
Legislative and Regulatory
Looking back at 2024, there is certainly no surprise that multiple legislative and regulatory changes occurred in the areas of cybersecurity, artificial intelligence, and privacy. Cybersecurity continues to feature prominently in recent legislative and regulatory activity. Puerto Rico adopted Rule No. 108, titled “Cybersecurity Rules For The Insurance Industry,” of the Insurance Code Regulations of Puerto Rico. Other activity included Alaska’s new statutory provisions on insurance data security (SB 134), Oklahoma’s Bulletin No. 2024-10 that addressed that state’s Insurance Data Security Act (SB 543), Rhode Island’s new statutory requirements for information security programs and notifications of cybersecurity events (HB 7281 and SB 2802), and Illinois Company Bulletin 2024-10 on the previously enacted Public Act 103-0142.
The NAIC’s “Model Bulletin: Use Of Artificial Intelligence Systems By Insurers” continued to be adopted, in whole or in part, by multiple states through the end of 2024. One of the latest states to address AI is North Carolina in its Bulletin 24-B-19, dated December 18, 2024.
Included in the privacy updates area is Alabama’s “Genetic Data Privacy Act” that was effective October 1, 2024. One of the Act’s key provisions states: “A genetic testing company may not do any of the following without a consumer's express written consent: (1) Disclose a consumer's genetic data to any person issuing health, life, disability, or long-term care insurance.” Additionally, legislative activity included revised provisions to California’s Consumer Privacy Act of 2018 (AB 1008 and SB 1223). Regulatory activity included Iowa Insurance Division’s rescission of the prior Chapter 90 “Financial And Health Information Regulation” and its adoption of a new Chapter 90 with the same title. This new regulation became effective April 24, 2024 with the stated purpose to remove unnecessarily restrictive terms and provide additional clarity.
Regarding consumer protection provisions, additional adoptions of the NAIC Model 275’s “best interest standard” in the sale of annuities continued in 2024. State mandated benefits in health insurance policies continued to be adopted with varying effective dates. Another update from “looking back at 2024” is the Illinois Department of Insurance relocation of its Chicago office in December. Company Bulletin 2025-01 provides the new address and reminds regulated entities of their obligation to ensure that the accurate address information for the Department's new Chicago office is reflected on all public-facing communications. Failure to include the correct Chicago office is often noted as a market conduct violation.
Market Conduct
Looking across all lines of insurance, cybersecurity compliance challenges were detailed in a couple of fairly recent New York Department of Financial Services (“DFS”) consent orders. Noted violations of various provisions of 23 NYCRR Part 500 included a failure to implement and maintain written cybersecurity policies that address access controls, identity management, and customer data privacy. Other violations included a failure to limit user access privileges to certain information systems that provided access to Nonpublic Information (“NPI”), as well as a failure to conduct continuous monitoring or, in the absence of such continuous monitoring, annual penetration testing. Regarding the risk assessment requirements, the DFS found a failure to conduct a periodic risk assessment of information systems sufficient to inform the design of the insurer’s cybersecurity program.
Recent property and casualty market conduct exams provide multiple noncompliance findings in claims and underwriting. Apart from issues with handling claims in a timely manner and providing required disclosures to claimants, an area which continued to pose compliance challenges in recent enforcement actions is that of processing total loss motor vehicle claims. One of the most frequently seen findings is a failure to include applicable taxes, license fees, and other fees incident to transfer of ownership in total loss claims. However, vehicle total loss compliance issues last year also involved some state-specific requirements such as Oregon’s requirement for insurers to provide its longstanding required “Vehicle Total Loss Notice” in accordance with ORS 742.554(2) and OAR 836-080-0240(4), the latter adopted effective January 1, 2010.
Regarding underwriting issues, recent market conduct exam determinations in Arizona included a failure to demonstrate a process to identify at renewal whether a policy's bankruptcy record aged to more than seven years. Additional bankruptcy-related findings included a failure to demonstrate the ability to disregard bankruptcy information or re-rate once the bankruptcy surpassed its allowable usage in violation of A.R.S. § 20-2110. Continuing on the underwriting side, a recent Kentucky exam determined that an insurer used noncompliant endorsements related to siding and roofing restoration on new and renewal homeowner business in violation of 806 KAR 12:095 Section 9(l)(b). Language in this statute specifies that “[i]f a loss requires replacement of items and the replaced items do not reasonably match in quality, color, and size, the insurer shall replace all items in the area so as to conform to a reasonably uniform appearance. This applies to interior and exterior losses. The insured shall not bear any cost over the applicable deductible.” In another example applicable to homeowner policies, a California Stipulation and Consent Order, issued in September 2024, indicated that companies were using unfiled eligibility and underwriting guidelines to require policyholders to conduct virtual self-inspections of their property on a mobile device as a condition of renewal. This practice was alleged to violate CIC sections 1861.01(c) and 1861.05(b), and CCR sections 2360.0(b) and 2360.2.
In terms of life insurance and annuities market conduct violations, a claims compliance requirement that has been addressed in recent California life market conduct exams involves the “Insurance Payment Intercept Program.” Examiners determined a failure to cooperate with the Department of Child Support Services to identify claimants who are also obligors who owe past-due child support and report those claimants to the Department of Child Support Services. The underlying requirement is in CIC §13550 where it mandates that “[a]n insurer shall identify and report a claimant to the Department of Child Support Services if the claim seeks an economic benefit for an obligor who owes past-due child support.”
Recent health insurance market conduct exam findings continue to provide examples of compliance challenges including those in claims processing, grievance procedures, and provider credentialing requirements. For a look at a claims example, a Texas Commissioner Order in June 2024 determined insurer failures to comply with Texas law regarding the state’s independent dispute resolution (IDR). The IDR was established for health insurers and HMOs to settle balance bills with healthcare providers. The examiner findings included a failure to timely participate in an informal settlement teleconference (TEX. INS. CODE §§ 1467.054(d) and 1467.084(b)); a failure to timely notify the Texas Department of Insurance of the outcome of the informal settlement teleconference (28 TEX.ADMIN.CODE § 21.5021(c)); and a failure to pay the nonrefundable mediator or arbitrator fee to the mediator or arbitrator when the mediator or arbitrator is assigned (28 TEX. ADMIN. CODE §§ 21.5011(d)(2) and 21.5021(d)(2)). In the area of mental health parity, an Illinois exam found that a health insurer “. . . applied more stringent and restrictive step therapy policies for mental health medications as compared to step therapy policies for medical/surgical medications” (215 ILCS 5/370c.1; 26 CFR 54.9812-1(c)(4)(i); 29 CFR 2590.712(c)(4)(i); 45 CFR 146.136(c)(4)(i)).
All of the above issues point to a very active 2025 on all fronts.
Kathy Donovan is Senior Compliance Counsel, insurance with Wolters Kluwer Financial Services. Kathy has more than two decades of experience in insurance compliance. Her expert commentary on legal and regulatory issues affecting the insurance industry is widely published and she is a regular presenter at various industry events.