HHS OIG documented the pattern in 2024: bad actors enrolled consumers in ACA Marketplace plans without their knowledge, using fabricated SEP triggers and listing real broker NPNs on the applications. The consumers received APTC. The brokers received compliance reviews.
Unauthorized Marketplace enrollment is not a theoretical risk. It is a documented enforcement and compliance issue that has affected brokers whose NPNs appeared on fraudulent applications they never submitted. The broker's culpability is not the initial question CMS asks. The initial question is whether the broker's records can separate their legitimate enrollments from the unauthorized ones.
Key Takeaways
- HHS OIG has documented unauthorized Marketplace enrollments where consumers were enrolled or switched without consent, sometimes using fabricated SEP triggers.
- A broker's NPN appearing on an unauthorized enrollment can trigger a CMS FFM certification review regardless of whether the broker was involved.
- CMS CTR requirements mandate written client consent before brokers submit or modify Marketplace applications.
- NPNs can be audited through the CMS agent and broker dashboard. Discrepancies between what the broker submitted and what appears in the dashboard require prompt reporting.
- Agency SOPs that confirm enrollment with clients directly, rather than relying on platform confirmation alone, catch unauthorized activity before it escalates.
How unauthorized enrollments work
The Marketplace submission process processes applications without requiring real-time consumer confirmation before the enrollment goes through. An application submitted with a consumer's personal information, a valid SEP trigger, and a broker's NPN can generate an active policy and APTC without the consumer ever seeing the application until they receive the insurance card.
Bad actors obtained consumer personal information through various means and used it to submit applications with fabricated qualifying life events. Common fabricated triggers included loss of prior coverage and household changes. The APTC issued covered the premium, and the enrollee often had no idea a policy existed in their name until a tax reconciliation notice or an unexplained plan change surfaced the issue.
The NPNs used in these schemes sometimes belonged to legitimate brokers who had no involvement. In other cases, the NPN field contained fabricated identifiers or belonged to brokers who had been coerced or whose credentials had been misappropriated. Either way, the presence of an NPN on an unauthorized enrollment generates an association between the broker and the fraud that the broker then has to disprove.
What the consent-to-represent requirement covers
CMS consent-to-represent (CTR) requirements mandate written client consent before a broker submits or modifies a Marketplace application on the client's behalf. The CTR must document that the consumer authorized the broker to act, the scope of that authorization, and the date of consent. CMS requires brokers to retain CTR documentation for 10 years.
The practical function of the CTR is evidentiary. In a compliance review, a broker who can produce a signed CTR for each enrollment attributed to their NPN has a clear record that separates their legitimate work from unauthorized submissions. A broker who cannot produce CTR documentation for a client, legitimate or not, has limited documentation to offer during the review.
Agencies that use a standard CTR form signed at the first client meeting and scanned into a document management system cover this requirement mechanically. The form itself is not complex. The discipline is consistent execution for every client, every time, including clients the broker has worked with for years.
Warning signals agencies should track
| Signal | What It Means | Action |
|---|---|---|
| Client reports receiving an insurance card or coverage letter they did not expect | Someone may have enrolled the client using a fabricated SEP or without their knowledge | Pull the enrollment record from the Marketplace or carrier, identify the NPN, contact CMS Agent/Broker Help Desk |
| NPN dashboard shows enrollments the agency did not submit | NPN credentials may have been used by a third party or there is a data entry error | Verify enrollment dates and SEP triggers against agency records; report discrepancies to CMS immediately |
| Client's APTC changes unexpectedly mid-year | An AOR change or plan modification may have been submitted by someone other than the broker of record | Confirm the AOR designation with the carrier and Marketplace, request an AOR reassignment if needed |
| Carrier chargeback notice referencing an enrollment the agency does not recognize | A carrier may have attributed an enrollment lapse or SEP fraud to the NPN on the application | Pull the original enrollment record, confirm the submission source, dispute the chargeback with documentation |
Illustrative scenarios. Specific response steps depend on carrier and CMS procedures in effect at the time. Contact the CMS Agent/Broker Help Desk at 1-855-CMS-1515 for guidance on reported discrepancies.
How to audit your NPN
The CMS agent and broker dashboard within the MLMS system shows enrollments attributed to a broker's NPN. Brokers with dashboard access can pull enrollment records and compare them against the agency's records of client engagements. The comparison is straightforward: any enrollment in the dashboard without a corresponding client record in the agency system is a discrepancy that needs investigation.
Carriers generate enrollment reports showing the NPN on each active policy. Running carrier reports quarterly and comparing them to agency records provides a second data point. Enrollment-submission platforms like Inshura or GetInsured maintain broker-specific enrollment logs that serve as a third check for agencies that use those platforms.
Discrepancies between what the agency submitted and what appears in the dashboard or carrier reports should be reported to the CMS Agent/Broker Help Desk at 1-855-CMS-1515. CMS has a documented process for brokers to report unauthorized use of their NPN, and early reporting creates a record that protects the broker in any subsequent compliance review.
