Consulting Agreement for Insurance

Last updated: May 2026

Quick Answer

If a consultant solicits, negotiates, or sells coverage for compensation, they're a producer subject to state insurance licensing, full stop. If they adjust claims, they're an adjuster subject to state licensing in roughly 35 states. State licensing acts (mirrored on the NAIC Producer Licensing Model Act and Independent Adjuster Licensing Model Act) carry per-occurrence fines and cease-and-desist authority. Insurance-specific data security regimes apply on top of that: the NAIC Insurance Data Security Model Law (now adopted in 25+ states including NY DFS 23 NYCRR Part 500, the original from 2017 and the November 2023 amendments effective in 2024-2025 with the CISO designation, 72-hour notice, and 24-hour ransomware payment requirements); plus GLBA (15 USC 6801) and the FTC Safeguards Rule (16 CFR Part 314, as amended through 2024 with the 30-day FTC notification of incidents affecting 500+ consumers). The NAIC Model Bulletin on Use of AI by Insurers (December 2023, adopted in 22+ states as of mid-2026) creates governance expectations for AI/ML in underwriting and claims. Typical 2025–2026 fees: actuarial consultant FCAS/MAAA $400–$900/hour or $80k–$500k per opinion; claims TPA / consultant $150–$350/hour; reinsurance consultant $300–$700/hour; insurance regulatory compliance $250–$500/hour; AI/ML model governance consultant $300–$650/hour. Every clause below should be in the agreement before the consultant gets a single claim file or rate filing exhibit.

The unique risks of insurance consulting

Four things define insurance consulting risk. First, regulated activity classification. A consultant who tells a customer "this policy covers your situation" or who negotiates settlement of a claim is performing licensed activity. State producer licensing acts (modeled on NAIC PLMA) require a resident or nonresident license plus carrier appointment to solicit, negotiate, or sell. Independent adjuster licensing acts (modeled on NAIC IALMA, in effect in ~35 states) cover claims adjustment. Public adjuster licensing acts add another layer for first-party representation. Penalties include criminal misdemeanor exposure in some states and cease-and-desist authority everywhere.

Second, data security. NY DFS 23 NYCRR Part 500 — the original 2017 cybersecurity regulation and the November 2023 amendments effective in phases through November 2024 — imposes the strictest insurance-specific cyber regime: written cybersecurity program, CISO designation, independent penetration testing, annual risk assessment, third-party service provider security policy, 72-hour incident notice to DFS, 24-hour ransomware payment notice with statement explaining why payment was necessary. NAIC Insurance Data Security Model Law (#668) is now in 25+ states with similar substance. GLBA and the FTC Safeguards Rule add the federal floor (annual report to Board of Directors, MFA, encryption at rest and in transit, written incident response plan, 30-day FTC notification for incidents affecting 500+ consumers).

Third, AI and algorithmic underwriting. The NAIC Model Bulletin on Use of Artificial Intelligence Systems by Insurers (December 2023, adopted by 22+ states as of mid-2026) requires insurers to maintain an AI Systems program with governance, risk management, testing for bias and disparate impact, and third-party AI system oversight. Colorado's SB 21-169 algorithmic anti-discrimination rule, effective November 14, 2023, specifically prohibits insurers from using algorithms or external consumer data that unfairly discriminate. New York DFS Insurance Circular Letter No. 1 (2019) on accelerated underwriting and external data sources remains in force. A consultant who builds or tunes an underwriting model is touching all of this.

Fourth, MGA/MGU delegated authority. Managing General Agents and Managing General Underwriters under state MGA Acts (NAIC Model #225) act as the insurer's underwriting agent under delegated authority. A consultant who advises an MGA on rate development, binding authority, or claims handling is one step removed from the carrier's compliance footprint, so the contract has to allocate responsibility carefully.

