Audited Financial Statements

2/19/20 N.Y. St. Reg. DFS-07-20-00015-P
NEW YORK STATE REGISTER
VOLUME XLII, ISSUE 7
February 19, 2020
RULE MAKING ACTIVITIES
DEPARTMENT OF FINANCIAL SERVICES
PROPOSED RULE MAKING
NO HEARING(S) SCHEDULED
 
I.D. No. DFS-07-20-00015-P
Audited Financial Statements
PURSUANT TO THE PROVISIONS OF THE State Administrative Procedure Act, NOTICE is hereby given of the following proposed rule:
Proposed Action:
Amendment of Part 89 (Regulation 118) of Title 11 NYCRR.
Statutory authority:
Financial Services Law, sections 202, 302; Insurance Law, sections 301, 307(b), 1109 and 1202(b)
Subject:
Audited Financial Statements.
Purpose:
To require insurers meeting a certain premium threshold to establish and maintain an internal audit function.
Text of proposed rule:
Section 89.1(c) and (t) is amended and a new subdivision (x) is added as follows:
(c) Audit committee means a committee (or equivalent body) established by the board of directors of a company for the purpose of overseeing the accounting and financial reporting processes of a company or group of companies, the internal audit function of a company or group of companies, if applicable, and [auditing] external audits of financial statements of the company or group of affected companies, provided that:
(1) for a holding company that controls a group of companies, the audit committee of the holding company may be deemed to be the audit committee for one or more of those controlled companies solely for the purposes of this Part, even if all members of the holding company audit committee are not residents of this State;
(2) for a United States branch of an alien company, the audit committee may be comprised of the audit committee of the person that controls the United States branch; and
(3) for a company that does not otherwise designate an audit committee, the company's entire board of directors shall constitute the audit committee.
*****
(t) SOX compliant company means [a company] an entity that either is required to be compliant with, or voluntarily is compliant with, all of the following provisions of the Sarbanes-Oxley Act of 2002:
(1) the pre-approval requirements of section 201 of SOX (section 10A(i) of the Securities Exchange Act of 1934, 15 U.S.C. section 78j-1(i));
(2) the audit committee independence requirements of section 301 of SOX (section 10A(m)(3) of the Securities Exchange Act of 1934, 15 U.S.C. section 78j-1(m)(3)); and
(3) the internal control over financial reporting requirements of section 404 (item 308 of SEC Regulation S-K).
*****
(x) Internal audit function means the role of applying a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes so as to add value, improve a company’s operations, and accomplish its objectives.
Section 89.12(a) is amended as follows:
(a)(1) The audit committee shall be directly responsible for the appointment, compensation and oversight of the work of any CPA (including resolution of disagreements between management and the CPA regarding financial reporting) for the purpose of preparing or issuing the audited financial report or related work pursuant to this Part. Every CPA shall report directly to the audit committee.
(2) The audit committee shall be responsible for overseeing the company’s internal audit function and granting the person or persons performing the function suitable authority and resources to fulfill their responsibilities if required by section 89.16 of this Part.
Section 89.12(i) is amended as follows:
(i) This section shall not apply to:
(1) a domestic life insurer [that is subject to Insurance Law, section 1202(b)(2)] if its holding company or parent corporation is a foreign or domestic insurer, a mutual insurance holding company established pursuant to the laws of the United States, or a publicly held corporation incorporated in the United States, having a board of directors and committees thereof that meet the same requirements as have been established for a domestic stock life insurer pursuant to Insurance Law section 1202(b)(1) and (2);
(2) a foreign insurer or an alien insurer not entered into this State through a United States branch; or
(3) a company that is a SOX compliant company or a directly or indirectly wholly-owned subsidiary of a SOX compliant company.
Section 89.16 is renumbered as section 89.17 and a new section 89.16 is added as follows:
§ 89.16 Internal audit function requirements.
(a) A company shall establish an internal audit function, which shall be provided by performing general and specific audits, reviews, and tests and by employing other techniques deemed necessary to protect assets, evaluate control effectiveness and efficiency, and evaluate compliance with policies and regulations.
(b) In order to ensure that internal auditors remain objective, the internal audit function shall be organizationally independent. The internal auditors shall not defer ultimate judgment on audit matters to other persons, and shall appoint an individual to head the internal audit function who shall have direct and unrestricted access to the board of directors. Organizational independence shall not preclude dual-reporting relationships.
(c) The head of the internal audit function shall report to the audit committee regularly, but no less than annually, on the periodic internal audit plan, factors that may adversely impact the internal audit function’s independence or effectiveness, material findings from completed internal audits, and the appropriateness of corrective actions implemented by management as a result of internal audit findings.
