Guides · June 25, 2026 · 15 min read · Pankaj Dhariwal

NAIC Model Act 680 implementation: a state-by-state SIU compliance guide

NAIC Model Act 680 is the scaffolding, not the SIU mandate. It builds a state fraud bureau and requires antifraud initiatives; the dedicated-SIU rules live in state law. Here is the state-by-state compliance map.

Pankaj Dhariwal · CEO and Co-founder
  • 13: Sections in Model Act 680 (2003 consolidated version, NAIC)
  • 48: States adopting it or a variation (NAIC list, per IRMI commentary)
  • 50 + DC: Jurisdictions criminalizing fraud (broader than 680, per III via IRMI)
  • $308.6B: Annual US insurance fraud loss (Coalition Against Insurance Fraud, 2022)

NAIC Model Act #680 builds the legal scaffolding for state insurance fraud programs, but it does not require every insurer to run a dedicated Special Investigations Unit - that mandate lives in individual state laws built on top of it. This is the single distinction most compliance content gets wrong, and getting it wrong sets a carrier up to either over-build or under-document. The model creates a state-level fraud bureau and requires insurers to maintain antifraud initiatives; the prescriptive SIU staffing, structure, and reporting rules come from statutes like New York Regulation 95, not from the model itself.

This guide is written for the compliance officer who owns the antifraud-plan filing with a state Department of Insurance, and the SIU director who owns the documented trail behind it. It walks through what Model 680 actually requires across its 13 sections, how state adoptions diverge from plan-filing requirements to fully prescribed SIUs, a worked example of a mandatory-SIU state, the enforcement path through market-conduct examinations, and where an audit-trail-native investigation layer fits the documentation burden the statute creates.

It sits inside our SIU operations cluster. For the broader operating model, start with how Special Investigation Units run in 2026; for the AI-governance overlay, read the compliance officer's guide to AI claims investigation deployment. Insurance fraud is a $308.6 billion annual problem in the US, per the Coalition Against Insurance Fraud - the stake that this entire regulatory apparatus exists to address.

What Model Act 680 is - and what it is not

NAIC Model Act #680 is the Insurance Fraud Prevention Model Act, the National Association of Insurance Commissioners' template legislation for combating insurance fraud. The current consolidated version was adopted in 2003, has 13 sections, and replaced three earlier models from 1980 to 1990. It is scaffolding for state law: it builds a state fraud bureau, requires mandatory reporting, grants immunity for good-faith reporting, and requires insurers to maintain antifraud initiatives. It does not, by its own text, require every carrier to stand up a dedicated SIU.

The full model text is published by the NAIC as document MO-680. The 2003 version consolidated and replaced three earlier models - the Model Insurance Fraud Statute (1980), the Model Legislation Creating a Fraud Unit (1980), and the Model Immunity Act (1983/1990). That history matters because it explains the structure: the model braids together a criminal-act definition, a state enforcement bureau, and immunity protections into one statute that a state legislature can adopt as a package.

The 13 sections at a glance

The clearest way to read the model is by what each section does. Two distinctions drive the entire compliance analysis: Section 9 creates the state's fraud bureau, while Section 11 sets the carrier-facing obligation. Conflating those two is the most common error in this area, because Section 9's powers - subpoenas, oaths, records inspection - belong to the state, not to the insurer's internal unit.

| Section | Subject | What it does |
|---|---|---|
| S4 | Fraud warning required | Claim forms and applications must carry the statutory fraud-warning statement |
| S5 | Authority of the commissioner | Grants the commissioner investigative and prosecutive authority over fraudulent insurance acts |
| S6 | Mandatory reporting | A person in the business of insurance with knowledge or reasonable belief of fraud shall report it to the commissioner |
| S7 | Immunity from liability | Civil immunity for furnishing fraud information in good faith, except statements made with actual malice |
| S8 | Confidentiality | Documents furnished under reporting are confidential, not subject to subpoena or discovery, with NAIC sharing carve-outs |
| S9 | Insurance Fraud Unit | Establishes the STATE-level fraud bureau within the DOI, with subpoena, oath, and records-inspection powers |
| S11 | Insurer antifraud initiatives | Insurers shall have antifraud initiatives - fraud investigators OR a filed antifraud plan |
| S13 | Penalties | License suspension or revocation, civil penalties per violation, and restitution |

The distinction that drives everything

Section 9 creates the state fraud bureau - the DOI's own investigative unit with subpoena power. Section 11 is the only carrier-facing requirement, and it asks for antifraud initiatives, which can be fraud investigators OR a filed antifraud plan. Neither section, by its own text, mandates a dedicated carrier SIU. When you read that an insurer must maintain an SIU, that comes from a 680-derived state law, not from Model 680 itself.

