---
title: "California 10 CCR 2698: the SIU compliance walkthrough for CDI requirements"
description: "California 10 CCR 2698 is 14 sections that turn 'we have an SIU' into documented, examinable obligations. The hardest to satisfy at scale is 2698.36 - a documented decision on every referral."
date: "2026-07-07"
lastModified: "2026-07-07"
author: "Pankaj Dhariwal"
tags: ["Guides"]
canonical: "https://gethesperai.com/blog/california-10-ccr-2698-siu-compliance/"
---

# California 10 CCR 2698: the SIU compliance walkthrough for CDI requirements

> **TL;DR** California Code of Regulations Title 10, Sections 2698.30 through 2698.43, are the Special Investigative Unit rules the CDI Fraud Division enforces on more than 1,100 insurers each year. They implement Insurance Code 1875.20-24 and specify SIU staffing, detection, investigation, referral, training, and annual reporting. The requirement that scales worst is 2698.36: a concise written investigation summary on every referral and a documented reason on every decline. Penalties run up to $5,000 per act and $10,000 per willful act. Manual SIU at ~25% coverage can fully document only a minority of referrals; the rest are the exam-risk surface.
>
> - 14 sections (2698.30-2698.43) enforced by the CDI Fraud Division
> - Penalties reach $5,000 per act, $10,000 per willful act
> - 2698.36 needs a documented decision on every referral, not just the ~25% opened

- **14** - Sections in Article 2 (2698.30-2698.43 (Cornell LII))
- **$5K / $10K** - Penalty per act / willful act (10 CCR 2698.42)
- **1,100+** - Insurers filing SIU reports yearly (CDI SIU Compliance Review Program)
- **Sept 15, 2026** - 2025 SIU annual report deadline (CDI eSIUAR portal)

California 10 CCR 2698 is not a filing formality - it is 14 sections that convert 'we have an SIU' into documented, examinable obligations, and the one that scales worst is 2698.36's requirement to document an investigation decision on every referral. More than 1,100 insurers file SIU annual compliance reports with the California Department of Insurance each year, and penalties run up to $5,000 per act of non-compliance, up to $10,000 for a willful act. The rule reaches essentially the entire licensed property-casualty market.

This walkthrough is written for the compliance officer who owns the antifraud filing with CDI and asks the literal question - does the output satisfy 10 CCR 2698.36 - and for the SIU director who has to produce the referrals, training records, and investigation summaries the regulation requires. It maps all 14 sections to their compliance obligation, isolates why 2698.36 quietly becomes the hardest requirement at scale, shows what CDI enforcement looks like in practice, and explains where an audit-trail-native investigation layer fits without replacing the SIU or the officer's perjury sign-off.

It sits in our regulatory cluster. For the national frame this rule sits inside, read [the NAIC Model Act 680 implementation guide](/blog/naic-model-act-680-implementation-guide/); California 10 CCR 2698 is California's dedicated-SIU build on top of that scaffolding. For the vendor-evaluation companion aimed at the same compliance-officer seat, read [the compliance officer's guide to AI investigation deployment](/blog/compliance-officer-ai-investigation-deployment/).

## What 10 CCR 2698 actually is

10 CCR 2698 is California Code of Regulations Title 10, Sections 2698.30 through 2698.43 - Article 2, Subchapter 9 - the Special Investigative Unit regulations enforced by the CDI Fraud Division. They implement California Insurance Code Sections 1875.20 through 1875.24, which require every insurer licensed in California to establish and maintain an SIU that detects, investigates, and refers suspected insurance fraud. The statute mandates the SIU; the regulation specifies how it must run.

The distinction between statute and regulation is the one to keep straight. The Insurance Code creates the obligation; the 14 regulatory sections operationalize it into concrete, auditable requirements - staffing, communication with the Fraud Division, detection, investigation, referral, training, an annual report, examinations, and penalties. The full section index is published by the [Cornell Legal Information Institute](https://www.law.cornell.edu/regulations/california/title-10/chapter-5/subchapter-9/article-2), which lists all 14 sections of Article 2 from 2698.30 Definitions through 2698.43 Hearings.

Enforcement is not theoretical. The CDI runs an [SIU Compliance Review Program](https://www.insurance.ca.gov/0300-fraud/0100-fraud-division-overview/12-siu/Review-Program.cfm) that inspects insurers on the establishment, staffing, training, and operation of their units, and risk-scores each filer. More than 1,100 insurers file SIU annual compliance reports with the Department every year. So this is not a boutique rule that applies to a handful of carriers - it is the operating standard for the licensed market in the largest state insurance market in the country.

