Legal Compliance

Questions & Answers

Certificates of Insurance

Which producer should sign the Cancellation / LPR form (ACORD 35)?

Interestingly, the answer to this question has changed several times in the last couple of years. In June 2013, ACORD released revised instructions allowing both the current producer and the new one to sign the form. The exact wording is:

“Sign here: Accommodates the signature of the authorized representative (e.g. producer, agent, broker, etc.) completing this form.”

This wording recognizes that the producer can be acting in different capacities, and may draw his authority from the company or from the customer. It is true that, in the past, the current producer (the one losing the account) was the one expected to sign the ACORD 35. However, the number of producers who drag their feet in processing the cancellation has increased in recent years. By allowing both producers to sign the ACORD 35, the cancellation form is valid even if signed by the new producer and can be sent to the carrier for processing if the agent of record is uncooperative.

When in doubt, remember that you always can review the instructions that come with ACORD forms. These instructions can help ensure forms are completed consistently by your staff and also can settle some differences of opinion, if not disputes, that sometimes arise within or between agencies.


What information should be included in the Description of Operations box on the ACORD 25?

Great question. As you’re well aware, agents are often asked to add all kinds of information to certificates. It is generally recommended that the information an agent enters in the Description of Operations box be limited, per the ACORD instructions, to "... information necessary to identify the operations, locations and vehicles for which the certificate was issued."

The ACORD 25 Instructions for the Description of Operations/Locations/Vehicles box provide as follows:

Enter text: The Certificate Of Liability Insurance general remarks. The additional comments or special conditions that may exist upon the policy. ACORD 101, Additional Remarks Schedule, may be attached if more space is required. As used here, records information necessary to identify the operations, locations and vehicles for which the certificate was issued.

As long as the information you include, or are being asked to include, in the Description of Operations box isn’t illegal (meaning that it’s not a violation of an insurance or other law, regulations, etc.), and the information you include is not a misrepresentation of any policy terms or conditions, inclusion of such information is not expressly prohibited.

As an added precaution, it may be prudent to include a statement thereafter that the information being provided is "to the extent provided in the attached/enclosed forms" and then provide copies of the applicable policy forms/endorsements. This will assist in limiting the agency's exposure, while also placing the onus on the certificate requester to determine whether or not coverage, etc., afforded by such documents/endorsements meets their requirements.

If the information you intend to reference/add to the certificate falls outside the four corners of the policy and/or applicable endorsements, you should refrain from including/adding it.

Read more on certificates of insurance


Fees & Rebating

I have a realtor in town who often refers his customers to me. Can I pay him a referral fee?

No, fees should NOT be granted for the referral of a home purchase for home & flood insurance when the referral is made in connection with a real estate settlement. Even the writing of life or disability policies in the context of a settlement is restricted.

The Real Estate Settlement Procedures Act (R.E.S.P.A.) contains several prohibitions against kickbacks and unearned fees:

Under 12 U.S.C. § 2607: “no person shall give and no person shall accept any fee, kickback, or thing of value pursuant to any agreement or understanding, oral or otherwise, that business incident to or a part of a real estate settlement service involving a federally related mortgage loan shall be referred to any person.”

The definition of “settlement services” under the Act focused on services that were real estate in nature. However, the regulation later issued by the US Department of Housing and Urban Development (HUD) further defined settlement services to mean "any service provided in connection with a prospective or actual settlement, including, but not limited to, […] provisions of services involving hazard, flood, or other casualty insurance or homeowner's warranties." A provision similarly restricting transactions involving mortgage life or disability insurance is also included in the definition. The term federally related mortgage loan is also very broad.

Read more about referral fees


Is it OK to offer a movie ticket to anyone who comes in for a quote?

It depends on the state where you intend to make the offer. Generally, state laws include an insurance rebating prohibition. There are, however, variations both in the language and in the interpretation of what is permissible and what isn’t.

