Business Analysis - A Handout to the Company

Transcription

1 THE COMMONWEALTH OF MASSACHUSETTS OFFICE OF CONSUMER AFFAIRS AND BUSINESS REGULATION DIVISION OF INSURANCE Report on the Comprehensive Market Conduct Examination of The Savings Bank Life Insurance Company of Massachusetts Woburn, Massachusetts For the Period January 1, 2008 through December 31, 2008 NAIC COMPANY CODE: EMPLOYER ID NUMBER:

2 TABLE OF CONTENTS PAGE SALUTATION 3 SCOPE OF EXAMINATION 4 EXAMINATION APPROACH 4 EXECUTIVE SUMMARY 5 COMPANY BACKGROUND 11 COMPANY OPERATIONS/MANAGEMENT 12 COMPLAINT HANDLING 24 MARKETING AND SALES 28 PRODUCER LICENSING 39 POLICYHOLDER SERVICE 44 UNDERWRITING AND RATING 53 CLAIMS 62 SUMMARY 71 ACKNOWLEDGMENT 72 2

3 COMMONWEALTH OF MASSACHUSETTS Office of Consumer Affairs and Business Regulation DIVISION OF INSURANCE 1000 Washington Street, Suite 810 Boston, MA (617) DEVAL L. PATRICK GOVERNOR TIMOTHY P. MURRAY LIEUTENANT GOVERNOR GREGORY BIALECKI SECRETARY OF HOUSING AND ECONOMIC DEVELOPMENT BARBARA ANTHONY UNDERSECRETARY OF CONSUMER AFFAIRS AND BUSINESS REGULATION JOSEPH G. MURPHY COMMISSIONER OF INSURANCE June 25, 2010 Honorable Joseph G. Murphy Commissioner of Insurance Commonwealth of Massachusetts Division of Insurance 1000 Washington Street, Suite 810 Boston, Massachusetts Dear Commissioner Murphy: Pursuant to your instructions and in accordance with Massachusetts General Laws, Chapter 175, Section 4, a comprehensive examination has been made of the market conduct affairs of at their home offices located at: One Linscott Road Woburn, MA The following report thereon is respectfully submitted. 3

4 SCOPE OF EXAMINATION The Massachusetts Division of Insurance (the Division ) conducted a comprehensive market conduct examination of The Savings Bank Life Insurance Company of Massachusetts ( SBLI or the Company ) for the period January 1, 2008 to December 31, The examination was called pursuant to authority in Massachusetts General Laws Chapter ( M.G.L. c. ) 175, Section 4. The market conduct examination was conducted at the direction of, and under the overall management and control of, the market conduct examination staff of the Division. Representatives from the firm of Rudmose & Noller Advisors, LLC ( RNA ) were engaged to complete certain agreed upon procedures. EXAMINATION APPROACH A tailored audit approach was developed to perform the examination of the Company using the guidance and standards of the 2008 NAIC Market Regulation Handbook, ( the Handbook ) the market conduct examination standards of the Division, the Commonwealth of Massachusetts insurance laws, regulations and bulletins, and selected federal laws and regulations. All procedures were performed under the management, control and general supervision of the market conduct examination staff of the Division, including procedures more efficiently addressed by the concurrent Division financial examination. For those objectives, market conduct examination staff discussed, reviewed and used procedures performed by the Division s financial examination staff to the extent deemed necessary, appropriate and effective, to ensure that the objective was adequately addressed. The following describes the procedures performed and the findings for the workplan steps thereon. The basic business areas that were reviewed under this examination were: I. Company Operations/Management II. Complaint Handling III. Marketing and Sales IV. Producer Licensing V. Policyholder Service VI. Underwriting and Rating VII. Claims In addition to the processes and procedures guidance in the Handbook, the examination included an assessment of the Company s internal control environment. While the Handbook approach detects individual incidents of deficiencies through transaction testing, the internal control assessment provides an understanding of the key controls that Company management uses to run their business and to meet key business objectives, including complying with applicable laws and regulations related to market conduct activities. The controls assessment process is comprised of three significant steps: (a) identifying controls; (b) determining if the control has been reasonably designed to accomplish its intended purpose in mitigating risk (i.e., a qualitative assessment of the controls); and (c) verifying that the control is functioning as intended (i.e., the actual testing of the controls). For areas in which controls reliance was established, sample sizes for transaction testing were accordingly adjusted. The form of this report is Report by Test, as described in Chapter 15, Section A of the Handbook. 4

