A few months back, PropertyCasualty360 published the article, "3 ways to turbocharge the sale of your insurance business." Given the current hot market for independent, middle-market brokerages and agencies, our colleagues wrote that piece setting forth how best to position these assets for acquisition.
Here, we focus on the acquiring party.
If you recently purchased a brokerage or agency, you might be asking yourself, "now what?" No doubt, you enlisted the help of seasoned counsel for guidance throughout the acquisition, and your understanding of the business issues related to your new holding is likely quite sound. Still, questions could arise as to how to move forward in terms of the many compliance requirements imposed upon insurance brokerages and agencies.
Here is a helpful overview.
The insurance industry is subject to strict regulatory oversight (state, not federal) primarily focused on financial regulation and market conduct. That being said, regulatory compliance issues should be front-of-mind.
Some items for you to consider:
— Compliance Handbook: An easy way to keep your business out of trouble is to ensure that employees are aware of any and all applicable legal compliance requirements. A good way to do so is with a comprehensive compliance handbook. If your brokerage or agency does not have one, this should be the first item on your to-do list. And even if the entity you have purchased already has a compliance handbook in place, you should have it reviewed by counsel to make certain that it is complete and that you have not inherited any prior mistakes.
— Insurance Licensing Management: It is essential that you have a centralized system established to track the status of insurance licenses held by your company and employees. This will become even more important as your business grows and the number of licensees in your employ increases. Addressing licensing management early is important to avoid related problems in the future.
— Cybersecurity: By virtue of the ever-changing cybersecurity landscape, even the most tech-savvy brokerage may be behind the times. As such, your attention to cybersecurity is crucial. This is particularly true in light of new cybersecurity guidelines implemented by state insurance regulators over the past few years, which may apply to you depending upon location. If they do, the failure to comply could result in enforcement actions. And even if your brokerage or agency is not yet subject to such regulation, it remains very important to safeguard your electronic data because you could be held liable for any breach of security. Likewise, there is always the potential risk to your reputation in the wake of a cyber event.
If your acquisition results in additional employees in states where you have not previously operated, your compliance obligations will extend beyond insurance regulation to include employment-related issues. To the extent this applies to you, think about taking the following steps:
— State EEO, Wage and Hour and Other Laws: Carefully review the employment laws of each jurisdiction in which you operate to guarantee compliance, as they tend to differ from city-to-city and state-to-state. For example, anti-discrimination laws vary, as do wage and hour statutes that govern the minimum wage, commission payments and exempt status. Indeed, there are several employment-focused laws unique to particular cities and states, including salary inquiry bans (which are in vogue and prohibit employers in certain locales from asking about an applicant’s salary history) and so-called “Ban the Box” laws that make it illegal for employers to inquire about an applicant’s criminal history.
— Employee Handbook and Training: Once familiar with the applicable laws in your areas of operation, you will need to address your various employment policies. In so doing, you may wonder if you should craft individualized policies for each jurisdiction, or might it be better to create a uniform policy that provides for compliance with the broadest range of laws? While there is no perfect answer to this question, your human resources staff must weigh its likely preference for uniformity against the benefits and specificity of an individualized approach.
Training is an important topic to tackle as well. Now is the time to review all of your training materials, including those of your newly acquired business, and tailor programs consistent with applicable federal, state and local employment laws. To the extent possible, training sessions should involve new employees along with existing ones, and be designed to emphasize the importance of legal compliance wherever you do business. Managers and supervisors should be segregated from non-exempt staff, allowing them to focus on their unique and collective responsibility to enforce company policies and protect your organization against liability.
— Employment Agreements: The purchase of a new brokerage or agency should prompt some thought about employment agreements; specifically, who in your expanding organization should have one and what provisions it should include. Typically, employment contracts are entered into between an employer and key personnel – high-level decision-makers and significant revenue producers, among them. You may elect to include in your form of employment agreement a provision regarding the term of employment — be it "at will" or for a specific time period — a confidentiality clause and a restrictive covenant (that is, non-compete and non-solicitation language).
The Health Insurance Portability and Accountability Act (HIPAA) dictates how your company and its agents can use, store and share beneficiary information including their identifying information, claims, treatment, and coverage matters.
HIPAA applies to the following covered products: Major medical, HMO, Dental and vision, most long-term care, Medicare supplemental, Medicare + Choice and specified disease coverage.
Protect yourself by promptly performing training orientation to personnel and agents who joined.
Your own Employee Handbook should also be supplemented to include HIPAA Policies and Procedures. Both attorneys and technology professionals can craft these policies. Without them, you can be liable for higher fines in the event of a privacy or data breach, because ignoring HIPAA raises the fine levels. These policies should provide for:
- Periodic privacy and security risk assessment protocols and forms;
- Permissible and impermissible uses of beneficiary information;
- Appointment of a Privacy Officer and channels for reporting issues;
- Practical administrative and physical safeguards against privacy breaches;
- Investigation, mitigation and reporting of HIPAA violations that occur;
- Caller identity verification;
- User ID and password requirements;
- Workstation, laptop and storage media protections;
- Social media usage;
- Marketing practices;
- Workforce screening protocols; and
- Personnel and agent termination security procedures
While the foregoing overview is by no means exhaustive, the steps suggested should facilitate the smooth integration of your new insurance business.
Christopher D'Angelo is a partner at Michelman & Robinson, LLP. He can be contacted by sending email to firstname.lastname@example.org.
Ron Lebow is counsel in M&R's New York office, where he focuses on business, contract, corporate and regulatory issues, with a particular expertise in compliance. He can be contacted by sending email to email@example.com.
Matthew Lasky is an associate in M&R's Chicago office. He can be contacted by sending email to firstname.lastname@example.org.