer report when the report will be used in the underwriting process with an individual consumer.
The next phase of the underwriting process is determining if the risk is acceptable.

Quoting and Risk Acceptability and Adverse Underwriting Decision Compliance

The same three outcomes when determining acceptability exist:  acceptable as is, acceptable with modifications, or not acceptable.  The first two outcomes result in the risk being rated.  The last two outcomes require written notice of an adverse underwriting decision.

Two states require insurers to offer auto liability insurance to all who request it because such coverage is mandatory (often called a “take-all-comer” (TAC) requirement).  Insurers may not refuse a TAC under state law.  However, OFAC has issued an opinion that an insurer must refuse to write any request for insurance from for anyone on a sanction list or to obtain a license from OFAC before writing the policy.  The Fair Credit Reporting Act requires notice when the adverse underwriting decision is made, in whole or in part, upon information contained in a consumer report received from a consumer reporting agency.  IIPPA requires notice when the adverse decision is made regardless of whether a consumer report was relied upon.  The wording of an adverse underwriting notice is dependent upon:

•  whether the individual consumer is named on an OFAC list
•  the type of policy
• whether a consumer report was used
• where the consumer resides
• provisions of the state’s version of the Unfair Trade Practices Act and any other applicable state laws, and
• the contract between the insured and the insurance company.

When a quotation is provided and an offer to insure is made, the consumer will decide to accept the offer or not.  When the offer is not accepted, many insurers will follow-up.  When the consumer ultimately agrees, it may be necessary to order consumer reports.
Figure 5 shows how all this fits together.
If a request is made to issue the policy, then determining which written privacy notice or notices must be sent needs to be determined next.

Consumer Privacy Notice Compliance and Adverse Underwriting Decision Compliance

Insurers send consumers a privacy notice to comply with the requirements of the Gramm-Leach-Bliley Act (GLBA) privacy provisions.  IIPPA has separate privacy provisions than those of the GLBA.  In an IIPPA location, the consumer will receive both the GLBA and IIPPA privacy notices if the insurer does not voluntarily extend IIPPA privacy rights to consumers outside of IIPPA states.

GLBA requires the notice be given to all new consumers and then annually thereafter.  However, it would not be necessary to send an additional GLBA notice to an existing consumer.  IIPPA requires the notice to be provided with each new policy and also at least annually with renewal policies.

While a company may simply provide the GLBA notice with every new policy, there are consequences to doing so.  There is an expense associated with printing, paper, postage, etc.  More practically, a company may not legally alter its data sharing practices without having first notified all affected consumers.  This means that if the company relies on its annual GLBA notice, it could time changes to when the mass mailing is sent.  If, however, the company routinely sends a GLBA notice, then it would have to send an off-cycle notice, thereby changing the date of the mass mailing.  From a consumer perspective, there could be several notices received in the mail addressing privacy matters.
Once the privacy notice process is complete, the company enters into the initial underwriting period in which it may re-assess its risk decision.
Initial Underwriting Period Risk Acceptability and Adverse Underwriting Decision Compliance

Some companies avoid the expense of consumer reports when preparing a quotation.  If the applicant decides not to buy a policy, this expense is not incurred.  Most locations allow insurers a set amount of time, typically 45 or 60 days, in which to evaluate its risk decision.  For insurers that wait to order consumer reports until after a policy has been issued, the company evaluates the information provided by the consumer report and determines if the risk is acceptable.  The outcomes are the same as before:  acceptable as is, acceptable with modifications, or not acceptable.  Once again, the first two outcomes result in the risk being rated.  The last two outcomes require written notice of an adverse underwriting decision.

When the policy is continued, either as is or following an adverse underwriting decision, the insured is contractually obligated to make timely and adequate premium payments to maintain the policy.  This is a continual process occurs which occurs throughout the life of the policy.  When appropriate amounts are timely received by the company, the policy will continue.  Otherwise, the policy would be cancelled in accordance with the contractual provisions regarding cancellation for nonpayment of premium.
The next process, which is also continuous, encompasses insured’s requests to cancel the policy, making decisions regarding consumer requests for policy changes and/or communication from the company’s Claims Department that may be made during the life of the policy.