(d) If a company is a member of a group of companies, then the company may satisfy the internal audit function requirements set forth in this section at the ultimate group level, an intermediate group level, or the individual legal entity level; provided, however, that the company may only satisfy the internal audit function requirements at the ultimate group level or intermediate group level if the internal audit function addresses risk management, control, and governance processes of the company.
(e) A company shall be exempt from the requirements of this section if:
(1) the company has annual direct written and unaffiliated assumed premium, including international direct and assumed premium but excluding premiums reinsured with the Federal Crop Insurance Corporation and Federal Flood Program, of less than $500 million; and
(2) the company is a member of a group of companies and the group has annual direct written and unaffiliated assumed premium, including international direct and assumed premium, but excluding premiums reinsured with the Federal Crop Insurance Corporation and Federal Flood Program, of less than $1 billion.
(f) If a company that is exempt from the requirements of this section no longer qualifies for that exemption, then the company shall have one year after the year the threshold is exceeded to comply with the requirements of this section.
Text of proposed rule and any required statements and analyses may be obtained from:
Joana Lucashuk, Department of Financial Services, One State Street, New York, NY 10004, (212) 480-2125, email: [email protected]
Data, views or arguments may be submitted to:
Same as above.
Public comment will be received until:
60 days after publication of this notice.
Regulatory Impact Statement
1. Statutory authority: Financial Services Law Sections 202 and 302 and Insurance Law Sections 301, 307(b), and 1202(b).
Financial Services Law Section 202 establishes the office of the Superintendent of Financial Services (“Superintendent”).
Financial Services Law Section 302 and Insurance Law Section 301, in material part, authorize the Superintendent to effectuate any power accorded to the Superintendent by the Financial Services Law, Insurance Law, or any other law, and to prescribe regulations interpreting the Insurance Law.
Insurance Law Section 307(b) requires an authorized insurer to file an annual financial statement with an opinion thereon by an independent certified public accountant.
Insurance Law Section 1109 authorizes the Superintendent to promulgate regulations in effectuating the purposes and provisions of the Insurance Law and Public Health Law Article 44.
Insurance Law Section 1202(b) sets forth requirements for independent directors of domestic life insurers and exempts these insurers from Section 1202(b) if the holding company or parent corporation is a domestic insurer, a mutual insurance holding company established pursuant to the laws of the U.S., or a publicly held corporation incorporated in the United States, having a board of directors and committees thereof that meet the same requirements established for a domestic stock life insurer pursuant to Insurance Law Section 1202(b)(1) and (2). In that case, the directors of the holding company or parent corporation will be subject to the Insurance Law in the same manner as the directors of a domestic stock life insurer.
2. Legislative objectives: Insurance Law Section 307(b) requires an authorized insurer to file an annual financial statement with an opinion thereon by an independent certified public accountant. The former Insurance Department originally promulgated 11 NYCRR 89 (Insurance Regulation 118) in 1984 to implement Insurance Law Section 307(b). In 2011, the Department of Financial Services (“Department”) repealed and replaced the regulation. The new Regulation 118 implemented Insurance Law Section 307(b) and the Sarbanes-Oxley Act of 2002, codified at 15 U.S.C. Section 7201 et seq. (“SOX”). SOX imposes a comprehensive regime of audits and internal management controls and reports designed to ensure greater transparency and accountability. Insurance Regulation 118 is closely patterned upon a National Association of Insurance Commissioners (“NAIC”) model regulation (“model regulation”).
This rule accords with the public policy objectives that the Legislature sought to advance in Insurance Law Section 307(b) by requiring authorized insurers, fraternal benefit societies, and managed care organizations (collectively, “companies”) that meet a certain premium threshold to establish and maintain internal audit functions.
3. Needs and benefits: In 2014, the NAIC amended the model regulation to require companies that meet a certain premium threshold to establish and maintain an internal audit function. The NAIC noted that an internal audit function generally is considered a key component of an effective internal control framework, and that international standards recognize the importance of an internal audit function within Insurance Core Principles (“ICP”) 8 – Risk Management and Internal Controls.
This internal audit function requirement became an NAIC accreditation standard starting January 1, 2020. NAIC accreditation is a certification that a state receives once it demonstrates that it has met and continues to meet certain legal, financial, and organizational standards. The purpose of the NAIC accreditation program is to ensure effective insurer financial solvency regulation across the United States.
This rule requires companies that meet a certain premium threshold to establish and maintain internal audit functions. It also fixes an error in the definition of “SOX compliant company.”
4. Costs: Certain companies required by this amendment to adopt an internal audit function may incur costs to comply with this amendment. The costs are difficult to estimate and will vary from company to company because of several factors, such as a company’s organizational structure, its size, and whether it already has an internal audit function in place. However, all publicly-held companies already must maintain an internal audit function due to stock exchange listing requirements. In addition, it is a standard industry best practice for large companies to maintain internal audit functions of their own volition. Many companies that are part of holding company systems already have internal audit functions at either the company or holding company level. Thus, compliance costs should be minimal for many companies.
The Department will not incur costs for the implementation and continuation of this amendment.
This rule does not impose compliance costs on local governments.
5. Local government mandates: This rule does not impose any program, service, duty, or responsibility upon a county, city, town, village, school district, fire district, or other special district.
6. Paperwork: This amendment does not impose any reporting requirements, including forms or other paperwork.
7. Duplication: This amendment may duplicate or overlap with federal SOX requirements for publicly-held companies. The amendment does not conflict with any existing state or federal rules or other legal requirements.
8. Alternatives: There were no significant alternatives to consider because the internal audit function requirement became an NAIC accreditation standard starting January 1, 2020 and the Department needs to adopt the language set forth in the model regulation.
9. Federal standards: The rule does not exceed any minimum standards of the federal government for the same or similar subject areas.
10. Compliance schedule: A company that meets the premium threshold must comply with the amendment within 180 days of publication of the Notice of Adoption in the State Register.
Regulatory Flexibility Analysis
The amendment to Insurance Regulation 118 should have no impact on small businesses and local governments. This amendment requires authorized insurers, fraternal benefit societies, and managed care organizations (collectively, “companies”) that meet a certain premium threshold to establish and maintain internal audit functions. In relevant part, the amendment exempts from the internal audit requirement any company where the company has annual direct written and unaffiliated assumed premium, including international direct and assumed premium but excluding premiums reinsured with the Federal Crop Insurance Corporation and Federal Flood Program, of less than $500 million.
Most companies do not fall within the definition of a “small business” as defined by State Administrative Procedure Act § 102(8), because they generally are not independently owned and have fewer than 100 employees. To the extent that there are any companies that meet the definition of a small business, they would likely be exempted from the amendment because of the minimum premium threshold.
The amendment also fixes an error in the definition of “SOX compliant company.”
Because this amendment imposes an internal audit function on companies that meet a certain premium threshold and fixes an error in a definition, it should not impose any adverse economic impact or reporting, recordkeeping, or other compliance requirements on small businesses and local governments.
Rural Area Flexibility Analysis
1. Types and estimated numbers of rural areas: Authorized insurers, fraternal benefit societies, and managed care organizations (collectively, “companies”) affected by this amendment operate in every county in this state, including rural areas as defined by State Administrative Procedure Act § 102(10).
2. Reporting, recordkeeping and other compliance requirements, and professional services: The amendment requires companies that meet a certain premium threshold, including companies in rural areas, to establish and maintain an internal audit function.
A company that meets a certain premium threshold in a rural area may need to retain professional services, such as auditors, to comply with this amendment.
3. Costs: The rule may result in additional costs to companies that meet a certain premium threshold, including companies located in rural areas, because it requires them to adopt an internal audit function. The costs are difficult to estimate and will vary from company to company because of several factors, such as a company’s organizational structure, its size, and whether it already has an internal audit function in place. However, all publicly-held companies already must maintain an internal audit function due to stock exchange listing requirements. In addition, it is a standard industry best practice for large companies to maintain internal audit functions of their own volition. Many companies that are part of holding company systems already have internal audit functions at either the company or holding company level. Thus, compliance costs should be minimal for many companies, including companies in rural areas.
Nevertheless, any additional costs to companies in rural areas should be the same as for companies in non-rural areas.
4. Minimizing adverse impact: This amendment uniformly affects companies that are in both rural and non-rural areas of New York State. The amendment should not have a disparate impact on rural areas.
5. Rural area participation: Companies in rural areas will have an opportunity to participate in the rule making process when the proposed amendment is published in the State Register and posted on the website of the Department of Financial Services.
Job Impact Statement
This rule should not adversely affect jobs or employment opportunities in New York State. This rule requires authorized insurers, fraternal benefit societies, and managed care organizations (collectively, “companies”) that meet a certain premium threshold to establish and maintain internal audit functions. This prudent requirement ensures the solvency and continued operation of companies. The amendment also fixes an error in the definition of “SOX compliant company.”