Office Opening Checklist

Walk the suite with a punch list before furniture arrives. Confirm HVAC, lighting, restrooms, and locks all function. Photograph any landlord-responsible defects and email the property manager so repairs are documented before move-in.

Test smoke detectors, confirm fire extinguishers are within inspection date, post the OSHA "It's the Law" poster, and confirm exit-route signage. A first-day fire-marshal walkthrough is common in some municipalities — schedule it before lease commencement.

One workstation per producer and CSR with locking file storage for any printed NPI. Files containing nonpublic personal information must be stored in a way that satisfies GLBA Safeguards Rule physical-security requirements.

Confirm doorway clearances, restroom grab bars, ramp access, and counter heights meet ADA Title III for public accommodations. Insurance offices serving walk-in personal-lines clients are routinely cited; a pre-opening review is cheaper than a remediation order.

Stand up workstations on the AMS in use — Applied Epic, AMS360, EZLynx, HawkSoft, or NowCerts — and confirm each user has a named account, not a shared login. Shared logins fail SOC 2 and NYDFS Part 500 access-control requirements.

Each appointed carrier requires its own portal credentials, and several carriers tie portal access to specific NPNs and state appointments. New office producers may need their appointments amended to reflect the new location code before binding authority works in the portal.

NYDFS Part 500.12(b) requires MFA for any individual accessing internal networks from an external network — including third-party vendors with VPN access. Treating MFA as employee-only misses the contractor scope and is a common exam finding.

The new office's state determines which cybersecurity regime applies. NY (NYDFS Part 500) is the strictest; SC, OH, MS, AL, CT, IN, IA, KY, LA, ME, MD, MI, MN, NH, ND, TN, VT, VA, WI have adopted some form of the NAIC Insurance Data Security Model Law. Several states impose only GLBA Safeguards.

Required when Part 500 or the NAIC model applies in the new office's state. Designate a CISO (may be a vendor under §500.4(c)), document the written information security program, and schedule the biennial risk assessment. Note the 72-hour cybersecurity event notification window applies from go-live.

Confirm DID numbers ring through, voicemail-to-email works, and any call recording on inbound claim or sales calls includes the state-required disclosure. Several states are two-party consent — failing to disclose recording can support a bad-faith complaint on first-party claims.

Pull each producer's NPN on NIPR and confirm resident and non-resident licenses are active for every state and line they will write from this office. Lapsed CE means a lapsed license, which means no authority to bind — carriers can rescind.

File a change-of-location with each appointed carrier and update the agency's listing on the state DOI's agency-of-record database. Commission statements, 1099s, and policy mailings tie to the registered address.

Endorse the new office onto the agency E&O policy and confirm the retro date covers all prior acts of the producers being relocated. New offices in new states often trigger an additional premium and expanded territory schedule.

NY, CA, FL, NJ, OH, NM, KY, LA, and MN require Anti-Fraud Plan filings. Opening an office in any of these states means the agency's plan must be on file with that DOI before transacting; acquired books and new offices commonly inherit unfiled plans.

Confirm the new office screens insureds, additional insureds, and claim payees against the OFAC SDN list at issuance and at every payment. Many agencies screen at policy issuance only and miss claimants or assignees added to the SDN list mid-policy.

Cover the AMS workflow for new business, endorsements, and renewals; the rater used (TurboRater, EZLynx Rating, PL Rating); and at least the top three carrier portals. New CSRs commonly mistake an indication for a bound quote — call out the difference explicitly.

Include the binding-authority matrix (which producer can bind which line at what limit for which carrier), the privacy and information-security policy, and the recorded-statement disclosure script. Collect signed acknowledgements before any producer transacts.

Email a transition notice to active personal-lines and commercial-lines clients with the new office address, phone, hours, and producer assignments. Pair with the annual GLBA privacy notice if it is due in the same window.

Refresh the website footer, Google Business listing, and AMS document templates so new COIs (ACORD 25), commercial applications (ACORD 125/130/140), and dec-page cover letters carry the new office address from day one.

For commercial accounts with active certificate holders, reissue ACORD 25 COIs with the producer office update so additional-insured filings reflect the correct producer of record. Confirm the certificate-holder vs. additional-insured boxes match the underlying contract.

Coordinate venue, refreshments, carrier rep invitations, and any local chamber co-hosting. Confirm the agency E&O and host-liquor coverage extend to the event location and date.