Consumer Requests (Policy Cancellation or Policy Adjustments), Claims Department Communications, and Adverse Underwriting Decision Compliance

An insured may request to cancel the policy at any time during the policy term.  If the company’s experience with this consumer is favorable, the company may attempt to change the insured’s decision.  If this effort is favorable, then the policy is allowed to continue.  If not, then the policy is cancelled and any unearned premium must be timely returned.  If the company’s experience is not favorable, then the request would likely be fulfilled without any further action or follow-up.  Also throughout the life of the policy, the insured may make requests or the company’s claims department may send notices to the underwriting department.  The request or the information provided has to be evaluated, after which it may be determined that request or information means the risk is acceptable as is, acceptable with modifications, or not acceptable.

The first two outcomes result in the risk being rated.  The last two outcomes require written notice of an adverse underwriting decision, if the laws of that jurisdiction permit sending notice at this time.
If the policy is continued, the next process is the review of the risk to determine continued acceptability before the company agrees to renew the policy.
Periodic OFAC Compliance, Renewal Risk Acceptability and Adverse Underwriting Decision Compliance
Periodically, OFAC expects that businesses check the government lists again to validate that there are no matches.  This may be done as often as determined by the company to be prudent, but it is likely done before a policy renews or paying a claim.  Renewal risk reviews are usually completed by insurers before each policy renewal, regardless of the periodic OFAC review.  Insurers typically check all insureds’ experience with the company.  Unfavorable factors, such as a poor payment or loss history are considered.  If it is decided to obtain a consumer report, it may be necessary to provide the appropriate notifications before doing so.

If a consumer report is obtained, it must be evaluated with sufficient time to send a notice of adverse underwriting, if that is the ultimate decision.  Any information provided by the company’s claims department is evaluated during this review also.  Once again, the outcome of the evaluation is acceptable as is, acceptable with modifications, or not acceptable.
The first two outcomes result in the risk being rated for an offer to renew the policy.  The last two outcomes require written notice of an adverse underwriting decision, if it is permitted to send notice at this time.
If the policy is continued, it is then rated and renewed.
The final process is determining which privacy notices to send with the offer to renew the policy.

Renewal Consumer Privacy Notice Compliance

As previously noted, if the GLBA notice was already sent within the past year, it is not necessary to send it for the renewal of this policy.  However, the IIPPA notice must be sent with the policy at least annually.

From here, the cycle continues throughout the life of the policy. While this may not be the exact steps or sequence of steps that are followed from company to company, this presentation shows the essential processes and complexity of personal lines insurance underwriting.

The link below shows how all of these processes fit together into a cohesive flowchart.
Figure 10 – Underwriting Process – Contractual and Compliance Perspective
Summary
Most insurance consumers believe the business of insurance is difficult to comprehend, even though there are educational opportunities to learn more about insurance.  Insurers are bound by the contract issued to insureds and have incentive to maintain positive customer relationships in order to remain profitable.  When insurance companies do not abide by the contractual language or fail to comply with statutory requirements, the consequences to the company range from negligible to catastrophic.  Additionally, not only consumers but regulators, examiners and auditors, rating agencies, and courts expect insurers to comply with all applicable contractual provisions and regulations.
As demonstrated in the preceding graphs, insurance is made even less comprehensible to consumers and others outside the industry based on changes to processes necessitated to comply with the various laws that affect the business.  Although both consumers and companies would benefit from consumers being better informed, when considering the range of regulatory requirements above the contractual provisions, the insurance industry has limited opportunities to simplify its processes so that insurance consumers achieve a level of understanding with any significant depth.
Appendix A:  Major U.S. Federal Laws and General Affects on P&C Personal Lines Insurance Companies

