NAIC Model Laws — US insurance compliance for multi-state carriers.
Insurance in the US is regulated by states, not by the federal government. Fifty different state insurance commissioners with overlapping but non-identical authority. The NAIC Model Laws are how the 50 states almost-coordinate — and "almost" is where the work lives. Multi-state carriers face the same obligation in 30 different statutes, none of them quite identical. Here's the working framework for mapping it.
This guide is for compliance leads at multi-state carriers — life, P&C, health, and reinsurance — running US programs under NAIC Model Laws. Companion to our ORSA in practice guide for European insurers; the structural parallels and divergences across the Atlantic come up throughout.
What the NAIC actually does
The National Association of Insurance Commissioners is the standard-setting and regulatory-support organization for state insurance regulators. Despite the name and the clout, it has no direct legal authority over insurers — it can't issue binding rules. What it does:
- Drafts Model Laws and Model Regulations that states then adopt (or don't, or modify, or pre-empt).
- Maintains accreditation standards that effectively require states to enact certain Models if the state wants its insurance department accredited.
- Operates the Financial Examiners Handbook, the Market Regulation Handbook, and other operational materials.
- Runs the SERFF (System for Electronic Rate and Form Filing) and other shared infrastructure.
- Coordinates multi-state market conduct exams and financial exams.
The Models are the substantive output. They are templates; states write their own statutes and regulations, often with NAIC Model text as the starting point and state-specific drafting after.
Why "Model" doesn't mean "uniform"
A NAIC Model Law gets adopted by 50 states (and DC, plus a few territories) at different speeds, in different versions, with different state-specific carve-outs. The same obligation can therefore exist:
- In its NAIC-Model form, mostly intact, in 25 states.
- With material drafting changes in 15 states (e.g., different threshold, different effective date, different exemption).
- Not adopted at all in 8 states.
- Pre-empted or partially superseded by federal law in some cases.
Multi-state carriers therefore can't write one policy that satisfies "the NAIC Model" — they have to know which state applies which version.
The Models that matter most
For most multi-state carriers, four NAIC Models drive the bulk of the compliance program:
Model Audit Rule (MAR) — Model #205
The "Annual Financial Reporting Model Regulation" (a.k.a. Model Audit Rule). Insurers above the premium threshold must obtain an annual independent financial audit, file CPA reports, designate qualified actuaries, and (for large insurers) follow a SOX-style internal-control reporting regime, including management's assertion on the effectiveness of internal control over financial reporting (ICFR).
Adopted in some form in nearly all states — but the threshold ($500M direct written and assumed premium) and certain requirements (e.g., audit committee composition) vary by state. A typical multi-state insurer maps MAR-equivalent obligations across 30+ jurisdictions.
Risk Management and Own Risk and Solvency Assessment Model Act — Model #505
The US version of Solvency II's ORSA. Insurers above premium thresholds must maintain a risk management framework and submit an annual ORSA Summary Report to the lead state regulator. Adopted by 49 states at the time of writing.
Material differences from EU Solvency II ORSA:
- Lead-state-only filing (vs. one filing per Member State in the EU).
- No prescribed risk-based capital model in the same way as Solvency II SCR; ORSA discusses risks vs. the existing US RBC regime.
- Less prescribed structure than the EIOPA Guidelines; more flexibility on report format.
Insurance Data Security Model Law (IDSML) — Model #668
The cybersecurity model law, building on the New York DFS Cybersecurity Regulation (23 NYCRR Part 500). Requires insurers to implement an information security program, designate a CISO, conduct risk assessments, manage third-party service providers, and report cybersecurity events.
Adopted by ~25 states at the time of writing, but adoption is accelerating after several major insurance-data breaches. Multi-state carriers that operate in any IDSML state often choose to apply it firm-wide — easier than maintaining state-by-state cybersecurity programs.
Model Bulletin on the Use of Artificial Intelligence Systems by Insurers — adopted 2023
The newest of the four. Not technically a Model Law (it's a Model Bulletin — softer instrument), but it's becoming functionally enforceable in many states. Establishes governance, testing, validation, and reporting expectations for insurers using AI in underwriting, claims, fraud detection, marketing, etc. Aligns broadly with NIST AI RMF principles, with insurance-specific operational expectations.
Adoption: ~20 states have issued bulletins or guidance referencing the Model Bulletin. Coverage will accelerate.
The other Models you encounter
Beyond the big four, multi-state carriers regularly map:
- Holding Company Model Act (Model #440) and Regulation (#450) — Form A / Form B / Form D / Form E / Form F filings, supervisory college coordination, ERM reporting (Model #440 §4F).
- Unfair Trade Practices Act (Model #880) — long-standing rules on advertising, claims handling, marketing.
