Compliance Manual
This manual establishes the compliance framework for OpenInsure’s MGA operations. Compliance is not a back-office function — it is embedded in every operational process. All staff with regulatory responsibilities must be trained on these procedures and maintain currency with state law changes.
1. Producer Licensing Requirements
1.1 Licensing Framework
Insurance producers must hold a valid license in every state where they transact insurance business. “Transact” includes soliciting, negotiating, or effecting insurance — not just binding. The MGA is responsible for confirming and maintaining evidence of producer licensing for every appointed producer.
1.2 License Types Required
| Activity | Required License Type |
|---|---|
| Selling commercial lines (GL, WC, Auto) | Property & Casualty Producer License |
| Selling surplus lines | Surplus Lines Broker License (separate from P&C license in most states) |
| Selling life or health | Life & Health Producer License (separate program; not currently offered) |
1.3 Resident vs. Non-Resident Licensing
Producers must hold:
- A resident license in their state of domicile
- A non-resident license in every additional state where they transact business
Non-resident licensing typically requires only completion of the reciprocity application (no exam) for states that have adopted the NAIC Producer Licensing Model Act (PLMA). Most states have adopted PLMA.
1.4 License Verification and Monitoring
1. Upon producer appointment application, verify licenses via the NIPR (National Insurance Producer Registry) Producer Database at nipr.com
2. Confirm licenses are active and cover the lines of business being transacted
3. Enter all license numbers, states, and expiration dates into the producer record in the portal
4. Configure automatic alerts: 90 days before expiry, 60 days before expiry, 30 days before expiry
5. Upon receiving a license expiration alert, notify the producer immediately
6. If a license lapses, immediately suspend the producer’s binding authority for the affected state
7. Restore binding authority only upon receipt of the renewed license and verification in NIPR
1.5 License Monitoring Tool
The compliance portal integrates with NIPR to pull license status nightly. The Producer Licensing Dashboard in the compliance portal shows:
- All producer licenses by state and line
- Days until expiration (color-coded: green > 90, yellow 30–90, red < 30)
- Any licenses that have lapsed (shown in red with alert)
- Automated alert history for each producer
2. Producer Appointment Filing
2.1 Appointment Filing Requirements
Most states require the insurer (or MGA, where the MGA holds the license) to file a formal producer appointment with the state DOI before the producer may transact business in that state.
| State | Appointment Filing Required | Timeframe | Fee |
|---|---|---|---|
| Georgia | Yes | Within 30 days of first transaction | $20/line |
| South Carolina | Yes | Prior to first transaction | $25/line |
| North Carolina | Yes | Prior to first transaction | $10/line |
| Tennessee | Yes | Within 15 days of appointment | $15/line |
| Virginia | Yes | Prior to first transaction | $15/line |
| Florida | Yes | Within 15 days of appointment | $25/line |
2.2 Appointment Filing Process
1. Receive executed Agency Agreement from newly appointed producer
2. Pull producer’s NPN and confirm active license in all requested states via NIPR
3. Submit appointment through NIPR OPF (Online Producer Filing) system within the required timeframe
4. Pay state filing fee (charged to producer’s account unless otherwise agreed)
5. Confirm appointment approval — NIPR provides real-time confirmation in most states
6. Update the producer record in the compliance portal with appointment date and confirmation
2.3 Appointment Termination Filings
When a producer appointment is terminated (for cause or otherwise), the MGA must file a termination of appointment with each applicable state:
- File within 30 days of termination in most states
- If terminated for cause (fraud, license violation, etc.), many states require a reason code and some require a separate investigation report
- Retain documentation of the reason for termination for a minimum of 7 years
3. Surplus Lines Broker Requirements
3.1 Surplus Lines Licensing
A surplus lines broker (also called an excess lines broker in some states) holds a special license permitting them to place business with non-admitted (surplus lines) carriers. Requirements:
- Must hold an active P&C producer license in the state
- Must hold a separate surplus lines broker license in each state where they place non-admitted business
- Most states require a minimum of 1–2 years as a licensed P&C producer before qualifying for surplus lines
3.2 Diligent Search
Before placing surplus lines, the broker must document a diligent search of admitted markets. Requirements vary:
| State | Diligent Search Requirement |
|---|---|
| Georgia | Decline from 3 admitted carriers or prior unavailability |
| South Carolina | Decline from 1 admitted carrier or market unavailability |
| North Carolina | Good faith effort to place with admitted carrier |
| Tennessee | Documentation that coverage not available from admitted carrier |
| Virginia | At least 3 admitted carrier declinations |
| Florida | Signed affidavit of diligent effort (if using export list, no search required) |
The MGA maintains and updates surplus lines export lists (risks eligible for surplus lines without individual diligent search) for states that permit them.
