Thursday, August 29, 2019

INSURANCE 101: Federal Regulation


Insurance regulation in the U.S. has taken shape through several key U.S. Supreme Court decisions and eventual laws pertaining to who regulates insurance in the U.S. Insurance is mainly regulated on the state level; however, the federal government plays a specific role in regulation as well. Several historical key federal court rulings and laws have helped shape the industry into what it is today.

Regulatory control between the states and federal government has been a back and forth battle for most of its history in the U.S.  Throughout the 1800s, the U.S. insurance industry was strictly regulated by the states and was considered outside of the jurisdiction of the federal government.  As time went on, the federal government began to view insurance as a form of interstate commerce, thus wanting to regulate it.  The following court rulings and laws have paved the way for the current industry regulations.

Paul v. Virginia (1868)

The federal government has jurisdiction over interstate commerce in the U.S., and the Supreme Court case Paul v. Virginia marked one of the first attempts by the federal government to regulate insurance as interstate commerce.

The Supreme Court, however, decided that issuing an insurance policy is not considered a transaction of commerce; therefore, it cannot be regulated by the federal government as interstate commerce.  Although this ruling would later be reversed, for 75 years following this Supreme Court decision, insurance was not considered to be interstate commerce, nor was it regulated by the federal government.

The Armstrong Investigation (1905)
Another important event, known for creating the New York Insurance Code, led to the investigation into various life insurers in the state of New York. The outcome of this investigation led to stricter regulation of insurance companies by the state, which ultimately led to other states adopting similar insurance regulation.

United States v. Southeastern Underwriters Association (1944)

This Supreme Court case placed the regulation of insurance within the authority of the federal government by defining insurance as a form of interstate commerce.  Any state laws that may have been in force at that time that conflicted with the laws of the federal government became void and unenforceable.  Due to the conflicts that arose from this Supreme Court decision, Congress later enacted the ‘McCarran-Ferguson Act’ to further define the roles of the federal and state governments.

The McCarran-Ferguson Act (1945)
This Act ratified legislation in all states to conform to federal law; however, Congress still concluded that state regulation of insurance made the most sense from a consumer’s standpoint. Under this act, the business of insurance is primarily regulated by the states, allowing the federal government to regulate in addition to, but not to supersede state insurance laws.  Since insurance is considered to be interstate commerce, federal law regulates such business in addition to state regulation.

1958 Intervention by the FTC
When the FTC attempted to regulate insurance advertising, the Supreme Court decided, due to the McCarran-Ferguson Act, that a federal agency such as the FTC had no ruling or authority over the states regarding insurance advertising regulation.

1959 Intervention by the SEC
Both annuities and variable life insurance were questioned and concluded to be securities, instead of insurance; therefore, the Supreme Court decided that insurance companies selling variable life products and annuities were to be regulated under the authority of both the Securities and Exchange Commission (SEC), and the states.

Fair Credit Reporting Act (1970)
The Fair Credit Reporting Act states that all consumers have the right to keep personal financial information private between the collecting party and the consumer.  At no time may private personal and financial information be given to a non-affiliated third party unless an Initial Privacy Notice, or a notice that accurately reflects the insurer’s privacy policies and practices, is given by the insurer to the consumer regarding disclosure of this information.

This federal consumer privacy regulation requires disclosure of any ‘financial institution’ that denies coverage to a consumer.  In addition, if a consumer is denied coverage, he or she has the right to dispute this denial and provide correct information if inaccurate information is portrayed about the consumer.

A Financial Institution is defined as any institution engaged in activities that are financial in nature or incidental to such financial activities.

This Act was created to ensure that correct information is obtained regarding a consumer and that a consumer’s privacy is not at risk.  Federal law mandates the following:

  • Individuals must be notified within three (3) days from the date that a credit report has been requested.  In addition, the credit reporting agency must advise the individual of such report being requested as well as provide him or her with a summary of the report within five (5) days, if requested by the individual.
  • A consumer has the right to know the identity of anyone who is questioned regarding a credit report.
  • If the consumer is rejected, due to findings in a report, information regarding the consumer reporting agency must be provided to the consumer.
  • The consumer reporting agency must disclose any information in the event an applicant requests it; however, an insurance company is not obligated to disclose such information to an applicant.
  • If an individual disagrees with the agency’s report, he or she has the right to file a statement to the insurer that better clarifies any negative issues presented by the insurer.

Privacy Act (1974)

According to a study conducted by the Privacy Protection Study Commission in the early 1970s, insurance companies were among the top companies that collected personal consumer information. Due to the size and depth of the information collected by insurers, legislation was passed to regulate and safeguard this personal consumer information. The Privacy Act set forth the standards of fair information practices that govern the collection, maintenance, use, and dissemination of personally identifiable information about individuals.

Goals of the Privacy Act:

  • To minimize consumer intrusiveness
  • To be fair and impartial in collecting and reporting on consumers
  • To build public trust regarding the safeguarding of personal information collection

Financial Services Modernization Act (1999)

Also referred to as the Gramm-Leach-Bliley Act (GLBA) or (GLB Act), the Financial Services Modernization Act, enacted by Congress in 1999, changed the way in which financial institutions such as commercial banks, investment companies and insurance carriers conduct business by allowing these various institutions to merge together into what are commonly called ‘financial supermarkets,’ providing consumers with a larger, more centralized and more diverse selection of financial products.

