SMS Compliance For Insurance

What Is Insurance SMS Compliance?

If your brokerage is thinking about texting clients, here's what you need to know about TCPA, CASL, and RIBO before you send a single message.

Texting is the fastest way to reach insurance customers. Open rates sit around 98%, compared to roughly 20% for email. But for brokerages and carriers, texting comes with a layer of regulatory complexity that most industries don't have to worry about.

Insurance professionals are licensed. The conversations they have with clients touch on coverage, liability, and personal financial information. That means texting in insurance isn't just a marketing compliance question. It's a professional conduct question too.

This guide breaks down the three regulatory frameworks that matter most if you're a brokerage operating in Canada, the US, or both: TCPA, CASL, and RIBO's AI guidance.

The Three Frameworks That Apply to Insurance Texting

Most brokerages operate under at least two of these. If you're in Ontario and serve US clients, all three apply.

TCPA (Telephone Consumer Protection Act) governs SMS in the United States. It sets the rules for consent, opt-outs, and penalties.

CASL (Canada's Anti-Spam Legislation) is the Canadian federal law covering commercial electronic messages, including text messages sent to or from Canadian devices.

RIBO (Registered Insurance Brokers of Ontario) doesn't have a texting-specific rule, but their 2025 guidance on AI use has direct implications for any brokerage using automated messaging tools.

TCPA: What US-Facing Brokerages Need to Know

The TCPA is the big one for any brokerage texting clients in the United States. Here's what it requires.

You need written consent before sending marketing texts. This is called Prior Express Written Consent (PEWC). It has to be clear and documented, typically through a web form, signed document, or digital opt-in. A verbal "sure, text me" is not enough for promotional messages.

Informational texts have a lower bar, but still need consent. If you're texting a client about their existing policy, a claim update, or a renewal reminder, that falls under Prior Express Consent (PEC). This can be oral or implied through an existing business relationship, but having it in writing is strongly recommended.

Every text must include opt-out instructions. The standard is "Reply STOP to unsubscribe," but as of April 2025, the FCC requires businesses to honor opt-out requests made through any reasonable method. That includes email, phone calls, website forms, or even in-person requests. You can't limit opt-outs to just the STOP keyword anymore.

Opt-outs must be processed within 10 business days. This changed in 2025. It used to be 30 days. If a client opts out, you need systems in place to stop messaging them fast.

Penalties are steep. Violations carry fines of $500 to $1,500 per text, per violation. That adds up quickly across a client book, and class-action lawsuits in this space are common.

What This Means in Practice

If your brokerage is collecting phone numbers through a quote form on your website, you need a clear consent checkbox (not pre-checked) that specifically mentions text messaging. Generic "contact me" consent doesn't cover SMS under TCPA.

CASL: The Canadian Rules

CASL applies to any commercial electronic message sent to or from a Canadian device. That includes text messages.

You need consent, and CASL recognizes two types. Express consent means the person specifically agreed to receive texts from you. Implied consent exists when you have an existing business relationship, defined as a purchase, transaction, or formal agreement within the last two years.

Implied consent has a shelf life. If a client bought a policy from you 18 months ago, you have implied consent. If it's been more than two years since their last transaction, that consent expires. You'd need to get express consent to keep texting them.

Every message must identify you and include an unsubscribe option. Your brokerage name and contact info need to be clear, and there has to be a working opt-out mechanism in every commercial text.

The penalties are significantly higher than TCPA. Individuals face fines up to $1 million per violation. Companies face up to $10 million per violation. Directors and officers can be held personally liable.

Where CASL Gets Tricky for Brokerages

Renewal reminders are a gray area. If the reminder is purely informational ("your policy expires March 30"), it's likely not a commercial electronic message. But if it includes a pitch ("renew now and save 15%"), it crosses into commercial territory and CASL applies fully. When in doubt, treat it as commercial.

RIBO's AI Guidance: Why It Matters for Automated Texting

In May 2025, RIBO published guidance specifically about AI use by licensed brokers in Ontario. If your brokerage uses any automated messaging tool, chatbot, or AI agent to communicate with clients, this applies to you.

Clients must know when they're talking to AI. If your texting platform uses AI to generate or send messages, RIBO expects transparency. Customers should understand when they're engaging with an automated system rather than a human broker.

A licensed broker must review AI-generated content before it reaches the client. This is the "human in the loop" requirement. Anything generated or altered by an AI tool needs oversight from a licensed member before it's presented to a client. This is about professional responsibility. The license holder is accountable for what goes out, regardless of whether a person or a machine wrote it.

Client data can't flow through open AI systems. Brokerages need to vet vendors to make sure client information processed through AI tools doesn't leave the firm's control, isn't stored by the vendor, and isn't used for training purposes.

Brokers need training to understand AI risks. RIBO doesn't require technical expertise, but licensees should be able to identify when AI is being used in their workflows and understand the associated risks.

What This Means for Your SMS Platform Choice

If you're evaluating AI-powered texting tools for your brokerage, RIBO's guidance means you need to ask vendors specific questions: Where is client data stored? Is it used for model training? Can a licensed broker review messages before they send? Does the platform clearly disclose AI use to the customer?

Any vendor that can't answer these clearly is a compliance risk.

A Practical Compliance Checklist

Before your brokerage starts texting clients, walk through this list.

Consent collection. Are you capturing explicit, documented consent for SMS at every point where you collect a phone number? Is the consent language specific to text messaging, not buried in general terms?

Opt-out handling. Can your system process opt-outs within 10 business days? Does it honor opt-outs from multiple channels (not just STOP replies)?

Message identification. Does every outbound text clearly identify your brokerage? Does it include an unsubscribe option?

Implied consent tracking. If you're relying on implied consent under CASL, do you have a system to track when that consent expires (two years from last transaction)?

AI transparency. If you're using automated or AI-driven messaging, are clients aware? Is a licensed broker reviewing content before it reaches customers?

Data handling. Is client data staying within your control? Have you vetted your SMS vendor's data storage and training practices?

Record keeping. Are you documenting consent records, opt-out requests, and message logs in case of an audit or complaint?

Why This Matters More Than You Think

The insurance industry is moving toward text-first communication fast. Clients prefer it. Response times drop. Conversion rates go up. But the regulatory environment isn't optional, and the fines for getting it wrong can be devastating, especially under CASL.

The brokerages that win here won't be the ones that avoid texting out of fear. They'll be the ones that adopt it with compliance built in from day one.

General Magic's Cell agent is built for regulated insurance communication. Every message is compliant by design, with consent management, opt-out handling, AI transparency, and data protection built into the platform. Learn more