3.3 Surplus Lines Filing and Reporting
| Requirement | Frequency | Deadline |
|---|---|---|
| Stamping office filing (where required) | Per-policy | Within 30–60 days of binding |
| Surplus lines tax remittance | Per state schedule | See Finance Operations Manual §10 |
| Annual surplus lines affidavit | Annual | March 1 or per-state deadline |
| Annual surplus lines premium report | Annual | March 1 or per-state deadline |
4. State Filing Calendar
4.1 Annual Regulatory Filing Deadlines
| Filing | Due Date | Filed By |
|---|---|---|
| Annual Statement (statutory financials) | March 1 | Finance |
| Annual Premium Tax Return | March 1 (most states) | Finance |
| Annual Producer Appointment Renewal (where required) | Per state | Compliance |
| Annual Surplus Lines Report | March 1 (most states) | Compliance + Finance |
| Annual SIU Report | Per state (typically March 1) | Claims |
| Privacy Notice Mailing | Annual (no specific deadline in most states) | Compliance |
4.2 Quarterly Regulatory Filing Deadlines
| Filing | Due Date | Filed By |
|---|---|---|
| Quarterly Premium Tax (FL) | 45 days after quarter end | Finance |
| Quarterly Statutory Statement (Q1, Q2, Q3) | 45 days after quarter end | Finance |
| Quarterly Surplus Lines Tax (where required) | Per state | Finance |
4.3 Compliance Calendar
The Compliance Calendar in the compliance portal shows:
- All filing deadlines for the current year
- Assigned owner for each filing
- Status (Upcoming, In Progress, Filed, Late)
- Automated reminders at 60 and 30 days before each deadline
5. Cancellation and Non-Renewal Notice Requirements by State
5.1 Mid-Term Cancellation Notice Requirements
| State | Non-Pay Notice | Other Cause Notice | Notice Method |
|---|---|---|---|
| Georgia | 10 days | 30 days | First class mail |
| South Carolina | 10 days | 30 days | First class mail or hand delivery |
| North Carolina | 10 days | 30 days | First class mail |
| Tennessee | 10 days | 30 days | First class mail |
| Virginia | 14 days | 45 days | First class mail |
| Florida | 10 days | 45 days | First class mail or certified mail |
5.2 Non-Renewal Notice Requirements
| State | Minimum Notice | Notice Method | Additional Requirements |
|---|---|---|---|
| Georgia | 45 days | First class mail | Reason required if requested |
| South Carolina | 45 days | First class mail | Reason required if requested |
| North Carolina | 60 days | First class mail | Reason required |
| Tennessee | 60 days | First class mail | Reason required if requested |
| Virginia | 60 days | First class mail | Reason required |
| Florida | 90 days | First class mail | Reason required; specific statutory reasons permitted |
5.3 Notice Content Requirements
All cancellation and non-renewal notices must include:
- Policy number and named insured
- Effective date of cancellation or non-renewal
- Reason for the action (required in many states)
- The policyholder’s right to file a complaint with the DOI
- Information on how to obtain replacement coverage (in some states)
The system generates state-compliant notice templates automatically. Compliance must review and approve notice templates annually.
5.4 Notice Verification
After issuance:
- Document the date and method of notice in the policy file
- For certified mail notices, retain the return receipt card
- For first-class mail notices, retain a certificate of mailing
- Do not rely on producer notification to the insured as a substitute for direct notice
6. OFAC Sanctions Screening
6.1 OFAC Overview
The Office of Foreign Assets Control (OFAC) maintains the Specially Designated Nationals (SDN) list of individuals, entities, and vessels subject to sanctions. Transacting with SDN-listed parties is a federal violation regardless of insurance regulatory requirements.
