Insurance is one of the most regulated industries. As such, regulations have a profound impact on what organizations can do and how they do it.

This page is intended to capture as many as possible of the direct and indirect regulations that impact insurance organizations.

Note: This is a work in progress page that will be updated often.

Disclaimer: Content for this page has been sourced from a number of public sources as a compilation. Content links to a number of external sites, none of which is endorsed or supported by

Key Insurance Regulations


McCarran–Ferguson Act


United States federal law that exempts the business of insurance from most federal regulation, including, to a limited extent, federal antitrust laws.

Health Insurance Portability and Accountability Act


The Health Insurance Portability and Accountability Act (HIPAA) is intended to improve the efficiency and effectiveness of the health care system. It includes, among its various components, privacy and security rules that require the adoption of national standards for electronic health care transactions and code sets, as well as unique health identifiers for providers, health insurance plans, and employers. These rules focus on Protected Health Information (PHI) and electronic PHI (ePHI) gathered in the healthcare process and mandate the standardization of electronic transactions, code sets, and identifiers.

Although the regulation focuses on the healthcare industry, other companies can be impacted if they engage in certain activities, such as the management of employee group health plans, or if they provide services to companies that are directly impacted by the regulation.

Health Information Technology for Economic and Clinical Health Act (HITECH)


Part of the American Recovery and Reinvestment Act of 2009, the HITECH Act significantly modifies HIPAA by adding new requirements concerning privacy and security for patient health information. It widens the scope of privacy and security protections available under HIPAA, increases the potential legal liability for non-compliance and provides for more enforcement.

Who is affected: Health care providers, health plans, health clearinghouses and "business associates," including people and organizations that perform claims processing, data analysis, quality assurance, billing, benefits management, etc.

Link to the law:

International Convergence of Capital Measurement and Capital Standards—A Revised Framework


Also called Basel II or the New Accord, this framework represents recommendations by bank supervisors and central bankers from the 13 countries making up the Basel Committee on Banking Supervision for revising the international standards for measuring the adequacy of a bank's capital. The agreement was created to promote greater consistency in the way that banks and regulators approach risk management across national borders.

National Association of Registered Agents and Brokers Reform Act of 2013 (NARAB II)



Terrorism Risk Insurance Act of 2002 (TRIA)



International Capital Standard (ICS)



Internationally Active Insurance Groups (IAIGs)



Model Holding Company Act (MCHA)



Own Risk and Solvency Assessment (ORSA)


ORSA constitutes an internal process performed by an insurer (or group) to evaluate the adequacy of its own risk management and present and future solvency positions under various stress scenarios. In executing an ORSA, insurers will be required to analyze reasonably foreseeable and relevant material risks (i.e., underwriting, credit, market, operational, liquidity risks, etc.) that could affect an insurer’s capacity to meet its policyholder obligations.


State Regulations

New York

North Carolina


South Carolina

Key Cross-Industry Governance Regulations Impacting Insurance


Bank Secrecy Act


The Bank Secrecy Act (BSA) is one of the oldest laws on this list, having been passed into law by the United States in 1970. The BSA is sometimes referred to as an Anti-Money-Laundering (AML) law or as BSA/AML. Several anti-money-laundering acts, including provisions of the USA PATRIOT Act, were subsequently enacted to amend the BSA. (See 31 USC 5311–5330 and 31 CFR 103.) The BSA requires banks and other financial institutions to report certain transactions to government agencies and to withhold from clients the fact that such reports were filed about them. These transactions include deposits or withdrawals of more than $10,000 in cash in a day, or purchases of monetary instruments (money orders, cashier's checks, traveler's checks) worth more than $3,000. For such transactions, banks must supply information about the person doing the transaction, such as address and occupation, to the Internal Revenue Service in a currency transaction report (CTR). If it appears the person is in any way attempting to circumvent the report, the bank must file a suspicious activity report (SAR) with the Financial Crimes Enforcement Network (FinCEN). There are stiff penalties for individuals and institutions that fail to file CTRs or SARs, or that disclose to a client that a SAR has been filed about the client. Very complex monitoring of accounts has grown up around this law, which also illustrates that compliance is not new.

USA PATRIOT Act

The USA PATRIOT Act (Public Law 107–56) is federal legislation in the U.S. Passed soon after the September 11, 2001, terrorist attacks, the Act expands the authority of U.S. law enforcement for the stated purpose of fighting terrorist acts in the U.S. and abroad. This expanded legal authority is also used to detect and prosecute other alleged crimes. The portion of the Act that relates to IT is called the Financial Anti-Terrorism Act and deals with money laundering. This item works in conjunction with the BSA/AML just mentioned.