Appendix B:  Insurance Information and Privacy Protection Act State Populations[12]

INTRODUCTION

REFERENCES

ENDNOTES

Joseph L. Wiest, CPCU, ARC, ACP, is a corporate compliance director of market conduct with a top ten P&C insurance group.  He is a graduate of the University of Nebraska, having earned a B.S. in business administration. Since 1984, he has been employed in the insurance industry, working 20 years for a major personal lines direct writer, holding positions in customer service, line underwriting, staff underwriting, and compliance.  He also served as the compliance officer of a nonstandard auto carrier for two years.  He has earned a business ethics certificate from Colorado State University in addition to nine other professional insurance designations.

Introduction
All businesses, including insurance companies, have a philosophy, or an ethical position, whether to comply or not comply with external requirements.  This article analyzes the processes of a compliance program in the context of the property and casualty insurance industry of the United States, from the perspective that a company’s philosophy is to comply with external requirements (laws), and that the company has an established and effective compliance program.  The processes within a compliance program are discussed in more detail below and are offered as a model of best practices.
A company’s philosophy is often stated in a corporate ethics policy which provides a general framework for the entire company.  The effectiveness of a company’s compliance program is largely dependent upon the given company’s philosophy.  A philosophy that is supportive of compliant practices gives these companies a competitive and profitability advantage over companies that do not have a supportive policy or an ineffective compliance program.
A compliance program, like any other program, is administered through its processes.  Beyond a supportive philosophy, the effectiveness of a compliance program is dependent upon processes within the program.
To ensure understanding, the terms listed below are used as follows:

• Compliance:  the act or process of conforming to a desire, demand, or proposal or to coercion, a disposition to yield to others¹
• Laws:  a rule of conduct or action prescribed or formally recognized as binding or enforced by a controlling authority² (includes laws, statutes, regulations, administrative codes, court rulings, and hearing decisions as issued by a governmental agency with jurisdictional authority)
• Program:  a plan or system under which action may be taken toward a goal³
• Process: a series of actions or operations conducing to an end⁴

The Processes of a Compliance Program
The goal of a company’s compliance program is to assist the company in meeting its financial goals by focusing on at least three separate processes.

1. Pre-compliance monitoring
2. Compliance implementation
3. Post-compliance validation

Pre-Compliance Monitoring
The pre-compliance monitoring process focuses on three areas:  the monitoring of governmental agencies for proposed new laws or changes to current laws; analyzing these proposals to determine likely affects on the business; and possible attempts to influence the proposal to a more favorable outcome.  This process necessarily concentrates on the three branches of the government.
Besides governmental agencies there are other external sources that may impose limits on businesses.  Additionally, a business may limit its actions though policies the company adopts.  Table 1 summarizes this information.

Table 1 – Sources of Limitations upon Business Processes

Laws are enacted by and enforced through the authority of the government; contracts by the signing parties; and policies by companies.  Since laws are enforceable by the government, laws are complied with.  Companies voluntarily agree to sign contracts and thus voluntarily agree to fulfill their obligations under the contract and expect all other parties to the contract to do the same.  Companies and employees agree to a mutual exchange of payment for work.  By accepting payment, the employee agrees to the terms of employment, which includes agreeing to follow company policies, and companies expect their employees to follow company policies.  With the compelling forces behind contracts and company policies being self-imposed (voluntary), the proper term to describe abiding with contracts and policies is adherence, not compliance.

