Wes Hampton Joins NOLHGA

Wes Hampton has joined the NOLHGA staff as a Full Stack Developer. For readers who don’t work in the IT field, a full stack developer helps maintain the front-end (the user-facing component) and back-end (the database component) of a website. At NOLHGA, Wes will help build and maintain AssessConnect (NOLHGA’s soon-to-be-launched assessment platform) and will assist with NOLHGA’s back-office reports, automations, and IT support.

Before joining NOLHGA, Wes worked as Senior Software Engineer with Infinite Blue (Audubon, Pennsylvania) and as a Web Developer/Consultant with Rural Sourcing (Oklahoma City). He graduated from the University of Oklahoma with a degree in Electrical Engineering.

Wes will attend next week’s MPC meeting in San Diego, so please be sure to welcome him to the guaranty community.

  Staff Contact - Sean McKenna

Senate Banking Committee Policy Agenda Set

In a finalized policy agenda, Senate Banking Chair Tim Scott (R-SC) announced a several insurance-related priorities for the committee, including:

• Uphold the state-based regulatory system for insurance
  
• Reign in the Consumer Financial Protection Bureau and Federal Insurance Office’s (FIO) encroachment on state regulators
  
• Ensure that insurance remains focused on providing actuarially sound policies
  
• Promote resiliency in repeatedly flooded communities
  
• Increase preparedness for advancements in cyber threats and artificial intelligence
  
• Reauthorize the National Flood Insurance Program
  
• Potentially a new working group focused on flood insurance and other related issues (such as fire insurance)

In addition, Sen. Scott also highlighted non-insurance–related priorities that could generate new working groups, including U.S. national security, building a regulatory framework for digital assets, access to capital for entrepreneurs and small businesses, SEC transparency and accountability, revitalizing and reviewing overregulation in the housing market, and reducing bureaucratic regulations on infrastructure projects, among others.   Staff Contact - Sean McKenna

NAIC Updates

LTC Actuarial Working Group Continues to Workshop Cost-Sharing Formula: On January 13, 2025, the Long-Term Care Actuarial Working Group continued to discuss tweaks to the cost-sharing formula used in the Multi-State Actuarial (MSA) Framework’s Single LTCI Multistate Rate Review Approach. Co-Chair Fred Andersen (MN) unveiled an alternative cost-sharing model that aims to address most regulator comments on a prior proposal. Andersen argued that the alternative approach achieves regulators’ goals better than previous proposals. While the alternative model has not been finalized or formally exposed for comment, the co-chairs asked members to consider and communicate what adjustments, if any, they would make to the proposal. The co-chairs hope to schedule another working group meeting prior to the March national meeting.

G Committee Schedules Two Calls: The International Insurance Relations (G) Committee scheduled two calls in the coming weeks. The committee will meet on January 30 to review and approve submission of NAIC comments on the International Association of Insurance Supervisors’ (IAIS) public consultation on ancillary risk indicators in the Global Monitoring Exercise (GME)—comments are due to the IAIS on February 3. The committee will meet on February 13 to discuss other current and upcoming IAIS public consultations.

  Staff Contact - Sean McKenna

International Developments

EIOPA Holds IRRD Webinar on Recovery Planning: On January 17, 2025, the European Insurance and Occupational Pensions Authority (EIOPA) held a webinar to discuss the recovery planning aspects of the Insurance Recovery and Resolution Directive (IRRD) (text; fact sheet). This was the second webinar in a series of five aimed at providing participants with information about different aspects of the IRRD and answering stakeholder questions. The webinar covered the following key points:

• Contents of the Pre-Emptive Recovery Plan: Generally, the pre-emptive recovery plan needs to include a summary of key elements of the plan, a description of the undertaking or group subject to the plan, a framework of indicators, a description of the governance around the plan, remedial actions and their impact, a communication strategy, and an assessment of the undertaking’s prior recovery plan (if applicable). A consultation on the Regulatory Technical Standard (RTS) related to contents and remedial action will be published in late April; a consultation on guidelines for qualitative and quantitative indicators is expected in late December.
  
• Determination of Companies Subject to Recovery Plans: Insurers, groups, and reinsurance undertakings will be assessed by supervisors on size, business model, risk profile, interconnectedness, substitutability, importance for the economy of the member state in which they operate, and their cross-border activities. The scope will cover at least 60% of the member state’s life insurance and reinsurance market (based on gross technical provisions (i.e., reserves), and at least 60% of its non-life insurance and reinsurance market (based on gross written premium). Any company subject to a resolution plan also will be subject to pre-emptive recovery planning requirements. EIOPA will develop RTSs to provide more information on criteria regarding cross-border activity and the methods to use when determining market shares. Supervisory authorities will have some discretion as to whether to require entity-specific recovery plans if the supervisor determines that a relevant group recovery plan does not sufficiently account for one or more insurance subsidiaries doing business in the supervisor’s jurisdiction.
  