Dodd–Frank Wall Street Reform and Consumer Protection Act


The Dodd-Frank Act implements changes that, among other things, affect the oversight and supervision of financial institutions, provide for a new resolution procedure for large financial companies, create a new agency responsible for implementing and enforcing compliance with consumer financial laws, introduce more stringent regulatory capital requirements, effect significant changes in the regulation of over-the-counter derivatives, reform the regulation of credit rating agencies, implement changes to corporate governance and executive compensation practices, incorporate the Volcker Rule, require registration of advisers to certain private funds, and effect significant changes in the securitization market.

Sarbanes-Oxley (SOX)


The Sarbanes-Oxley Act of 2002 (SOX) was a response to corporate scandals. It is administered by the Securities and Exchange Commission, which publishes SOX rules and requirements defining audit requirements and the records businesses should store and for how long. Its most prominent aspect, from an IT perspective, is Section 404, which requires that the annual reports of public companies include an end-of-fiscal-year assessment of the effectiveness of internal control over financial reporting. Section 404 also requires that the company's independent auditors attest to, and report on, this assessment. The assessment of financial controls has been extended into the IT space by the opinion of the Public Company Accounting Oversight Board (PCAOB), a private-sector, non-profit entity created by SOX to oversee the auditors of public companies. This extension of financial controls into the IT space provides most of the current impetus for IT controls.


Who is affected: U.S. public company boards, management, and public accounting firms.

Full text of Sarbanes-Oxley Act:

Gramm-Leach-Bliley Act (The Financial Services Modernization Act of 1999)


The Financial Services Modernization Act of 1999, better known as the Gramm-Leach-Bliley Act (GLBA), protects the privacy and security of individually identifiable financial information collected, held, and processed by financial institutions. There are three principal parts to the privacy requirements: the Financial Privacy Rule, the Safeguards Rule and the pretexting provisions. The privacy component requires financial institutions to provide their customers with an annual notice of their privacy practices and to allow customers to choose not to share such information. The safeguards component requires that financial institutions establish a comprehensive security program to protect the confidentiality and integrity of the private financial information in their records. Recommendations for audit were produced by the Federal Financial Institutions Examination Council (FFIEC), an interagency group made up of five of the eight major financial regulatory agencies.


Who is affected: Financial institutions (banks, securities firms, insurance companies), as well as companies providing financial products and services to consumers (including lending, brokering or servicing any type of consumer loan; transferring or safeguarding money; preparing individual tax returns; providing financial advice or credit counseling; providing residential real estate settlement services; collecting consumer debts).

Link to the law: The Privacy of Consumer Financial Information Rule within GLB:

Key Cross-Industry Data and Privacy Regulations Impacting Insurance

Payment Card Industry Data Security Standard (PCI DSS)


The PCI DSS is a set of requirements for enhancing the security of payment customer account data. It was developed by the founders of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa, to help facilitate global adoption of consistent data security measures. PCI DSS includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. Using the Payment Card Industry (PCI) Data Security Standard as its framework, Visa's Cardholder Information Security Program (CISP) provides the tools and measurements needed to protect against cardholder data exposure and compromise across the entire payment industry. The PCI Data Security Standard consists of 12 basic requirements supported by more detailed sub-conditions.


The Council has also issued requirements called the Payment Application Data Security Standard (PA-DSS) and PCI PIN Transaction Security (PCI PTS).

Who is affected: Retailers, credit card companies, anyone handling credit card data.

Safe Harbor Act



What it covers: The Safe Harbor Act, which went into effect in October 1998, prohibits the transfer of personal data to non-European Union nations that do not meet the European "adequacy" standard for privacy protection established by the European Union Data Protection Directive (see below). The Act was intended to bridge the different privacy approaches of the U.S. and Europe, thus enabling U.S. companies to safely engage in trans-Atlantic transactions without facing interruptions or even prosecution by European authorities.

Who is affected: U.S. companies doing business in Europe.

Children's Online Privacy Protection Act (COPPA)


COPPA, which took effect in 2000, applies to the online collection of personal information from children under 13. Monitored by the Federal Trade Commission (FTC), the rules limit how companies may collect and disclose children's personal information. They codify what a Web site operator must include in a privacy policy, when and how to seek verifiable consent from a parent and what responsibilities an operator has to protect children's privacy and safety online.

Who is affected: Operators of commercial Web sites and online services directed to children under 13 that collect personal information from children, as well as general audience Web sites with actual knowledge that they are collecting personal information from children.

Link to the law:

Fair and Accurate Credit Transaction Act (FACTA)


Passed in December 2003, FACTA is an amendment to the Fair Credit Reporting Act that is intended to help consumers avoid identity theft. Accuracy, privacy, limits on information sharing, and new consumer rights to disclosure are included in the legislation. The Act also says businesses in possession of consumer information or information derived from consumer reports must properly dispose of the information.