5 EXECUTIVE SUMMARY This summary of the comprehensive market conduct examination of the Company is intended to provide a high-level overview of the examination results. The body of the report provides details of the scope of the examination, tests conducted, findings and observations, recommendations and, if applicable, subsequent Company actions. Managerial or supervisory personnel from each functional area of the Company should review report results relating to their specific area. The Division considers a substantive issue as one in which corrective action on part of the Company is deemed advisable, or one in which a finding, or violation of Massachusetts insurance laws, regulations or bulletins was found to have occurred. It also is recommended that Company management evaluate any substantive issues or findings for applicability to potential occurrence in other jurisdictions. When applicable, corrective action should be taken for all jurisdictions, and a report of any such corrective action(s) taken shall be provided to the Division. The following is a summary of all substantive issues found, along with related recommendations and required actions and, if applicable, subsequent Company actions made, as part of the comprehensive market conduct examination of the Company. All Massachusetts laws, regulations and bulletins cited in this report may be viewed on the Division s website at The comprehensive market conduct examination resulted in no recommendations with regard to complaint handling or underwriting and rating. Examination results showed that the Company is in compliance with all tested Company policies, procedures and statutory requirements addressed in these sections. Further, the tested Company practices appear to meet industry best practices in these areas. SECTION I -COMPANY OPERATIONS/MANAGEMENT STANDARD I-1 Observations: The internal audit plan and reports reviewed by RNA provided detailed information on the plans, procedures performed, findings, actions taken and recommendations. Recommendations: The Company should assign the responsibility for non-financial compliance to the board of directors or a committee thereof. The Company should also consider requiring the internal audit department to complete periodic audits regarding replacement compliance, agent termination, and general agent oversight. Subsequent Actions: The board of directors has assigned the responsibility to oversee the Company s non-financial compliance efforts to the Audit Committee. Further, a new Vice- President Senior Compliance Officer will report to the Audit Committee on non-financial compliance matters. Duties of this position include supervising the Company s compliance and internal audit functions. The Company plans to conduct the recommended internal audits. 5

6 STANDARD I-6 Observations: The Company should enhance oversight monitoring of the growing number of independent brokerages and producers, to ensure that the requirements contained in their contracts are met. Required Action: The Company shall enhance oversight monitoring of its independent brokerages and producers by ensuring that they meet their contract requirements. The monitoring shall include desk audit and other sufficient audit procedures, to confirm that controls are properly functioning in compliance with contractual requirements. Subsequent Action: The Company states that it plans to implement this required action. SECTION III-MARKETING AND SALES STANDARD III-1 Observations: Based upon testing, the Company s process for approving advertising and sales materials prior to use is functioning in accordance with its policies, procedures and statutory requirements. RNA noted inconsistent documentation of required changes to advertising and sales materials prior to their use. RNA further noted that the Company s web-based sales guide does not reference certain compliance requirements such as those related to replacements and suitability. The Company s website disclosure complies with Division Bulletin Finally, the results of new business testing showed no evidence of the Company s or its agents use of unapproved advertising and sales materials. Recommendations: The Company should implement a procedure to document that all required changes are made to advertising and sales materials prior to their use. The Company s internal audit department should independently monitor the effectiveness of these new procedures. Further, the Company should amend the web-based sales guide to address compliance matters including, but not limited to, replacement and suitability requirements, to ensure that compliance guidelines are assigned equal value to sales training. Subsequent Actions: The Company states that it plans to implement these recommendations and that the internal audit function will monitor the effectiveness of these new procedures.. STANDARD III-4 Observations: The replacement questions on all life insurance and fixed annuity replacement applications tested were properly answered. The replacement disclosure forms were properly signed by the applicants on the application dates in accordance with statutory requirements. The sales files for 21 life insurance replacements documented that the replacement sales were in the applicants best interests; however, the sales files for 18 external and three internal life insurance 6

7 replacements did not include such documentation. While the Surrender & Exchange Form is to document that internal life insurance replacements are in the applicants best interests, there is no form to similarly document such conclusions for external replacements. Required Actions: The Company shall re-emphasize to all producers that life insurance and fixed annuity replacement sales must be in the applicants best interests. Producers must support such conclusions by completing the Company-required form. Subsequent Actions: The Company plans to require that its producers use the NAIC model replacement disclosure form to document that all replacement sales are in the applicants best interests. STANDARD III-5 Observations: Based upon testing, all replacement sales were properly included on the Company s replacement register. Notices to replaced carriers were timely provided, although for portions of two sales shown as replacements, it was unclear whether the applicants were replacing two other carriers coverage or simply adding coverage. The Company reduced commissions on internal replacements in compliance with Company policy. RNA noted that the underwriting or new business departments did not consistently review and challenge as necessary the Surrender & Exchange Forms submitted with the life insurance replacement applications. Finally, RNA noted that the Company has not yet developed adequate procedures to monitor replacement activity by producer. Required Actions: The Company s underwriting or new business department shall thoroughly review and challenge each submitted Company-required replacement form to ensure that the life insurance replacement is in the applicant s best interest, and to ensure that statutory requirements including notice to replaced carriers are met. In addition, the Company shall develop procedures for monitoring replacement activity by producer, and completing appropriate and timely investigations when unusual activity is noted. The Company shall implement such procedures as soon as practicable. Finally, the Company s internal audit department shall independently monitor all replacement required actions noted, to ensure that the Company s new policies and procedures are timely and effective. The results of the audit reported shall be reported to the Division by December 31, Subsequent Actions: The Company states that it plans to implement these required actions. SECTION IV-PRODUCER LICENSING STANDARD IV-1 Observations: RNA tested 95 life insurance and 14 fixed annuity sales during the examination period. For those sales which were sold by agents appointed in 2008, the appointment dates on the Division s and the Company s databases that matched within a few days. Further, all the producers who sold policies during the examination period were properly licensed, and all but two producers were included on the Division s database of the Company s appointed agents at the time the contracts were issued. Both producers were subsequently appointed as agents. As a 7