Section 11 is worth quoting in spirit because it is the hook for everything a carrier files. It requires insurers to maintain antifraud initiatives "reasonably calculated to detect, prosecute and prevent fraudulent insurance acts," and those initiatives may take the form of fraud investigators (employees or contractors) or an antifraud plan submitted to the commissioner. Antifraud plans filed under the model are treated as privileged and confidential - not public, not subject to discovery or subpoena. The NAIC also publishes a companion Antifraud Plan Guideline (#1690) that standardizes what a plan should contain, which is the practical template for operationalizing Section 11.

Model 680 does not require your SIU. Section 9 builds the state's fraud bureau, Section 11 asks only for antifraud initiatives, and the dedicated-SIU mandate is layered on by state law. Most compliance content gets this backward.

The state adoption landscape: 48 states, wide variation

According to the NAIC list cited by IRMI, 48 states have adopted the Insurance Fraud Prevention Model Act or some variation thereof, and the Insurance Information Institute reports that all 50 states plus the District of Columbia criminalize insurance fraud. The qualifier matters: the 48 figure counts both verbatim adoptions and substantially similar state legislation, so operational requirements diverge sharply between plan-filing states and mandatory-SIU states.

The "or some variation thereof" language is not a hedge - it is the whole story. Barry Zalma's expert commentary on IRMI reports the NAIC list at 48 states adopting the model "or some variation thereof," and notes separately, citing the Insurance Information Institute, that all 50 states and DC have statutes defining insurance fraud as a crime. So a carrier writing in multiple states cannot rely on a single national rule. The right question is never "are we 680-compliant" in the abstract; it is "what does our adopted statute require in each state where we write business." The NAIC maintains a per-state legal-citation chart for the model (document ST-680) for exactly that lookup.

The variation falls into two broad buckets. In plan-filing states, the carrier obligation is closer to the model itself: maintain antifraud initiatives and, where required, file an antifraud plan with the commissioner. In mandatory-SIU states, the statute goes further - it prescribes a separate investigative unit, minimum staffing, investigator qualifications, and a fixed annual-reporting deadline. The same carrier can owe a plan in one state and a fully staffed, separately budgeted SIU in another. The table below shows three commonly cited examples of how far the prescriptions diverge.

| State | Regime type | A prescription that illustrates the variation |
|---|---|---|
| New York | Mandatory SIU | Insurance Law Section 409 + Reg 95: separate SIU with its own budget line; annual SIU report due March 15 |
| New Jersey | Mandatory SIU with ratio | At least one SIU investigator for each 30,000 New Jersey automobile policies |
| California | Documentation-prescriptive | Permits up to 30 calendar days for the release of requested information; 10 CCR 2698.36 documented-decision requirement |

The state-by-state SIU and antifraud-plan requirements are catalogued by the Coalition Against Insurance Fraud, which documents the concrete variations above. New Jersey's 1-investigator-per-30,000-auto-policies ratio and California's 30-day information-release window are the kind of specifics that never appear in the model text - they are state inventions on top of the scaffolding. A compliance program that treats "680" as a single uniform standard will, by construction, under-document in the states that prescribe more.

Core compliance obligations under 680-derived state law

Across the states that built on Model 680, six obligations recur for carriers: a written antifraud plan or documented initiative, SIU staffing and structure where mandated, mandatory reporting of suspected fraud, investigator training and qualifications, recordkeeping and chain of custody, and annual SIU reporting. The thresholds, ratios, and deadlines are set by each state, not by the model - but the categories are stable enough to build a program against.

The first obligation, the antifraud plan, traces to Section 11 and is operationalized by NAIC Guideline #1690. A plan describes how the carrier detects, investigates, and reports fraud, who staffs the function, and how cases move. The second, SIU staffing, only binds where the state mandates it - and where it does, it can prescribe everything from a separate budget line to a minimum investigator ratio. The third, mandatory reporting, traces to Section 6: a person in the business of insurance with knowledge or reasonable belief of a fraudulent insurance act shall report it to the commissioner in the prescribed manner.

The fourth obligation, investigator qualification, is where states diverge most sharply. New York requires SIU investigators to have five years of claims or law-enforcement investigation experience or a criminal-justice degree. The fifth, recordkeeping and chain of custody, is the obligation most exposed in an examination, because it is the one that has to be reconstructable months later. The sixth, annual reporting, runs on a state-set calendar - New York's annual SIU report is due no later than March 15 each year through the DFS portal. A carrier running across several mandatory-SIU states is tracking multiple deadlines, qualification standards, and report formats at once.