6.2 Automated Screening
OpenInsure screens all of the following against the OFAC SDN list using the OpenSanctions API:
| Screening Point | When Screened |
|---|---|
| Named insured | Submission received |
| Principals (owners, officers) | Submission received |
| Additional insureds | Upon endorsement request |
| Claimants | FNOL receipt |
| Payment recipients | Before disbursement |
| Producers | At appointment |
6.3 Match Scoring and Decision
The system uses a three-tier decision model:
| Score | Decision | Action |
|---|---|---|
| ≥ 0.85 | Block | Transaction blocked; Compliance Director notified immediately |
| 0.60–0.84 | Review | Transaction paused; compliance officer reviews within 24 hours |
| < 0.60 | Pass | Transaction proceeds automatically |
6.4 Block Resolution Procedure
1. Upon a block, the system suspends the transaction and generates a compliance alert
2. Compliance Director is notified by email and Teams message within 5 minutes
3. Compliance Director reviews the match within 4 hours
4. If a true match (confirmed SDN), do not proceed; consult OFAC counsel and potentially contact OFAC
5. If a false positive (common name, similar name, different DOB/address), document the analysis and clear the block
6. Retain all screening records and match analyses for a minimum of 5 years
6.5 Screening Record Retention
Retain the following for each screening transaction:
- Input data (name, address, country used for screening)
- Screening result (score, match details)
- Decision (block/review/pass)
- If review: analyst name, analysis notes, and outcome
- Date and time of screening
7. Privacy and Data Security
7.1 GLBA Safeguards Rule
The Gramm-Leach-Bliley Act (GLBA) requires financial institutions, including insurance companies and MGAs, to protect customer nonpublic personal information (NPI). The GLBA Safeguards Rule (16 CFR Part 314) requires a comprehensive written information security program (WISP).
7.2 WISP Core Requirements
OpenInsure’s Written Information Security Program includes:
| Requirement | Owner | Review Frequency |
|---|---|---|
| Risk assessment | CISO | Annual |
| Access controls and user authentication | IT/CISO | Quarterly review |
| Encryption of NPI in transit and at rest | Engineering | Continuous |
| Multi-factor authentication (MFA) | IT | All privileged access |
| Incident response plan | CISO + Compliance | Annual test |
| Third-party vendor oversight | Procurement + Compliance | Annual |
| Employee security training | Compliance + HR | Annual + upon hire |
7.3 State Privacy Laws
In addition to GLBA, certain states have enacted additional privacy protections:
| State | Law | Key Requirement |
|---|---|---|
| All states | GLBA Safeguards Rule | WISP, risk assessment, incident response |
| Virginia | CDPA (Consumer Data Protection Act) | Data subject rights, data protection assessments |
| All states | State DOI privacy regulations | Annual privacy notice to policyholders |
7.4 Annual Privacy Notice
GLBA requires delivery of an annual privacy notice to all policyholders. The notice must:
- Describe the types of information collected
- Describe how the information is shared (internal uses, third parties)
- Describe the consumer’s opt-out rights for certain types of sharing
- Be delivered annually, or at new policy issuance
The system generates the NAIC model privacy notice. Compliance ensures notices are delivered annually for all active policyholders.
7.5 Data Breach Response
If a data security incident involving NPI is discovered:
1. Contain the breach — isolate affected systems immediately
2. Notify the CISO and Compliance Director within 1 hour of discovery
3. Preserve evidence — do not wipe affected systems without forensic preservation
4. Assess the scope — what data was affected, for how many individuals, in which states
5. Notify the affected states’ DOIs per state breach notification laws (typically 30–72 hours)
6. Notify affected individuals per state law (typically within 30–60 days)
7. Engage breach response counsel and potentially forensics
8. File required regulatory reports
9. Conduct post-incident review and implement corrective controls
8. Market Conduct Examination Preparation
8.1 What Is a Market Conduct Exam?
State DOIs conduct periodic market conduct examinations to review an insurer’s or MGA’s compliance with insurance laws. Exams may be targeted (specific issue) or comprehensive (all operations). Advance notice is typically 30–60 days but may be shorter.