Industry-specific clauses to include

  • Licensing Status & No Unlicensed Activity: Either (a) consultant warrants current resident/nonresident producer license and carrier appointment in [states], or independent adjuster license in [states], or (b) consultant is NOT performing licensed activity (no solicitation, negotiation, sale, or claims adjustment), with explicit named-activity carve-outs.
  • State Insurance Data Security Compliance: Where the engagement involves the insurer's nonpublic information, consultant maintains a written information security program meeting NY DFS 23 NYCRR Part 500 (if NY-licensed) or applicable state's NAIC #668 implementation, with CISO designation, MFA, encryption, third-party risk assessment, and breach notice within 24 hours to insurer to support 72-hour DFS notice and 24-hour ransomware payment notice.
  • GLBA / FTC Safeguards Rule: Consultant complies with 16 CFR Part 314 including the May 2024 amendments requiring 30-day FTC notification of incidents affecting 500+ consumers; maintains qualified-individual designation; annual written report.
  • HIPAA BAA (if PHI in scope): Where the consultant accesses PHI (health insurance, workers' comp, disability, accident & health), a HIPAA Business Associate Agreement under 45 CFR 164.504(e) is signed alongside this agreement, with a 60-day breach notice obligation.
  • AI Systems Governance (NAIC Model Bulletin 2023): Where consultant develops, tunes, or advises on AI/ML for underwriting, claims, fraud detection, or marketing, consultant supports insurer's AI Systems program with documentation of model lineage, training data sources, bias testing, ongoing monitoring, and third-party AI oversight; complies with applicable state requirements (Colorado SB 21-169, NY DFS Insurance Circular Letter No. 1 (2019)).
  • NAIC Market Conduct Cooperation: Consultant cooperates with NAIC market conduct exams (under state Market Conduct Annual Statement and MARS frameworks), preserves records for 5 years (per state Examination Act and applicable record retention statutes like NY 11 NYCRR 243), and provides timely access to working papers and communications.
  • MGA/MGU Authority Limits: If consultant advises a delegated underwriting authority entity, contract identifies any limits on binding authority, claims-settlement authority, and reinsurance procurement (per state MGA Act mirrored on NAIC #225).
  • Anti-Rebating / Anti-Inducement: Consultant complies with state anti-rebating statutes (e.g., NY Ins Law 4224 for life/health, 2324 for P&C); no offering of inducement outside the policy terms; particularly relevant if consultant is involved in producer compensation design.
  • Producer Compensation Disclosure: Where consultant designs or restructures producer compensation, contract supports insurer's disclosure obligations under state insurance producer compensation disclosure laws (varies by state; NY Ins Law 2114, 2115, 2116 require detailed disclosure).
  • Insurance Schedule: Professional Liability / E&O $5M+ (higher for actuarial work — $10M+ minimum for FCAS-signed opinions); Cyber Liability $5M+ for any NPI handling; General Liability $1M/$2M.
  • OFAC Sanctions Screening: Consultant screens all parties to advised transactions against OFAC SDN list including the 50% Rule; immediate stop-work if a sanctioned party appears.
  • Records Retention: Working papers preserved 7 years (or longer per state statute); deliverables and supporting analysis available for regulatory examination through full statutory window.

Common mistakes in insurance consulting agreements

  • Letting an unlicensed "consultant" handle claims negotiation. A consultant who tells a claimant "we'll settle for $25,000" is acting as an adjuster in the 35 states with independent adjuster licensing acts. Insurer-side, this triggers Unfair Claims Settlement Practices Act exposure for the carrier.
  • Skipping NY DFS Part 500 cyber requirements for a vendor with NPI access. 23 NYCRR 500.11 requires written third-party service provider security policy, due diligence, contractual reps, and periodic assessment. Without that, the insurer is in violation.
  • Letting an actuarial consultant sign a Statement of Actuarial Opinion without scope clarity. SAO signers face personal liability under state insurance code and ASB Actuarial Standards of Practice. The contract should specify whether the consultant signs as Appointed Actuary, the standard of care, and indemnity for SAO-related claims.
  • Forgetting anti-rebating statutes when advising on producer compensation. Creative compensation that crosses into anti-rebating territory exposes both the insurer and the producer. State anti-rebating statutes (e.g., NY 2324, FL 626.572, TX 4005.053) are interpreted broadly.
  • No AI governance language for an underwriting model consultant. NAIC Model Bulletin (2023), Colorado SB 21-169, and NY DFS Circular Letter No. 1 (2019) all require insurer governance over AI/ML in underwriting and claims. A model-building consultant has to be inside that governance framework, not outside it.
  • Generic "vendor management" boilerplate. Insurance-specific vendor management standards (NAIC #668 Section 6; NY DFS Part 500 Section 500.11; OCC Bulletin 2023-17 if also a banking affiliate) require specific elements that generic vendor language misses.
  • No HIPAA BAA when the consultant touches health insurance PHI. Health insurers, workers' comp insurers, disability insurers, and accident & health insurers are typically covered entities or business associates under HIPAA. The BAA must be in place before PHI moves.