The Red Flags Rule establishes new provisions within FACTA requiring financial institutions, creditors, etc. to develop and implement an identity theft prevention program. The Red Flags Rule has been delayed several times and is currently scheduled for enforcement by the FTC starting December 31, 2010.

Who is affected: Credit bureaus, credit reporting agencies, financial institutions, any business that uses a consumer report, and creditors. As defined by FACTA, a creditor is anyone who provides products or services and bills for payment.

Link to the law:

Federal Rules of Civil Procedure (FRCP)


In place since 1938, the FRCP discovery rules govern court procedures for civil lawsuits. The first major revisions, made in 2006, make clear that electronically stored information is discoverable, and they detail what, how and when electronic data must be produced. As a result, companies must know what data they are storing and where it is; they need policies in place to manage electronic data; they need to follow these policies; and they need to be able to prove compliance with these policies, in order to avoid unfavorable rulings resulting from failing to produce data that is relevant to a case.

Security professionals may be involved in proving to a court's satisfaction that stored data has not been tampered with.

Who is affected: Any company that is—or could be—involved in a civil lawsuit within the federal courts. Also, because states have adopted FRCP-like rules, companies involved in litigation within a state court system are also affected.

Link to the rules:

European Union Data Protection Directive


The European Union Data Protection Directive (EUDPD) standardizes the protection of data privacy for citizens throughout the European Union (EU) by providing baseline requirements that all EU member states must achieve in national regulations. The EUDPD has a strong influence on international regulations due to the limitations it puts on sending EU citizens' personal information outside of the European Union to areas that are deemed to have less than adequate standards for data security. Examples of specific laws in EU member states are the Finnish Personal Data Act (523/1999) and Amendment (986/2000), the Danish Act on Processing of Personal Data (Act No. 429) of May 31, 2000, and the Austrian Federal Act concerning the Protection of Personal Data (Datenschutzgesetz 2000 - DSG 2000). The EUDPD, member state transpositions of the Directive, and the regulations enacted pursuant to it impact companies that do business in the EU or that handle the data of EU citizens.

Link to the law:

Additional legislative documents and case law:

Who it impacts: European businesses, as well as non-European companies to which data is exported (see Safe Harbor Act, above).

The Federal Information Security Management Act


The Federal Information Security Management Act of 2002 (FISMA) was enacted to bolster computer and network security within the U.S. federal government and affiliated parties (such as government contractors) by mandating yearly audits. FISMA has brought attention within the federal government to the previously neglected area of cyber security. At the time of this writing, however, many government agencies have received extremely poor marks in this area on their official report cards. The average grade of 67.3 percent for 2004 was an improvement of only 2.3 percentage points over 2003, and experts warn that this average must increase for the federal government to truly protect itself and its citizens.

California Senate Bill 1386 (CA SB 1386)


CA SB 1386 was introduced in July 2003 as a first attempt by a state legislature to address the problem of identity theft. In short, the bill introduces stiff disclosure requirements for businesses and government agencies that experience security breaches that might endanger the personal information of California residents. It is expected that many organizations in the United States are subject to these requirements. In addition, many other states have since enacted, or are planning to enact, similar legislation.

Personal Information Protection and Electronic Documents Act (PIPEDA)


PIPEDA is a Canadian federal regulation that governs the collection, use, and disclosure of personally identifiable information in the course of commercial transactions. The act was created in response to European Union data protection directives that limit trade with nations whose privacy protection does not meet EU standards. PIPEDA incorporates and makes mandatory provisions of the Canadian Standards Association's Model Privacy Code of 1995. The act covers all of Canada except those provinces that have "substantially similar" legislation (namely British Columbia, Alberta, and Québec) and covers all inter-provincial trade.


Who is affected: All private-sector companies doing business in Canada.

Link to the law:

Nevada Personal Information Data Privacy Encryption Law NRS 603A


What it covers: In January 2010, Nevada was the first state to enact a data security law that mandates encryption for customers' stored and transported personal information.

Who is affected: Businesses that collect and retain personal information of Nevada residents.

Link to the law:

Massachusetts 201 CMR 17 (aka Mass Data Protection Law)


This Massachusetts law—which went into effect March 2010—works to protect the state's residents against fraud and identity theft. It requires that any business that stores or uses personally identifiable information about a Massachusetts resident develop a written, regularly audited plan to protect this information. It takes a risk-based approach—rather than a prescriptive one—to information security. That means it directs businesses to establish a security program that takes into account the business size, scope, resources, nature and quantity of data collected or stored and the need for security rather than requiring the adoption of every component of a stated program.