The recordkeeping obligation is the one that gets sampled

Of the six obligations, recordkeeping and chain of custody is the one a market-conduct examiner can most directly test, because it is the one that has to survive time. A plan can read well on paper; the question on exam is whether the actual investigation files behind a sampled set of flags reconstruct the decision. That is a documentation problem, and it is the problem a 14+ day manual workflow at ~25% coverage struggles to solve consistently.

On generating that reconstructable trail at speed, we walk through the artifact itself in how to generate an audit-ready fraud investigation report in under an hour. The 15+ investigation phases that go into a defensible file - document forensics, statement cross-reference, timeline reconstruction, financial-pattern analysis - are exactly the contents a chain-of-custody record has to capture for it to hold up on exam.

A worked example: New York Reg 95 and the separate-SIU standard

New York is the clearest example of what "mandatory SIU" actually means in practice. Under New York Insurance Law Section 409 and Regulation 95, a qualifying insurer must file a fraud prevention plan and maintain a separate SIU with its own budget line. Investigators need five years of claims or law-enforcement investigation experience or a criminal-justice degree, and the annual SIU report is due no later than March 15 each year. None of these specifics appear in Model 680 - they are New York's build on top of it.

The specifics are laid out in the New York Department of Financial Services FAQ on Fraud Prevention Plans and SIUs. Three features make New York instructive. First, the SIU must be "separate" - a distinct unit with its own budget line, not a function bolted onto general claims. Second, the qualification standard is concrete and auditable: five years of relevant investigation experience or a criminal-justice degree, which an examiner can verify against personnel records. Third, the March 15 annual report is a hard deadline filed through the DFS portal, which means the documented output of the SIU has a fixed calendar obligation attached to it.

The lesson for a multi-state carrier is structural. A program designed only to the model would file a plan and call it done. A program designed to New York has to demonstrate a separately budgeted unit, qualified personnel, and a complete annual record - and then has to do the equivalent, with different specifics, in New Jersey, California, and every other mandatory-SIU state where it writes. The compliance burden is not the model; it is the union of every state's build on the model.

The enforcement and penalty landscape

Non-compliance with 680-derived state law generally surfaces in two ways: a market-conduct examination, or the DOI's review of a carrier's filed antifraud plan. Under Section 13 of Model 680, penalties include suspension or revocation of the license or certificate of authority, civil penalties per violation, and restitution to aggrieved parties. Criminal violations of the fraud provisions carry classifications matching the state's penal code for theft offenses.

The penalty schedule is the visible part. The more common exposure is quieter: a thin or unsupported antifraud program that does not hold up when an examiner samples it. This is where the coverage gap becomes a compliance problem, not just a loss-cost one. A program that fully investigates only about 25% of its flagged claims is, by construction, leaving roughly 75% of its own fraud signals without a complete investigation trail. That is a Hesper-derived framing rather than a cited statistic, but the math is plain: every flag a carrier raises and does not work is a row an examiner can pull and find undocumented.

An antifraud plan that lists a detection vendor but cannot show what happened to most of the flags it generated is a thin plan. The defensible position is not just that you flag suspicious claims - it is that you investigate them and can reconstruct each decision on demand.

Hesper AI product research

For a compliance officer, the implication is that coverage and documentation are not separate problems. The exam does not ask whether you own a detection tool; it asks whether the investigation behind a sampled set of flags is complete and reconstructable. A 25% coverage rate means three out of four sampled flags can land in the undocumented pile. Closing the coverage gap and producing a consistent record are, on exam, the same task.

Where an AI investigation layer fits the compliance picture

Detection vendors satisfy the "detect" verb in Section 11; the harder bar is the documented, consistent, complete investigation across 100% of flags that a market-conduct examiner actually samples. That is the gap an autonomous AI investigation layer addresses. Hesper is audit-trail-native by design: every agent decision is logged with sources, reasoning, and timestamps, which is the form a documented-decision requirement like California 10 CCR 2698.36 and an antifraud-plan filing both need.

The layering matters for getting the positioning right. FRISS, Shift Technology, and Verisk are detection tools - they help a carrier satisfy the "detect" half of "detect, prosecute and prevent" by flagging suspicious claims. Detection is upstream; investigation is downstream. Rules-based detection also runs a 60-85% false-positive rate, which is precisely why a flag is a question, not a finding. Hesper sits downstream of those tools and runs the investigation the flag triggers. It is complementary to FRISS, Shift Technology, and Verisk - not a replacement. The investigation layer is the one no detection vendor occupies; the only incumbent there is the manual SIU.