8 result of the examination, the Company is in the process of comparing the Division s and the Company s agent appointment records. The Company also plans to contract with a third party to frequently and electronically compare and reconcile the Division s and Company s agent records. Required Actions: The Company shall review its appointment procedures to ensure that the process for originating and maintaining agent appointments is effective, and provides reasonable assurance that all agent appointments are completely and timely processed. Further, the Company shall contract as soon as is practicable with the third party that will perform the frequent agent database comparisons. Finally, the Company s internal audit department shall independently monitor the appointment transmission procedures, and the contracted agent database comparison process, to ensure that they are timely and effective. Subsequent Actions: The Company states that it plans to implement these required actions. STANDARD IV-3 Findings: RNA noted that each of the nine agent terminations tested was not timely reported to the agents in violation of M.G.L. c. 175, 162T. As a result of this examination, in August 2009 the Company began providing timely written notice to agents whose termination occurred in Observations: It appears that each of the nine agent terminations tested was timely reported to the Division. However, testing further noted that the Division s termination records did not always match the NAIC, National Insurance Producer Registry ( NIPR ) and Company records. As a result of this examination, the Company is in the process of implementing a monthly procedure to compare the most recent month s terminations as reflected in the Company s and Division s databases, and to correct any inconsistencies between the two databases. The Company also plans to contract with a third party to frequently and electronically compare and reconcile the Division s and Company s agent appointment records. Required Actions: The internal audit department shall conduct an audit of the new agent termination process to ensure that timely notice is given to Massachusetts terminated agents. The results of the audit shall be reported to the Division by December 31, Further, the Company shall work with the Division to ensure that the Division s agent appointment and termination records are accurate and complete. Finally, as soon as is practicable, the Company shall contract with the third party that will complete the frequent agent database comparisons. Subsequent Actions: The Company states that it plans to implement these required actions and will work with the Division to ensure that the Division s agent appointment and termination records are accurate and complete. SECTION V-POLICYHOLDER SERVICE STANDARD V-6 Observations: The Company appears to have processes for locating missing policyholders, contract holders and beneficiaries, and appears to make reasonable efforts to locate such individuals in most instances. The Company appears to report unclaimed items and escheat them as required by statute, when the Company is made aware of such escheatable items. The 8

9 Company has not developed a procedure for locating unreported deceased policyholders by periodically checking its in-force databases against the Social Security Death Index. Recommendations: RNA recommends that the Company periodically compare its in-force policy listing with the Social Security Death Index, to ensure that the Company is aware of deceased policyholders and annuitants even if the beneficiaries have not reported deaths to the Company. Further, the comparison procedure should also include checking all contracts that are pending lapse, and those approaching maturity, against the Social Security Death Index. The Company s internal audit department should independently monitor these new procedures to ensure that they are timely performed and effectively implemented. Subsequent Actions: The Company states that it plans to implement these recommendations. SECTION VII-CLAIMS STANDARD VII-2 Observations: Although the Company believes that it regularly conducts multi-policy searches as required by Division Bulletin , RNA s review of 55 claim files determined that the Company did not consistently document its performance of these in-force multi-policy searches. However, testing of the 55 claim files noted no evidence of other in-force policies which were excluded from the claims adjudication process. Testing otherwise showed that the Company s processes for investigating claims are functioning in accordance with its policies, procedures and statutory requirements. Required Actions: The Company shall ensure that its claim files contain documentation of the claim representative s performance of in-force multi-policy searches at the time a death claim is reported. The Company shall perform an internal audit of its in-force multi-policy search procedures, to ensure that it performs and documents such searches on all life and annuity death claims. The Company shall report the findings of this internal audit to the Division by December 31, Subsequent Actions: The Company states that it has implemented new procedures to document the performance of in-force multi-policy searches when a death is reported. The Company states that it plans to conduct the required internal audit. STANDARD VII-3 Findings: A disbursement processing error resulted in the Company settling one of 108 claim transactions tested 412 days after it received all the necessary information, in violation of M.G.L. c. 176D, 3(9)(f). The Company states that it has implemented new automated claim processing procedures and supervisory reviews to ensure timely settlement of pending claims. Observations: Based upon the results of testing, it appears that the Company s processes for investigating claims are generally functioning in accordance with its policies, procedures and statutory requirements. However, more rigorous follow-up with beneficiaries or of pending tasks would have resolved eight of the tested claims more timely. For example, a claim representative did not check the social security death index for the beneficiary as required by Company procedure, causing the claim to remain open approximately 17 months until it was determined 9