Each of the sources of requirements upon businesses is explored next.
Regulatory Agencies. State governments are the primary regulators of the insurance industry in the United States, based upon U.S. federal law (the McCarran-Ferguson Act of 1945), which stipulates:

No Act of [the U.S.] Congress shall be construed to invalidate, impair, or supersede any law enacted by any State for the purpose of regulating the business of insurance, or which imposes a fee or tax upon such business, unless such Act specifically relates to the business of insurance:  Provided, That after June 30, 1948, the Act of July 2, 1890, as amended, known as the Sherman Act, and the Act of October 15, 1914, as amended, known as the Clayton Act, and the Act of September 26, 1914, known as the Federal Trade Commission Act, as amended (15 U.S.C. 41 et seq.), shall be applicable to the business of insurance to the extent that such business is not regulated by State Law.⁵

Although state insurance departments are the primary regulators, many other state and federal agencies also affect the industry.  For example, a state’s Department of Labor has regulations that affect all businesses that hire employees.  Specific to insurance, regulations from a state’s Department of Motor Vehicles address topics such as financial responsibility and auto insurance identification cards.  The Federal Trade Commission, through the Fair Credit Reporting Act, imposes requirements upon companies that use consumer reports to underwrite or rate business.  To remain compliant, companies should monitor for new and changes in existing laws from the federal government and all state agencies.
A regulatory agency’s authority is derived from a legislative statute, which often empowers the appropriate regulator to publish regulations to implement and administer the statute’s requirements.  Some jurisdictions grant regulators the authority to conduct administrative hearings, which enable regulators to issue binding decisions without a formal court proceeding.
Legislative Actions. Some laws apply to all but exempted businesses.  Examples include income taxes, employee safety and payroll laws, and medical information privacy.  All companies are subject to income taxes unless exempted under the law.  All businesses that employ more than a specified number of employees must abide by employee safety and payroll laws.  Before an individual’s health information is obtained, medical care providers and the requesting party must abide by the privacy requirements of the Health Insurance Portability and Accountability Act (HIPAA).
Some laws apply only to a specific activity, such as the business of insurance.  Although most state statutes that affect an insurance company’s operations are grouped together in a state’s insurance code, some statutes that affect operational activities appear outside of the insurance code.  Insurers writing homeowners insurance need to know about statutes often categorized as family law for risks related to a daycare business in the home.  Insurers writing auto insurance need to review the motor vehicle or traffic code for laws about driver’s licenses and other topics.  A comprehensive review of all of the various codes is needed to identify all statues that affect the business of insurance.
In addition to legislation, another method of laws being enacted is ballot propositions which are approved in elections.  Twenty-seven states allow propositions to be placed on ballots in a variety of forms, including through the collection of voters’ signatures or directly by an elected legislature.⁶ The effect of ballot propositions that receive a majority popular vote is the same as a legislative bill that becomes law.
Judicial Decisions. Court decisions, called either case law or common law, may involve an individual or class, be from any level of government (city, county, state, or federal), and may or may not be specific to insurance.  A decision may be narrowly construed to the case decided or it may strike entirely or a portion of or redefine a statute, regulation, contract, or a previous court decision.  Insurance companies need to monitor case law because a violation of court rulings would result in non-compliance.
Non-Governmental Limitations on the Processes of Companies. Contracts into which a company voluntarily enters with a trade association, partner, vendor, or other businesses often require the company to agree to certain limitations or provide information on the insurer’s activities.  For example, a contract may specify that the products or services may only be used for lawful purposes, or have restrictions on whether data obtained through the particular business relationship may be shared outside that relationship.
A contract may also require the company to provide data on its activities.  A company may choose to be a member of a trade association or rating organization.  One of the requirements of being a member may include providing data on the company’s business activities, such as premium volumes by line of business or claim indemnification payments.
Lastly, a company may limit its activities through its own policies.  For example, many states permit insurers to use consumer credit information as a rating factor, yet a given insurer’s policy may be to not use credit information.  Thus, insurers may refrain from exercising legally permitted rights.
Upon identification of all of the sources of requirements, a compliance program would establish a process to monitor for changed or new requirements from these sources.  This is discussed below.
Initiation of the Pre-Compliance Monitoring Process
The pre-compliance monitoring process is initiated when an external requirement from a governmental authority is proposed.  Before laws are enacted, companies regularly analyze proposed laws to determine if their passage would require the company to change any of its business processes.  The pre-compliance monitoring process consists of at least three activities:

1. Monitoring the sources of law changes
2. Analysis of the proposed changes and the expected affects on the relevant business process.
3. Possible attempts to influence a governmental official to pass or not pass laws that are deemed beneficial or harmful to the company or expression of support for those proposals that are viewed as being favorable.

