Weathering the Storms of Regulatory Risk

Going rogue. Paving the way. Being a change agent…For many entrepreneurs, establishing themselves as brazen, smart, and transformative innovators is the thing (other than profit) that elicits success. This ‘trailblazer’ sentiment is why many people go into business in the first place. It’s to provide a practical, useful service or product that didn’t exist before. But herein lies the rub. This “something new” still needs to fall within the confines of industry regulation. The proverbial and literal rulebooks established for industries across the board are created over time, improving (at least in theory) and morphing as new learnings emerge. But what happens when businesses continue to operate outside established rules, especially as these rules change? What if, in the name of “innovation,” rules are broken? What if people get hurt? The truth is, there are countless examples of where non-compliance has led to less-than-favorable outcomes for otherwise successful businesses. Organizations might scramble to “make good” with the buying public by offering incentives or create elaborate PR campaigns to convince stakeholders that everything is under control...that the rules weren’t broken, but perhaps merely bent. But this scrambling, as we’ve all seen, can come with hefty financial costs. So how does a business navigate a crowded market with something new while still following regulations? How would one weather the storms of regulatory risk? Alternative risk planning, by way of a captive insurance company, could provide answers.

Captive Insurance & Regulatory Risk

The Issues at Hand by Industry

Regulatory risk is defined as a change in laws and regulations that will materially impact a security, business, sector, or market. To translate simply, it’s the risk of rules changing, and businesses failing to change with them. Regulatory changes are ubiquitous across industries and there’s no getting around them. But the types of rules and regulations differ greatly between industries, and a business’s ability to adhere to new rules can vary greatly too.

When organizations unintentionally fail to move in tune with a new regulatory environment (which results in a loss), captive insurance coverages may offer financial support. A captive is an insurance company that has been specifically created to insure the risks of an affiliated company or companies. The captive works in tandem with an existing commercial policy, providing specialized coverages for the operating business. Tax-advantaged premiums are paid to the captive where they accumulate as earned surplus. Captive insurance companies can provide financial benefits such as a 0% Federal income tax rate on the captive’s underwriting profits, dividends, and secured loans. Ultimately, the premiums are there to pay for losses—even those related to regulatory risk / regulatory changes.

Here, we’ve pulled together relevant issues and news affecting mid-market businesses from a regulatory perspective. We’ll provide specific examples of how the formation of a captive insurance company might help to curtail any financial backlash from the regulatory issues highlighted.


Manufacturing Law Concerning the Internet of Things

The Internet of Things (IoT)—the interconnectivity between the internet and machines—is being adopted by manufacturing companies around the globe. From Nest thermostats and Google Home Assistants to self-driving cars, the IoT is in-demand in a major way. But inherently, as with all tech, there are security risks involved. Because of this, California Governor Jerry Brown signed into law a new bill aimed at regulating the security of IoT devices in September 2019.

The statutory change calls for “smart things” manufacturers to include a “reasonable security feature” as part of the devices they sell. Devices should have a pre-programmed password that is unique to each product unit. The bill clearly defines these connected devices as “any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.” The security feature “requires a user to generate a new means of authentication before access is granted to the device for the first time.” The language as to how businesses should enable this security feature is arguably vague. This ambiguity, combined with a business’s potential inability to comply with what’s required, could cause it to inadvertently become non-compliant. If this were to happen, California could levy big fines that the business may not be prepared for.

It goes without saying that manufacturers in California should do all they can to gain clarity on what they should change about their specific products so that they remain in good standing with authorities.

But if somehow regulatory risk gives way to a loss event, the formation of a captive insurance company can offset the financial damage. Costs related to fines, product recall, legal representation and more can be written into a captive insurance policy. If a commercial policy exists, captive coverages can kick in to cover any additional losses associated with regulatory changes. If a loss event does not occur, undistributed earned surplus (i.e., funds that have accumulated within the captive insurance company) can be reinvested into the company. It’s a financial benefit unseen with conventional commercial policies. Regulatory coverage underwritten by a captive in this regard depends on how the policy is written. The policy used by Capstone Associated Services is written to cover new legislation (statutes) and regulatory actions. Other policies may be written for a narrower coverage.

Less Regulation = More Security Risk for eCommerce

Cash is arguably “old school.” Whether we want to accept it or not, we live in the age of PayPal, Zelle, Venmo, and online banking. And they all link to our credit cards—the primary means of payment. But businesses that accept credit cards have to comply with regulations. The PCI DSS, or Payment Card Industry Data Security Standard, is the compliance standard that eCommerce organizations have to follow. The rules ensure that customer information is kept private and secure. Specifically, the PCI Data Security Standard specifies twelve requirements for compliance, which include configuring passwords and settings, encryption during transmission of cardholder data, patching and updating systems, and more.

The reality is, compliance with PCI DSS is down.

According to Tech Republic, Verizon’s 2018 report on PCI DSS revealed that just more than a third (36.7%) of organizations were actively maintaining PCI DSS programs. The report said that “many companies create programs that only look good on paper but cannot withstand the scrutiny of a professional security assessment. Programs that have failed as inadequate or overly complex and stem from a lack of proficiency in designing, implementing, monitoring and evaluating a data protection compliance program (DPCP).”

This is a prime example of how regulatory risk can lead to a loss event. If there is a security breach, and/or it is discovered that a business hasn’t complied with the industry standard, there could be financial repercussions.

Having a captive in play can help a business remain afloat financially – the funds can be used to pay fines, losses associated with business interruption, lawsuits, and more. Businesses should do all they can to comply before new regulations are mandated but forming a captive insurance company can provide an extra layer of security if anything falls through the cracks.


A Lack of Oversight for eCigarette Makers

In November of 2019, the Center for Disease Control (CDC) released data on the number of reported cases of lung illnesses officials believe are linked to e-cigarette use and vaping. For that year, the number reached 2,290. There have been 47 confirmed deaths related to the vaping-illness reported in 49 states, Washington, D.C., and two U.S. territories. Many believe that the increase in vaping illnesses and casualties is due to a lack of regulatory adherence and oversight. The changes are making it difficult for businesses to keep up.

In October of 2019, Washington state placed a temporary ban on flavored vape products. In addition, legislation is being proposed that would eliminate bulk sales and cap nicotine levels in non-cannabis vaping products. Manufacturers would need to go back to their labs to manipulate their products’ nicotine while still maintaining quality and potency. The Boston Globe reports that sales of nicotine and cannabis vaping products have boomed since Sept. 24, 2019 when Massachusetts Governor Charlie Baker banned both amid an outbreak of vaping-related lung injuries.
Among other requirements, manufacturers of e-cigarettes, vaping products, and other tobacco-derived products must submit Applications for Premarket Review of New Tobacco Products to the FDA before selling to the public or to a 3rd party vendor.

All of this translates into regulatory risk and the very real possibility that businesses that manufacture or sell e-cigarettes may not be in compliance. But all is not lost--those that opt for alternative risk planning can pay premiums to their captive (formed under IRC 831(b)), earning a 0% federal income tax rate on the captive’s underwriting profits. Instead of stowing away cash for a rainy day in a standard savings account, insureds can put their premium dollars to work while still maintaining a solid risk management plan for an unexpected loss. As seen in the vaping/e-cigarette industry, regulations are in flux. Forming a captive could be a way to keep operations intact on the off-chance that businesses have not kept in-step with these on-going changes.

Regulatory Challenges Facing Vacation Rental Investors

As of November 2019, the demand for vacation rentals is growing. In the three years prior, the short-term rental market grew by more than 100%. But according to Forbes and many others, the greatest challenge for short-term rental investors is regulatory restrictions. Major cities like New York, San Francisco, Chicago, and Los Angeles have already limited or completely blocked the vacation rental operations. They’re facing backlash from hotels, local governments, and communities that would rather keep things as they are…predictable and safe. The opinions of community members are influencing the regulatory landscape.

Networking with hotels, speaking with zoning officials, and networking with the community at large are viable ways to start up or continue operations (if vacation rentals are allowed). However, if these operations remain without adherence to established regulations, investors can find themselves in hot water. For example, illegal advertising of apartments in New York—defined as a building with three or more units—is subject to fines up to $7,500. In Los Angeles, hosts must register with the city, pay hotel taxes, and keep records for city inspection. They can legally rent out for short stays for no more than 120 days a year. Exceeding the limit will result in a daily fine of at least $2,000. In Washington D.C., hosts may rent out an entire property, but they must first obtain an additional “vacation rental” endorsement. The maximum nights they can rent out an entire property is 90 nights a year. If there’s a violation, hosts are looking at fines between $500 and $6,000.

If the owner doesn’t comply and a loss event associated with regulatory changes is deemed ‘fortuitous’ or ‘unexpected,’ captive insurance coverages could be leveraged. In the commercial market, coverages of this type are limited and may be too expensive for the average mid-market business or investor. Captives ensure that even when regulatory risk is present, businesses can plan their next move if the viability of the business is ever in question due to a loss event.


Rules and regulations are created to keep order, maintain safety, and offer a level of fairness to the marketplace. In turn, businesses look to regulators for a baseline of what has historically been accepted and ultimately, expected. The truth is that organizations have to be flexible and “malleable” enough to change with the times without losing their value propositions. When businesses are unmoving, they often find themselves contending with fines, lawsuits, and a loss of customer loyalty. Alternative risk planning by way of a captive can help to provide financial sustainability when regulatory changes lead to loss. When used as a risk coverage and financial safety net, businesses can use a captive to stave off headwinds that may be far too strong to withstand otherwise.