1.7 Federal Regulations
At the federal level, Congress has established regulatory agencies that provide oversight affecting insurance industry practices. In addition, the business of insurance is subject to various federal laws designed to protect consumer privacy, promote fair business practices, and safeguard consumers from deceptive or unfair conduct.
Fair Credit Reporting Act (15 USC 1681–1681d)
The Fair Credit Reporting Act (FCRA) protects consumers' rights regarding the privacy and use of their credit and financial information. The law is intended to ensure that information collected about consumers is kept confidential, remains accurate and relevant, and is used only for legitimate and authorized purposes. The Act also helps protect consumers from excessively intrusive or improper information-gathering practices. The FCRA is enforced by the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB).
Consumer reports, commonly referred to as credit reports, are prepared by consumer reporting agencies and contain information related to a consumer's creditworthiness, financial capacity, reputation, character, and general lifestyle or mode of living. Investigative consumer reports provide additional detail by gathering information through personal interviews with individuals such as the consumer's friends, neighbors, or associates. Certain types of older adverse information may not appear in these reports: most negative information older than seven years, such as civil suits and judgments, and bankruptcies older than ten years.
Under the Act, consumer reports may only be obtained for legitimate business purposes, such as evaluating a consumer's financial responsibility and character for employment decisions, loan approvals, or insurance underwriting. When an investigative consumer report is used in connection with an insurance transaction, the consumer must be notified in writing that such a report may be prepared. Upon request, the consumer is also entitled to receive information describing the nature and scope of the investigation.
Note
Insurers must also comply with state laws governing the use of credit information in underwriting and rating practices. Some states restrict or prohibit insurers from using credit information or credit-based insurance scores as a factor in determining premium rates or underwriting decisions.
Adverse Actions and Disputes
If information contained in a consumer report leads to an adverse action against an applicant or policyholder—such as a denial of coverage, an increase in premium rates, or the cancellation or nonrenewal of a policy—the insurer must provide the consumer with notice of that action. The notice must also inform the consumer of their right to obtain a free copy of the consumer report upon request and their right to dispute or challenge the accuracy of the information contained in the report.
If a consumer reporting agency receives a request to correct or dispute information contained in a consumer report, the agency is required to reinvestigate the information within the time period allowed by law. During the investigation process, any adverse action based on the disputed information may not be considered final until the reinvestigation is completed. For example, if an insurer decides not to renew a policy because of information contained in a consumer report and the policyholder disputes the accuracy of that information, the insurer may be required to continue the policy in force until the investigation has been completed and the matter has been resolved.
Identity Theft and Fraud Alerts
Identity theft can severely damage a consumer's credit history and financial reputation. To address this risk, the law establishes procedures for handling reports of fraud and identity theft. If a consumer, or someone acting on the consumer's behalf, reports in good faith that they are a victim of fraud, the consumer reporting agency must place a fraud alert on the consumer's file for at least 90 days unless the consumer requests its earlier removal. The agency must also notify the consumer of their right to obtain a free copy of their credit file. After properly verifying the consumer's identity, the consumer reporting agency is required to block any information identified as fraudulent from appearing in the consumer's report within four business days of receiving the request.
Gramm-Leach-Bliley Act of 1999 (GLBA, or the Financial Services Modernization Act)
The Gramm-Leach-Bliley Act (GLBA) of 1999 introduced significant changes to the financial services industry. One major change was the repeal of certain provisions of the Glass-Steagall Act, which allowed banks, securities firms, and insurance companies to merge and operate together under common ownership. The GLBA also established important consumer privacy protections through the Financial Privacy Rule and the Safeguards Rule. These provisions are designed to protect the confidentiality of consumers' personal financial information and to safeguard that information against unauthorized access, misuse, and security threats.
Financial Privacy Rule
The Gramm-Leach-Bliley Act (GLBA) requires financial institutions, including insurance companies, to provide consumers with notice regarding their information-sharing practices whenever nonpublic personal information may be disclosed to nonaffiliated third parties. This privacy notice must be provided when the customer relationship is first established and annually thereafter. The notice may be delivered in writing or electronically if the consumer consents to electronic delivery.