Employees responsible for the company’s compliance implementation process, in coordination with the business area or areas that would be affected should a legal requirement change, typically handle impact analyses.  The analysis is then communicated to the company’s staff that is registered as lobbyists of government officials.  Lobbying attempts occur in at least four different ways.

1. A legislator is asked to support or withdraw a bill or amend it to be favorable or have no effect.
2. The governor is asked to sign or veto a bill.
3. A regulator is asked to introduce or withdraw a proposed regulation or amend it to be favorable or have no affect.
4. Businesses directly communicate with customers or request communication through a trade organization or lobbyist.  The purpose of the communication is to educate customers as to the positive or negative affects on customers and the particular business of the proposed law and to request the customers to notify their elected officials of their support for or against the proposed law.

Companies may also attempt to influence the outcome of a pending court case.  Although the company is not a party in the lawsuit, if it has sufficient interest in the outcome, the company may attempt to persuade the court to decide the case in accordance with its interests.  This attempt is accomplished through an amicus curiae (friend of the court) filing.
While employees supporting the compliance implementation process identify suggestions to document a company’s stance on a proposed change, lobbying, developing customer correspondence, and filing legal petitions require specialized skills.  The first three lobbying methods usually are handled by the company’s staff with governmental affairs responsibilities or a contracted lobbying firm.  The fourth lobbying method would probably include these same areas along with the business department for customer communications, and staff or retained counsel, with the expertise to petition a court, would handle the last lobbying method.
The pre-compliance monitoring process assists a company to meet its financial goals by identifying legal requirements and attempts to mitigate the extent of these requirements.  A company that does not monitor and analyze proposed new laws and changes to existing laws faces unknown legal risks.⁷  The consequences of these unknown risks range from a nominal fine to a threat to the company’s survival.  A company that does not engage in lobbying activities may be limiting its opportunities to eliminate or constrain the affect of proposals, which if enacted, would be an expense to the company.
Once the compliance monitoring process is completed, the result will either be that the company is now subject to an altered or new requirement.  As this occurs, the next process within the compliance program begins.
Compliance Implementation
The goal of the compliance implementation process is to ensure that a company analyzes all laws which may affect its business activities and to make changes to become or remain compliant with those laws.  The compliance implementation process begins when a new law or changes to an existing law are enacted, which requires monitoring of all of the governmental agencies identified in the previous section.  A compliance implementation process and the staff that support it should bridge the company’s legal counsel with the company’s business functions. Once aware of a new or changed law, employees responsible for this process in a company react to the new law and proactively execute this process.
The steps in the compliance implementation process are to:

1. Identify all of the requirements contained in the changed or new law.⁸
2. Understand the requirements.  If the requirements are not understood, an attorney who specializes in the particular section of law should be consulted.
3. Understand the business process that is affected.  This is accomplished by meeting with the functional area responsible for the process.
4. Determine what changes, if any, need to be made to the business process in consultation with the functional area and other necessary areas (computer systems, etc.).
5. Document that the appropriate changes were made by the business area affected by the law.