Regulatory landscape

Insurance is state-regulated under the McCarran-Ferguson Act (15 USC 1011-1015). Each state has its own insurance code, but NAIC models drive most substantive law convergence. Producer licensing: NAIC Producer Licensing Model Act (#218), adopted in substance by all states. Independent adjuster licensing: NAIC Independent Adjuster Licensing Model Act (#3013), adopted in ~35 states. Public adjuster licensing: NAIC Public Adjuster Licensing Model Act (#228). MGA Act: NAIC Managing General Agents Model Act (#225). Reinsurance: NAIC Credit for Reinsurance Model Law (#785) and Model Regulation (#786) updated for covered agreements with the EU (2017) and UK (2018) eliminating reinsurance collateral for qualified jurisdictions.

Data security and privacy: NAIC Insurance Data Security Model Law (#668, 2017) now in 25+ states; New York DFS Cybersecurity Regulation 23 NYCRR Part 500 (original 2017, amended November 2023 with phased compliance through November 2024 — 72-hour notice, 24-hour ransomware payment notice, CISO designation, MFA, encryption, vendor management); GLBA Title V (15 USC 6801) with the NAIC Privacy of Consumer Financial and Health Information Regulation Model #672; FTC Safeguards Rule (16 CFR Part 314, amended 2021 and 2024) for non-bank financial institutions including some insurance-adjacent entities; HIPAA (45 CFR Parts 160, 162, 164) for health insurance; state insurance privacy laws including NAIC Insurance Information and Privacy Protection Act Model #670.

Market conduct & consumer protection: NAIC Market Regulation Handbook; state Unfair Trade Practices Acts (modeled on NAIC #880) and Unfair Claim Settlement Practices Acts; NAIC Suitability in Annuity Transactions Model Regulation #275 (best interest standard since 2020, in effect in 45+ states); DOL fiduciary rule reverberations for life and annuity sales; state best-interest standards for life and annuities. NAIC Property and Casualty Model Regulations; state Auto Insurance Reform Acts (Michigan, Florida no-fault overhauls); state Workers' Comp Acts.

AI/ML in insurance: NAIC Model Bulletin on Use of Artificial Intelligence Systems by Insurers (December 2023, adopted by 22+ states as of mid-2026); Colorado SB 21-169 algorithmic anti-discrimination rule (effective November 14, 2023, with implementing regulations promulgated 2024); NY DFS Insurance Circular Letter No. 1 (2019) on accelerated underwriting; pending state legislation in California (AB 2930), Illinois, Texas. EU Solvency II directive and IFRS 17 for international reinsurance work. EU AI Act high-risk system designations for credit-scoring and certain insurance pricing.

Solvency & financial reporting: NAIC Accounting Practices and Procedures Manual (Statutory Accounting Principles); NAIC Risk-Based Capital framework; ORSA (NAIC Own Risk and Solvency Assessment Model Act #505); CAT modeling; appointed actuary requirements (NAIC #745, P&C #786, Life and Health #822); RBC Forecast Model.

Sample fee structure

US insurance consulting fee benchmarks for 2025–2026:

