California 10 CCR 2698 is not a filing formality - it is 14 sections that convert 'we have an SIU' into documented, examinable obligations, and the one that scales worst is 2698.36's requirement to document an investigation decision on every referral. More than 1,100 insurers file SIU annual compliance reports with the California Department of Insurance each year, and penalties run up to $5,000 per act of non-compliance, up to $10,000 for a willful act. The rule reaches essentially the entire licensed property-casualty market.
This walkthrough is written for the compliance officer who owns the antifraud filing with CDI and asks the literal question - does the output satisfy 10 CCR 2698.36 - and for the SIU director who has to produce the referrals, training records, and investigation summaries the regulation requires. It maps all 14 sections to their compliance obligation, isolates why 2698.36 quietly becomes the hardest requirement at scale, shows what CDI enforcement looks like in practice, and explains where an audit-trail-native investigation layer fits without replacing the SIU or the officer's perjury sign-off.
It sits in our regulatory cluster. For the national frame this rule sits inside, read the NAIC Model Act 680 implementation guide; California 10 CCR 2698 is California's dedicated-SIU build on top of that scaffolding. For the vendor-evaluation companion aimed at the same compliance-officer seat, read the compliance officer's guide to AI investigation deployment.
What 10 CCR 2698 actually is
10 CCR 2698 is California Code of Regulations Title 10, Sections 2698.30 through 2698.43 - Article 2, Subchapter 9 - the Special Investigative Unit regulations enforced by the CDI Fraud Division. They implement California Insurance Code Sections 1875.20 through 1875.24, which require every insurer licensed in California to establish and maintain an SIU that detects, investigates, and refers suspected insurance fraud. The statute mandates the SIU; the regulation specifies how it must run.
The distinction between statute and regulation is the one to keep straight. The Insurance Code creates the obligation; the 14 regulatory sections operationalize it into concrete, auditable requirements - staffing, communication with the Fraud Division, detection, investigation, referral, training, an annual report, examinations, and penalties. The full section index is published by the Cornell Legal Information Institute, which lists all 14 sections of Article 2 from 2698.30 Definitions through 2698.43 Hearings.
Enforcement is not theoretical. The CDI runs an SIU Compliance Review Program that inspects insurers on the establishment, staffing, training, and operation of their units, and risk-scores each filer. More than 1,100 insurers file SIU annual compliance reports with the Department every year. So this is not a boutique rule that applies to a handful of carriers - it is the operating standard for the licensed market in the largest state insurance market in the country.
Statute mandates, regulation specifies, program enforces
Three layers, and confusing them muddies compliance work. Insurance Code 1875.20-24 is the statute that requires an SIU. 10 CCR 2698.30-2698.43 is the regulation that prescribes how the SIU detects, investigates, refers, trains, and reports. The SIU Compliance Review Program is the CDI Fraud Division mechanism that inspects filings, risk-scores them, runs on-site audits, and refers findings toward penalties. When a market-conduct exam lands on your desk, it is the program testing your compliance with the regulation - not the abstract statute.
The section-by-section walkthrough
The cleanest way to read 10 CCR 2698 is to group its 14 sections into four functional blocks: establishing and staffing the SIU (2698.31-2698.33), the detect-investigate-refer chain (2698.34-2698.38), anti-fraud training (2698.39), and reporting plus enforcement (2698.40-2698.43). Each block maps to a distinct compliance artifact an examiner can request, and one of them - the detect-investigate split - is where the whole documentation burden concentrates.
Establishing and staffing the SIU (2698.31-2698.33)
Sections 2698.31 through 2698.33 set the insurer's baseline responsibility: the carrier must establish an SIU, staff it, and govern how contracted or outsourced SIU functions are handled. In manual programs the pain point here is that SIU headcount is tied to claim volume - as flagged-claim volume rises, staffing has to rise with it or coverage falls. This is the structural constraint that makes the investigation-record requirement further downstream so hard to satisfy at scale.
Detecting, investigating, and referring (2698.34-2698.38)
This block is the core of the regulation, and the split between two of its sections is the single most important thing a compliance officer should internalize. Section 2698.34 governs communication with the Fraud Division. Section 2698.35 governs detecting suspected fraud - identifying red flags. Section 2698.36 governs investigating suspected fraud, which is a separate, heavier obligation. Sections 2698.37 and 2698.38 govern the referral itself and the required content of that referral.
