Effective Internal Control Frameworks for MGA-Driven Premium Growth

In 2025, managing general agents (“MGAs”) continue to drive premium growth in the specialty marketplace. On June 5, 2025A.M, Best released its latest Market Segment report, which revealed that MGAs and other delegated underwriting authority enterprises (DUAEs) achieved a 15% year-over-year increase in direct premiums written (DPW), reaching $89.9 billion in 2024 with six MGAs binding over $1 billion in DPW. MGAs often contract with an insurance carrier for their specialized expertise in a specialized and niche book of business, without increasing overhead expenses to the carrier. This book of business is referred to as a “program” in the insurance industry’s vernacular.

The formal definition of an MGA under the Managing General Agents Model Act of the National Association of Insurance Commissioners (NAIC) is that an MGA either manages all or part of the insurance business of an insurer or acts as an agent for such an insurer, with or without authority, either separately or together with affiliates, produces directly or indirectly underwrites an amount of gross DPW equal to or greater than 5% of the policyholder surplus as reported in the last annual statement of the insurer in any one quarter or year. Furthermore, an MGA may have claims paying authority on behalf of the carrier, where the MGA adjusts or pays claims more than $10,000 per claim or negotiates reinsurance on behalf of the insurer. This definition may be further tailored based on the domiciliary state of the carrier, as it could vary. The rules governing the insurance carrier and MGA relationship can be found in a Program Administrator Agreement (PAA), which includes the commission methodology used to compensate an MGA for acting on behalf of the carrier. 

However, the insurance carrier is ultimately responsible for policyholder claims and oversight of all activities performed by the MGA, as well as for reporting to their domiciliary regulator. Like any profitable business partnership, mitigating inherent and potential emerging risks is crucial to maximizing the return on investment from the relationship.

The following highlights some best practices of internal controls that we’ve seen in industry relating to internal controls implemented by the MGA or recommended by the Carrier for the MGA to implement:

• Robust Cyber-Resilience: An effective social engineering program should be in place with sufficient monitoring and escalation protocols for MGA employees and any subcontracted relationships, such as sub-producers, accountants, premium collections, etc. A current cyber risk assessment should be readily available, continuously refreshed, and reported to those charged with governance. An in-force cyber insurance from at least an “A- “rated carrier (without a negative outlook) from A.M Best should be obtained by the MGA and kept current. Appropriate limits and deductibles of the cyber-insurance policy should be commensurate with the industry and program’s size. Also, certain MGAs might be subject to specific cyber regulations issued by various states. As part of the cyber-resilience plan, as well as general IT controls, the following are some example areas to ensure controls are in place:
  • System end-user access
  • Logical access, Business continuity planning, and disaster recovery planning
  • Third-party risk management that relates to cyber resilience and data privacy
  • Cloud-based backups and restorations
• Artificial Intelligence (AI): Whether it be through data ingestion engines, automation of rating processes, or renewal evaluations, it’s becoming more common that MGAs are considering artificial intelligence to remain competitive for program business. An AI Governance policy should be formally implemented, accompanied by sufficient training on the proper use of generative artificial intelligence, and outlining compliance with the Property and Casualty Model Rating Law (Model #1780). This includes considering any state-by-state AI regulations as they are formally issued. Additionally, proper internal controls should be designed and implemented, involving the management of change in the underlying source code to mitigate any potential bias or discrimination in the underwriting or claims adjudication process. If AI is accessed via a third-party hosting arrangement or provider, a SOC-2 report and bridge letter should be obtained and reviewed annually, with complementary end-user considerations examined and addressed by Management. Lastly, the Corporate Governance Annual Disclosure of an insurer will need to be updated if AI is being used for the governance of an insurer’s core functions as outlined in the NAIC’s Model Bulletin: Use of Artificial Intelligence by Insurers.

Controls to Ensure Completeness and Accuracy of Program Transaction Activity: The following are the key areas where controls should be in place-

• Rating and Underwriting
• Accounting (including policyholder invoicing, cash collections, receivables, banking entitlements)
• Bordereaux reporting
• Prohibited transactions- i.e., writing outside of the executed program administration agreement

• Continuous Monitoring of MGA transactions:Through the use of robotics process automation and data feeds, carriers now have the technology to formally identify transactions that may be non-compliant with the executed PAA on a real-time basis.  This monitoring is performed with the population, and not a sample, of an MGA’s transactions.  Any exceptions are communicated in a timely manner via automated notifications to the MGA for further investigation. Given their immutable nature, blockchain feeds are becoming more common as the underlying data for these processes.
• A.M. Best DUAE Performance Assessments: One area that is becoming more prevalent in the DUAE marketplace is to willingly ask A.M. Best to provide a non-credit rating on an MGA.  The rationale behind this is that it gives potential carriers comfort on the MGA’s operations.   Governance and internal controls are one aspect of this rating, with the highest rating being an “Exceptional” rating. Those MGAs that are rated “Exceptional” continuously monitor any changes in the requirements by A.M. Best and have readiness plans in place; they continually “battle test” those plans to ensure the highest rating is maintained. 

How Centri Can Help

Achieving success in evaluating the design and operating effectiveness of the internal control framework requires a trusted advisor that is seasoned with the nuances of Program Business and the intricacies of the carrier to MGA relationship. Centri has multiple credentialed professionals who were former executives in the insurance industry that can act as your trusted advisor for both Carriers and MGAs.  Furthermore, we have Certified Internal Auditors,  and experienced professionals in the insurance industry within our Risk Advisory Services team that can perform the financial, underwriting quality, and TPA claims aspects, as well as IT and Cyber elements of assessments. 

In addition to serving you as a trusted advisor to outsourced or co-sourced program assessment needs, we also can assist you with the below, leveraging automation tools where practical in our approach:

• Underwriting quality reviews for primary and excess risks
• Premium and claims quality reviews
• Reinsurance cession billing and agreement compliance evaluations
• Transactional review services, including intercompany activity and reinsurance between affiliates and third parties

Centri’s insurance industry professionals are here to guide your internal control journey—driving confidence, compliance, and premium growth. Contact us to discover how Centri can best support your business needs.