Yes. In Maryland, the program contemplated would be permissible, since an allowance is made in the law for gifts that are under $25 as long as 1) there is no obligation to purchase and 2) the gift is either educational or promotional material, or articles of merchandise. Note that the maximum allowable previously was $9.99, but it was increased to $25 in 2009.

No. In Pennsylvania, the program described would be a violation of the Producer Licensing statute and its “Inducements prohibited” provision. Even though the scenario only contemplates a quote and the value is limited to the price of one movie ticket, the relevant section of the law is broadly written. There is no threshold dollar amount that is acceptable, and even with no obligation to purchase, tying the gift to a quote is considered a quid pro quo.

Maybe. In Delaware, the Department of Insurance’s position is in flux. If you are contemplating any such program, we would encourage you to call us to discuss your scenario in more detail.

If you do business in multiple states
The program needs to comply with the state where the insured is located and the policy is written. Make sure your program accounts for that, and either is not offered where prohibited, or contains proper disclaimers about applicability.


What can I pay a realtor who refers business to my agency?

The most likely answer is nothing. Interestingly, this is not driven by a state statute but by a federal one, the Real Estate Settlement Procedures Act (RESPA). This law contains prohibitions against kickbacks and unearned fees, and makes it a violation both for the person receiving the payment (in this case, the realtor) and for the person making it (you).

Under 12 U.S.C. § 2607: “No person shall give and no person shall accept any fee, kickback, or thing of value pursuant to any agreement or understanding, oral or otherwise, that business incident to or a part of a real estate settlement service involving a federally related mortgage loan shall be referred to any person.”

The definition of “settlement services” provided in the Housing and Urban Development (HUD) regulation expressly includes “provisions of services involving hazard, flood, or other casualty insurance or homeowner's warranties."

As a result, fees should not be granted for the referral of a home purchase to an insurance producer for hazard or flood insurance, including homeowners' insurance policies. Even the writing of life or disability policies in the context of a settlement is restricted.

While this may look self-serving to your realtor friend, you may take referrals and provide insurance to the individual customers; what you may not do is pay for those referrals. While he (or she) will surely cringe at the response, he will cringe less than he would at a HUD or Federal Trade Commission investigation. In short, reminding him of the RESPA restrictions is doing him a favor.

There are some limited exceptions for certain “affiliated business arrangements.” However, any agency wanting to avail itself of such exceptions should tread carefully and have an attorney who is familiar with RESPA examine the circumstances and determine whether it is a viable option. Know that any affiliated business arrangement will include:

  • The existence of an affiliate relationship through common ownership or control; and
  • A written disclosure form meeting a specific format, including the referral fee paid, for each referral.

While in many states, the ability to pay referral or finder’s fees has relaxed somewhat after enactment of revised Producer Licensing Laws, restrictions continue to exist for realtors, mortgage brokers, lenders or any other professionals involved in the settlement of a real estate purchase.


Can a bank that's extending a loan strong-arm that customer into switching his insurance?

This is an interesting question. While the answer is relatively straightforward, enforcement of applicable laws can be hard to achieve. The situation described is generally referred to as tying. While some types of tying may be permissible, what you describe is seen as coercion and is prohibited. The prohibition is derived from federal law, as well as state statutes.

Federal law addresses this issue in 12 U.S. Code Section 1972, which provides in part:

(1) A bank shall not in any manner extend credit, lease or sell property of any kind, or furnish any service, or fix or vary the consideration for any of the foregoing, on the condition or requirement

(A) that the customer shall obtain some additional credit, property, or service from such bank other than a loan, discount, deposit, or trust service; or

(B) that the customer shall obtain some additional credit, property, or service from a bank holding company of such bank, or from any other subsidiary of such bank holding company.

Meanwhile, Delaware statutes address tying arrangements in the Banking Code (5 Del. Code Section 929) and the Insurance Code (18 Del. Code Section 2304(23)(a)). Maryland Code speaks to coerced or tie-in sales in Title 27, which governs Unfair Trade Practices (MD Code, Section 27-214(a)), and Title 12 – Commercial Law (MD Code, Sections 12-124(a)(2) and (5)).