- Suitability in Annuity Transactions Model Regulation (#275) — the model that's been amended to reflect a best-interest standard in many states.
- Privacy of Consumer Financial and Health Information Regulation (#672) — the GLBA-aligned privacy regulation, layered with state-specific privacy laws (CCPA/CPRA, etc.).
- Producer Licensing Model Act (#218) — state-specific producer licensing.
- Credit for Reinsurance Model Law (#785) and Regulation (#786) — covered agreement, certified reinsurer rules.
The multi-state mapping problem
The compliance team's actual work, day to day:
- Identify which states the carrier writes business in (often 30–50).
- For each line of business in each state, identify which Models apply.
- For each applicable Model, identify the state-specific statute / regulation that implements it.
- For each state-specific statute, identify the deltas from the NAIC Model: thresholds, exemptions, effective dates, drafting variants.
- Map each delta to internal policy / procedure / control adjustments.
- Maintain that mapping as states amend their statutes (each state's legislative cycle is different).
For a carrier in 35 states with 8 active Models, that's 280 Model × State combinations, each potentially nontrivial. Manual maintenance is a 4–6 FTE compliance program.
Where AI compresses the work
NAIC Model Laws are well-suited to AI-assisted compliance because:
- The Models themselves are publicly available, structured, and stable.
- State implementations are public regulatory text accessible via state legislatures and insurance department websites.
- Side-by-side Model vs. state-implementation comparison is exactly what semantic mapping is good at.
- The "delta" output (Model says X; this state says X' with these specific differences) is a structured artifact useful for compliance, audit, and exam prep.
Sia RegAI ingests:
- The NAIC Model Laws (current versions).
- Each state's enacted statute / regulation that implements the Model.
- State-specific bulletins, guidance, and FAQs from the insurance department.
- Federal-law overlays (Dodd-Frank, GLBA, ACA, etc.) where they pre-empt or modify state authority.
For each carrier, the platform produces:
- A Model × State matrix showing which Models apply where.
- For each Model × State cell: applicability, the delta from the Model, and a mapping to the carrier's internal policies.
- Drafted policy / procedure language that satisfies all-state requirements (or state-specific overlays where uniformity isn't possible).
- An audit trail of when each state's statute was last reviewed and what changed.
Multi-state exam coordination
NAIC coordinates multi-state market-conduct and financial exams. A carrier exposed to multi-state action (e.g., a market-conduct issue affecting policyholders in multiple states) may face a coordinated exam led by one or more states, with other states either piggybacking or running parallel exams.
The coordinated-exam process tests how well the carrier can produce evidence across jurisdictions consistently. Inconsistent state-level documentation is the most common cause of MCM exam findings. AI-assisted documentation that maintains the same control narrative across all-state implementations dramatically reduces exam friction.
How this compares to Solvency II
For carriers operating in both the US and EU, the obvious question: how do these regimes overlap?
- Capital regime: NAIC RBC vs. Solvency II SCR. Different mechanics, similar intent.
- ORSA: NAIC ORSA Model Act vs. Solvency II Article 45 ORSA. Functionally similar; different filing structure (lead-state in US vs. per-Member-State in EU).
- Group supervision: NAIC Holding Company Model vs. Solvency II Group Solvency. Different supervisory architectures.
- Disclosures: NAIC RBC reports + state-specific filings vs. SFCR / QRTs. Different formats; significant data overlap.
- IFRS 17: US carriers don't run IFRS 17 (US GAAP applies), but many global insurers running both face the dual-reporting challenge covered in our Solvency II + IFRS 17 guide.
Common pitfalls
- Treating NAIC Model = state law. The Model is a template. The state statute is what binds. Cite the statute, not the Model.
- Stale state-by-state documentation. States amend at different cycles. A control narrative that was right for State X two years ago may not be right today.
- Lead-state vs. domiciliary-state confusion. ORSA filing goes to the lead state, which may differ from the domiciliary state, which may differ from the largest-premium state.
- Underestimating the AI Model Bulletin. "Model Bulletin" sounds optional. In states that have adopted bulletin-level guidance referencing it, examiners are using the Bulletin's expectations as the working standard.
- Single-shot exam prep. The Models, the state implementations, and the regulator priorities all evolve. Exam prep needs to live on a system that updates with the source.
Closing
The US insurance regulatory landscape is structurally fragmented in a way that European insurers don't have to think about. The NAIC Models give carriers a unifying spine; the state implementations give carriers the actual obligations. Multi-state compliance is the work of mapping the two faithfully, every year, across every state and Model.
It's well-suited to AI assistance because the source material is public, structured, and amenable to semantic comparison. Carriers that adopt that tooling spend their compliance budget on judgment — exam responses, board reporting, market-conduct strategy — instead of paper-pushing across 35 states.