  • Actuarial consultant (FCAS, MAAA, FSA): $400–$900/hour; Statement of Actuarial Opinion $80,000–$500,000 per opinion; full pricing study $100,000–$600,000.
  • Claims TPA / consultant: $150–$350/hour; or per-claim fee $50–$500 depending on complexity; full claims operations diagnostic $80,000–$350,000.
  • Reinsurance consultant / treaty broker advisory: $300–$700/hour for advisory; brokerage commissions on treaty placement typically 2.5–10% of premium ceded.
  • Insurance regulatory compliance / state filings: $250–$500/hour; full SERFF rate filing support $25,000–$120,000 per state per product.
  • AI/ML model governance consultant: $300–$650/hour; full AI Systems program build per NAIC Model Bulletin $80,000–$300,000.
  • Cybersecurity / NY DFS Part 500 advisory: $200–$500/hour; full 23 NYCRR 500 readiness $80,000–$300,000.
  • MGA / MGU set-up & operations consulting: $250–$500/hour; full MGA build $250,000–$1.5M.
  • Actuarial transformation (IFRS 17, LDTI implementation): $400–$900/hour; full implementation $500,000–$15M depending on insurer size.
  • Bermuda / Cayman captive consulting: $300–$700/hour; new captive formation $75,000–$250,000.
  • Insurance M&A advisory: Retainer + 1–3% success fee at close (subject to state broker-dealer analysis where transaction involves securities).

Statement of Actuarial Opinion engagements require special attention to the Appointed Actuary's signature obligation under state insurance code and ASOPs. The contract should be explicit about whether the consultant signs the SAO (and the indemnity that goes with it) or only provides analytical support to an in-house signing actuary.

How to draft this in Word with LexDraft

Open the LexDraft add-in inside Word and start from the consulting agreement template, then insert state-specific licensing representations, the NY DFS Part 500 / NAIC #668 cybersecurity compliance clauses, NAIC AI Model Bulletin governance language, HIPAA BAA (where PHI is in scope), and anti-rebating compliance from the clause library. For early-stage MGA, reinsurance, or capital-raise discussions, the NDA template covers pre-engagement confidentiality. The broader templates library covers structuring across line-of-business and multi-state engagements.

Frequently asked questions

A consultant who solicits, negotiates, or sells coverage for compensation needs a resident or nonresident producer license plus carrier appointment under the state's adoption of the NAIC Producer Licensing Model Act (#218). A consultant who adjusts claims (investigation, negotiation of settlement, determination of liability) needs an independent adjuster license in the ~35 states with adjuster licensing acts (NAIC Model #3013). Pure advisory work — analyzing claims data, building actuarial models, drafting policy language for review by carrier counsel — typically does not require a license, but the contract should expressly state the no-license scope.

Under Section 500.11, the insurer must have a written third-party service provider security policy and conduct due diligence on any consultant who accesses the insurer's nonpublic information. The November 2023 amendments tightened expectations: MFA, encryption at rest and in transit, written incident response plan, annual penetration testing, CISO oversight, and immediate cooperation with the 72-hour DFS notification clock and 24-hour ransomware payment notice. The consulting agreement should require all of those, plus a 24-hour internal notification to the insurer so the insurer can meet the 72-hour DFS clock.

Yes, if appointed as Appointed Actuary under the state's adoption of NAIC P&C Annual Statement Instructions (Model #745) or Life/Health Annual Statement Instructions, and if qualified under American Academy of Actuaries Qualification Standards and applicable Actuarial Standards of Practice. The Appointed Actuary carries personal exposure under state insurance code. The consulting agreement should specifically address SAO scope, standard of care (typically governed by ASB ASOPs), and indemnity for SAO-related claims by the insurer or regulators.

The NAIC Model Bulletin on Use of AI by Insurers (December 2023) — adopted by 22+ states as of mid-2026 — requires insurers to maintain an AI Systems program with governance, risk management, testing for bias and disparate impact, and third-party AI oversight. The consulting agreement should require the consultant to provide model lineage documentation, training data source attestation, bias and fair-lending testing results, ongoing monitoring support, and cooperation with the insurer's AI committee. Colorado SB 21-169 adds specific algorithmic anti-discrimination requirements for Colorado-licensed insurers.

For health insurance, group health plans, workers' compensation insurers, disability insurers, and accident-and-health insurers, yes — the consultant typically becomes a business associate under 45 CFR 160.103 when they access PHI. A signed BAA per 45 CFR 164.504(e) must be in place before PHI is shared. For pure P&C consulting without PHI access, a BAA is generally not needed but the contract should still restrict access to PHI and require any incidental PHI exposure to be returned or destroyed.

Disclaimer: This guide is for informational purposes only and does not constitute legal advice. Laws change frequently and may vary by jurisdiction. Consult a licensed attorney for advice specific to your situation.
