Compliance Audit Checklist

Audit Scoping and Kickoff

    List every state where the entity holds a certificate of authority or producer appointments. Each state DOI has its own market conduct posture; NY (23 NYCRR Part 500), CA, FL, TX and the states that have adopted the NAIC Insurance Data Security Model Law drive most of the work.

    Retrieve the most recent state DOI market conduct exam report, financial exam report, and any open Corrective Action Plans. Repeat findings carry materially higher penalties at the next exam.

Producer Licensing and Appointments

    Pull the current producer roster from the AMS (Applied Epic, AMS360, or equivalent) and reconcile NPNs against NIPR. Flag any producer who bound business in a state where they hold a non-resident license but no appointment from the carrier that issued the policy.
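The reconciliation the item describes is a three-way join: bind log against the license roster, then against the appointment list. The script below is an added example, not part of the original checklist; it assumes three CSV exports with the hypothetical column names shown (a roster already reconciled to NIPR, the carrier appointment list, and the bind log from the AMS) and uses constructed sample rows.

```python
"""Reconcile bound business against producer licenses and carrier appointments.

Added example, not from the original checklist. Assumes three exports with the
hypothetical columns shown: a producer roster already reconciled to NIPR, the
carrier appointment list, and the bind log from the AMS.
"""
import csv
import io

# Constructed sample data, not real producers or policies.
ROSTER = """\
npn,state,license_type,status
1001,TX,resident,active
1001,OK,non-resident,active
1002,TX,resident,active
1003,TX,resident,lapsed
"""

APPOINTMENTS = """\
npn,carrier,state
1001,Carrier One,TX
1002,Carrier One,TX
1002,Carrier Two,TX
"""

BINDS = """\
policy,npn,carrier,state,bound_on
P-1,1001,Carrier One,TX,2024-03-01
P-2,1001,Carrier One,OK,2024-03-05
P-3,1002,Carrier Two,TX,2024-04-10
P-4,1003,Carrier One,TX,2024-05-02
P-5,1001,Carrier Two,TX,2024-06-01
"""


def rows(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def build_indexes(roster_csv, appointments_csv):
    """Index licenses by (npn, state) and appointments by (npn, carrier, state)."""
    licenses = {(r["npn"], r["state"]): r for r in rows(roster_csv)}
    appointed = {(a["npn"], a["carrier"], a["state"]) for a in rows(appointments_csv)}
    return licenses, appointed


def check_binds(binds_csv, licenses, appointed):
    """Return {policy: reason} for every bind the producer was not authorized for."""
    exceptions = {}
    for b in rows(binds_csv):
        lic = licenses.get((b["npn"], b["state"]))
        if lic is None:
            exceptions[b["policy"]] = "no license in state"
        elif lic["status"] != "active":
            exceptions[b["policy"]] = f"license {lic['status']}"
        elif (b["npn"], b["carrier"], b["state"]) not in appointed:
            # Licensed (resident or non-resident) but not appointed by this
            # carrier in this state: the case the checklist item flags.
            exceptions[b["policy"]] = (
                f"no {b['carrier']} appointment ({lic['license_type']} license)"
            )
    return exceptions


if __name__ == "__main__":
    licenses, appointed = build_indexes(ROSTER, APPOINTMENTS)
    for policy, reason in sorted(check_binds(BINDS, licenses, appointed).items()):
        print(policy, reason)
```

The roster here is a point-in-time snapshot, so a lapsed license flags every bind by that producer; a production run should compare `bound_on` against the license's effective and expiry dates so that binds placed before the lapse are not reported as exceptions.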

    CE hour and line-of-authority requirements vary by state. A lapsed CE requirement is a lapsed license: any business bound after the lapse is an unauthorized transaction, subject to rescission and producer fines. Compare CE completion and license expiry dates against bind dates, not just the producer's status today.

    NY Insurance Reg 194 (producer compensation transparency) and CA SB 250 require written commission disclosure to mid-market commercial insureds. Sample 25 bound accounts from the past year and confirm the disclosure is on file for each.

    Only when unauthorized binds are found: coordinate with the carrier on rescission of any policy bound outside the producer's authority, and self-report to the affected state DOIs; voluntary disclosure reduces penalty exposure.

Data Security and Privacy

    A Written Information Security Program (WISP) is required by the GLBA Safeguards Rule and the NAIC Insurance Data Security Model Law. Confirm the named CISO (or equivalent) is current, the program reflects this year's systems inventory, and the most recent risk assessment is attached.

    NYDFS Part 500.12 requires MFA for any individual accessing the internal network from an external network, including third-party vendors with VPN access (the November 2023 amendment broadens this to any access to the entity's information systems). Pull the IdP report and confirm that contractor, vendor and service accounts with remote access are in scope, not just employees, and that any CISO-approved substitute control is documented as a written exception rather than showing up as an account with no factor enrolled.
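The audit failure this item targets is scoping by account type ("employees") instead of by access path. The script below is an added example, not from the original checklist; it assumes a CSV export with the hypothetical columns login, account_type, groups, mfa_factors and status (map them to whatever your IdP actually emits), treats membership in a hypothetical set of remote-access groups as "accessing the internal network from an external network", and runs over constructed sample rows.

```python
"""Check an IdP user export for the Part 500.12 MFA requirement.

Added example, not from the original checklist. Assumes a CSV export with the
hypothetical columns login, account_type, groups, mfa_factors and status.
"""
import csv
import io
from collections import Counter

# Constructed sample export, not real accounts.
SAMPLE_EXPORT = """\
login,account_type,groups,mfa_factors,status
alice@example.com,employee,vpn-users;finance,okta_verify,ACTIVE
bob@example.com,employee,finance,,ACTIVE
carol@acme-tpa.example,contractor,vpn-users,,ACTIVE
dave@printco.example,vendor,vpn-users;print-vendors,sms,ACTIVE
erin@example.com,employee,vpn-users,,DEPROVISIONED
svc-backup,service,vpn-users,,ACTIVE
"""

# Assumption: membership in any of these groups grants access to the internal
# network from an external network (VPN, remote desktop gateway, etc.).
REMOTE_ACCESS_GROUPS = {"vpn-users", "rdgw-users"}


def parse_export(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def has_remote_access(row):
    """True if the account sits in at least one remote-access group."""
    groups = {g for g in row["groups"].split(";") if g}
    return bool(groups & REMOTE_ACCESS_GROUPS)


def in_scope(rows):
    """Every active account with remote access is in scope, whatever its type:
    employees, contractors, vendors and service accounts alike."""
    return [r for r in rows if r["status"] == "ACTIVE" and has_remote_access(r)]


def mfa_gaps(rows):
    """In-scope accounts with no enrolled MFA factor."""
    return [r for r in in_scope(rows) if not r["mfa_factors"].strip()]


def gap_report(rows):
    """Summary for the workpaper: in-scope count, gap logins, gaps by account type."""
    gaps = mfa_gaps(rows)
    return {
        "in_scope": len(in_scope(rows)),
        "gaps": sorted(r["login"] for r in gaps),
        "gaps_by_type": dict(Counter(r["account_type"] for r in gaps)),
    }


if __name__ == "__main__":
    report = gap_report(parse_export(SAMPLE_EXPORT))
    for login in report["gaps"]:
        print("MFA gap:", login)
    print(report)
```

On the sample data a filter on `account_type == "contractor"` would have found carol and missed the service account, which has the same VPN group and no factor; scoping by group membership catches both. Deprovisioned accounts are excluded, but a real run should also confirm the deprovisioning date against the VPN concentrator's session logs.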

    The NAIC Insurance Data Security Model Law and NYDFS Part 500 both require notification of a cybersecurity event to the state regulator within 72 hours. The clock starts at the determination that a notifiable event has occurred, not at detection, so the tabletop should time both legs: detection to determination, and determination to a draft notice.

    Third-party scope under Part 500.11 covers every service provider that maintains, processes or otherwise has access to nonpublic information: TPAs, claims vendors, document destruction firms and printers handling claim packets, not just IT vendors. Spot-check that each has a current SOC 2 Type II or equivalent attestation on file, and that the report's scope actually covers the service they provide.

    VT requires opt-in consent for non-affiliate sharing; CA requires CCPA/CPRA-aligned disclosures for personal-lines insureds. A single privacy notice templated nationally fails these state-specific tests; confirm the state variants are the ones actually being sent.

Underwriting and Claims Controls

    Pull a 30-file sample across ACORD 125, 130, and 140. Verify auto-populated fields (class codes, payroll, sales) match current insured operations. Multi-cycle drift in auto-populated fields is a frequent market conduct finding.

    Texas Insurance Code Chapter 542 (prompt payment of claims) sets 15 days to acknowledge the claim and begin the investigation, 15 business days to accept or reject after all requested items are received (extendable to 45 days with written notice), and payment no later than 60 days after the last item is received. A missed deadline triggers 18% statutory interest plus attorney's fees. Pull the claims turnaround (TAT) report and flag outliers against each of these deadlines separately.

    Confirm reserves are reviewed at the carrier's defined 30/60/90-day cadence. Placeholder reserves left untouched contribute to IBNR drift and surface as findings in financial exams.

    OFAC sanctions screening: many carriers screen against the SDN list at issuance but not at every claim payment. Confirm the screening runs at payment as well; claimants, payees and assignees can be added to the SDN list mid-policy.

    NY, CA, FL, NJ, OH, NM, KY, LA, and MN require periodic Anti-Fraud Plan filings. Acquired entities often inherit unfiled plans — verify the current plan is on file with each required DOI.

Financial Controls and Filings

    Most states require producer-collected premium to be held in a fiduciary trust account separated from operating funds. Reconcile the trust account against the AMS premium ledger; commingling is a top-five state DOI finding.

    For each in-scope state, confirm the rate filing posture (prior approval, file-and-use or use-and-file) matches what was actually followed when rates were last changed. Prior-approval states require DOI approval before a rate takes effect; pushing a rate live early creates unauthorized rates for every policy issued in the gap.

    Excess and surplus (E&S) lines placements require state-specific surplus lines premium tax remittance and stamping office filings within 30–60 days of binding. Responsibility stays with the producer of record even when the wholesale broker handles the filing, so verify each filing rather than assuming the wholesaler made it.

    Holding company registration (Form B) is required under the Insurance Holding Company System Regulatory Act for any insurer in a holding company structure. Confirm the annual registration statement was filed with the domiciliary state by the April 30 deadline.

Findings and Sign-Off

    Each CAP needs a named owner, a target remediation date, and a verification method the next examiner can re-perform. Prioritize repeat findings from the prior exam, since they carry materially higher penalties.
