NAIC Model Laws — one model, fifty different adoptions.
The NAIC drafts model laws and regulations; states adopt, modify, or ignore them. For a multi-state carrier, the Model Audit Rule looks one way in New York, another in California, another in Texas. Compliance is the act of running 30+ versions of the same obligation simultaneously.
The model laws that matter
- Annual Financial Reporting Model Regulation (#205) — the Model Audit Rule. Statutory financial-reporting requirements, internal control over financial reporting (ICFR-equivalent), audit-committee requirements.
- Risk Management and Own Risk and Solvency Assessment Model Act (#505) — US ORSA. Annual filing for insurers above a premium threshold; covers risk-management framework, risk assessment, group capital.
- Insurance Data Security Model Law (#668) — IDSML. Information-security programme requirements, third-party oversight, incident-reporting timelines.
- Privacy of Consumer Financial and Health Information Model Regulation (#672) — privacy notice, opt-out rights.
- NAIC Model Bulletin on the Use of Artificial Intelligence Systems by Insurers — adopted late 2023; programme requirements, governance, third-party AI risk.
- Unfair Trade Practices Act (#880) — discriminatory practices, including algorithmic discrimination.
Why state-by-state matters
NAIC adoption tracking is a moving target. Some states adopt the model verbatim. Some adopt it with material modifications. Some don't adopt it at all. The IDSML, for example, has been adopted in 25+ states with materially different definitions of "personal information", "cybersecurity event", and "notification timelines".
For a carrier writing in 30 states, the operative compliance question is not "does the model law apply"; it is "which version of the model law applies in each state, and what are the deltas".
The AI Model Bulletin, in practice
States are adopting the Bulletin's expectations through their existing market-conduct authority. Programme expectations include:
- Written AI Systems Programme — board-approved governance, roles, accountability.
- Model risk management — testing, monitoring, model documentation.
- Third-party AI oversight — vendor due diligence, contract language, ongoing monitoring.
- Consumer outcome testing — disparate-impact analysis where applicable.
Where Sia RegAI fits
Sia RegAI ingests the NAIC model law, every state adoption, every state regulation that implements it, and your filing-state list. The obligation tree is normalised across all adopting states, with the deltas surfaced as a structured diff. A 30-state matrix that used to take 12 weeks of consulting time compresses into a few days of review.