> **Statute mandates, regulation specifies, program enforces**
>
> Three layers, and confusing them muddies compliance work. Insurance Code 1875.20-24 is the statute that requires an SIU. 10 CCR 2698.30-2698.43 is the regulation that prescribes how the SIU detects, investigates, refers, trains, and reports. The SIU Compliance Review Program is the CDI Fraud Division mechanism that inspects filings, risk-scores them, runs on-site audits, and refers findings toward penalties. When a market-conduct exam lands on your desk, it is the program testing your compliance with the regulation - not the abstract statute.

## The section-by-section walkthrough

The cleanest way to read 10 CCR 2698 is to group its 14 sections into four functional blocks: establishing and staffing the SIU (2698.31-2698.33), the detect-investigate-refer chain (2698.34-2698.38), anti-fraud training (2698.39), and reporting plus enforcement (2698.40-2698.43). Each block maps to a distinct compliance artifact an examiner can request, and one of them - the detect-investigate split - is where the whole documentation burden concentrates.

### Establishing and staffing the SIU (2698.31-2698.33)

Sections 2698.31 through 2698.33 set the insurer's baseline responsibility: the carrier must establish an SIU, staff it, and govern how contracted or outsourced SIU functions are handled. In manual programs the pain point here is that SIU headcount is tied to claim volume - as flagged-claim volume rises, staffing has to rise with it or coverage falls. This is the structural constraint that makes the investigation-record requirement further downstream so hard to satisfy at scale.

### Detecting, investigating, and referring (2698.34-2698.38)

This block is the core of the regulation, and the split between two of its sections is the single most important thing a compliance officer should internalize. Section 2698.34 governs communication with the Fraud Division. Section 2698.35 governs detecting suspected fraud - identifying red flags. Section 2698.36 governs investigating suspected fraud, which is a separate, heavier obligation. Sections 2698.37 and 2698.38 govern the referral itself and the required content of that referral.

The 2698.35 versus 2698.36 distinction is deliberate and load-bearing. Detecting a red flag is not investigating it. A detection score is a signal under 2698.35; the investigation under 2698.36 requires a written summary, evidence preservation, and a documented outcome. A carrier can be fully covered on detection and still exposed on the investigation record. That is the gap the next section unpacks in detail.

### Anti-fraud training (2698.39)

Section 2698.39 sets concrete, auditable training deadlines that examiners verify against personnel records. Per the [regulation text](https://www.law.cornell.edu/regulations/california/10-CCR-2698.39), newly hired employees must receive anti-fraud orientation within 90 days of commencing duties, integral anti-fraud personnel must receive annual in-service training, and SIU personnel must receive at least 5 hours of continuing anti-fraud training per calendar year. This is a human obligation - it is unaffected by whatever investigation tooling a carrier runs, and it stays the SIU's responsibility to track and evidence.

### Annual report and enforcement (2698.40-2698.43)

Section 2698.40 sets the SIU Annual Report. Per the [regulation](https://www.law.cornell.edu/regulations/california/10-CCR-2698.40), it is due no later than 90 days after the Department mails its notification, which the Department issues in June each year - putting the practical deadline around September. It must be signed under penalty of perjury by a company officer and must include written detection, investigation, and reporting procedures; training plans; SIU structure and staffing; claims-processed and fraud-referral statistics; and copies of any SIU contracts. For the 2025 report cycle, the CDI set the [eSIUAR portal](https://www.insurance.ca.gov/0300-fraud/0100-fraud-division-overview/12-siu/Annual-Report.cfm) deadline at September 15, 2026, 11:59 PM.

Sections 2698.41 through 2698.43 are the enforcement tail: examinations, penalties, and hearings. The penalty section is the one carriers watch. Per [10 CCR 2698.42](https://www.law.cornell.edu/regulations/california/10-CCR-2698.42), the Commissioner may impose up to $5,000 for each act of non-compliance and up to $10,000 for each willful act, with authority drawn from Insurance Code 1875.24. Inadvertent violations tied solely to SIU maintenance and operation are treated as a single act capped at $5,000. Because penalties accrue per act, a systemic gap - missing investigation summaries across many referrals - can compound.

| Section | Obligation | Manual pain point | Where AI investigation helps |
| --- | --- | --- | --- |
| 2698.32 | SIU staffing | Headcount tied to volume | Capacity uncoupled from headcount (800+ cases per investigator per month) |
| 2698.35 | Detecting fraud | Red-flag identification | Detection layer - FRISS, Shift, Verisk |
| 2698.36 | Investigating + documenting | Written summary per case; decline reasons | Audit-trail-native record on 100% of referrals |
| 2698.37/.38 | Referral + content | Timely, complete referrals | Structured evidence pack ready to referral standard |
| 2698.39 | Anti-fraud training | 90-day orientation, 5-hr SIU CE tracking | Human obligation - unchanged |
| 2698.40 | Annual report | Referral stats, procedures, perjury sign-off | Reportable stats as a byproduct of logged cases |
| 2698.41/.42 | Exams / penalties | $5K-$10K per act exposure | Reconstructable trail reduces exam findings |