The notice must explain:
- What information is collected about the consumer
- How and where the information may be shared
- How the information is used
- The measures taken to protect the information
- The consumer's right to opt out of certain information-sharing practices at any time
Nonpublic personal information may be disclosed in certain situations permitted by law. For example, disclosure is allowed when the information is necessary to process, administer, or enforce a transaction authorized by the consumer; when information must be provided to insurance rate advisory organizations; or when disclosure is required to comply with local, state, or federal laws and regulations.
If a financial institution changes its privacy policy or information-sharing practices, it must provide consumers with an updated privacy notice. Consumers must also be given a renewed opportunity to exercise their right to opt out of applicable information-sharing practices.
Safeguards Rule
Financial institutions are required to establish a written information security program outlining the policies, procedures, and safeguards used to protect consumers' nonpublic personal information. The security plan must explain how the institution maintains confidentiality standards, uses appropriate encryption and security measures, and protects consumer information against reasonably anticipated threats, unauthorized access, misuse, or disclosure.
Telemarketing Sales Rule
The Federal Trade Commission (FTC) enforces laws related to consumer privacy and protection against telephone fraud through the Telemarketing Sales Rule. This rule establishes disclosure requirements, sales practice standards, and restrictions on when and how telemarketers may contact consumers.
Do Not Call (DNC) Registry
One of the most important features of the Telemarketing Sales Rule is the creation of the National Do Not Call Registry, which allows consumers to choose whether they want to receive telemarketing and sales calls. Consumers may place their residential and wireless telephone numbers on the Do Not Call List to reduce or stop most unsolicited telemarketing calls. Certain types of calls are exempt from these restrictions, including calls made by political organizations, nonprofit organizations, legitimate debt collectors, and organizations conducting surveys or research rather than sales solicitations.
Telemarketers and sellers are required to review the National Do Not Call Registry and update their calling lists at least once every 31 days to ensure compliance with Do Not Call regulations. The regulations also prohibit telemarketers from placing calls to consumers before 8:00 a.m. or after 9:00 p.m. local time at the consumer's location.
CAN-SPAM Act
The CAN-SPAM Act is a federal law that establishes rules and requirements for unsolicited commercial emails, commonly referred to as spam. These emails may impose unwanted costs on recipients, contain offensive or inappropriate material, or mislead consumers about the message's content, sender, or purpose. The Act is administered and enforced by the Federal Trade Commission (FTC) and is intended to protect consumers from deceptive and abusive email marketing practices.
Federal regulations for commercial emails require the following:
- Identification – Commercial emails must clearly disclose that the message is a solicitation or advertisement for products or services.
- Opt-Out Option – The email must provide recipients with a clear, legitimate, and free method for unsubscribing or opting out of future communications from the sender.
- Return Address Information – The email must include a valid return email address as well as a legitimate physical postal address for the sender.
Penalties
Violations of the CAN-SPAM Act may result in significant penalties, including actual damages and civil fines of up to $16,000 for each unlawful email violation, with no overall limit on the total amount of penalties that may be imposed. Individuals who engage in fraud-related violations under the Act may also face criminal penalties, including imprisonment ranging from one to five years.
Terrorism Risk Insurance Act (TRIA)
Terrorism is frequently excluded as a covered peril under property and casualty insurance policies because the potential losses may be too severe and catastrophic for private insurers to safely underwrite. In addition, including terrorism coverage in standard policies could significantly increase insurance premiums and make coverage less affordable for consumers. Because of these challenges, government involvement and financial support programs are often necessary to help make terrorism coverage available.
The Terrorism Risk Insurance Act (TRIA) was enacted in response to the terrorist attacks of September 11, 2001. The law established a federal reinsurance program that allows the federal government to share terrorism-related losses with private insurers when a certified act of terrorism occurs. TRIA was designed to stabilize the insurance market by reducing disruptions and helping ensure the continued availability and affordability of commercial property and casualty insurance coverage for terrorism-related risks.
TRIA was established as a temporary federal program and has been continued through several reauthorization acts passed by Congress. The program is currently scheduled to expire on December 31, 2027.
Authority
The Terrorism Risk Insurance Act authorized the U.S. Department of the Treasury to establish the Terrorism Risk Insurance Program, which is administered by the Secretary of the Treasury. Under the legislation, an act of terrorism is defined as an act certified by the Secretary of the Treasury, in consultation with the Secretary of Homeland Security and the Attorney General, that is dangerous to human life, property, or infrastructure. Originally, the law required the act to be committed by an individual or group acting on behalf of a foreign person or foreign interest. The 2007 reauthorization expanded the definition to also include acts committed by individuals or groups without foreign affiliation. In addition, an event must result in at least $5 million in insured property and casualty losses in order to qualify for certification as an act of terrorism under the program.
