A Carrier’s Playbook: Oversight of Managing General Agents (MGAs)

As the insurance industry continues to evolve, carriers are increasingly relying on Managing General Agents (MGAs) to expand their reach, write new insurance products, streamline operations, and enhance underwriting capabilities. However, this delegation of authority introduces a complex web of regulatory, operational, and technological risks, especially as carriers navigate oversight responsibilities in a rapidly digitizing environment. The 2025 NAIC Financial Condition Examiner’s Handbook provides clear guidance on how regulators assess a carrier’s governance over MGAs, emphasizing the importance of robust controls, transparent data practices, and emerging risk awareness, particularly around artificial intelligence (AI). Understanding these expectations is critical for carriers aiming to maintain compliance, protect policyholder interests, and preserve their reputational integrity.

How Does the NAIC View a Carrier’s Oversight of an MGA?

The 2025 NAIC Financial Condition Examiner’s Handbook (i.e., the Handbook) outlines certain requirements as they relate to carrier oversight of an MGA. Oftentimes, carriers who rely on multiple MGAs as a critical component of their value chain may be at higher risk, especially if policyholder data is stored in a commingled IT environment or data is in a format that does not facilitate timely and efficient data transfer.

The specific qualifications and procedures for managing general agents to follow, as well as the duties of insurers, are outlined in the Managing General Agent’s Act (i.e., Model Audit Rule No. 225). A financial examiner may perform the following when conducting a financial exam of a carrier that relies heavily on MGAs.

Carrier Financial Exam Focus Areas Specific to MGAs

As outlined in the Handbook, the following procedures are followed when a carrier undergoes a financial exam performed by its domiciliary state regulator:

  • Review the Licenses of all MGAs: Noting the effective and expiration date and whether the MGA is licensed to represent the carrier domiciled in that state.
  • Review Contracts between MGAs and Insurance Companies: Each contract should indicate that the insurance company may cancel the contract for any reason, upon written notice to the MGA.  All contracts should note the limitations regarding the amount of risk insured, any other geographical location of risk, or any other limitations detailed in the contract. Also, the contract should specifically prohibit the MGA from binding the carrier to any reinsurance.
  • Sample Policies Produced by each MGA: Each policy must fall within the financial and geographical limitations imposed by each contract with the respective insurance companies. 
  • Sample Financial Accounts Submitted by the MGA: All accounts must be submitted at least quarterly and within a reasonable amount of time after each quarter. They should be in a format and contain information that will enable an insurance company to properly complete its annual statement.
  • Review Internal Controls over Cash Transactions between the Insurance Companies and MGAs: All funds collected by the MGA must be deposited in a separate fiduciary account in a bank that is a member of the Federal Reserve System. This account should be owned and controlled by the carrier.  All funds owed to the insurance company by the MGA should be paid on a timely basis. The MGA may retain no more than three months’ worth of losses and allocated loss adjustment expense payments in the aforementioned fiduciary account.
  • Review the Carrier’s Procedures for Monitoring Each MGA’s Activities: The carrier should obtain, at least annually, a certified public accountant’s report on the business produced by each MGA, as well as an opinion of an actuary attesting to the adequacy of loss reserves produced by each MGA if they have claims-paying authority.

Furthermore, as recommended controls, the carrier should have processes in place to ensure that policy information is correctly captured for direct and assumed business by the MGA, and the carrier has a process in place to ensure that the MGA provides the required data for the carrier to include in their systems. 

Also, the carrier should have comfort that the MGA has a process to properly identify claims eligible for reinsurance and that the MGA (or a third-party administrator) is following claims handling standards in accordance with the signed claims services agreement.