*Figure: 10 CCR 2698 splits detecting fraud (2698.35) from investigating it (2698.36). Detection scores a red flag; investigation requires a written summary, preserved evidence, and a documented decision on every referral - including the ones the SIU declines.*

## Where 2698.36 becomes the hardest requirement

Section 2698.36 requires a concise and complete written summary of the entire investigation, separate from any other document, evidence preservation, and a documented reason in the file whenever the SIU declines to treat a red flag as suspected fraud. In plain terms it demands a documented decision on every referral - whether the SIU investigates or declines - and that is the requirement that scales worst under a capacity-constrained manual workflow.

The precise language matters. Per the [regulation](https://www.law.cornell.edu/regulations/california/10-CCR-2698.36), the SIU must produce a written summary that is specific to the case and separate from any other document prepared in connection with it, must preserve the documents and evidence obtained during the investigation, and when it decides a red flag is not the result of suspected fraud, must document in the claim file or SIU file the reasons supporting that conclusion. There is no shortcut where a detection score stands in for the summary. The summary is a distinct artifact the regulation names.

Here is where the math becomes a compliance problem rather than a loss-cost one. A manual investigator carries 200+ cases and each investigation takes 14+ days, so a manual SIU fully investigates only about 25% of the claims it flags. On the ~75% it never opens, it structurally cannot produce a real 2698.36 investigation summary - it can only paper a decline. That connection is a Hesper-framed derivation from the coverage fact, not a CDI-published statistic, but the arithmetic is plain: a documented-decision requirement on 100% of referrals, met by a workflow that reaches 25% of them, leaves a large undocumented remainder.

> The regulation does not ask whether you flagged the claim. It asks for a written summary of the investigation, the preserved evidence, and - when you decline - the documented reason. A decline memo on a claim nobody investigated is not the same artifact as an investigation summary, and an examiner sampling the file can tell the difference.
>
> - Hesper AI product research

This is exactly the artifact a defensibility standard operationalizes: an evidence chain and a decision trail that reconstruct on demand. We walk through what defensible output actually contains in [the fraud investigation AI defensibility standard](/blog/fraud-investigation-ai-defensibility-standard/). The 2698.36 summary is the regulatory name for that same record.

## What CDI enforcement looks like in practice

CDI enforcement runs through the SIU Compliance Review Program, which risk-scores each carrier's annual filing and conducts on-site audits, with findings that can escalate to penalties. The program does not sample at random - it prioritizes filers by prior findings, filing discrepancies, referral quality, complaint history, and market share, which means a carrier with thin referral documentation and large market share is a natural audit target.

The scale of the system is worth grounding in the fraud volume it exists to address. Per the [CDI Automobile Insurance Fraud Program](https://www.insurance.ca.gov/0300-fraud/0100-fraud-division-overview/10-anti-fraud-prog/Automobile.cfm), in Fiscal Year 2023-24 that one program alone received 12,559 suspected fraudulent claims with a potential loss of $207,629,944, assigned 602 new cases, made 272 arrests, and referred 354 cases to prosecution. That is a single program in a single line of business. For national context, the [Coalition Against Insurance Fraud](https://insurancefraud.org/fraud-stats/) estimates insurance fraud costs about $308 billion a year in the US, and roughly 10% of property-casualty claims involve some element of fraud.

The visible exposure is the penalty schedule - $5,000 per act, $10,000 per willful act. The quieter and more common exposure is a thin investigation record that does not hold up when the program samples it. Because 2698.42 penalties accrue per act, a documentation gap that spans many referrals is not one finding; it is potentially many. A carrier that flags well and documents its investigations inconsistently is carrying an exam-risk surface proportional to the number of flags it raised and did not fully work.

> **Risk-scoring means market share is a variable**
>
> The SIU Compliance Review Program weights market share in its risk-scoring. That means a large carrier does not get to treat compliance-review odds as low. The bigger the book, the more claims flagged, the larger the undocumented remainder if coverage sits at ~25%, and the higher the audit priority. Scale amplifies both the exposure and the likelihood of being sampled.

