The importance of insurance compliance programs

While most individuals and organizations choose traditional financial institutions and their array of product offerings, there are other options available in the market. When looking for savings and investment options, for example, many have considered life insurance companies as well.

When thinking of a life insurance policy, most people think of a traditional term-life policy. These policies hold no cash value, and the only benefit is that, if premiums are paid over the course of the agreed-upon term, and the insured person dies, the company will pay out. However, if the term comes to an end and the insured is alive, the person gets no money back.

In addition to the standard term-life policy, however, there are several types of life insurance policies with cash value:

• • • Whole life insurance — It provides coverage for the insured’s entire lifetime, as long as the premiums are paid. It also includes a savings component known as cash value, which grows over time and can be borrowed against or withdrawn.
    • Universal life insurance — This type of permanent life insurance offers more flexibility than whole life insurance. Policyholders can adjust their premiums and death benefits. Universal life also includes a cash value component that earns interest.
    • Variable life insurance — This type also provides lifelong coverage, but with a built-in investment component under which the cash value can be invested in a variety of different accounts similar to mutual funds. This type of policy has potential for higher returns but also comes with increased risk, as the cash value can fluctuate based on the performance of the chosen investments.
    • Indexed universal life insurance — A variation of universal life, this policy allows the cash value to grow based on a stock market index (like the S&P 500). It usually provides a guarantee that the cash value will not drop below a certain level, even if the index performs poorly.

Unfortunately, these products also can become attractive to scammers that can steal from the policyholder or the insurance company. There is a high cash value in many cases, making a relatively easy scam lucrative; and the onus is on the insurance companies to protect themselves and their customers.

Complying with regulatory requirements

It is critical that insurance companies comply with all regulatory standards to protect themselves and their customers. A failure to confirm identification at the time of application, loan, or payout, for example, offers a clear opening for scammers. Accounts can be fraudulently opened or closed, which also could give cash to the scammer.

Some insurance companies have lower thresholds for personal identification than traditional banks. This lapse allows scammers access to these high-value accounts with less personal identifying information, which could result in scammers changing deposit accounts and making loans or withdrawals without the actual owners’ knowledge. Multifactor identification and other protection measures need to be in place within insurance companies to mitigate this danger. In addition to protecting individuals from basic scams, insurance companies want to be protected from losses as well as violations of regulatory standards.

Knowing their regulatory standards

A proper compliance program will limit the ability of nefarious actors to take advantage of the system in place. For an insurance company to have a proper compliance program, the first step is to know what regulatory standards are in place.

Insurance companies must comply with a number of regulatory standards, depending on the products that they offer. The National Association of Insurance Commissioners (NAIC) provides uniform regulatory guidance in the insurance industry. However, according to the McCarran-Ferguson Act, individual states have the authority to implement the guidance as they deem appropriate.

For example, the NAIC Insurance Data Security Model Law offers several points of guidance for insurance companies to follow to establish a stronger data security system for their own and their customers’ protection. This guidance includes provision to address:

• • • Risk assessment ­— Insurance companies are required to conduct risk assessments to identify potential threats to the security of personal information.
    • Information security program — Insurers must develop, implement, and maintain a comprehensive information security program based on the outcome of the risk assessment.
    • Oversight of third-party service providers — Insurers are responsible for ensuring that their third-party service providers are capable of protecting personal information and are held to appropriate standards of conduct.
    • Incident response plan — The law requires insurers to have an incident response plan in place to promptly address and mitigate any breach of security that compromises personal information.
    • Notification of breach — In the event of a data breach, insurers are required to notify affected individuals and regulators within a specified timeframe.

The NAIC published this model law, which aims to establish standards for data security, investigation, and notification of a cybersecurity event applicable to insurers, agents, and other licensed entities. As of January, only 23 jurisdictions have implemented it, which means that many individuals in most jurisdictions are vulnerable.

As insurance companies’ offerings become more diverse, it becomes more important for these companies to have proper compliance programs that protect the insurance company itself from scams, manipulation, reputational damage, and financial penalties.