Emphasis on Evaluating Artificial Intelligence Risk

In September 2025, A.M. Best highlighted in its Best Review magazine that AI is the number one emerging risk currently identified for delegated underwriting authority enterprises (DUAEs).  One misstep in the inadvertent use of AI could have negative implications on a carrier’s relationship with its policyholders. Some of the reasons highlighting why AI is viewed as an emerging risk include:

  • DUAEs may be considering but have not yet implemented a formalized governance framework, appropriate oversight, or employee training surrounding their AI-model inventory. 
  • There is a lot of regulatory uncertainty surrounding the use of AI-driven underwriting and claims adjudication, with regulatory guidance surrounding AI being released in a “patchwork” fashion on a state-by-state basis.
  • Increased use of AI amplifies exposure of potentially sensitive policyholder data to misuse and cyber threats. This includes cyber threats where AI may be used as an attack vector (e.g., deepfakes). Accidentally exposing policyholder data could result in potential fines and negative reputational consequences in those states where a policyholder has requested their personal data be removed (in California, for example).
  • AI’s operational effectiveness could become a key component in A.M. Best’s DUAE Assessment for insurance enterprises.

Carrier Audits: On-site or Remote?

One last recommended control noted in the guidance is that the carrier has a process in place to monitor the activities of the MGA. This is often accomplished by performing regular audits or reviews, obtaining and reviewing a SOC-1 report, or requiring periodic reporting (e.g., bordereaux submissions) by the MGA. These audits or reviews may be performed either on-site or remotely.

There is no “silver-bullet answer,” and it varies based on the carrier’s domiciliary state regulator and whether the MGA has physical workspace. Oftentimes, an MGA may be fully virtual and leverage a shared temporary workspace, which inevitably lends itself to the audit being performed remotely.     

The map below of the United States shows, based on regulatory statute at the domiciliary state level, the preferred mode of conducting the review of the MGA in cases where the MGA maintains physical operations. In some instances, the regulation is silent, in which case it defers to Model Audit Rule No. 225. Section 5C of the Model Audit Rule indicates the following: “The insurer shall periodically (at least semi-annually) conduct an on-site review of the underwriting and claims processing operations of the MGA.”

How Centri Can Help

Centri supports insurance carriers by strengthening oversight of MGAs through tailored compliance, risk management, and operational strategies. We help ensure contracts, financial reporting, and data governance align with regulatory expectations, while also advising on emerging risks like AI and cybersecurity. Whether through audit support, process evaluation, or control enhancements, Centri provides the expertise carriers need to maintain regulatory confidence and safeguard policyholder trust. Contact us to learn how we can support your organization.

Joe Hayes

Managing Director | Insurance Practice Leader | CPA

Joe is a Managing Director at Centri Business Consulting and the leader of the firm’s Insurance Practice. He has over 33 years of global leadership experience performing and leading complex regulatory compliance, risk, internal audit, and controls engagements for large multinational companies.

John Swanick

Senior Director | Insurance Practice | CPA

John is a Senior Director at Centri Business Consulting within the firm’s Insurance Practice. He has over 39 years of public accounting and management consulting experience serving both public and non-public clients within the Financial Services and Insurance sectors.

Rich Sowalsky

Managing Director | IT Risk & Cybersecurity Practice Leader | CISA

Rich is a Managing Director at Centri Business Consulting and the leader of the firm’s IT Risk & Cybersecurity Practice. He has more than 16 years of combined experience in internal control consulting, IT risk, cybersecurity advisory, and risk-based internal audits and accounting.

Karyn DiMassa

Managing Director | CPA, PMP, CISA, CFE

Karyn is a Managing Director in the IT Risk & Cybersecurity Practice at Centri Business Consulting. She has more than 15 years of combined experience in internal IT audit and external audit support (IT controls), third-party assurance (SOC 1 and SOC 2 reporting), internal controls consulting, project management, IT risk and cybersecurity, and system implementation support.

Doug Borell

Senior Manager | CPA, CIA

Doug is a Senior Manager at Centri Business Consulting. He has more than 17 years of experience in professional services supporting startups to Fortune 50 companies. He joined Centri in July 2024 and assists insurance clients with risk advisory services, technical accounting advisory, outsourced accounting, and financial transformation services.

About Centri Business Consulting, LLC

Centri Business Consulting provides the highest quality advisory consulting services to its clients by being reliable and responsive to their needs. Centri provides companies with the expertise they need to meet their reporting demands. Centri specializes in financial reporting, internal controls, technical accounting research, valuation, mergers & acquisitions, and tax, CFO and HR advisory services for companies of various sizes and industries. From complex technical accounting transactions to monthly financial reporting, our professionals can offer any organization the specialized expertise and multilayered skillsets to ensure the project is completed timely and accurately.