Who is affected: Businesses that collect and retain personal information of Massachusetts residents in connection with the provision of goods and services or for the purpose of employment.

Law on the Protection of Personal Data Held by Private Parties—Mexico



Published in July 2010, this Mexican law requires organizations to have a lawful basis—such as consent or legal obligation—for collecting, processing, using and disclosing personally identifiable information. While there is no requirement to notify a government body of processing activities, as in many European countries, companies handling personal data must furnish notice to the affected persons. Individuals must also be notified in the event of a security breach.

Link to the law (Spanish language):

Who it will impact: Mexican businesses, as well as any company that operates or advertises in Mexico or uses Spanish-language call centers and other support services located in Mexico.

Customs-Trade Partnership Against Terrorism (C-TPAT)


C-TPAT is a worldwide supply chain security initiative established in 2004. It is a voluntary initiative run by U.S. Customs and Border Protection, with the goal of preventing terrorists and terrorist weapons from entering the U.S. It is designed to build cooperative government-business relationships that strengthen and improve the overall international supply chain and U.S. border security. Businesses are asked to ensure the integrity of their security practices and to communicate and verify the security guidelines of their business partners within the supply chain.

Benefits of participating in C-TPAT include a reduced number of CBP inspections, priority processing for CBP inspections, assignment of a C-TPAT supply chain security specialist to validate security throughout the company's supply chain, and more.

Who is affected: Trade-related businesses, such as importers, carriers, consolidators, logistics providers, licensed customs brokers, and manufacturers.

Free and Secure Trade Program (FAST)


FAST is a voluntary commercial clearance program run by U.S. Customs and Border Protection for pre-approved, low-risk goods entering the U.S. from Canada and Mexico. Initiated after 9/11, the program allows for expedited processing for commercial carriers who have completed background checks and fulfill certain eligibility requirements. Participation in FAST requires that every link in the supply chain, from manufacturer to carrier to driver to importer, is certified under the C-TPAT program (see above). Cards cost $50 and are valid for 5 years.

Benefits of using FAST and C-TPAT include:

• Upon terrorist alerts, FAST/C-TPAT drivers will be allowed to cross the border.

• Dedicated lanes for greater speed and efficiency.

• Reduced cost of compliance with customs requirements.

Who is affected: Importers, carriers, consolidators, licensed customs brokers, and manufacturers.

Link to FAST program details:

Electronic Fund Transfer Act, Regulation E (EFTA)


Enacted in 1978, this law protects consumers engaging in electronic fund transfers from errors and fraud. Regulation E carries out the purposes of the Electronic Fund Transfer Act, which establishes the basic rights, liabilities, and responsibilities of EFT consumers and of the financial institutions that offer these services. EFTs include ATM transfers, telephone bill-payment services, point-of-sale terminal transfers in stores and preauthorized transfers from or to a consumer's account (such as direct deposit and Social Security payments). Effective August 2010, a new provision states that institutions may not impose dormancy, inactivity or service fees on pre-paid products, such as gift cards, nor can such products have an expiration date of less than five years.

Who is affected: Financial institutions that hold consumer accounts or provide EFT services, as well as merchants and other payees.

Comparison of the US State Insurance Regulations

The 2015 Insurance Regulation Report Card


The 2015 Insurance Regulation Report Card, the R Street Institute’s annual publication, assigns scores in 10 different areas including solvency monitoring, anti-fraud efforts, rating and underwriting freedom, minimizing politicization of regulation, consumer protection and fostering competitive markets.

NAIC Compendium of State Laws on Insurance Topics (3 Volumes)


The Compendium is a three-volume compilation of legislative and regulatory data. It consists of more than 100 issue-specific charts, combining states' statutes and regulations on various insurance topics in a concise and clear format.

The All-in-One Guide to Statutory Insurance Carrier Notification Requirements for All 50 States

Published by: Insurance Journal / Academy of Insurance

The Insurance Professional’s Guide to Statutory Insurance Carrier Notification Requirements for All 50 States

Fundamentals of Insurance Coverage in All 50 States

Published by: Juris Publishing, Inc.

Fundamentals of Insurance Coverage in All 50 States, 2nd Edition, is a unique compendium and overview of all aspects of insurance coverage law in every state. The treatise utilizes and cites state and federal statutes, insurance regulations, and case law from every state as a framework for a unique and unprecedented treatment of this confusing and varied body of law. The book is designed specifically for insurance claims handlers and supervisors who have responsibility for, or occasion to deal with, coverage issues relating to third-party defense litigation, first-party claims litigation, and/or reservation of rights scenarios.