10 that the beneficiary had died. The claim representative on another claim erroneously deleted a follow-up task in the automated claim work flow system, causing an approximate 14 month delay in the claim investigation. The Company states many of the delays noted by RNA were attributable to a lack of timely follow-up during a claim systems conversion. The Company further states it has implemented new automated claim processing procedures and supervisory reviews, to monitor pending claims for follow-up with beneficiaries and other pending tasks, to ensure timely resolution of claims. Required Actions: The Company shall ensure that its follow-up with beneficiaries and on pending tasks are timely on all claims. The Company shall perform an internal audit of the timeliness of its claim resolutions and settlements, and shall report the findings of such monitoring to the Division by December 31, Subsequent Actions: The Company states that it has implemented new automated claim processing procedures and supervisory reviews to ensure timely settlement of pending claims. In addition, the Company is in the process of merging all identical clients under one client number and attaching all policies to the single client number. Finally, the Company states that it plans to conduct the required internal audit. 10

11 COMPANY BACKGROUND The Company primarily offers traditional individual term life insurance, and to a lesser extent, whole life and fixed annuity products. The Company s predecessor entities began in 1907 as mutual savings banks that were permitted by Massachusetts law to establish life insurance departments to provide low cost life insurance to bank customers. In 1990, Massachusetts law was amended via Chapter 178A to abolish these savings bank life insurance departments and convert them into the Company. Today, the stock company is owned by various banks, while a Policyholder Protection Board ( PPB ) appointed by the Governor has the statutory authority to review the financial operations of the company on a continuing basis and make such recommendation to the company as they deem appropriate to insure the ability of the company to offer safe, low cost insurance. The Company s Board of Directors consists of 15 members, with only the CEO being a member of management, and the PPB includes seven members appointed by the Governor. One person is common to both boards. Annually in June, a letter is filed with the Division summarizing the PPB s actions over the past year. The Company uses a home office sales strategy where sales are made directly by licensed and appointed employee agents. In addition, the Company uses direct mail, internet marketing, radio and television, print media, and telemarketing efforts to generate sales leads. In addition the Company uses a brokerage distribution channel in which the Company has selling agreements with depository institutions, independent general agents, experienced producers and third party marketing organizations, such as internet aggregators. Historically, much of the Company s business was sold in Massachusetts; however the Company in recent years has expanded its geographical footprint to 37 other states and the District of Columbia. The privately held stock company is rated A+ (Superior) by A.M. Best. The Company has $2.1 billion in assets and $158.2 million in surplus as of December 31, For 2008, premiums and annuity considerations were $187.8 million and the net loss was $28.6 million, primarily due to investment impairments as a result of the worldwide financial turmoil in late The key objectives of this examination were determined by the Division with emphasis on the following areas. 11

12 I. COMPANY OPERATIONS/MANAGEMENT Evaluation of the Standards in this business area is based on (a) an assessment of the Company s internal control environment, policies and procedures, (b) the Company s response to various information requests, and (c) a review of several types of files at the Company. Standard I-1. The regulated entity has an up-to-date, valid internal, or external, audit program. Objective: This Standard addresses the audit function and its responsibilities. Controls Assessment: The following controls were noted in review of this Standard: The Company s statutory financial statements are audited annually by an independent auditor. The Company s internal audit plan is annually approved by the audit committee of the board of directors ( Audit Committee ). Key business risks and mitigating controls are identified, and a two-year rolling audit plan has been developed with high risk areas audited annually. Information technology and underwriting audits have been outsourced to third parties. Internal audit reports are provided to the Audit Committee, including recommendations and management s responses. The Audit Committee is updated quarterly on the status of in-process audits. The internal audit department verifies that audit recommendations have been implemented by management. The Company has a Chief Compliance Officer who is responsible for compliance processes, controls and monitoring. In addition, the Company engaged a third party to complete a 2008 assessment of compliance processes and controls, and has implemented several recommendations as a result of the assessment. The statutorily created PPB annually reviews the Company s operations to ensure that the Company adheres to its mission to offer low cost life insurance to consumers. The PPB annually reports to the Division on its activities. Transaction Testing Procedure: RNA reviewed internal audit plans, internal audit reports and discussed reported findings with management. Issues noted in such reports were further investigated and reviewed. Observations: The internal audit plan and reports reviewed by RNA provided detailed information on the plans, procedures performed, findings, actions taken and recommendations. Recommendations: The Company should assign the responsibility for non-financial compliance to the board of directors or a committee thereof. The Company should also consider requiring the internal audit department to complete periodic audits regarding replacement compliance, agent termination, and general agent oversight. Subsequent Actions: The board of directors has assigned the responsibility of overseeing the Company s non-financial compliance efforts to the Audit Committee. Further, a new Vice-President Senior Compliance Officer will report to the Audit Committee on non-financial compliance matters. Duties of this position include supervising the compliance and internal audit functions. The Company plans to 12