• How IRRD Interacts with Other Plans: There was discussion about how IRRD recovery plans are viewed relative to other insurer requirements such as the Own Risk and Solvency Assessment (ORSA), Solvency II recovery plans, and Liquidity Risk Management Plans (LRMPs). Ultimately, EIOPA views the IRRD recovery plan as a standalone plan that differs in scope and approach from the others. The ORSA and LRMPs can be used to inform the IRRD recovery plan, and the IRRD recovery plan can be helpful in developing the Solvency II recovery plan after a Solvency Capital Requirement breach. They are all, however, treated by EIOPA as separate documents. It will be interesting to see how this plays out for groups that do business in both the United States and the EU, given that the NAIC has specifically said state regulators may consider the ORSA to be sufficient as a recovery plan.

The next webinar, which will be focused on resolution planning and resolvability assessment, is scheduled for January 24 at 5:00 a.m. ET.

BMA Releases 2025 Business Plan: The Bermuda Monetary Authority (BMA) released its 2025 Business Plan on January 16. The strategic plan outlines several key insurance and financial stability initiatives, including the following (some of which already have corresponding consultations):

• Embed ComFrame and the Holistic Framework into the Bermuda regulatory regime and continue participation in the IAIS Holistic Framework Targeted Jurisdictional Assessment.
  
• Strengthen recovery and resolution planning for large, complex financial institutions in consultation with relevant national and cross-border authorities.
  
• Integrate climate and sustainability into the regulatory and supervisory regime, with a focus on climate change and protection gaps. The BMA will consult on a framework for climate risk financial disclosures and assess the need for additional climate risk assessments.
  
• Continue to strengthen the group supervision regime.
  
• Issue further guidance on the application of the prudent person regime for investment management.
  
• Enhance public disclosure requirements on investments for long-term commercial insurers.
  
• Consider enhancements to the treatment of structured products and loans.
  
• Review the Insurance Code of Conduct and Operational Cybersecurity Code of Conduct to consider integrating AI and ML-related guidelines.
  
• Propose legislative enhancements to provide for additional insurer management and governance accountability.

On January 14, the BMA published a Consultation Paper on Operational Resilience for comment until March 14. The consultation (consisting of the Operational Resilience and Outsourcing Code and supporting Guidance Notes) details expectations and standards for financial institutions to ensure critical operations are protected. The consultation also addresses the growing dependence on third-party service providers and sets forth standards to manage those dependencies and mitigate associated risks. Once final, impacted institutions will have until March 31, 2028, to comply with the Code’s requirements.   Staff Contact - Sean McKenna

AI Activity

Colorado Holds Stakeholder Session on Discrimination in Insurance Practices: On January 22, 2025, the Colorado Division of Insurance hosted a stakeholder meeting on unfair discrimination in insurance practices to discuss comments received on proposed revisions to Regulation 10-1-1 Governance and Risk Management Framework Requirements for Life Insurers’ Use of External Consumer Data and Information Sources, Algorithms, and Predictive Models. The proposed changes would expand the applicability of the regulation beyond life insurance to include private passenger auto and health insurance.

  Staff Contact - Sean McKenna

Privacy Updates

In state activity, the California Privacy Protection Agency (CPPA) held a public hearing on January 14, 2025, regarding its recent rulemaking package on cybersecurity audits, risk assessments, and automated decision-making technology. In response to the wildfires, the CPPA has expanded the formal public comment period on the rulemaking package to February 19 and will hold an additional public comment hearing in February (details on the hearing are forthcoming).

Texas Attorney General Paxton is suing an insurance carrier under the Texas Data Privacy Security Act. The suit alleges that the carrier unlawfully collected, used, and sold data about the location and movement of Texans’ cell phones through secretly embedded software in mobile apps. The suit further alleges that insurance companies then used the covertly obtained information to justify raising Texans’ insurance rates.

The New Jersey Data Privacy Law went into effect on January 15. The law applies to controllers that conduct business in New Jersey or produce products or services that are targeted to residents of New Jersey, and that during a calendar year either (1) control or process the personal data of at least 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction; or (2) control or process the personal data of at least 25,000 consumers and the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data. Protected health information governed by HIPAA, information and entities subject to the Gramm-Leach-Bliley Act (GLBA), and insurance institutions subject to N.J. Stat. 17:23A are exempt.

In other privacy news, the Consumer Financial Protection Bureau (CFPB) is requesting public comments to better understand how companies that offer or provide consumer financial products or services collect, use, share, and protect consumers’ personal financial data, with a focus on the effectiveness of existing regulations. Comments must be received by April 11, 2025. The CFPB has also proposed an interpretive rule on how the Electronic Fund Transfer Act and Regulation E apply to new and emerging digital payment mechanisms. Comments on the proposed rule are due by March 31, 2025.

  Staff Contact - Sean McKenna