Quarterly Risk Monitoring Checklist
Quarterly cadence run by an insurance carrier or MGA risk-and-compliance lead to monitor regulatory, operational, financial, customer, and cybersecurity risks. Outputs feed the management risk committee and the annual NYDFS Part 500 §500.17 certification.
Regulatory Compliance Review
-
Pull state DOI bulletins from this quarter
Pull bulletins, circular letters, and adopted regulations from each state DOI portal where the carrier is licensed. SERFF activity and NAIC model law adoptions belong here too. Flag anything affecting rate filings, form filings, or unfair claim settlement timing.
-
Verify producer licensing and CE on NIPR
Run the NIPR roster against the appointed-producer list in the AMS. A lapsed CE = lapsed license = no authority to bind, and the carrier wears the unauthorized-transaction exposure. Confirm cross-state appointments for any producer who bound coverage outside their resident state this quarter.
-
Confirm Part 500 attestation status
Walk the §500.17 control list with the CISO: written information security program current, biennial risk assessment on file, MFA on all external access, encryption of NPI in transit and at rest, annual pen test, vendor risk program. Anything trending toward the April 15 certification deadline that isn't green is captured here.
-
Build a remediation plan for Part 500 gaps
Document the gap, the responsible owner, the target close date, and any compensating controls in place until close. The plan goes to the CISO and Audit Committee rather than sitting in a tracker, because §500.17 requires prompt remediation, not eventual remediation.
-
Brief account managers on filed rate changes
Cover state-by-state filing posture (prior approval, file-and-use, use-and-file) and the effective date for any rates pushed live in PolicyCenter. The single biggest unauthorized-rate risk is producers quoting against a filing that hasn't yet been approved in a PA state.
Operational Risk Review
-
Audit FNOL acknowledgement against Chapter 542
Sample 30 first-party Texas claims opened this quarter from ClaimCenter. Confirm 15-business-day acknowledgement and 15-business-day decisioning after all info received. Each missed deadline triggers 18% statutory interest plus attorney's fees and shows up at the next market-conduct exam.
-
Review reserve cadence on open claims
Pull all open claims past the 30/60/90-day reserve-review cadence. Placeholder reserves at FNOL that haven't been refreshed are the leading driver of IBNR drift, and stale reserves are a common market-conduct finding.
-
Re-screen claim payees against the OFAC SDN list
Many carriers screen at policy issuance but not at every claim payment. Claimants, assignees, and structured-settlement annuitants can be added to the SDN list mid-policy. Re-screen all payees this quarter, not just new ones.
-
Identify claims-handling process bottlenecks
Walk the claim cycle-time report with the claims manager. Note examiner caseload outliers, IME scheduling delays, and any TPA hand-off friction. Capture the top three drivers and the accountable owner.
-
Validate disaster recovery RTO and RPO targets
Confirm PolicyCenter, ClaimCenter, and the AMS were exercised against documented RTOs in the last DR test. Any system without a quarterly tabletop or annual full failover is a Part 500 §500.16 finding waiting to happen.
Financial Stability Indicators
-
Analyze written, earned premium, and loss ratio
Pull WP, EP, paid losses, and incurred losses by line of business from the data warehouse. Compare loss ratio to plan and to the prior four quarters. Combined ratio above 100 in any line is a flag for the next pricing cycle.
-
Confirm RBC ratio and statutory surplus
Pull the latest RBC calculation from the actuarial team. Anything trending toward the Company Action Level threshold gets surfaced to the CFO this quarter, not at year-end statutory filing.
-
Review investment portfolio against IPS limits
Confirm asset allocation, NAIC designation distribution, and duration are within the Investment Policy Statement bands. Note any fair-value declines on bond holdings that would affect statutory surplus if realized.
-
Reconcile reinsurance treaty recoverables
Match ceded losses booked in the system to billings sent to each treaty reinsurer. Aged recoverables over 90 days drag on surplus and are a Schedule F penalty if uncollateralized. Flag any follow-form treaty whose triggers don't cleanly match the underlying policy form.
-
Flag material adverse financial trends
Synthesize the loss ratio, RBC, investment, and reinsurance signals into a single answer. Any one of: RBC trending toward Company Action Level, combined ratio above 105 in a top-three line, or aged recoverables above 5% of surplus is a Yes.
-
Escalate adverse trends to the risk committee
Schedule an out-of-cycle risk committee session — don't wait for the standing quarterly review. Brief the CFO and Chief Actuary in advance so the committee discussion focuses on remediation, not on first-time discovery.
Customer Experience Signals
-
Pull DOI consumer complaint counts by state
Pull complaints filed via each state DOI portal this quarter, broken out by complaint reason code. The NAIC complaint index is the trailing public number; the DOI portal feed is what shows up in the next market-conduct exam.
-
Track first-call resolution and claim NPS
Compare claim-close NPS and first-call resolution rate to last quarter. A drop in NPS that lines up with a spike in cycle time usually points at a single examiner team or TPA — drill down before the trend becomes a complaint cluster.
-
Audit declarations page disclosure clarity
Pull a sample of dec pages issued this quarter. Confirm GLBA privacy notice was sent at issuance, NY Reg 187 commission disclosure was included for commercial accounts, and CCPA-aligned language is present for California personal-lines insureds.
-
Review social listening for brand mentions
Pull mentions across review platforms and social. Cluster by claim-handling, billing, and producer-conduct themes. Producer-conduct clusters often precede a DOI complaint and are worth catching early.
Technology and Cybersecurity
-
Run the Part 500 §500.11 vendor risk review
Scope is every third party that handles NPI — TPAs, claim vendors, document destruction firms, even printers handling claim packets. Confirm SOC 2 Type II reports are current and that contractual security clauses are in place. Treating this as IT-vendor-only is a §500.11 finding.
-
Open remediation tickets for vendor findings
For each finding, log the vendor, the control gap, the contractual remedy invoked, and the cure date. Vendors that miss the cure date go into a substitution plan — Part 500 expects prompt action, not a tracker entry that ages out.
-
Verify MFA on remote and third-party access
Section 500.12(b) covers any individual accessing the Covered Entity's network from an external network — including contractor VPN access. Treating MFA as employee-only is the most common scope miss at exam time.
-
Confirm pen test and vuln scan currency
Annual penetration test and bi-annual vulnerability assessment per §500.05. Confirm the report is on file and that material findings have remediation tickets, not just acknowledgements.
-
Review the cyber incident log this quarter
Walk every recorded event against the §500.17 72-hour DOI notification standard. Many response plans default to the HIPAA 60-day window or GLBA's lack of a hard window and miss the much shorter state-DOI clock.
-
Sign off on the quarterly risk report
The CRO signs the quarterly risk report. Capture the overall posture, narrative notes for the board packet, and the digital signature. This is the document the Audit Committee references at the next quarterly meeting.