8.2 Pre-Exam Preparation
Upon receiving notice of an exam:
1. Notify the Compliance Director, Finance Director, and CEO immediately
2. Identify the exam scope and the applicable state’s examination standards
3. Assign an internal exam coordinator
4. Gather the required records: policy files, claims files, producer appointment records, consumer complaint logs, financial records
5. Conduct a pre-exam self-audit against the NAIC Market Regulation Handbook standards
6. Remediate any identified compliance gaps before the exam begins
7. Brief all staff who may be interviewed by examiners
8.3 During the Exam
- Provide a dedicated workspace for examiners
- Assign a single point of contact (the exam coordinator) who accompanies examiners
- Respond to all document requests within the timeframe specified by the examiner
- Do not provide documents outside the scope of the request without consulting counsel
- Do not allow examiners to work unsupervised with access to live production systems
8.4 Consumer Complaint Log
All consumer complaints (regardless of source — DOI, direct, letter, phone) must be logged in the compliance system with:
- Date received and source
- Nature of the complaint
- Policy number and line of business
- Resolution and date resolved
The consumer complaint log is a primary exhibit in market conduct exams. Maintain it meticulously.
9. E&O Requirements for Producers
9.1 Minimum E&O Standards
All appointed producers must maintain Errors & Omissions (E&O) coverage meeting:
| Requirement | Standard |
|---|---|
| Per-claim limit | $1,000,000 minimum |
| Aggregate limit | $2,000,000 minimum |
| Retroactive date | Must cover prior acts to agency formation |
| Carrier rating | A- (Excellent) or better per A.M. Best |
| Extended reporting | Minimum 12 months available |
9.2 E&O Compliance Monitoring
1. Collect E&O dec page from all producers at appointment and at each renewal
2. Enter E&O policy number, carrier, limits, and expiration date in the producer record
3. Configure alerts: 90, 60, and 30 days before expiry
4. Upon receiving an expiry alert, contact the producer to confirm renewal
5. If E&O expires without renewal: suspend binding authority immediately; notify the producer in writing; restore only upon receipt of renewed dec page
9.3 E&O Lapse Reporting
If a producer’s E&O lapses and they have transacted business during the lapse period, the MGA may have exposure. Report any lapsed-E&O transactions to general counsel for assessment of the MGA’s residual risk.
10. HIPAA Obligations
10.1 Applicability
HIPAA applies to covered entities and their business associates. As an MGA writing workers’ compensation and any health-adjacent lines, OpenInsure may receive Protected Health Information (PHI) in the course of claims handling and underwriting.
10.2 Minimum Necessary Standard
When receiving medical records or health information in the course of claims handling:
- Only request the minimum information necessary to process the claim
- Do not request records beyond the period of treatment relevant to the claim
- Do not share PHI with parties who do not need it for the specific purpose
- Never use PHI obtained for one claim in underwriting decisions
10.3 Business Associate Agreements (BAAs)
If OpenInsure shares PHI with vendors or partners who process it on our behalf (e.g., TPA, medical reviewer), a Business Associate Agreement must be in place before any PHI is shared:
1. Identify any vendor who will receive, access, or process PHI
2. Execute a BAA with the vendor before sharing PHI
3. Log the BAA in the vendor compliance register with execution date and expiration
4. Review BAAs annually to confirm they meet current HIPAA requirements
10.4 PHI Audit Log
All access to PHI stored in the OpenInsure systems must be logged. The packages/hipaa package provides automated audit logging for all PHI access events. Audit logs are:
- Immutable (cannot be modified or deleted by application users)
- Retained for a minimum of 6 years (HIPAA requirement)
- Reviewable by the Privacy Officer
- Included in HIPAA compliance assessments
11. Key Compliance Contacts
| Function | Contact |
|---|---|
| Compliance Director | compliance@openinsure.dev |
| OFAC escalation | compliance@openinsure.dev (urgent: phone the Compliance Director directly) |
| Privacy Officer | privacy@openinsure.dev |
| CISO (security incidents) | security@openinsure.dev |
| Legal / General Counsel | legal@openinsure.dev |
| Market conduct exam coordinator | compliance@openinsure.dev |
| State DOI contacts | See the Compliance Calendar in the portal for each state’s contact |
This manual is effective January 1, 2026. Compliance requirements change frequently as states amend their laws. The Compliance Director will issue guidance memos for material regulatory changes. Review this manual in full annually and compare against the NAIC’s current model regulations.