AOR designations and broker-of-record transfers
The agent-of-record designation on a Marketplace policy determines which NPN is associated with the enrollment. AOR changes can be submitted through the Marketplace platform, and unauthorized AOR changes are a documented variant of the same fraud pattern. A client whose existing coverage has been switched to a different broker without their knowledge may continue receiving the same plan but has lost their original broker relationship without consent.
Agencies that confirm AOR status directly with clients at renewal, rather than relying only on carrier confirmation, catch unauthorized AOR changes before they affect the client relationship. A quick annual check during renewal calls, confirming that the broker of record on the client's policy matches the agency's records, takes minimal time and surfaces any discrepancy early.
Agency policies that reduce exposure
Three policies cover most of the risk without adding significant operational overhead.
The first is consistent CTR documentation. A signed CTR form for every client, filed in a retrievable system, before any application is submitted. The form does not need to be complicated. It needs to be signed, dated, and stored somewhere the agency can access in 10 years.
The second is direct enrollment confirmation. After each enrollment or modification, the broker or a staff member contacts the client directly, either by email or phone, confirms what was submitted and when, and logs that the client acknowledged the enrollment. A client who received a confirmation call cannot later claim they had no idea an enrollment was submitted.
The third is a quarterly NPN audit. Pulling the CMS dashboard and carrier reports every quarter and comparing them to the agency's client records. An agency that runs 200 enrollments per year and audits quarterly will find an unauthorized enrollment within 90 days. An agency that audits annually may not discover the problem until the carrier chargeback arrives months later.
The anti-rebating rules that govern broker compensation carry their own compliance requirements, but they operate separately from the enrollment fraud exposure. An agency can be fully compliant with anti-rebating requirements and still face NPN fraud if enrollment records are not maintained properly.
FAQ
How do unauthorized ACA Marketplace enrollments happen?
HHS OIG reporting has documented several mechanisms. In some cases, bad actors obtained consumer personal information including Social Security numbers and dates of birth and submitted Marketplace applications using fabricated special enrollment period triggers such as loss of coverage or household changes. The applications listed an NPN, sometimes belonging to a real broker who had no involvement, and APTC was issued to cover the premium. In other cases, existing enrollments were modified by submitting a broker-of-record change or a plan switch using similar methods. The Marketplace's online submission process does not require real-time consumer confirmation before an enrollment is processed, which created an opportunity for this activity. CMS has introduced consent-to-represent requirements and additional enrollment verification steps in response.
What are the CMS consent-to-represent requirements for brokers?
CMS requires brokers to obtain written consent from a consumer before submitting or modifying a Marketplace application on their behalf. The consent-to-represent must document that the consumer authorized the broker to act on their behalf, the scope of that authorization, and the date of consent. CMS regulations require brokers to retain CTR documentation for 10 years. Brokers who cannot produce CTR documentation for a client enrollment during a CMS audit or enforcement action face compliance exposure regardless of whether they were involved in the unauthorized enrollment. Some agencies use a standard CTR form signed at the first client meeting and scanned into their records management system.
How can a broker audit their NPN for unauthorized enrollments?
The CMS agent and broker dashboard within the MLMS system shows enrollments attributed to a broker's NPN. Brokers with access to their dashboard can review enrollment records and compare them against their own records of client interactions. Discrepancies, meaning enrollments that appear in the dashboard but do not match any client the broker worked with, should be reported to the CMS Agent/Broker Help Desk at 1-855-CMS-1515. Carriers also generate enrollment reports that show the NPN on each policy. Running carrier reports quarterly and comparing them to agency records is a practical second check. Enrollment-submission platforms like Inshura or GetInsured may also provide broker-specific enrollment logs that can serve as a third data point.
What happens if a broker's NPN appears on an unauthorized enrollment?
CMS may initiate a compliance review if a broker's NPN appears on enrollments that show patterns consistent with fraud, such as large volumes of SEP enrollments with similar triggers or enrollments for clients the broker has no record of serving. The review can result in FFM certification suspension or revocation, which would prevent the broker from assisting with Marketplace enrollments during the review period. Carriers may also issue chargebacks if APTC was paid on fraudulent enrollments attributed to the broker's NPN. The broker's defense is documentation: CTR records, client communication logs, and a clear record of which clients the agency actually served. Agencies that do not maintain these records have limited ability to dispute a compliance action.
What agency policies reduce exposure to NPN fraud?
Three policies cover most of the risk. First, obtain and file a signed CTR form before submitting any Marketplace application, without exception. Second, send a direct confirmation to the client after each enrollment or modification, either a summary email or a confirmation call, and log that the client acknowledged the enrollment. Third, run a quarterly NPN audit by pulling the CMS dashboard and carrier reports and comparing them to the agency's records of client engagements. An agency that runs 200 enrollments per year and audits quarterly will catch an unauthorized enrollment within 90 days rather than at year end when the chargeback arrives.