The 2698.35 versus 2698.36 distinction is deliberate and load-bearing. Detecting a red flag is not investigating it. A detection score is a signal under 2698.35; the investigation under 2698.36 requires a written summary, evidence preservation, and a documented outcome. A carrier can be fully covered on detection and still exposed on the investigation record. That is the gap the next section unpacks in detail.
Anti-fraud training (2698.39)
Section 2698.39 sets concrete, auditable training deadlines that examiners verify against personnel records. Per the regulation text, newly hired employees must receive anti-fraud orientation within 90 days of commencing duties, integral anti-fraud personnel must receive annual in-service training, and SIU personnel must receive at least 5 hours of continuing anti-fraud training per calendar year. This is a human obligation - it is unaffected by whatever investigation tooling a carrier runs, and it stays the SIU's responsibility to track and evidence.
Annual report and enforcement (2698.40-2698.43)
Section 2698.40 sets the SIU Annual Report. Per the regulation, it is due no later than 90 days after the Department mails its notification, which the Department issues in June each year - putting the practical deadline around September. It must be signed under penalty of perjury by a company officer and must include written detection, investigation, and reporting procedures; training plans; SIU structure and staffing; claims-processed and fraud-referral statistics; and copies of any SIU contracts. For the 2025 report cycle, the CDI set the eSIUAR portal deadline at September 15, 2026, 11:59 PM.
Sections 2698.41 through 2698.43 are the enforcement tail: examinations, penalties, and hearings. The penalty section is the one carriers watch. Per 10 CCR 2698.42, the Commissioner may impose up to $5,000 for each act of non-compliance and up to $10,000 for each willful act, with authority drawn from Insurance Code 1875.24. Inadvertent violations tied solely to SIU maintenance and operation are treated as a single act capped at $5,000. Because penalties accrue per act, a systemic gap - missing investigation summaries across many referrals - can compound.
10 CCR 2698 splits detecting fraud (2698.35) from investigating it (2698.36). Detection scores a red flag; investigation requires a written summary, preserved evidence, and a documented decision on every referral - including the ones the SIU declines.
Where 2698.36 becomes the hardest requirement
Section 2698.36 requires a concise and complete written summary of the entire investigation, separate from any other document, evidence preservation, and a documented reason in the file whenever the SIU declines to treat a red flag as suspected fraud. In plain terms it demands a documented decision on every referral - whether the SIU investigates or declines - and that is the requirement that scales worst under a capacity-constrained manual workflow.
The precise language matters. Per the regulation, the SIU must produce a written summary that is specific to the case and separate from any other document prepared in connection with it, must preserve the documents and evidence obtained during the investigation, and when it decides a red flag is not the result of suspected fraud, must document in the claim file or SIU file the reasons supporting that conclusion. There is no shortcut where a detection score stands in for the summary. The summary is a distinct artifact the regulation names.
Here is where the math becomes a compliance problem rather than a loss-cost one. A manual investigator carries 200+ cases and each investigation takes 14+ days, so a manual SIU fully investigates only about 25% of the claims it flags. On the ~75% it never opens, it structurally cannot produce a real 2698.36 investigation summary - it can only paper a decline. That connection is a Hesper-framed derivation from the coverage fact, not a CDI-published statistic, but the arithmetic is plain: a documented-decision requirement on 100% of referrals, met by a workflow that reaches 25% of them, leaves a large undocumented remainder.
This is exactly the artifact a defensibility standard operationalizes: an evidence chain and a decision trail that reconstruct on demand. We walk through what defensible output actually contains in the fraud investigation AI defensibility standard. The 2698.36 summary is the regulatory name for that same record.
What CDI enforcement looks like in practice
CDI enforcement runs through the SIU Compliance Review Program, which risk-scores each carrier's annual filing and conducts on-site audits, with findings that can escalate to penalties. The program does not sample at random - it prioritizes filers by prior findings, filing discrepancies, referral quality, complaint history, and market share, which means a carrier with thin referral documentation and large market share is a natural audit target.