13 conduct the recommended internal audits. Standard I-2. The regulated entity has appropriate controls, safeguards and procedures for protecting the integrity of computer information. No work performed. All required activity for this Standard is included in the scope of the recently completed statutory financial examination of the Company. Standard I-3. The regulated entity has antifraud initiatives in place that are reasonably calculated to detect, prosecute, and prevent fraudulent insurance acts. 18 U.S.C. 1033; Division of Insurance Bulletins and Objective: This Standard addresses the effectiveness of the Company s antifraud plan. Pursuant to 18 U.S.C of the Violent Crime Control and Law Enforcement Act of 1994 ( Act ), it is a criminal offense for anyone engaged in the business of insurance to willfully permit a prohibited person to conduct insurance activity without written consent of the primary insurance regulator. A prohibited person is an individual who has been convicted of any felony involving dishonesty or breach of trust or certain other offenses, and who willfully engages in the business of insurance as defined in the Act. In accordance with Division Bulletins and , any entity conducting insurance activity in Massachusetts must notify the Division in writing of all employees and producers affected by this law. Individuals prohibited under the law may apply to the Commissioner for written consent, and must not engage or participate in the business of insurance unless and until they are granted such consent. Controls Assessment: The following key observations were noted in conjunction with the review of this Standard: The Company has a written anti-fraud plan, which requires that the Company take all reasonable precautions to prevent, detect and thoroughly investigate potential insurance fraud. The anti-fraud plan defines the duties of employees, agents and independent contractors to report suspected fraud to the Compliance Officer in the Company s Special Investigation Unit. The policy states that adverse action will not be taken against those who report such suspected fraud. The anti-fraud plan details specific investigation procedures to be undertaken by the Special Investigation Unit. The Company completes criminal, financial and post-secondary education background checks for prospective employees. The Company s policy is to not hire a prohibited person as defined above. Transaction Testing Procedure: RNA reviewed Company policies and procedures to address anti-fraud initiatives and employee hiring due diligence. 13

14 Observations: RNA confirmed that the Company has a written anti-fraud plan which requires that the Company take all reasonable precautions to prevent, detect and thoroughly investigate potential insurance fraud. RNA also confirmed that the Company completes criminal and financial background checks for new employees. Based upon our review of the Company s policies and procedures, it appears that the Company has anti-fraud initiatives in place that are reasonably calculated to detect, prosecute, and prevent fraudulent insurance acts. Standard I-4. The regulated entity has a valid disaster recovery plan. No work performed. All required activity for this Standard is included in the scope of the recently completed statutory financial examination of the Company. Standard I-5. Contracts between the regulated entity and entities assuming a business function or acting on behalf of the regulated entity, such as, but not limited to, MGAs, GAs, TPAs and management agreements must comply with applicable licensing requirements, statutes, rules and regulations. Objective: This Standard addresses the Company s contracts with entities assuming a business function and compliance with licensing and regulatory requirements. Controls Assessment: The following controls were noted in review of this Standard and Standard I-6: The Company uses third parties to conduct medical examinations of applicants. These contracts designate responsibilities and duties, restrictions, general confidentiality and privacy requirements for all medical information and lab specimens. The Company uses independent agents and general agents to sell the Company s products. The independent and general agent contracts describe the duties of the parties, licensing and appointment requirements, limitations of authority, compensation, terminations and reappointments, compliance with the Company s replacement requirements and errors and omissions coverage requirements. The Company uses third parties to perform information technology and underwriting audits. Transaction Testing Procedure: RNA interviewed management about its use of third parties to perform Company functions, and reviewed a sample of agent contracts and documents explaining the process for conducting medical examinations. RNA also reviewed audits performed by third parties. Observations: Based upon testing, it appears that the Company s contracts with entities assuming a business function on their behalf comply with statutory and regulatory requirements. 14

15 Standard I-6. The regulated entity is adequately monitoring the activities of any entity that contractually assumes a business function or is acting on behalf of the regulated entity. Objective: This Standard addresses the Company s efforts to adequately monitor the activities of the contracted entities that perform business functions on its behalf. Controls Assessment: See Standard I-5. Transaction Testing Procedure: RNA interviewed management about its monitoring of third parties who perform Company functions. Observations: The Company should enhance oversight monitoring of the growing number of independent brokerages and producers, to ensure that the requirements contained in their contracts are met. Required Action: The Company shall enhance oversight monitoring of its independent brokerages and producers by ensuring that they meet their contract requirements. The monitoring shall include desk audit and other sufficient audit procedures, to confirm that controls are properly functioning in compliance with contractual requirements. Subsequent Action: The Company states that it plans to implement this required action. Standard I-7. Records are adequate, accessible, consistent and orderly and comply with record retention requirements. Objective: This Standard addresses the adequacy and accessibility of the Company s records. Controls Assessment: The Company has adopted written record retention requirements, including the length of time specific documents must be retained. Transaction Testing Procedure: RNA inquired about the Company s record retention policies and evaluated them for reasonableness. 15