Companies may choose to monitor for changes to laws by subscribing to a service or joining a trade association that provides notices of new statutes and regulations.  Another monitoring method is to routinely review state government legislative and regulatory websites for information on new statutes and regulations.
Case law, administrative law, and alternative dispute resolution methods such as binding arbitration, each of which issue binding decisions that address a specific situation, also need to be monitored.  Changes to a business process may be required to comply with a judicial or administrative ruling or arbitration decision.  If so, the compliance process steps should be followed to ensure the business process is appropriately changed to be compliant.
In addition to responsibilities for monitoring changes in existing laws or new laws, a compliance implementation process should be used to evaluate changes to processes initiated by management proposals.  This evaluation should help ensure that all business processes are compliant and that those who administer the compliance implementation process are aware of all business processes.  The first two steps in the compliance implementation process are modified during a review of management proposals to:

1. Find out what the requirements are as contained in the management decision.
2. Understand the requirements.  If the requirements are not understood, additional details should be sought from management.  As needed, an attorney should be consulted.

A compliance implementation process that is consistently followed will ensure that compliance is systemically integrated into all business processes.  This proactive control increases the likelihood that the company will be consistently successful and fulfills the goal of the compliance implementation process.
After the implementation process is completed, there may be interest in validating that the process was properly completed.  The final process to be completed is post-compliance validation.
Post-Compliance Validation Process
Post-compliance validation of the effectiveness of a compliance implementation process is conducted either internally or externally.  Validation is determined internally by an audit or externally by a regulatory examination, a regulatory or judicial hearing, or through arbitration.  From the perspective of the company, the goal of post-compliance validation exercises is to protect the company by determining whether the compliance implementation process was accurately completed.  From the perspective of an external examiner, the goal is protect insurance consumers by determining if the company was compliant or non-compliant.
Companies utilize internal auditing as a “safety net for compliance with rules, regulations, and overall best business practices.”⁹  State regulators have statutory responsibility and authority to conduct examinations and hearings to protect consumers.¹⁰  Judicial hearings and arbitration are legal proceedings that are granted respectively through lawsuits or contractual requirements.
An audit or exam that determines the company did not properly comply with the requirements of the laws under review subjects the company to:

• take corrective actions (possibly including premium refunds or additional claim settlements);
• assess the reason or reasons why the compliance implementation process failed; and
• regulatory fines.

However, should the determination be that the company did properly comply with legal requirements, it will validate that the compliance implementation process was successful.  In so doing, it also confirms that the process assisted the company to meet its financial goals by avoiding the consequences of not complying as listed above.
Separate Skills Required for Each Process
The pre-compliance monitoring and compliance implementation processes each require skills unique to that process.  As noted, the lobbying skill of pre-compliance is different from the skills required with implementing changes to be compliant.  For each process to be effective, and therefore a competitive advantage, a company should select staff to administer each process of its compliance program with employees who have the required skills for the particular compliance process.  Similarly, the internal process of conducting audits or the internal process of supporting external examiners requires different skills than those necessary for pre-compliance monitoring and compliance implementation.  For a company to administer these processes as “other duties as assigned” is to fail to see the unique nature of each process.
Compliance Case Study
The case study below emphasizes the iterative nature of handling changes to existing laws and new laws and points out the differences of compliance and other business processes.  Activities are identified as occurring externally or internally with respect to the insurer and the entity taking the action.
The study entails what appears to be a relatively simple proposal:  to reduce the initial underwriting period, during which an insurer is permitted to cancel a policy with few restrictions, from 60 days to 45 days.  Such a change would require that the underwriting of newly accepted risks and determination to continue or cancel the policies in a shorter timeframe.
This fictional jurisdiction requires each insurer to file its underwriting manual and agree to arbitration for unresolved disputes between the insurer and insured; permits consumers to sue insurers; and the insurance department has the authority to conduct examinations and administrative hearings. This apparently minor change to one of a fictional jurisdiction’s underwriting laws also illustrates the complexity of compliance within the business of insurance.
I. Pre-Compliance (External):  State Legislature
A legislative bill is introduced to reduce the initial underwriting period from 60 days to 45 days.
II. Pre-Compliance (Internal):  Governmental Affairs, Compliance, and Underwriting Departments
The insurance company’s governmental affairs department notifies the compliance department of the bill.  After analysis of all expected changes necessary at a high level, the compliance department coordinates a response with underwriting and responds to governmental affairs.  Governmental affairs may take no action or work with a lobbyist or trade association, directly lobby legislators or the governor, or testify at a legislative hearing to ensure that the company’s position on the bill is known.
III. Pre-Compliance (External):  Legislature and Governor
The legislature passes the bill.  If the governor signs the bill, or if the governor vetoes the bill but the legislature overrides the veto, the bill becomes a public act.
IV. Compliance Implementation (Internal):  Compliance, Underwriting, Procedures, Training, Computer Systems, and Regulatory Filings Departments
The compliance department becomes aware of the public act and follows its process to:

1. Identify all of the requirements contained in the changed or new law.
2. Understand the requirements.  If the requirements are not understood, an attorney who specializes in the particular section of law should be consulted.
3. Understand the business process that is affected.  This is accomplished by meeting with the functional area responsible for the process.
4. Determine what changes, if any, need to be made to the business process in consultation with the functional area and other necessary areas (support, computer systems, etc.).
5. Document that the appropriate changes were made by the functional area.

The simple change of reducing the initial underwriting period from 60 to 45 days would be easily identified and understood by the compliance department.  An attorney’s assistance is not needed to clarify the change to the law, but staff counsel would likely be notified to ensure awareness of the change.  The compliance employee would then discuss the issue with an underwriting department employee to determine the scope of the changes.  After this consultation, a detailed account of all affected processes would be made.
Compliance with this change in law requires:

• Creation of a new mandatory amendatory endorsement that changes the section of the insurance policy which discusses the number of days notice needed to cancel a policy.  The endorsement needs to be filed with the state by the company’s regulatory filing department;
• Amendment and filing of the company’s underwriting manual by the company’s regulatory filing department;
• Modification of the procedures, forms and correspondence used to send notice of cancellation to consumers, training, and computer systems used by underwriters;
• Communication of the change to all underwriters; and
• Communication of the change to claims staff, so claim handlers are aware of the new amendatory endorsement as it affects policy effective dates.

The compliance specialist would document that the changes made to remain compliant took place by the effective date of the law, provided there was sufficient lead time to accomplish the necessary changes before the law’s effective date and in consideration of when regulatory approvals to use the amendatory endorsement and revised underwriting manual are received.
With both simple and complex laws, an insurance company must review all affected processes to ensure it is meeting its compliance obligations.  Thus, a company that has already established a systemic compliance process is in a better position to effectively comply with a law requiring complex changes than a company that does not have a systemic compliance process.
V. Post-Compliance (Internal):  Auditing Department
The company’s internal auditing or quality assurance/control department conducts an audit to determine if:

• Regulatory approval to use the amendatory endorsement and revised underwriting manual were received;
• The amendatory endorsement was attached to policies after the regulatory approval date;
•  All initial underwriting cancellations are sent within the first 45 days of the policy;
• Any claims were improperly denied based on an improper cancellation date, and;
• If any of these items was not properly handled, to determine what corrective actions are necessary.

VI. Post-Compliance (External):  State Insurance Regulator, Arbitration, and Judiciary, and Post-Compliance (Internal):  Various Departments

1. Customer Complaints:  Customers write to the insurance regulator and assert that cancellation notices are not valid because they were sent after the first 45 days from the policy issue date.  The regulator sends the complaint to the insurance company’s consumer affairs department, which would coordinate with the underwriting department to provide a response.
2. Market Regulation:  The state department of insurance conducts a market conduct examination.  With respect to this topic, the examination would review the same points which the company’s internal audit reviewed.  The business unit within the company that coordinates regulatory examinations is involved and would coordinate with the regulatory filing, underwriting and claim departments.
3. Administrative Hearing:  The state department of insurance holds an administrative hearing following consumer complaints alleging that cancellations are taking place after the first 45 days, to determine if the allegations are accurate.  The company would have representation at the hearing, perhaps a government affairs specialist, attorney, or underwriter.
4. Arbitration:  An individual consumer who believes that the initial underwriting period cancellation was invalid requests that the company submit to arbitration.  The company would likely be represented by an attorney at the arbitration proceedings.
5. Litigation:  An individual consumer, or a class of consumers, sues the insurance company for sending initial underwriting period cancellation notices after the initial underwriting period.  The company would be represented either by staff or retained counsel.