Against the manual SIU, the compliance-relevant change is documentation at coverage. A manual case takes 14+ days, an investigator carries 200+ cases, and the practical result is that only about 25% of flagged claims get a full investigation. Running the investigation autonomously in 2-4 hours - 15+ phases in parallel on every claim - lifts flagged-claim coverage from ~25% toward 100%, at roughly $150 per case against ~$2,500 manual. For a compliance officer the speed is secondary; the point is that every one of those investigations arrives as a complete, timestamped record rather than a backlog of flags nobody worked. This is the move from fraud detection to fraud resolution.

Coverage and documentation: manual SIU vs autonomous investigation

  • Flagged-claim coverage, manual SIU: ~25%
  • Flagged-claim coverage, autonomous: 100%
  • Investigation phases run in parallel: 15+
  • Detection false-positive rate (rules-based): 60-85%

Detection compliance and investigation compliance are different bars

A detection vendor in the antifraud plan answers the 'we look for fraud' question. It does not answer the 'show us what you did with the flags' question, because a score was never meant to be a documented investigation. The investigation bar is the one an examiner samples against, and it is the bar an audit-trail-native investigation layer is built to clear - across 100% of flags, not the ~25% a manual team reaches.

A compliance-readiness checklist for SIU and compliance leads

A practical readiness check maps each Model 680 or state obligation to an artifact the carrier should be able to produce on demand. The test for each item is not whether a policy exists but whether the underlying record can be reconstructed when an examiner pulls a sample. The eight items below are ordered the way an exam tends to move - from the filed plan down to the individual case file.

| Obligation | Source | Artifact to produce on exam |
|---|---|---|
| Written antifraud plan | S11 / Guideline 1690 | The filed plan describing detection, investigation, reporting, and staffing |
| SIU staffing and structure | State law (e.g., NY Reg 95) | Org chart, separate budget line, and proof of any required investigator ratio |
| Investigator qualifications | State law (e.g., NY 5 yrs / degree) | Personnel records evidencing experience or degree standards |
| Mandatory fraud reporting | S6 | Log of reports made to the commissioner with dates and dispositions |
| Investigation recordkeeping | State law / chain of custody | Complete, timestamped file for each investigated flag, reconstructable on demand |
| Coverage of flagged claims | Derived exam exposure | Evidence that flagged claims are investigated, not left undocumented |
| Annual SIU report | State law (e.g., NY March 15) | The filed annual report, on the state's deadline and format |
| Fraud-warning statement | S4 | Claim forms and applications carrying the statutory warning |

The two highlighted rows - investigation recordkeeping and coverage of flagged claims - are where AI changes the math. A manual program produces those artifacts inconsistently because investigator attention is the bottleneck; an autonomous layer produces a consistent, timestamped file for every flag it works, which makes both the recordkeeping and the coverage artifacts reproducible rather than aspirational. The other six items are governance and structure a carrier sets up once and maintains; these two are the ongoing operational test, and they are the ones that scale with claim volume.

Key takeaways

  • NAIC Model Act 680 is the Insurance Fraud Prevention Model Act - 13 sections, 2003 consolidated version - and it builds the scaffolding (state fraud bureau, mandatory reporting, immunity, antifraud initiatives) rather than mandating a dedicated carrier SIU.
  • The dedicated-SIU requirement lives in 680-derived state laws like New York Regulation 95, not in the model itself; Section 9 creates the state's fraud bureau and Section 11 only requires antifraud initiatives - fraud investigators or a filed antifraud plan.
  • 48 states adopted the model or some variation thereof, and all 50 plus DC criminalize insurance fraud, so a multi-state carrier owes the union of every state's build - plan filings, staffing ratios, qualification standards, and deadlines - not one uniform standard.
  • Non-compliance surfaces in market-conduct exams and antifraud-plan reviews, where the real exposure is a documentation gap: a program investigating only ~25% of flags leaves roughly 75% of its own signals without a reconstructable trail to sample.
  • An audit-trail-native AI investigation layer fits the documentation burden by investigating 100% of flagged claims in 2-4 hours with every decision logged - complementary to FRISS, Shift, and Verisk detection, not a replacement for it.