Finally, in Pennsylvania, the producer licensing law provides a provision that prohibits tying by a financial institution (40 P.S. Section 310.76). The same section requires that those purchasing required insurance through the financial institution sign a form acknowledging that they were properly advised that the “purchase of the insurance from the financial institution was not a condition for receiving the loan and would not affect current or future credit decisions.”

Notwithstanding the ample federal and state prohibitions, enforcement of the laws can be elusive, primarily because:

  • Affected customers are often reluctant to file a complaint.
  • Absent a customer complaint, it’s unlikely that you’d independently have sufficient evidence to establish and support a violation.
  • As a third party, you likely lack standing to file a complaint. As a rule, the affected customer is the one who would be required to do so, and more often than not, consumers lack the will to file an action against their bank and challenge a financial transaction they have just negotiated.

Premium Funds

Can I place the premiums I'm holding in a money market fund "sweep account" to collect interest?

Probably not, and for two reasons: 1) your duties as a fiduciary and 2) the nature of the funds.

1) Your duties as a fiduciary

When handling premium funds, you have to make sure you comply with state law and regulation. As a producer, your agency must hold the funds as a fiduciary. What that means is simple:

  • The funds are not yours
  • You are responsible for the funds as long as you are holding them

While you generally can invest in interest-bearing accounts, the way you invest is restricted. Generally, you need to:

  • Have consent from the principal (e.g. the carrier)
  • Invest in a prudent manner. For Delaware and Pennsylvania, that clearly means that you can only invest in accounts that are insured by the U.S. Government or in instruments that are secured by the U.S. Government, and where no penalty can be levied against the original investment for early withdrawal. In Maryland, the language is not as clear, but the same standards can be followed.

2) The nature of the funds

It is important to distinguish money market accounts from money market funds. A money market fund is a mutual fund, and as a result is not insured by the Federal Deposit Insurance Corporation (FDIC). It may or may not be backed (secured) by the U.S. Government depending on how those funds are invested; but to be sure, you would have to discuss this directly with your financial institution and receive a definitive answer. If their answer is not clear, it is best to stay away and find a different investment vehicle.

For more information on the restrictions and opportunities that stem from your fiduciary duties, review our online Fiduciary Responsibilities resources.

Access our resources


Can I transfer premiums into a sweep account that uses a money market fund?

It depends. While money market deposit accounts are acceptable, because they are insured by the Federal Deposit Insurance Corporation (FDIC), money market mutual funds may or may not be backed by the U.S. government depending on how they are invested. You will need to address this directly with your financial institution to verify whether the funds would be considered secured by the U.S. government.

Remember that under Delaware and Pennsylvania state regulations, acceptable investment vehicles for premiums held in a fiduciary capacity are those where:

  • The funds are placed in an account where no penalty can be levied against the principal for early withdrawal, and
  • The funds are placed in an account insured by the U.S. government (e.g. FDIC) or instruments secured by the U.S. government (e.g. Treasury bonds, bills or notes).

While the Maryland regulation is less specific and instead makes reference to placing the funds in an “appropriate account,” the language could be interpreted to follow the “prudent-person rule.” The prudent-person rule is a standard that requires a fiduciary to invest the funds only in financial instruments that any reasonable individual interested in receiving a good return of income while preserving his or her capital would purchase. The above bullet points could be used as reasonable safeguards for a “prudent person.” Note that Maryland also expressly requires the agency to have written consent from the carriers before investing the funds (a specific form must be used).

For more information on permissible – and impermissible – practices regarding your fiduciary responsibilities, review our complete resource.

I noticed that one of my carriers is requiring me to notify them promptly when one of my staff is leaving: Is that standard?