## How AI investigation maps to the documentation rules

An audit-trail-native investigation agent maps directly to the documentation-heavy sections of 10 CCR 2698: it produces the 2698.36 investigation summary and decline-reason record on 100% of referrals, generates the structured content the 2698.37/.38 referral requires, and makes the 2698.40 annual-report statistics a byproduct of logged cases. It does not replace the SIU, the 2698.39 training obligation, or the officer's perjury sign-off. The investigator still reviews and decides; the record is built underneath.

Hesper is audit-trail-native by design: every agent decision is logged with sources, reasoning, and timestamps, which is the exact form a documented-decision requirement like 2698.36 and an SIU annual-report filing both need. Running 15+ investigation phases in parallel, an AI investigation layer returns a complete, timestamped record in 2-4 hours instead of 14+ days, which lifts flagged-claim coverage from ~25% toward 100% at roughly $150 per case against ~$2,500 manual. For a compliance officer the speed is secondary; the point is that every referral arrives as a documented investigation, not a decline memo on a claim nobody opened. This is the move from fraud detection to fraud resolution.

The positioning has to stay honest about the layers. Detection vendors - FRISS, Shift Technology, Verisk - operate at 2698.35: they identify and score red flags. None of them produce the 2698.36 investigation summary or the decline-reason documentation; a score is a signal under .35, not the investigation under .36. Detection is upstream; investigation is downstream. Hesper sits downstream of those tools and produces the investigation record the flag triggers. It is complementary to FRISS, Shift Technology, and Verisk - not a replacement. The one incumbent at the investigation layer is the manual SIU, and that is the workflow the coverage-and-documentation math is measured against.

| Dimension | Manual SIU | AI-assisted (Hesper) |
| --- | --- | --- |
| Coverage of flagged claims | ~25% | 100% |
| Time per case | 14+ days | 2-4 hours |
| 2698.36 summary per referral | On opened cases only | On every referral |
| Decline-reason documentation | Often thin/inconsistent | Logged with sources + timestamps |
| Cost per case | ~$2,500 | ~$150 |

| 2698.36 documentation coverage: manual SIU vs AI-assisted investigation | Value | Share |
| --- | --- | --- |
| Flagged-claim coverage, manual SIU | ~25% | 25% |
| Flagged-claim coverage, AI-assisted | 100% | 100% |
| Investigation phases run in parallel | 15+ | 75% |
| Cost per case reduction, manual to AI | ~94% | 94% |

The layered picture - where a detection score ends and an investigation record begins - is the same map a compliance officer should apply when vetting any vendor against these rules. We lay out that vetting process for this persona in [the compliance officer's guide to AI investigation deployment](/blog/compliance-officer-ai-investigation-deployment/), and the national regulatory frame this California rule sits inside is covered in [the NAIC Model Act 680 implementation guide](/blog/naic-model-act-680-implementation-guide/).

## Key takeaways

- California 10 CCR 2698 is 14 sections - 2698.30 through 2698.43 - that implement Insurance Code 1875.20-24 and specify how every licensed insurer's SIU must detect, investigate, refer, train, and report; more than 1,100 insurers file SIU annual compliance reports with CDI each year.
- The regulation deliberately separates detecting fraud (2698.35, where FRISS, Shift, and Verisk operate) from investigating it (2698.36), which requires a written investigation summary, preserved evidence, and a documented reason on every decline - a distinct artifact a detection score does not satisfy.
- Penalties under 2698.42 reach $5,000 per act of non-compliance and $10,000 per willful act, and because they accrue per act, a documentation gap spanning many referrals can compound into many findings rather than one.
- The hardest requirement to meet at scale is 2698.36's documented decision on every referral: a manual SIU at ~25% coverage and 14+ days per case can produce a real investigation summary on only a minority of referrals and papers a decline on the rest, which is the exam-risk surface the Compliance Review Program samples.
- An audit-trail-native AI investigation layer produces the 2698.36 summary and decline-reason record on 100% of referrals in 2-4 hours with every decision logged - generating 2698.40 statistics as a byproduct - while remaining complementary to detection vendors and leaving the officer's perjury sign-off intact.

## Frequently asked questions

### What is California 10 CCR 2698 and who does it apply to?

California Code of Regulations Title 10, Sections 2698.30 through 2698.43 (Article 2, Subchapter 9), are the Special Investigative Unit regulations enforced by the California Department of Insurance Fraud Division. They implement California Insurance Code Sections 1875.20-24, which require every insurer licensed in California to establish and maintain an SIU that detects, investigates, and refers suspected insurance fraud. The 14 sections cover SIU staffing, communication with the Fraud Division, detecting and investigating fraud, referral procedures, anti-fraud training, an annual report to CDI, examinations, and penalties. More than 1,100 insurers file SIU annual compliance reports with CDI each year, so the rule reaches essentially the entire licensed property-casualty market.