The scale of the system is worth grounding in the fraud volume it exists to address. Per the CDI Automobile Insurance Fraud Program, in Fiscal Year 2023-24 that one program alone received 12,559 suspected fraudulent claims with a potential loss of $207,629,944, assigned 602 new cases, made 272 arrests, and referred 354 cases to prosecution. That is a single program in a single line of business. For national context, the Coalition Against Insurance Fraud estimates insurance fraud costs about $308 billion a year in the US, and roughly 10% of property-casualty claims involve some element of fraud.
The visible exposure is the penalty schedule - $5,000 per act, $10,000 per willful act. The quieter and more common exposure is a thin investigation record that does not hold up when the program samples it. Because 2698.42 penalties accrue per act, a documentation gap that spans many referrals is not one finding; it is potentially many. A carrier that flags well and documents its investigations inconsistently is carrying an exam-risk surface proportional to the number of flags it raised and did not fully work.
Risk-scoring means market share is a variable
The SIU Compliance Review Program weights market share in its risk-scoring. That means a large carrier does not get to treat compliance-review odds as low. The bigger the book, the more claims flagged, the larger the undocumented remainder if coverage sits at ~25%, and the higher the audit priority. Scale amplifies both the exposure and the likelihood of being sampled.
How AI investigation maps to the documentation rules
An audit-trail-native investigation agent maps directly to the documentation-heavy sections of 10 CCR 2698: it produces the 2698.36 investigation summary and decline-reason record on 100% of referrals, generates the structured content the 2698.37/.38 referral requires, and makes the 2698.40 annual-report statistics a byproduct of logged cases. It does not replace the SIU, the 2698.39 training obligation, or the officer's perjury sign-off. The investigator still reviews and decides; the record is built underneath.
Hesper is audit-trail-native by design: every agent decision is logged with sources, reasoning, and timestamps, which is the exact form a documented-decision requirement like 2698.36 and an SIU annual-report filing both need. Running 15+ investigation phases in parallel, an AI investigation layer returns a complete, timestamped record in 2-4 hours instead of 14+ days, which lifts flagged-claim coverage from ~25% toward 100% at roughly $150 per case against ~$2,500 manual. For a compliance officer the speed is secondary; the point is that every referral arrives as a documented investigation, not a decline memo on a claim nobody opened. This is the move from fraud detection to fraud resolution.
The positioning has to stay honest about the layers. Detection vendors - FRISS, Shift Technology, Verisk - operate at 2698.35: they identify and score red flags. None of them produce the 2698.36 investigation summary or the decline-reason documentation; a score is a signal under .35, not the investigation under .36. Detection is upstream; investigation is downstream. Hesper sits downstream of those tools and produces the investigation record the flag triggers. It is complementary to FRISS, Shift Technology, and Verisk - not a replacement. The one incumbent at the investigation layer is the manual SIU, and that is the workflow the coverage-and-documentation math is measured against.
2698.36 documentation coverage: manual SIU vs AI-assisted investigation
The layered picture - where a detection score ends and an investigation record begins - is the same map a compliance officer should apply when vetting any vendor against these rules. We lay out that vetting process for this persona in the compliance officer's guide to AI investigation deployment, and the national regulatory frame this California rule sits inside is covered in the NAIC Model Act 680 implementation guide.
Key takeaways
- California 10 CCR 2698 is 14 sections - 2698.30 through 2698.43 - that implement Insurance Code 1875.20-24 and specify how every licensed insurer's SIU must detect, investigate, refer, train, and report; more than 1,100 insurers file SIU annual compliance reports with CDI each year.
- The regulation deliberately separates detecting fraud (2698.35, where FRISS, Shift, and Verisk operate) from investigating it (2698.36), which requires a written investigation summary, preserved evidence, and a documented reason on every decline - a distinct artifact a detection score does not satisfy.
- Penalties under 2698.42 reach $5,000 per act of non-compliance and $10,000 per willful act, and because they accrue per act, a documentation gap spanning many referrals can compound into many findings rather than one.
- The hardest requirement to meet at scale is 2698.36's documented decision on every referral: a manual SIU at ~25% coverage and 14+ days per case can produce a real investigation summary on only a minority of referrals and papers a decline on the rest, which is the exam-risk surface the Compliance Review Program samples.
- An audit-trail-native AI investigation layer produces the 2698.36 summary and decline-reason record on 100% of referrals in 2-4 hours with every decision logged - generating 2698.40 statistics as a byproduct - while remaining complementary to detection vendors and leaving the officer's perjury sign-off intact.