During the more recent analyses of agency agreements that IA&B has completed, we have become aware that the above notification provision is becoming more and more standard. It likely has less to do with the appointment process, and more to do with information security and due diligence in preventing data breaches. It’s important to pay attention to this provision for various reasons:

1. YOUR BEST INTEREST -- Quite frankly, it’s in your customers’ and your best interest to manage passwords and access to company Web services (that include both company and customer information) in a timely fashion.

2. LEGAL REQUIREMENTS -- With more federal and state laws and regulations on the books, the web of legal requirements grows larger every year, and some of these requirements could easily be overlooked. You may have implemented training and procedures to protect your customer information, but failing to shut down password access to a departing employee, whether disgruntled or not, could be the famous “weakest link.”

  • For example: Under the HIPAA/HITECH Security rule, password management is one of various “standards” that have to be examined and for which a proper risk management technique must be applied. As part of their risk assessment, companies (and agencies as their business associates) must implement procedures for creating, changing and safeguarding passwords. You must also ensure that staff members are trained on how to safeguard the information and establish guidelines for changing passwords periodically. Your plan should include answers to the following questions:
    - Are there policies in place that prevent staff members from sharing passwords with others?
    - Is staff advised to commit their passwords to memory?
    - Are commonsense precautions taken, such as not writing passwords down and leaving them in areas that are visible or accessible to others?
    - Are guidelines established to change passwords periodically? What frequency or criteria determines change cycles?

  • Another standard that must be reviewed applies to terminated employees, and there again, it addresses password management. For example:
    - Does the agency’s Security Program include the deletion of a terminated employee’s user name and password as part of the termination procedure, along with retrieving any office key or changing a door access code?

3. AVOIDING A BREACH OF CONTRACT -- Based on the increase in agency agreements containing such language, you could simply be in breach of contract when failing to address these requirements.

We have many resources on information security plans required under the Gramm-Leach-Bliley Act and under HIPAA/HITECH.

Read more on privacy-related requirements
Access our Agency Agreement Analysis tool and completed reviews


How can someone without a Power of Attorney ask questions and make policy changes on behalf of a named insured?

Let's use the example of an elderly named insured whose daughter takes care of her finances but does not have a Power of Attorney (POA). The proper way to handle such a situation is for the daughter to secure a true POA from the named insured and provide you with a copy. The daughter is not the named insured, is not a party to the contract, and cannot make policy changes without a Power of Attorney. If your insured wants to secure a POA, the best would be to suggest she contact her attorney.

“Asking questions” is a different matter, which speaks to your privacy obligations: You may be able to share information with the daughter if you have secured consent from the named insured. A POA would not be necessary for that purpose. Any other way of evidencing her consent would be acceptable (although we would encourage you to get it in writing).

Although not directly related to this question, if this were a commercial risk where the producer may be discussing coverage with a risk manager rather than an officer of the corporation, we have developed a form that enables the officer of the corporation to delegate authority to discuss insurance and make certain changes. Along with the sample, we provide a guide identifying who should be signing the delegation of authority based on the customer’s business structure (sole proprietorship, partnership, corporation, etc.).

Access our resources (select "Granting authority to sign insurance documents")


What type of information are we required to encrypt?

A simple question, with a not-so-simple answer. Various laws and regulations address the need for privacy and safeguarding of customer information, from collection to disposal and beyond, to what you must do in case of a breach of that information. At this time, however, these laws and regulations do not clearly identify a pre-determined set of information that you are required to encrypt, nor do they technically require you to encrypt anything.

Generally, the laws and regulations:

  • Broadly identify the information that needs to be protected,
  • Require you to have a security program in place for protection, and
  • Address encryption not as a mandate, but as a standard to include in your Information Security Program and as a safe harbor for agencies (more on this below).

How is encryption addressed?
As part of your Information Security Program, you must consider how customer information is protected:

  • When in storage (e.g. on your server or on the cloud), and
  • When in transit (circulating via email, carrier-agency portals or other systems).