Insurance Limits
The Terrorism Risk Insurance Program includes a coverage trigger that applies only to certified acts of terrorism. Beginning in 2015, the trigger required insured terrorism losses to exceed $100 million before federal participation would apply. The trigger amount then increased by $20 million each year until reaching $200 million in 2020, where it remains for subsequent years. When insured losses exceed the trigger amount but remain below the program cap of $100 billion, the resulting losses are shared between private insurers and the federal government under the program.
Under the Terrorism Risk Insurance Program, insurers are responsible for a deductible equal to 20% of their covered losses. After the deductible has been satisfied, losses are shared between private insurers and the federal government through a coinsurance arrangement, often referred to as a coshare. Beginning in 2015, insurers were responsible for 15% of covered losses above the deductible, while the federal government paid 85%. This insurer share gradually increased over time until reaching 20% in 2020, where it remains for subsequent years. As a result, the federal government currently pays 80% of covered losses above the deductible, while insurers are responsible for the remaining 20%.
USA PATRIOT Act
The USA PATRIOT Act was enacted to help prevent currency smuggling, money laundering, and the financing of terrorism. The law amended the Bank Secrecy Act by expanding recordkeeping and reporting requirements for banks, financial institutions, and certain non-financial businesses involving specific financial transactions and customer financial records.
Fraud and False Statements (18 USC 1033–1034)
Congress enacted federal laws imposing penalties for fraud and false statements in matters falling within federal jurisdiction, including activities involving the insurance industry. Any person engaged in the business of insurance whose activities affect interstate commerce may violate federal law if they intentionally make material misrepresentations, falsify information, or omit important facts on financial reports or other documents with the intent to deceive an insurance professional or regulatory authority. Such conduct is considered an unfair and deceptive practice under federal law. Examples of prohibited acts include:
- Intentional embezzlement, theft, or misappropriation of money, premiums, funds, or credits
- Making false entries in company books, records, reports, or financial documents
- Using threats, intimidation, or force to influence, obstruct, or interfere with lawful business practices
- Materially overstating the value of land, property, or securities
Interstate commerce refers to business activities conducted within or between U.S. states, the District of Columbia, Puerto Rico, and the territories or possessions of the United States.
Note
U.S. territories include areas such as Guam and the Northern Mariana Islands.
Criminal penalties for committing these prohibited acts may include fines, imprisonment, or both. In most cases, imprisonment may not exceed 10 years. However:
- If the amount embezzled or misappropriated is $5,000 or less, imprisonment may be limited to a maximum of 1 year.
- If the unlawful activity threatens or endangers the financial security or stability of an insurer, imprisonment may extend up to 15 years.
Violent Crime Control and Law Enforcement Act of 1994 – Prohibited Persons
The application of federal fraud and false statement laws to the insurance industry stems from the Violent Crime Control and Law Enforcement Act. This law prohibits individuals convicted of felonies involving dishonesty or breach of trust from participating in the business of insurance or financial services when those activities affect interstate commerce.
To lawfully work in the insurance industry after such a conviction, the individual must obtain a consent waiver, commonly known as a 1033 Waiver, from the appropriate state regulatory authority. A person who engages in the business of insurance without obtaining the required waiver may be subject to criminal penalties, including fines, imprisonment for up to five years, or both.
Individuals subject to these restrictions may include those acting on behalf of an insurance agency or insurance company in activities involving interstate commerce, such as:
- Executive officers, directors, or employees of an insurance company or insurance agency
- Insurance agents, solicitors, brokers, consultants, third-party administrators, managing general agents, or subcontractors
Insurance institutions are required to make a diligent effort to identify individuals who may be prohibited from participating in the business of insurance before hiring or employing them.
Individuals who engage in prohibited conduct, such as committing federal unfair or deceptive practices or participating in the business of insurance without obtaining a required 1033 Waiver, may also face civil penalties. These penalties may be up to $50,000 or the amount of compensation received as a result of the prohibited activity, whichever amount is greater. The U.S. Attorney General has the authority to pursue appropriate civil or criminal actions against individuals who violate these federal laws.