Insurance Compliance Checklist

Privacy and Data Security

    Confirm the written information security program names a qualified individual (CISO equivalent), covers risk assessment, access controls, encryption, vendor oversight, and incident response. GLBA Safeguards Rule revisions effective June 2023 require these elements explicitly — pre-2023 WISPs are commonly out of date.

    NYDFS Part 500.12(b) requires MFA for any individual accessing internal networks from external networks — including third-party vendors with VPN or portal access. Treating MFA as employee-only is a common scoping miss.

    Pull the AMS (Applied Epic, AMS360, EZLynx) and PolicyCenter access lists. Each role should have least-privilege access to nonpublic personal information; flag terminated employees still in active groups and shared logins.

    For each exception flagged in the access review, open a ticket with owner and due date. Material gaps under Part 500 may also trigger the 72-hour DOI notification analysis — escalate to the CISO before closing.
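The access review in the two items above (pull the AMS and PolicyCenter access lists, flag leavers and shared logins, open a ticket per exception) can be automated once the exports are in hand. The script below is an added example and not part of the checklist or of any AMS vendor's tooling; the access export, HR roster, role-to-group entitlement matrix and system-owner mapping are all constructed sample data, and the 30-day remediation SLA is an assumption.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed mapping of system to the person who owns remediation tickets for it.
SYSTEM_OWNERS = {"Applied Epic": "AMS Administrator", "PolicyCenter": "PolicyCenter Administrator"}

# Constructed access export: (system, group, account, hr_employee_id).
# A None employee id means the login is not tied to one person in HR (shared or service account).
ACCESS_EXPORT = [
    ("Applied Epic", "CSR-Personal-Lines", "jdoe", "E1001"),
    ("Applied Epic", "CSR-Personal-Lines", "frontdesk", None),
    ("Applied Epic", "Accounting-Full", "mroe", "E1002"),
    ("PolicyCenter", "Underwriter", "tlee", "E1003"),
    ("PolicyCenter", "Underwriter", "jdoe", "E1001"),
    ("PolicyCenter", "SysAdmin", "svc_batch", None),
    ("PolicyCenter", "Underwriter", "ghost", "E9999"),
]

# Constructed HR roster: employee id -> (status, job role).
HR_ROSTER = {
    "E1001": ("active", "CSR"),
    "E1002": ("terminated", "Accountant"),
    "E1003": ("active", "Underwriter"),
}

# Assumed least-privilege entitlement matrix: the groups each job role may hold.
ROLE_ALLOWED_GROUPS = {
    "CSR": {"CSR-Personal-Lines"},
    "Accountant": {"Accounting-Full"},
    "Underwriter": {"Underwriter"},
}


@dataclass(frozen=True)
class Finding:
    system: str
    group: str
    account: str
    issue: str   # terminated | not_in_hr | unowned_or_shared | excess_privilege
    owner: str   # who receives the remediation ticket
    due: date    # ticket due date


def review_access(access_export, hr_roster, role_allowed_groups, as_of, sla_days=30):
    """Return one Finding per access row that fails the quarterly review."""
    due = as_of + timedelta(days=sla_days)
    findings = []
    for system, group, account, emp_id in access_export:
        owner = SYSTEM_OWNERS.get(system, "CISO")
        if emp_id is None:
            issue = "unowned_or_shared"          # nobody is accountable for this login
        elif emp_id not in hr_roster:
            issue = "not_in_hr"                  # id that HR does not recognise
        else:
            status, role = hr_roster[emp_id]
            if status != "active":
                issue = "terminated"             # leaver still in an active group
            elif group not in role_allowed_groups.get(role, set()):
                issue = "excess_privilege"       # group outside the role's entitlement
            else:
                continue                         # access is justified; no finding
        findings.append(Finding(system, group, account, issue, owner, due))
    return findings


def summarize(findings):
    """Count findings by issue type for the quarterly compliance report."""
    counts = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


def quarterly_review(as_of_iso="2024-03-31"):
    """Run the review over the constructed sample data as of the given date."""
    return review_access(ACCESS_EXPORT, HR_ROSTER, ROLE_ALLOWED_GROUPS, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    for f in quarterly_review():
        print(f"{f.system:13} {f.account:10} {f.group:20} {f.issue:18} owner={f.owner} due={f.due}")
    print(summarize(quarterly_review()))
```

Every account without an HR owner is flagged, including service accounts; the point is that each login in an NPI-bearing group needs a named owner on file, and a documented service account gets closed as an accepted exception rather than silently skipped.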

    Confirm the GLBA Privacy Rule notice reflects current sharing practices and state-specific overlays — Vermont opt-in for non-affiliate sharing, California CCPA/CPRA disclosures for personal lines. Templated national forms commonly fail state tests.

Producer Licensing

    Export the active producer list from NIPR keyed by NPN. Reconcile against the AMS producer table — orphaned producers in the AMS still receiving commissions are a common audit finding.

    For each state where the agency bound business this quarter, confirm the producer holds a resident or non-resident license AND a carrier appointment. Binding without appointment can trigger rescission and an unauthorized-transaction filing.

    CE hours and lines vary by state; flag producers within 60 days of their renewal date who have not completed required CE. A lapsed license means no authority to bind — including endorsements on in-force policies.

    Send each flagged producer written notice with the remaining hours, the renewal date, and the carriers/states that will be affected if CE lapses. Suspend binding authority until evidence of completion is on file.

    Pull current binding authority letters from each appointed carrier. Confirm hazard grade, line of business, and limit caps still match what producers are quoting in the rater. Authority breaches are common when an MGA refreshes appetite mid-year.

Filings and Market Conduct

    For each state, confirm filing posture (prior-approval, file-and-use, use-and-file, no-file) and that any rate change pushed live in PolicyCenter has the corresponding SERFF approval or acknowledgement. Pushing a PA-state rate live before approval creates unauthorized rates.

    NY, CA, FL, NJ, OH, NM, KY, LA, and MN require Anti-Fraud Plan filings on a periodic cadence. Acquired books often inherit unfiled or stale plans — confirm the current filing acknowledgement is on file for each applicable state.

    Sample first-party TX claim files from the quarter. Confirm acknowledgement within 15 business days of FNOL, decision within 15 business days of receipt of all info, and total cycle within 60 days. Each missed deadline carries 18% statutory interest plus attorney's fees.

    Pull a sample of denials and reservation-of-rights letters issued this quarter. Confirm cited policy provisions, recorded-statement consent disclosures, and state unfair-claim-settlement-practices compliance. File any deficient letters for re-issuance before quarter-end.

OFAC and Vendor Risk

    Many carriers OFAC-screen at policy issuance but skip re-screening at claim payment. Pull the quarter's payee list (claimants, assignees, providers) and re-screen — additions to the SDN list mid-policy are the gotcha.

    For any confirmed match, block the payment, report to OFAC within 10 business days, and coordinate with carrier counsel before any further communication with the payee. Document the determination in the claim file.
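The re-screening step above (pull the quarter's payee list and screen it again, because a name added to the list after issuance is exactly what issuance-time screening misses) is shown here as an added example. It is not part of the checklist and not a real screening product; the watchlist entries and payee rows are invented names constructed for the example, the token normalization rules and the block/review thresholds are assumptions, and a production control would screen against the current OFAC list with its vendor's matching engine.

```python
import re
from dataclasses import dataclass
from datetime import date

# Assumed normalization: corporate suffixes and filler words are ignored when comparing names.
IGNORED_TOKENS = {"LLC", "INC", "CO", "CORP", "LTD", "THE", "AND", "OF"}

# Constructed stand-in for a sanctions list: (entry id, listed name, date listed).
# Invented names only; these are not entries from the real SDN list.
WATCHLIST = [
    ("WL-0001", "Fictional Export Trading Co.", date(2024, 2, 10)),
    ("WL-0002", "Jane Q. Example", date(2023, 6, 1)),
]

# Constructed quarterly payee list: (payee id, name, role, date last screened).
PAYEES = [
    ("CLM-1", "Fictional Export Trading LLC", "assignee", date(2023, 12, 15)),
    ("CLM-2", "John Smith Roofing Inc", "provider", date(2024, 1, 5)),
    ("CLM-3", "Example, Jane Q", "claimant", date(2024, 3, 1)),
    ("CLM-4", "Fictional Export Services", "provider", date(2024, 1, 20)),
]


@dataclass(frozen=True)
class Hit:
    payee_id: str
    payee_name: str
    entry_id: str
    score: float
    action: str                        # block (hold payment, escalate) | review (analyst check)
    listed_after_last_screen: bool     # True: the earlier screening could not have caught it


def normalize(name):
    """Uppercase, strip punctuation, drop ignored tokens, return the token set."""
    tokens = re.sub(r"[^A-Z0-9 ]", " ", name.upper()).split()
    return frozenset(t for t in tokens if t not in IGNORED_TOKENS)


def jaccard(a, b):
    """Token-set similarity in [0, 1]; order-insensitive, so 'Example, Jane' matches 'Jane Example'."""
    return len(a & b) / len(a | b) if a | b else 0.0


def screen_payees(payees, watchlist, block_at=0.85, review_at=0.5):
    """Compare every payee against every watchlist entry and return tiered hits."""
    hits = []
    for payee_id, name, _role, last_screened in payees:
        p = normalize(name)
        for entry_id, listed_name, listed_on in watchlist:
            score = jaccard(p, normalize(listed_name))
            if score < review_at:
                continue
            action = "block" if score >= block_at else "review"
            hits.append(Hit(payee_id, name, entry_id, round(score, 2), action,
                            listed_on > last_screened))
    return hits


if __name__ == "__main__":
    for h in screen_payees(PAYEES, WATCHLIST):
        note = "added after last screen" if h.listed_after_last_screen else "was already listed"
        print(f"{h.payee_id} {h.payee_name!r} ~ {h.entry_id} score={h.score} -> {h.action} ({note})")
```

The `listed_after_last_screen` flag is the audit evidence for the "mid-policy addition" case: a block hit with that flag set is a payee that would have passed a screen at issuance and only fails because the list changed. Hits marked `review` go to an analyst rather than straight to a payment hold, which keeps the false-positive handling separate from the confirmed-match workflow the item above describes.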

    Section 500.11 scope includes TPAs, claims vendors, document destruction firms, mail houses — anyone handling NPI, not just IT vendors. Confirm SOC 2 Type II reports and NDAs are current for each in-scope vendor.

Compliance Training and Attestation

    Training should cover phishing, NPI handling, and incident-reporting routes (including the 72-hour DOI notification trigger). Track completion in the LMS and follow up with non-completers before quarter-end.

    NY Reg 187, CA SB 250, and equivalents require written commission disclosure to commercial insureds. Have each producer attest that disclosures were issued for in-scope mid-market accounts bound this quarter.

    Compliance officer signs the quarterly report summarizing Part 500 / NAIC Data Security posture, licensing exceptions, OFAC activity, and open remediation. Archive per the carrier's retention schedule (commonly 5–7 years; longer for WC).

Use this template in Manifestly