If the communication contains personally identifiable information, is it encrypted or otherwise secured? If not, what alternatives are used in the agency to protect the privacy and integrity of that information? Encryption is one of the methods that can be used to guard against unauthorized access.

Safe harbor
Most laws and regulations that discuss encryption present it, directly or indirectly, as a safe harbor, protecting your agency if someone claims that the data was breached. For example, under our state data breach laws (in Delaware, Maryland and Pennsylvania) and under the Health Insurance Portability and Accountability Act (HIPAA)’s Breach Notification Rule, if the information that is accessed without authorization is encrypted, the unauthorized access will generally not be considered a “breach.” Therefore, you won’t need to send notification letters to affected insureds.

What information?
To help you navigate the different types of federal and state requirements, and decide how your agency will address encryption and for what information, we have developed state-specific cheat sheets. Setting aside Social Security numbers, which should never be sent via email without being redacted, the cheat sheets will help you identify the types of information targeted by each law or regulation, and help you decide how to set your own policies and procedures.


What do we need to consider if we want to offer quotes on our website?

Using your website in a more dynamic way is a good idea, and there are many options available to make for a more engaging experience. However, there are a number of items to address.

One of the first things that comes to mind is making sure that any page that collects personally identifiable information (PII) is secured. Information prospects enter for a quote would definitely qualify as PII. The proper method to secure web pages varies depending on your system. It is, however, generally simple to do. Your web developer should be able to point you in the right direction and help select the right protocol and security certificate. 

Note that:

  • It is easy to know if your web page has been secured (the URL will show “https” instead of “http” and/or a Lock icon with embedded security details will be visible).
  • It is not uncommon for E&O carriers to take a look at your website before providing coverage and place conditions if you failed to secure a page that gathers your customers’ personal information.

We focus here on securing a quote page. When building or rebuilding a website, other items should be carefully weighed, including finding the right balance between painting the agency in a positive light while not increasing an agency’s standard of care. Be engaging, but do not promise on something you cannot or will not deliver.

The Agents’ Council for Technology (ACT) has a myriad of resources to help you build a more effective website. Both marketing and E&O considerations are addressed. Feel free to consult their resources or contact us for more information. 


Records Retention

Are insurance agencies required to have procedures in place to comply with Anti-Money-Laundering rules?

The short answer is yes, assuming you fall within the scope of the regulation based on the "covered products" you sell (described below).

Where does the requirement come from? Anti-Money-Laundering (AML) requirements are addressed in the Code of Federal Regulations (initially at 31 CFR Part 103, now transferred to 31 CFR Chapter X). The original mandate stems from the USA PATRIOT Act, which was passed in 2001 and aims at thwarting money laundering in the financial world.

What is the requirement? Insurance companies writing “covered products” must develop an Anti-Money-Laundering program. For insurance companies, covered products are permanent life insurance policies (other than group life), annuity contracts (other than group annuity) and any other insurance product with cash value or investment features.

The program will apply to the covered products and must contain the following parts:

  • Designating a compliance officer responsible for the program’s implementation
  • Defining policies, procedures and internal controls
  • Providing, or monitoring that, ongoing training of appropriate individuals takes place based on their responsibilities
  • Monitoring the program through independent testing

While the PATRIOT Act does not directly apply to insurance agencies, insurance producers are impacted by the Anti-Money-Laundering (AML) program, because carriers are required to train their employees and producers as needed and must monitor compliance.

Who needs to be trained? It depends. The carrier is the one setting up the AML program, including who should be trained. If the carrier requires that everyone, including all agency staff, follow the training program, the mandate will not stem from the law or implementing rules, but from the company.

Frequency of training: The regulation only requires that the training be done "periodically." It is, there again, up to the company to define the frequency in their AML program.

To review the regulation in more detail, visit the U.S. Government Printing Office website. The AML program is more specifically described in Subpart B-Programs, under §1025.210. The definition of “covered products” is found under §1025.100.


Do I need to witness the shredding of MVRs and other consumer reports?