### What are the penalties for SIU non-compliance in California?

Under 10 CCR 2698.42, the Insurance Commissioner may impose a monetary penalty of up to $5,000 for each act of non-compliance and up to $10,000 for each willful act, with authority drawn from California Insurance Code Section 1875.24. For inadvertent violations tied solely to SIU maintenance and operation, multiple violations are treated as a single act capped at $5,000. Because penalties accrue per act, systemic gaps - for example, missing investigation summaries across many referrals - can compound. Findings typically originate from the SIU Compliance Review Program, which risk-scores annual filings and conducts on-site audits based on prior findings, filing discrepancies, referral quality, complaint history, and market share.

### When is the California SIU Annual Report due?

Under 10 CCR 2698.40, the SIU Annual Report is due no later than 90 days after the Department mails its notification, and the Department issues that notification in June each year - which puts the deadline around September. For the 2025 report cycle, CDI set the eSIUAR portal deadline at September 15, 2026. The report must be signed under penalty of perjury by a company officer and includes written detection, investigation, and reporting procedures; anti-fraud training plans; SIU organizational structure and staffing; claims-processed and fraud-referral statistics; and copies of any SIU service contracts. It is filed electronically through the eSIUAR system.

### What does 10 CCR 2698.36 require for documenting an investigation?

Section 2698.36 requires the SIU to produce a concise and complete written summary of the entire investigation that is specific to the case and separate from any other document prepared in connection with it. It also requires preservation of the documents and other evidence obtained during the investigation. Critically, when the SIU decides not to investigate a red flag, it must document in the claim file or SIU investigation file the reasons supporting its conclusion that the red flag is not the result of suspected fraud. In other words, the regulation demands a documented decision on every referral - whether the SIU investigates or declines - which is the requirement that scales poorly under manual, capacity-constrained workflows.

### What is the difference between detecting fraud and investigating fraud under these regulations?

The regulation deliberately separates the two. Section 2698.35 governs detecting suspected fraud - identifying red flags - which is the layer where scoring tools like FRISS, Shift, and Verisk operate. Section 2698.36 governs investigating suspected fraud, which requires a written investigation summary, evidence preservation, and documented decisions. A detection score is not an investigation record. A carrier can have strong detection coverage and still be exposed on the 2698.36 investigation and documentation requirement, because a flag or score does not satisfy the obligation to investigate and document the outcome. Closing that gap is a distinct workflow from detection.

### How does AI-assisted claims investigation help meet 10 CCR 2698 requirements?

Audit-trail-native AI investigation directly addresses the documentation-heavy sections. Manual SIU teams investigate roughly 25% of flagged claims at 14+ days per case, so a real 2698.36 investigation summary only exists for a fraction of referrals. An AI investigation agent runs 15+ phases in parallel and can produce a documented investigation record - sources, reasoning, and timestamps - on 100% of referrals in 2-4 hours at roughly $150 per case versus about $2,500 manually. That produces the 2698.36 summary, supports the 2698.37/.38 referral content, and turns the 2698.40 annual-report statistics into a byproduct of logged cases. It does not replace the SIU, the training obligation, or the officer's perjury sign-off - the investigator still reviews and decides.

### How much insurance fraud does the California Fraud Division handle each year?

The California Department of Insurance Fraud Division publishes program-level data. In Fiscal Year 2023-24, its Automobile Insurance Fraud Program alone received 12,559 suspected fraudulent claims with a potential loss of $207,629,944, assigned 602 new cases, made 272 arrests, and referred 354 cases to prosecuting authorities. Those figures cover one program in one line of business; the Division also runs workers' compensation, disability and healthcare, and property, casualty, and life programs. For national context, the Coalition Against Insurance Fraud estimates insurance fraud costs about $308 billion a year in the United States, and roughly 10% of property-casualty claims involve some element of fraud.

### Do detection vendors like FRISS or Shift satisfy California SIU regulations on their own?

Not fully. Detection and scoring vendors operate at the 2698.35 detecting layer - they identify red flags. The California SIU regulations also require, under 2698.36, that the insurer investigate and produce a written investigation summary, preserve evidence, and document the reasons when it declines to investigate a flag. A detection score does not generate that investigation record. These tools are complementary to, not substitutes for, the investigation and documentation workflow. Carriers typically run detection alongside either a manual SIU or an AI investigation layer that produces the 2698.36 record downstream of the flag. The company officer still signs the annual report under penalty of perjury regardless of which detection tools are deployed.