Under this Act, regulation of financial institutions is based on the type of product or service marketed instead of on the type of company selling the product.  This means that a financial institution can become a conglomerate of banking, securities and insurance products, all marketed under the same company’s name.  The GLBA reversed previous legislation that limited the financial business of banks, securities companies and insurance carriers based on the company itself, rather than the products or services it sold.

Upon the enactment of the GLBA, financial institutions such as federal and state banks, mutual and stock insurance companies, and mortgage and securities companies began to merge together and offer a wider selection of products such as life and health insurance alongside other financial products and services already provided by the bank or lending institution.  As a result of the GLBA, various financial institutions began to capture a larger customer base, and in the process, the disclosure and collection of a larger amount of private consumer information.

Due to the large amount of private information disclosed to these financial institutions, a major part of the GLBA is the requirement that all financial institutions design, implement and maintain ‘safeguards’ to protect private information obtained from consumers, and to maintain customer privacy once an ongoing relationship is established with the financial institution.

Consumer vs. Customer
The GLBA defines a Consumer as an individual, or the legal representative of such an individual, who obtains, from a financial institution, financial products or services which are to be used primarily for personal, family, or household purposes.  A Customer is defined as a consumer who has a continuing ‘customer relationship’ with a financial institution in which it provides one or more insurance products or services to the individual that are to be used primarily for personal, family or household purposes.

A customer has a continuing relationship with a financial institution if he or she is a current policyholder or policyowner of an insurance product issued by or through the financial institution; or if he or she obtains financial, investment or economic advisory services relating to an insurance product or service from the financial institution for a fee.

In protecting both consumers and customers, the privacy requirements of the GLBA include the ‘Financial Privacy Rule,’ which regulates the collection and disclosure of non-public personal information, and the ‘Safeguards Rule,’ which requires financial institutions to set up and maintain a system of protecting consumer and customer records.  In addition, the GLBA regulates against attempts to obtain non-public personal information from consumers and customers under false pretenses, a method known as Pre-texting.

Financial Privacy Rule
As mandated by the GLBA, a financial institution must disclose to all consumers in advance of any contractual agreement between the consumer and financial institution that it intends to collect and retain both public and private information on the consumer as part of the contractual agreement between the financial institution and consumer.  It requires clear disclosure by all financial institutions of their privacy policy regarding the sharing of non-public personal information with both affiliates and third parties.

The GLBA further clarifies that the disclosure of a financial institution’s privacy policy is required to take place at the time of establishing a ‘customer relationship’ with a consumer, and not less than annually during the continuation of such relationship.

Non-Public Personal Information (NPI)

The term ‘non-public personal information,’ also referred to as NPI, is defined as personally identifiable financial information:

  • Provided by a consumer to a financial institution
  • Resulting from any transaction with the consumer or any service performed for the consumer
  • Otherwise obtained by the financial institution


Non-public personal information includes any list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived using any non-public personal information other than publicly available information.

‘Public personal information’ includes any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any non-public personal information.

‘Opting Out’ of Information Sharing and Disclosure
Although information is collected by a financial institution at the time of establishing a customer relationship with a consumer, the GLBA requires a notice to consumers and an opportunity to Opt Out, or allow a consumer the opportunity to prevent the sharing of certain non-public financial information with non-affiliated third parties, subject to certain exceptions.

A financial institution may not disclose non-public personal information to a non-affiliated third party unless:

  • Such financial institution clearly and conspicuously discloses to the consumer, in writing or in electronic form or other form permitted, that such information may be disclosed to such third party
  • The consumer is given the opportunity, before the time that such information is initially disclosed, to direct that such information not be disclosed to such third party, and
  • The consumer is given an explanation of how the consumer can exercise that nondisclosure option


A non-affiliated third party that receives (from a financial institution) non-public personal information shall not, directly or through an affiliate of such receiving third party, disclose such information to any other person that is a non-affiliated third party of both the financial institution and such receiving third party.

A financial institution shall not disclose, other than to a consumer reporting agency, an account number or similar form of access number or access code for a credit card account, deposit account, or transaction account of a consumer to any non-affiliated third party for use in telemarketing, direct mail marketing or other marketing through electronic mail to the consumer.

Life and Health Insurance: ‘Opting In’

With regard to life and health insurance, consumers (insurance applicants) Opt In, or give permission to an insurer to disclose and share non-public personal information.  Because an insurer often needs to disclose and share specific applicant information with a third party such as a doctor’s office or credit agency in order to issue a policy, the insurer must first obtain the applicant’s permission before sharing non-public personal information with necessary third parties involved in the issuance of the policy.

Safeguards Rule

Also mandated by the GLBA, appropriate standards were established to protect consumer privacy including technical, administrative, and physical safeguards:

  • To insure the security and confidentiality of customer records and information
  • To protect against any anticipated threats or hazards to the security or integrity of such records, and
  • To protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer


Customer Information Systems are the electronic or physical methods used to access, collect, store, use, transmit, protect or dispose of non-public personal information, whether that information is maintained in paper, electronic or other form.

A Service Provider is defined as any person or entity that maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to the licensee.

Pre-texting Regulation
It is a violation of the GLBA for any person to obtain or attempt to obtain, or cause to be disclosed or attempt to cause to be disclosed to any person, customer information of a financial institution relating to another person:


  • By making a false, fictitious, or fraudulent statement or representation to an officer, employee, or agent of a financial institution;
  • By making a false, fictitious, or fraudulent statement or representation to a customer of a financial institution; or
  • By providing any document to an officer, employee, or agent of a financial institution, knowing that the document is forged, counterfeit, lost, or stolen, was fraudulently obtained, or contains a false, fictitious, or fraudulent statement or representation