It depends. First, let’s review the basics. The disposal of MVRs and other consumer reports is governed by the federal Disposal Rule (the “Rule”), which requires agencies to take reasonable steps to protect against unauthorized access to, or use of, consumer information in connection with its disposal.

What constitutes “consumer information”? The Rule defines consumer information as “any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report.” For our purposes, MVRs, credit or insurance scores and C.L.U.E. reports are all “consumer reports.”  

Who must comply with the Rule? The Rule applies to individuals and organizations that use consumer reports. Among those required to comply are: consumer reporting agencies; lenders, insurers and their agents; employers; and government agencies.

Does the Rule have guidelines associated with the choosing of a shredding company? When choosing shredding as the method of destruction and disposal, the Rule’s due diligence requirements are flexible, and could include the agency doing any one of the following:

  • Reviewing an independent audit of the shredding company’s operations and/or its compliance with the rule;
  • Obtaining information about the shredding company from several references or other reliable sources;
  • Taking appropriate measures to determine the competency and integrity of the shredding company; or
  • Requiring that the shredding company be certified by a recognized trade association or similar third party.

Is there an easy way to do this? Yes, there is. If your agency is looking for a simple and efficient method of conducting due diligence, you could use a shredding company which has been AAA-certified by the National Association for Information Destruction (NAID). NAID is the international trade association for companies that provide information destruction services. The NAID AAA-certification is designed to validate and monitor ongoing compliance with critical data protection and related regulatory specifications.

Read more and view a list of NAID AAA-certified shredding companies

While not a requirement of the Rule, agencies should request the shredding company provide a Certificate of Destruction (COD) upon completion of the shredding process. While there is no uniform COD in the marketplace, a COD should include: The name of your agency; the date and location of destruction/disposal; the method of destruction/disposal; a description of the destroyed/disposed of records; and names and signatures of the individuals conducting and witnessing the destruction/disposal.

As a final related thought: Because your agency will be entering into a contract with a third-party service provider (the shredding company) which will have access to your customer information, the contract should include provisions whereby the vendor acknowledges customer information may not be used in a manner inconsistent with the limited services they intend to provide.

Access sample language to include as part of an information protection addendum for third-party service contracts


Is an audio file attachment a sufficient substitute for a signed acknowledgement to reduce or delete coverage?

Many new phone systems allow an agency to receive emails with audio file attachments, which are attached easily to a client file -- and which beg the question of whether or not voice instruction is sufficient. Upon doing some research and bouncing this request off one of our E&O programs, here is our perspective:

As long as the availability, quality and “legibility” of the file are maintained throughout the life of the policy, the audio file should be a viable substitute for the signed acknowledgment. Legibility implies that any software upgrades should not prevent the ability to “read” prior versions.

The agency would need to retain the audio file until the insured's file is discarded. The agency will need to address whether this could create any storage issues. The convenience or feasibility may depend on how customer files are retained in the agency. For example, if the agency currently distinguishes the types of documents it retains in the system from year to year from those it keeps longer, it would be essential to identify the audio file or email properly so that it is retained. If you keep everything for the life of the policy, this issue would be moot.

In all circumstances, you may want to identify/name these audio files clearly so that you know what they contain, are easy to retrieve, and as mentioned above, are not discarded too early.

Another option which can complement the filing of the audio file is to provide a confirmation letter (upon receipt of the request or when sending the amended policy). For example, you could attach a letter with the endorsement delivery that:

  • confirms the customer's request to delete, reduce or modify coverage, and
  • suggests the customer read the amended policy in detail and contact the agency if anything is not consistent with his request, if he changed his mind or has questions. This could be an additional piece of evidence if the customer challenges the change down the road.
Meet Our Experts

IA&B Vice President - Advocacy Claire Pantaloni, CIC, CISR

800-998-9644, ext. 604

Email Claire

IA&B Legal & Corporate Affairs Director Don Bankus

800-998-9644, ext. 603

Email Don