16 Observations: The Company s record retention policies appear reasonable. Testing results relating to documentation evidence are also noted in the various examination standards. Standard I-8. The regulated entity is licensed for the lines of business that are being written. M.G.L. c. 175, 32 and 47. Objective: This Standard is concerned with whether the lines of business written by a Company are in accordance with the authorized lines of business. Pursuant to M.G.L. c. 175, 32, domestic insurers must obtain a certificate authorizing it to issue policies or contracts. M.G.L. c. 175, 47 sets forth the various lines of business for which an insurer may be licensed. Controls Assessment: Due to the nature of this Standard, no controls assessment was performed. Controls Reliance: Not applicable. Transaction Testing Procedure: RNA reviewed the Company s certificate of authority, and compared it to the lines of business which the Company writes in the Commonwealth. Observations: The Company is licensed for the lines of business being written. Standard I-9. The regulated entity cooperates on a timely basis with examiners performing the examinations. M.G.L. c. 175, 4. Objective: This Standard is concerned with the Company s cooperation during the course of the examination conducted in accordance with M.G.L. c. 175, 4. Controls Assessment: Due to the nature of this Standard, no controls assessment was performed. Controls Reliance: Not applicable. Transaction Testing Procedure: The Company s level of cooperation and responsiveness to examiner requests was assessed throughout the examination. 16

17 Observations: The Company s level of cooperation and responsiveness to examiner requests was very good. Standard I-10. The regulated entity has procedures for the collection, use and disclosure of information gathered in connection with insurance transactions to minimize any improper intrusion into the privacy of applicants and policyholders. M.G.L. c. 175I, 1-22; Gramm-Leach-Bliley Act, 502, 503, 504 and 505; 16 CFR Part 313. Objective: This Standard is concerned with the Company s policies and procedures to ensure it minimizes improper intrusion into the privacy of consumers of life insurance. M.G.L. c. 175I, 1-22 and the Gramm-Leach-Bliley Act, 502, 503, 504 and 505 and 16 CFR Part 313, set forth requirements for proper notice to consumers and restrictions on a financial institution s ability to disclose nonpublic personal information about consumers to nonaffiliated third parties. Further, a financial institution must provide its customers with a written notice of its privacy policies and practices. In addition, a financial institution is prohibited from disclosing nonpublic personal consumer information to nonaffiliated third parties, unless the institution satisfies various disclosure and opt-out requirements, and the consumer has not elected to opt out of such disclosure. Controls Assessment: The following controls were noted in conjunction with the review of this Standard and Standards I-11 through I-17: The Company s definitions of adverse underwriting decision, personal information and pretext interview appear to comply with Massachusetts law. Company policy prohibits pretext interviews except as allowed by law. The Company s policy is to provide the abbreviated notice of privacy practices at the application date as part of the policy application. The notice states that personal information may be collected from other persons; that information may in certain circumstances be disclosed to third parties without authorization; that a right of access and correction exists; and that the Comprehensive Notice of Information Practices ( CNIP ) shall be furnished upon request. The CNIP is provided with the insurance policy or annuity contract, and each year with the annual statement. For reinstatements where new underwriting procedures are completed, the CNIP is provided at the application date. The CNIP states that the personal information collected or maintained, and the source of such information, are available to the individual to whom it refers within 30 days of receipt of a written request for such information by such individual. The CNIP also discloses how a consumer can correct, amend or delete such information. The Company shares personal information with business partners who perform a function on behalf of the Company. The Company does not share nonpublic personal financial information with anyone for marketing purposes, and thus no opt out right is necessary for such information sharing. Company policy is to provide the Notice of Adverse Underwriting Decision, including all statutory requirements, as required by law. Company policy does not base an adverse underwriting decision on the existence of a previous adverse underwriting decision, and the Company s policy prohibits seeking information concerning any previous adverse underwriting decision experienced by an individual, unless the inquiry also requests the reasons for the previous adverse underwriting decision. The Company has summarized certain privacy policies on their website. Company policy is to disclose nonpublic personal information only as required or permitted by law to regulators and law enforcement agencies. 17