Frequently asked questions

NAIC Model Act #680 is the Insurance Fraud Prevention Model Act, the National Association of Insurance Commissioners' template legislation for combating insurance fraud. The current consolidated version was adopted in 2003 and has 13 sections. It establishes a state-level insurance fraud bureau, requires mandatory reporting of suspected fraud to the insurance commissioner, grants civil immunity to those who report fraud in good faith, mandates a fraud-warning statement on claim forms, and requires insurers to maintain antifraud initiatives. Roughly 48 states have adopted the model or some variation thereof, and all 50 states plus the District of Columbia have enacted statutes defining insurance fraud as a crime. The model is the scaffolding; the specific carrier obligations vary by state.

Not directly. The model act itself, in Section 11, requires insurers to maintain antifraud initiatives reasonably calculated to detect, prosecute and prevent fraud, which may take the form of fraud investigators or a filed antifraud plan - it does not, by its own text, mandate a dedicated Special Investigations Unit. The dedicated-SIU requirement comes from individual state laws built on the model. New York (Insurance Law Section 409, Regulation 95), California, New Jersey, and others require a separate SIU with defined staffing. Carriers must therefore check their specific state's adopted version, because a 680 state can range from a plan-filing requirement to a fully prescribed SIU with minimum investigator ratios.

According to the NAIC's list cited by IRMI, 48 states have adopted the Insurance Fraud Prevention Model Act or some variation thereof. That qualifier matters: the figure counts both verbatim adoptions and states that enacted related or substantially similar fraud legislation, so the operational details differ from state to state. Separately, the Insurance Information Institute reports that all 50 states and the District of Columbia have enacted statutes defining insurance fraud as a crime, which is a broader category than the model act itself. For the exact citation in any given state, the NAIC maintains a per-state legal-citation chart for Model #680, document ST-680.

Six obligations recur across states: a written antifraud plan or documented antifraud initiative (Section 11, often standardized by NAIC Guideline #1690); SIU staffing and structure where the state mandates it; mandatory reporting of suspected fraudulent insurance acts to the commissioner (Section 6); investigator training and qualification standards - New York, for example, requires five years of claims or law-enforcement investigation experience or a relevant degree; recordkeeping and chain of custody on investigations; and annual SIU reporting, due by a state-set deadline such as New York's March 15. The precise thresholds, timelines, and staffing ratios are set by each state, not by the model.

They are two different units. The state fraud bureau is created by Section 9 of Model 680 - it sits inside the state Department of Insurance and has investigative powers including records inspection, subpoenas, administering oaths, and sharing evidence with law enforcement. It is the state's own enforcement arm. A carrier's Special Investigations Unit is the insurer's internal function, and the requirement to run one comes from individual state laws built on the model, not from Section 9. Confusing the two is the most common error in this area. When you read that an insurer must maintain an SIU, that is a 680-derived state-law obligation; Section 9's powers belong to the state, not the carrier.

Non-compliance generally surfaces through a market-conduct examination or the DOI's review of a carrier's filed antifraud plan. Under Section 13 of Model 680, penalties include suspension or revocation of the license or certificate of authority, civil penalties per violation, and restitution to aggrieved parties. Criminal violations of the fraud provisions carry classifications matching the state's penal code for theft offenses. Beyond formal penalties, a thin or unsupported antifraud program creates exposure: if a carrier flags suspicious claims but cannot document what its SIU did with most of them, an examiner can sample those flags and find the investigation trail incomplete.

Detection tools such as FRISS, Shift, and Verisk help satisfy the detect half of the obligation by flagging suspicious claims, but they hand off to a manual SIU that, across US P&C carriers, fully investigates only about 25% of flags at roughly 14+ days per case. The compliance weakness is the undocumented remainder. An autonomous AI investigation layer like Hesper investigates every flagged claim in 2-4 hours, lifting coverage to 100%, and logs every decision with sources, reasoning, and timestamps - an audit-trail-native output built to satisfy documented-decision requirements such as California 10 CCR 2698.36 and the antifraud-plan filing standard. It is complementary to detection vendors, not a replacement: detection is upstream, investigation is downstream.

Yes, under the model. Antifraud plans submitted to the commissioner under Section 11 of Model 680 are treated as privileged and confidential - they are not public records, and they are not subject to discovery or subpoena. Section 8 similarly protects documents furnished under the mandatory-reporting provisions, with carve-outs that allow the NAIC and law enforcement to share information. The practical implication is that a carrier can document its antifraud program candidly in the filed plan without creating a discovery liability. State-adopted versions can vary, so a compliance officer should confirm the confidentiality treatment in each state's statute, but the model's default is that the plan and the reporting documents behind it are protected.