Both simple and complex legal requirements must be properly understood, coordinated, and implemented to ensure compliance.  A compliance process that is proactive and systemic permits a company to be proactive and systemic in handling allegations of non-compliance.
Summary
Every business, as part of the larger society, is subject to government oversight.  Businesses have an interest in proposed law changes that may alter their business processes (pre-compliance monitoring), in following laws (compliance implementation), and in confirming compliance (post-compliance validation) and therefore form a compliance program to administer these processes.  A pre-compliance monitoring process must monitor all government sources for proposals to change current law or for new laws to ensure risk exposures to the company do not remain unidentified.  With the enactment of a new law or a change to an existing law, a compliance implementation process reacts to the law to proactively change its business processes.  Post-compliance validation of a company’s compliance processes may be conducted by the company, a regulator, or through arbitration or a judicial proceeding.
The primary goal of any company is to be profitable.  One way for a company to meet its financial goals is to support compliance as a separate business function that links the company’s other business programs to the company’s legal counsel and governmental affairs lobbyists.  In so doing, companies establish a competitive advantage over companies that either do not support compliance activities, do not treat compliance as a separate business function, or have an ineffective compliance program or processes.
References

Initiative and Referendum Institute, “States with Direct (DA) and Indirect (IDA) Initiative Amendments; Direct (DS) and Indirect (IDS) Initiative Statutes and Popular (PR) Referendum”,.
The Institute of Internal Auditors, “Frequently Asked Questions – Internal Auditing”, [http://www.theiia.org/about-the-profession/internal-audit-faqs/?i=1078].
The Maven’s Word of the Day, “roger wilco”, [http://www.randomhouse.com/wotd/index.pperl?date=19970207].
Merriam-Webster, Inc., Merriam-Webster Online, Dictionary definitions of the words compliance, complying, law, process, and program, [http://m-w.com/dictionary/compliance], [http://www.m-w.com/dictionary/complying], [http://m-w.com/dictionary/law], [http://www.m-w.com/dictionary/process], [http://www.m-w.com/dictionary/program].
National Underwriter, “Insurance Legislation Surges This Year In Congress, Legislatures”, [http://www.property-casualty.com/News/2009/9/Pages/Insurance-Legislation-Surges-This-Year–In-Congress-Legislatures.aspx].
New York Insurance Law Chapter 28, Section 304 and Section 309, [http://codes.lp.findlaw.com/nycode/ISC/3/304  and http://codes.lp.findlaw.com/nycode/ISC/3/309].
Office of the Law Revision Counsel, U.S. House of Representatives.  “The McCarran-Ferguson Act, Section 1012 (b), [http://uscode.house.gov/uscode-cgi/fastweb.exe?getdoc+uscview+t13t16+1469+4++%28mccarran%2].
United States Army, Fort Belvoir, Virginia, History of the term WILCO, [http://www.afms1.belvoir.army.mil/dictionary/w_terms.htm].

Joseph L. Wiest, CPCU, ARC, ACP, is a corporate compliance director of market conduct with a top ten P&C insurance group.  He is a graduate of the University of Nebraska, having earned a B.S. in business administration. Since 1984, he has been employed in the insurance industry, working 20 years for a major personal lines direct writer, holding positions in customer service, line underwriting, staff underwriting, and compliance.  He also served as the compliance officer of a nonstandard auto carrier for two years.  He has earned a business ethics certificate from Colorado State University in addition to nine other professional insurance designations.