6.4 Fraud, Claims Practices, and Privacy
Key Takeaways
- Hard fraud is a manufactured or staged loss (arson for profit, staged collision); soft fraud is the exaggeration or padding of an otherwise legitimate loss — both are crimes under state insurance fraud prevention acts
- Fair-claims regulations commonly require acknowledgement within 10–15 days and a written accept-or-deny decision within 30–40 days of receiving a complete proof of loss
- Gramm-Leach-Bliley requires an initial privacy notice and an opt-out before sharing nonpublic personal information with unaffiliated third parties for marketing; the FAST Act (2015) eliminated the annual notice in defined no-change, no-sharing cases
- The Fair Credit Reporting Act requires a written adverse-action notice whenever a credit-based insurance score or CLUE report leads to a denial, cancellation, non-renewal, or surcharge
- GINA and state UTPAs bar insurers from using genetic information in underwriting; CLUE (LexisNexis) is the standard loss-history report
Insurance Fraud
The Coalition Against Insurance Fraud estimates US insurance fraud at roughly $308 billion per year. The exam draws a clean line between two types:
| Type | Description | Examples |
|---|---|---|
| Hard fraud | The loss is manufactured or staged | Arson for profit, staged collision, fabricated theft |
| Soft fraud | A genuine loss is exaggerated or padded | Inflating contents after a fire, claiming a pre-existing dent, premium fraud (misstating mileage/garaging) |
State Insurance Fraud Prevention Acts
Most states adopted the NAIC Insurance Fraud Prevention Model Act (MDL-680). Common features:
- Mandatory reporting of suspected fraud to the state fraud bureau (often within 60 days of detection).
- Civil immunity for good-faith reports.
- A fraud warning required on every application and claim form ("Any person who knowingly files a false claim... is guilty of a crime").
- A Special Investigations Unit (SIU) required for insurers above a stated size; some states (e.g., CA, NY) require an annual anti-fraud plan.
- Penalties: restitution, fines, imprisonment, and license revocation.
A producer cannot quietly settle suspected fraud with a claimant — failure to report is itself a violation.
Fair Claim Settlement Practices
State regulations (modeled on California CCR §2695 or the NAIC Unfair Claims Settlement Practices Act, UCSPA) set claim-handling deadlines. The numbers vary by state, but the typical pattern is:
| Step | Typical limit |
|---|---|
| Acknowledge the claim | 10–15 days |
| Begin investigation | 15 days from notice |
| Provide proof-of-loss forms | 15 days from request |
| Accept or deny in writing | 30–40 days after a complete proof |
| Pay an accepted claim | 30 days after acceptance |
| Send extension notices | Every 30 days, in writing, with the reason |
A single late payment is rarely a violation by itself; the conduct becomes an unfair claims practice when it occurs with such frequency as to indicate a general business practice.
Bad Faith
Most states recognize a tort of bad faith when an insurer fails to investigate reasonably, denies a clearly covered claim without a basis, forces the insured to sue, or fails to settle a third-party claim within policy limits when settlement was possible. Damages can exceed policy limits and may include emotional distress, attorney fees, and punitive damages.
Gramm-Leach-Bliley Act (1999)
GLBA is the core federal privacy law for nonpublic personal information (NPI); the NAIC implements it through Model #672. Requirements:
- An initial privacy notice at the start of the customer relationship.
- An opt-out right before the insurer shares NPI with unaffiliated third parties for marketing.
- No opt-out is needed to share with affiliates, service providers, or to process the transaction.
- A Safeguards Rule requiring a written information-security program.
- The annual privacy notice: historically required, but the FAST Act of 2015 added an exception — an institution that has not changed its sharing policy and does not share NPI in a way that triggers opt-out is no longer required to send the annual notice.
HIPAA
HIPAA mainly governs health insurance, with a narrow personal-lines effect: a bodily-injury liability claim may surface Protected Health Information (PHI). The insurer must obtain a HIPAA-compliant authorization before requesting medical records and must then safeguard that PHI. HIPAA does not bar non-medical auto-application questions such as DUI history.
Fair Credit Reporting Act (FCRA)
FCRA governs consumer reports, including credit-based insurance scores and loss-history reports. When an insurer takes adverse action — denial, cancellation, non-renewal, surcharge, or a less-favorable tier — based on a consumer report, it must send an adverse-action notice that identifies the consumer reporting agency, tells the consumer how to obtain a free copy, and discloses the right to dispute. States may restrict use of credit further (e.g., CA prohibits credit scoring for personal auto). The standard loss-history report is CLUE (Comprehensive Loss Underwriting Exchange), maintained by LexisNexis.
GINA (2008)
The Genetic Information Nondiscrimination Act limits the use of genetic information in health-insurance underwriting. Its direct personal-lines effect is narrow, but the NAIC Genetic Information Model and state UTPAs prohibit personal-lines insurers from asking about genetic test results, charging more based on genetic information, or using it in underwriting or claims. Violations are unfair trade practices.
Producer Duties When Fraud Is Suspected
Producers are often the first to see warning signs ("red flags") of fraud: a claim filed shortly after coverage begins, a loss with no police report, an insured unusually eager to settle for cash, or inconsistent dates. The producer's duty is to report the suspicion through the insurer's anti-fraud channel and, where the statute requires, to the state fraud bureau — not to investigate independently, accuse the insured, or quietly deny the claim. The good-faith immunity in MDL-680 protects a producer who reports honestly; the failure-to-report penalty falls on one who looks the other way.
CLUE and the Underwriting File
Because loss-history data drives personal-lines underwriting, the exam expects familiarity with the reports involved:
| Report | Purpose |
|---|---|
| CLUE (LexisNexis) | Property and auto loss history, typically 5–7 years |
| MVR (motor vehicle record) | Driving violations and license status from the DMV |
| Credit-based insurance score | Statistical predictor of future loss frequency, where allowed |
Every one of these is a consumer report under the FCRA, so the adverse-action notice obligation attaches whenever any of them produces a denial, surcharge, non-renewal, or less-favorable tier.
Putting the Privacy Laws Together
Students confuse the four privacy regimes, so match each to its trigger:
- GLBA — financial privacy of NPI; initial notice and opt-out before sharing with unaffiliated third parties for marketing.
- HIPAA — protected health information; authorization needed before pulling medical records on a bodily-injury claim.
- FCRA — consumer reports; adverse-action notice after a credit/CLUE/MVR-based adverse decision.
- GINA — genetic information; cannot be requested or used in underwriting.
Worked Scenario: Multiple Laws at Once
An insurer non-renews a homeowners policy after a CLUE report shows three water losses, then sells the policyholder's contact data to an affiliated lender. Two separate rules apply: the FCRA adverse-action notice is required for the non-renewal based on the CLUE report, while the GLBA analysis turns on whether the lender is an affiliate (no opt-out needed) or an unaffiliated third party for marketing (opt-out required). A single fact pattern can test two statutes, so read carefully for the words "affiliate" and "consumer report."
Under a typical state Fair Claims Settlement Practices regulation, after receiving a complete proof of loss from a homeowners insured, the insurer must accept or deny the claim in writing within approximately:
An insurer obtains a CLUE report on a homeowners applicant and, based on three prior water-damage losses, issues the policy with a 25% surcharge. Under the FCRA, the insurer must: