1) NEW YORK STATE DEPARTMENT OF FINANCIAL SERVICES Criminal Investigations Unit ‐ Insurance Frauds Bureau Guidelines for Insurer’s Fraud Prevention Plans & Special Investigations Units (SIUs)(Rev. 9/22/15) Instructions:  The Fraud Prevention Plan (Plan) must comply with NYIL §409 and Reg. 95, §86.6, and must indicate compliance with §405. If a fraud warning is shown in the Plan, the warning must comply with §403 and Reg. 95, §86.4(a) for non-auto warnings and Reg. 95 §86.4(b) for auto warnings.  Insurers operating in states other than New York that have developed a multi-state Plan may submit the multi-state Plan. An addendum to address specific, unique New York requirements may be included with the Plan.  Insurers should include any other information pertinent to the SIU or anti-fraud program deemed special, significant or informative.  A copy of this document (or substitute document) indicating where the items are located in the Plan, is requested to be submitted along with the Plan. 1. Management of SIU, Reg. 95 §86.6(b) Provide the name, title, mailing address, e-mail address and telephone number of the SIU Manager. Provide the name, title, mailing address, e-mail address and telephone number of the executive responsible for the SIU. Confirm that this executive has reviewed & approved the Plan. 2. Implementation of Plan NYIL §409(b) NYIL §409(b)(1) requires that the Plan provide for the time and manner of implementation. 3. Overview of SIU and Relationship of Claims and Underwriting to SIU per NYIL §409(b) A. Type of SIU – Indicate the relationship of the SIU to the insurer (check all that apply): ï‚· ï‚· ï‚· ☐Internal If internal (staffed by the insurer’s employees), complete item #6 below. ☐Affiliated If the SIU function is performed by an affiliate, complete sections #6 and #7. ☐External If the insurer contracts with a vendor to perform SIU functions, complete #8 below. Sections 6, 7, and 8 address the relationship of the SIU to the insurer. Plans should include all sections of this form that are relevant to the SIU’s structure. For example, if the SIU has internal staff, affiliated staff and an external vendor performing SIU investigations, the Plan should address sections 6, 7 and 8. B. Performance of Claims and Underwriting Functions: Does the insurer use any vendor(s), agent(s) or TPA(s) to perform claims or underwriting services? If yes, respond to #5, below. ☐Yes ☐No If the insurer uses a vendor(s), agent(s) or TPA(s) to perform claims or underwriting services, does that vendor perform the SIU services or does that vendor contract with a 3rd party to perform SIU services? ☐Yes, vendor performs SIU or vendor contracts for investigatory services. If yes, respond to #8 ☐No, insurer performs SIU (If insurer contracts SIU services respond to #8 ) .         

2) 4. Relationship of SIU to Claims & Underwriting Departments NYIL §409(b) & (c) The Company must have a Fraud Detection and Procedures Manual for claims and underwriting personnel, as required by NYIL §409(c)(6). This manual should include the “red flags” used to detect fraud and procedures that should be followed when a fraud is suspected. Please check the appropriate box that indicates how the manual maintained: ☐ Electronic ☐ Hard Copy ☐ Both Describe the relationship of the SIU with the claims department to include the following: a. The procedure for detecting fraud, including “red flags.” If the company writes private or commercial automobile insurance, workers’ compensation, or accident and health insurance, the Plan must specifically address these lines of insurance. b. The criteria for referral of a case to the SIU. c. The individual authorized to make referrals to the SIU. d. The referral process to the SIU (e.g., medium is used, is supervisor approval required?). e. The procedures for the periodic review of claims practices. f. Describe the in-service training program for identification and evaluation of suspected insurance fraud. Include the titles of training courses with hours of devotion. Are records retained that describe the training? g. Does the SIU (or other unit) perform post-payment claims analysis? Is this analysis performed electronically via data mining to identify potentially fraudulent claims? Describe the relationship of the SIU with the underwriting department to include the following: a. The procedure for detecting fraud including “red flags.” b. The criteria for referral of a case to the SIU. c. The individual authorized to make referrals to the SIU. d. The referral process to the SIU (e.g., medium is used, is supervisor approval required?) e. The procedures for the periodic review of underwriting methods. f. The in-service training programs for identification and evaluation of suspected insurance fraud. Include the titles of training courses with hours of devotion. Are attendance records retained? g. Provide an assessment of the company’s vulnerability to fraud, considering the lines of business written, underwriting standards and marketing strategy. h. Are automated techniques employed to verify information provided in the application at the time of issuance and subsequent to issuance of the policy? Does the insurer use external vendors/TPAs/MGAs for claims processing and/or underwriting? ☐Yes ☐No If yes, provide information pertaining to #5 below. 5. Use of External Claims & Underwriting Vendors NYIL §409(b) & (c) a. Provide a list of the vendors by name and describe the duties performed by the vendors. Indicate if claims, underwriting, or investigations are performed. b. Do the external claims processors receive training to recognize “red flags” and report fraud? Are records of attendance and courses taken retained? c. Do the external claims processors review transactions and documents for “red flags”? d. Do the external underwriters receive training to recognize “red flags” and report fraud? Are records of attendance and courses taken retained? e. Do the external underwriters review transactions and documents for “red flags”? f. What is the procedure for reporting fraud to the SIU if the underwriters and/or claims processors detect a potentially fraudulent transaction? Do the vendors, MGAs, or TPAs, performing the underwriting and/or claims processing functions also perform fraud investigations or contract with a 3rd party to perform fraud investigations in New York State? ☐Yes ☐No If yes, Respond to #8, below         

3) 6. Staffing of SIU - Internal and Affiliated Entity SIU, NYIL §409(b), Reg. 95, §86.6 The SIU must be separate from underwriting and claims. The SIU expenses must be listed as a separate open budget. The staffing level for SIU must be full-time. Provide an organization chart (description) of internal SIU showing lines of control. Provide an organization chart (description) of the SIU showing line(s) of control to general management. Provide the number of investigators and a justification for the number of investigators. Provide an assessment of optimal caseload per investigator or other metric to assess investigator productivity. Provide job descriptions for investigators. Demonstrate that each investigator meets the educational or employment qualifications for a fraud investigator as stated in NYIL §409(b)(3) and §86.6(c) of Regulation 95: ï‚· ï‚· ï‚· an associate's or bachelor's degree in criminal justice or a related field; or five years of insurance claims investigation experience or professional investigation experience with law enforcement agencies; or seven years of professional investigation experience involving economic or insurance-related matters; or an authorized medical professional to evaluate medical-related claims. ï‚· Provide the percentage of New York insurance fraud investigations as a percentage of total investigations. Provide the names, titles and resumes of the investigators (summary of qualifying experience) who will be conducting insurance fraud investigations in NYS. Provide the geographical location and assigned territories for each investigator. Describe the training program for investigators as required by §86.6(b)(6) of Reg. 95. Include the titles of training courses with hours of devotion including any and all training provided by external entities that investigators participated in. Provide the names and job titles of the SIU support staff, not qualified as investigators (e.g., data analysts, translators, clerical staff, etc.).   7. Affiliated Entity SIU Reg. 95 §86.6(b) Provide the name of the affiliated entity that performs SIU services. Provide a copy of the executed service agreement(s) indicating the performance of investigative and other SIU functions as required by §86.6(b)(1) of Regulation 95. Does the service agreement specify that SIU/ Investigative services will be performed? The following information is requested to assist the insurer in accurately reporting data in column 6 of the Annual SIU Report: Does the SIU perform SIU services for affiliates other than the NY insurer? Provide the percentage of the SIU’s resources dedicated to New York investigations versus all affiliated companies (including New York). Provide the following based on the amount of expenses allocated to New York based on the percentage indicated above (or other metric deemed appropriate). a. SIU Budget b. Total number of investigators               

4) 8. External SIU/Investigative Vendor(s) NYIL §409(b), Reg. 95, §86.6 Provide the following pertaining to SIU vendors: a. A list of the vendors by name b. A copy of each executed agreement(s) between the vendor and the insurer as required by §86.6(b)(1) of Reg. 95 c. Reg. 95 86.6(b)(1)The agreement(s) must state that the SIU will provide any and all assistance requested by the Criminal Investigations Unit and any other law enforcement agency in the investigation and prosecution of insurance fraud and related crimes and cooperate with the Department of Financial Services in any examination of the implementation of the fraud plan For each agreement, provide the following: Brief Description of services performed e.g. all SIU functions, on street only Does the MGA/TPA/vendor perform all or a portion of the fraud investigations? Name of the person at the insurer who the vendor reports to. Name, address and telephone number of the contact person at the vendor. Provide an organization chart (or description) showing the reporting lines within the SIU. The percentage of time that the vendor spends on the insurer’s NY fraud investigations. Does the vendor use a third-party administrator (TPA) for any portion of fraud investigations? If yes, provide a copy of the agreement detailing the investigative services provided by the TPA. Describe the procedure for claim examiners, underwriters and other personnel to refer suspicious claims to the SIU. Address who makes the referral to the SIU TPA and how the referral is made (e.g., directly to case management system, phone, email, etc.). Does the MGA/TPA/vendor provide the insurer with periodic reports concerning referrals and cases? If claims or underwriting vendors are used, does the company review all referrals and/or cases sent to the SIU vendor from MGA/TPA/vendor? Provide the number of investigators who will be conducting insurance fraud investigations in New York, including the names, titles and resumes of the investigators. Provide an assessment of the optimal caseload per investigator or other metric to assess investigator productivity. Justify the number of investigators, preferably via metrics such as optimal caseload. Demonstrate that each investigator meets the educational and employment qualifications for a fraud investigator as stated in NYIL §409(b)(3) and §86.6(c) of Regulation 95: ï‚· ï‚· ï‚· ï‚· an associate's or bachelor's degree in criminal justice or a related field; or five years of insurance claims investigation experience or professional investigation experience with law enforcement agencies; or seven years of professional investigation experience involving economic or insurance-related matters; or an authorized medical professional to evaluate medical-related claims. Provide job descriptions for investigators. Provide the geographical location and assigned territories for each investigator assigned to New York. Describe the training program for investigators as required by §86.6(b)(6) of Reg. 95. Provide the titles of training courses with hours of devotion, including training that was provided by external entities. Provide the names and job titles of SIU support staff, (e.g., data analysts, translators, and clerical).               

5) 9. SIU Investigations and SIU procedures, NYIL §409(c) Describe the SIU’s case management system. Describe the procedures for case investigations. How is the manual for investigators maintained? Hard copy or electronic? Provide a list of databases used by investigators (e.g., ISO, DMV). Describe the relationship of the SIU with law enforcement agencies and prosecutors required by NYIL §409(c)(1), including: a. Description of relationship between the SIU and the IFB. b. Criteria for referral of a case to IFB and law enforcement. c. Name of the individual authorized to make referrals to the IFB. d. Description of the policy to avoid duplication (without notification) of concurrent referrals by SIU to more than one law enforcement agency,. Indicate the SIU’s compliance with NYIL §405(a) {emphasis added}: “(a) Any person licensed or registered pursuant to the provisions of this chapter… who has reason to believe that an insurance transaction or life settlement act may be fraudulent, or has knowledge that a fraudulent insurance transaction or fraudulent life settlement act is about to take place, or has taken place shall, within thirty days after determination by such person that the transaction appears to be fraudulent, send to the superintendent on a form prescribed by the superintendent, the information requested by the form and such additional information relative to the factual circumstances of the transaction and the parties involved as the superintendent may require. The superintendent shall accept reports of suspected fraudulent insurance transactions or fraudulent life settlement acts from any self insurer, including but not limited to self insurers providing health insurance coverage or those defined in section fifty of the workers' compensation law, and shall treat such reports as any other received pursuant to this section.” 10. Restitution and Recoveries NYIL §409(c) The Plan must contain a provision that addresses savings and recoveries, including court-ordered restitution. NYIL §409(c)(4) states that the Plan shall provide for: “Coordination with other units of an insurer for the investigation and initiation of civil actions based upon information received by or through the special investigations unit.” 11. Internal/Employee Fraud The Plan should include a section to address employee fraud. Internal fraud should be reported to the DFS Criminal Investigations Unit per Section 405. 12. Public Awareness Program - NYIL §409(c)(5) Has the insurer joined the National Health Care Anti-Fraud Association (NHCAA)? Has the insurer joined the New York Alliance Against Insurance Fraud (NYAAIF)? If developing an in-house program, provide the following: ï‚· Description of the media (e.g., radio, television, print, website, etc.). ï‚· Budget for the next year. ï‚· Target audience (must include general public). ï‚· Sample hard/electronic copies, 800 number, company website. 13. Fraud Data Reporting Requirement NYIL §409(c) NYIL §409(c)(2) requires that the Plan provide for the reporting of fraud data to a collection firm designated by the Department. Currently, no organization has been established; however, the Plan must contain a statement to comply with §409(c)(2).