18 Company policy requires that its information technology security practices safeguard nonpublic personal financial and health information. The Company annually conducts information systems risk assessments to consider, document and review information security threats and controls, and to continually improve information systems security. Only individuals approved by Company management are granted access to the Company s key electronic and operational areas where nonpublic personal, financial and health information is located. Access is frequently and strictly monitored. Transaction Testing Procedure: RNA interviewed Company personnel with responsibility for privacy compliance, and reviewed documentation supporting its privacy policies and procedures. RNA also reviewed life claims documentation for any evidence of the use of pretext interviews. RNA tested compliance with requirements to provide the Notice of Adverse Underwriting Decision in Standard VI-7. Observations: The Company s privacy practices appear to minimize any improper intrusion into applicants and policyholders privacy, and are disclosed to policyholders in accordance with the Company s policies and procedures. Further, based upon the results of life claims testing, RNA noted no evidence of the use of pretext interviews. Standard I-11. The regulated entity has developed and implemented written policies, standards and procedures for the management of insurance information. M.G.L. c. 175I, 1-22; Gramm-Leach-Bliley Act, 502, 503, 504 and 505; 16 CFR Part 313. The objective of this Standard relates to privacy matters and is included in Standards I-10 and I-12 through I-17. Standard I-12. The regulated entity has policies and procedures to protect the privacy of nonpublic personal information relating to its customers, former customers and consumers that are not customers. M.G.L. c. 175I, 1-22; Gramm-Leach-Bliley Act, 502, 503, 504 and 505; 16 CFR Part 313. Objective: This Standard addresses policies and procedures to ensure privacy of nonpublic personal information. M.G.L. c. 175I, 1-22 and the Gramm-Leach-Bliley Act, 502, 503, 504 and 505 and 16 CFR Part 313, set forth requirements for proper notice to consumers, and restrictions on a financial institution s ability to disclose nonpublic personal information about consumers to nonaffiliated third parties. Further, a financial institution must provide its customers with a written notice of its privacy policies and practices. In addition, a financial institution is prohibited from disclosing nonpublic personal consumer information to nonaffiliated third parties, unless the institution satisfies various disclosure and opt out 18

19 requirements, and the consumer has not elected to opt out of such disclosure. Controls Assessment: See Standard I-10. Controls Reliance: See Standard I-10. Transaction Testing Procedure: RNA interviewed Company personnel with responsibility for privacy compliance, and reviewed documentation supporting its privacy policies and procedures. As part of life underwriting and claims testing, RNA sought any evidence that the Company improperly provided personal information to parties other than the applicant. Observations: It appears from RNA s review that the Company s policies and procedures adequately protect consumers nonpublic personal information. RNA noted no instances where the Company improperly provided personal information to parties other than the applicant. Standard I-13. The regulated entity provides privacy notices to its customers and, if applicable, to its consumers who are not customers regarding treatment of nonpublic personal financial information. M.G.L. c. 175I, 1-22; Gramm-Leach-Bliley Act, 502, 503, 504 and 505; 16 CFR Part 313. Objective: This Standard addresses requirements to provide privacy notices. M.G.L. c. 175I, 1-22 and the Gramm-Leach-Bliley Act, 502, 503, 504 and 505 and 16 CFR Part 313, set forth requirements for proper notice to consumers and restrictions on a financial institution s ability to disclose nonpublic personal information about consumers to nonaffiliated third parties. Further, a financial institution must provide its customers with a written notice of its privacy policies and practices. In addition, a financial institution is prohibited from disclosing nonpublic personal consumer information to nonaffiliated third parties, unless the institution satisfies various disclosure and opt-out requirements and the consumer has not elected to opt out of such disclosure. Controls Assessment: See Standard I-10. Controls Reliance: See Standard I-10. Transaction Testing Procedure: RNA reviewed the Company s policies and procedures for providing privacy notices to all applicants, and annually thereafter to policyholders. Further, RNA evaluated compliance with these privacy disclosure requirements in conjunction with testing of 95 life insurance applications and 14 fixed annuity applications submitted during the examination period. Observations: The abbreviated notice of privacy practices was provided with each of the applications tested. RNA also noted that the Company has procedures for providing the CNIP 19

20 with the policy or contract issued, and annually thereafter to policyholders and contract holders. Standard I-14. If the regulated entity discloses information subject to an opt out right, the company has policies and procedures in place so that nonpublic personal financial information will not be disclosed when a consumer who is not a customer has opted out, and the company provides opt out notices to its customers and other affected consumers. M.G.L. c. 175I, 1-22; Gramm-Leach-Bliley Act, 502, 503, 504 and 505; 16 CFR Part 313. Objective: This Standard addresses policies and procedures with regard to opt out rights. M.G.L. c. 175I, 1-22 and the Gramm-Leach-Bliley Act, 502, 503, 504 and 505 and 16 CFR Part 313, set forth requirements for proper notice to consumers, and restrictions on a financial institution s ability to disclose nonpublic personal information about consumers to nonaffiliated third parties. Further, a financial institution must provide its customers with a written notice of its privacy policies and practices. In addition, a financial institution is prohibited from disclosing nonpublic personal consumer information to nonaffiliated third parties, unless the institution satisfies various disclosure and opt-out requirements and the consumer has not elected to opt out of such disclosure. Controls Assessment: See Standard I-10. Controls Reliance: See Standard I-10. Transaction Testing Procedure: RNA interviewed Company personnel with responsibility for privacy compliance, and reviewed documentation supporting its privacy policies and procedures. Observations: The Company does not share nonpublic personal financial information with anyone for marketing purposes. Thus, the Company is not required to offer an opt-out for such information sharing. Standard I-15. The regulated entity s collection, use and disclosure of nonpublic personal financial information are in compliance with applicable statutes, rules and regulations. M.G.L. c. 175I, 1-22; Gramm-Leach-Bliley Act, 502, 503, 504 and 505; 16 CFR Part 313. Objective: This Standard is concerned with the Company s collection and use of nonpublic personal financial information. M.G.L. c. 175I, 1-22 and the Gramm-Leach-Bliley Act, 502, 503, 504 and 505 and 16 CFR Part 313, set forth requirements for proper notice to consumers, and restrictions on a financial institution s ability to disclose nonpublic personal information about consumers to nonaffiliated third parties. Further, a financial institution must provide its customers with a written notice of its privacy policies and practices. In addition, a financial institution is prohibited from disclosing nonpublic personal consumer 20

