Compliance & trust
Scope of Appointment & TPMO Compliance: The Agent's Operational Guide
Scope of Appointment and TPMO compliance are the two Medicare rules agents violate most. Capture a documented SOA before any sales meeting, generally 48 hours ahead, read the TPMO disclaimer within the first minute, record calls in full, and retain both records for the CMS-required period.
Two mechanics account for a disproportionate share of Medicare secret-shopper complaints: the Scope of Appointment collected at the wrong time, and the TPMO disclaimer read at the wrong time (or not at all). Neither is about whether you sold a good plan. Both are about process. This guide zooms in on those two rules and the third-party obligations wrapped around them.
It is a marketing-operations summary, not legal advice. You are the licensed party; we run marketing. And the rules below move almost every plan year, so treat this as a map to verify against current CMS guidance, not a permanent answer. For the wider rulebook, start with our plain-English walkthrough of the CMS Medicare marketing rules for agents — this article is the deep dive on the two pieces that trip people up most.
Scope of Appointment: the timing is the whole game
The Scope of Appointment (SOA), collected on form CMS-10260 or an approved equivalent, documents which product categories a beneficiary agreed to discuss before you meet. The categories matter: agreeing to talk about Medicare Advantage is not agreement to talk about a standalone drug plan or a supplement.
Where agents get burned is timing. CMS reinstated a rule requiring the SOA to be obtained at least 48 hours before an individual marketing or sales appointment, with limited exceptions such as walk-ins or the end of a valid election period. The classic violation is signing the SOA at the start of the same appointment to satisfy the paperwork — which defeats the entire purpose of a cooling-off window.
The four SOA elements to get right every time
- Product categories — capture exactly what the beneficiary agreed to discuss (MA-PD, PDP, Med Supp), and nothing you were not authorized to raise.
- Timing — obtained 48 hours ahead where required, with the date/time provable.
- Beneficiary agreement — written, electronic, or recorded verbal, with clear consent.
- Retention — archived and retrievable for the CMS-required period (generally cited as 10 years).
TPMO: are you the “third party”? Almost certainly
CMS regulates most Medicare marketing through the Third-Party Marketing Organization (TPMO) category. It is deliberately broad: if you market, sell, or enroll into Medicare Advantage or Part D and you are not the carrier, you are a TPMO. Solo agents, agencies, FMOs, and lead vendors all qualify. You cannot opt out by calling yourself “just an agent.”
TPMO status is what triggers the disclaimer and the recording obligation:
- Disclaimer — the standardized language stating you do not offer every plan in the area, and how many organizations or plans you represent. Read it verbally within the first minute of a call, and display it prominently on any Medicare marketing website and materials. The exact wording has been revised between plan years, so confirm it against current CMS guidance rather than reusing last year’s script.
- Recording — calls related to the sale, marketing, or enrollment of MA and Part D plans must be recorded in their entirety and retained. The frequent error is recording only the application, not the marketing conversation where you describe plans and steer the decision.
SOA vs TPMO disclaimer: two rules, two failure modes
| Requirement | What it documents | Timing | Most common violation |
|---|---|---|---|
| Scope of Appointment | Product types the beneficiary agreed to discuss | Generally 48 hours before the appointment | Signed at the start of the same meeting |
| TPMO disclaimer | That you represent a limited set of plans | Verbally within the first minute of a call; displayed on web/materials | Read late, or omitted on the website |
| Call recording | Full marketing + enrollment conversation | Recorded live, retained for the required period | Only the application is recorded |
| Retention | SOA + call audio archive | Generally 10 years | Records not retrievable on carrier audit |
The third-party layer: carrier oversight of your vendors
TPMO rules do not stop at your own conduct. Carriers are required to oversee the TPMOs in their distribution chain, which means the lead vendors and downlines you work with pull you into their compliance posture too. If you buy leads, the consent trail behind those leads is part of your exposure. This overlaps with federal telemarketing law — the TCPA still governs how you dial and text regardless of CMS — which we cover in TCPA compliance when buying insurance leads.
Practical implications:
- Document where every Medicare lead came from and what the beneficiary consented to.
- Keep the disclaimer and SOA logic baked into scripts, not bolted on.
- Re-approve vendor consent language annually; carriers increasingly ask for it.
Building SOA and TPMO into the funnel, not around it
Agents who treat these as friction cut corners and end up in complaint reports. Agents who build them into the process get something valuable back: a clean paper trail that protects commissions, plus a full-call library that makes coaching real. When we build compliant Medicare marketing systems, disclaimer placement above the fold and explicit consent capture are checklist items, not afterthoughts.
A few ways the rules shape good marketing:
- Landing pages carry the TPMO disclaimer prominently and capture permission explicitly.
- Scripts open with the disclaimer and route the SOA before any product discussion.
- CRM stores the signed SOA next to the call recording, so an audit is a five-minute retrieval, not a scramble.
If you are unsure whether your current Medicare funnel would survive a carrier audit, that is exactly what a free marketing audit is for. For seasonal context, pair this with our Medicare AEP marketing playbook and the Medicare OEP marketing rules for agents.
The one-line summary
Capture the SOA before you meet (generally 48 hours ahead), read and display the TPMO disclaimer, record the whole call, retain everything for the required period — and re-verify all of it against current CMS guidance every plan year, because these two rules move and your license is the one on the line.
This article is marketing guidance, not legal or compliance advice. CMS rules, SOA timing, and TPMO obligations are updated frequently; confirm specifics with official CMS sources, your carrier, and your upline before acting.