21 information to nonaffiliated third parties, unless the institution satisfies various disclosure and opt out requirements, and the consumer has not elected to opt-out of such disclosure. Controls Assessment: See Standard I-10. Controls Reliance: See Standard I-10. Transaction Testing Procedure: RNA interviewed Company personnel with responsibility for privacy compliance, and reviewed documentation supporting its privacy policies and procedures. RNA also sought evidence that the Company improperly collected, used or disclosed nonpublic personal financial information in conjunction with testing of underwriting and claims. Observations: It appears from RNA s review that the Company s policies and procedures provide reasonable assurance that the Company properly collects, uses and discloses nonpublic personal financial information. Standard I-16. In states promulgating the health information provisions of the NAIC model regulation, or providing equivalent protection through other substantially similar laws under the jurisdiction of the insurance department, the regulated entity has policies and procedures in place so that nonpublic personal health information will not be disclosed except as permitted by law, unless a customer or a consumer who is not a customer has authorized the disclosure. M.G.L. c. 175I, 1-22; Health Insurance Portability & Accountability Act of 1996 ( HIPAA ) Public Law ; 45 CFR Parts 160 and 164. Objective: This Standard addresses efforts to maintain privacy of nonpublic personal health information. M.G.L. c. 175I, 1-22 and the HIPAA Public Law and 45 CFR Parts 160 and 164 set forth proper procedures for inquiry, release, disclosure and maintenance of non-public personal health information. Controls Assessment: See Standard I-10. Controls Reliance: See Standard I-10. Transaction Testing Procedure: RNA interviewed Company personnel with responsibility for privacy compliance, and reviewed supporting documentation. RNA also sought evidence that the Company improperly disclosed nonpublic personal health information in conjunction with testing of life underwriting and claims. Finally, RNA reviewed compliance with HIPAA authorization disclosure requirements in conjunction with testing of 95 life insurance applications submitted during the examination period. Observations: Based upon testing, RNA noted that the HIPAA authorization disclosure was 21

22 signed by life insurance applicants when necessary, in compliance with company policy. RNA noted no instances where the Company improperly disclosed nonpublic personal health information in conjunction with testing of life underwriting and claims. Standard I-17. Each licensee shall implement a comprehensive written information security program for the protection of nonpublic customer information. M.G.L. c. 175I, 1-22; Gramm-Leach-Bliley Act, 502, 503, 504 and 505; 16 CFR Part 313. Objective: This Standard is concerned with the Company s information security efforts to ensure that nonpublic consumer information is protected. M.G.L. c. 175I, 1-22 and the Gramm-Leach-Bliley Act, 502, 503, 504 and 505 and 16 CFR Part 313 set forth requirements for proper notice to consumers, and restrictions on a financial institution s ability to disclose nonpublic personal information about consumers to nonaffiliated third parties. Further, a financial institution must provide its customers with a written notice of its privacy policies and practices. In addition, a financial institution is prohibited from disclosing nonpublic personal consumer information to nonaffiliated third parties, unless the institution satisfies various disclosure and opt-out requirements and the consumer has not elected to opt out of such disclosure. Controls Assessment: See Standard I-10. Controls Reliance: See Standard I-10. Transaction Testing Procedure: RNA interviewed Company personnel with responsibility for privacy compliance, and reviewed documentation supporting its privacy policies and procedures. Review of information technology access and authorization controls is also included in the scope of the recently completed statutory financial examination of the Company. Observations: Based upon RNA s review of the Company s information security policies and procedures, it appears that the Company has implemented an information security program which provides reasonable assurance that its information systems protect nonpublic customer information. Standard I-18. The regulated entity files all certifications with the insurance department as required by statutes, rules, and regulations. 211 CMR Objective: This Standard addresses the Company s efforts to file certifications with the Division as required. 211 CMR requires that the illustration actuary annually file certifications with the Division for life 22