Four Steps to Implementing Robust AML Risk Management for U.S. Insurers

Four Steps to Implementing Robust AML Risk Management for U.S. Insurers

Insurance companies’ money laundering and terrorist financing risks are often overshadowed by risks of fraud and sanctions violations, which are commonly perceived to be the highest financial crime risks to insurers.1 However, data paints a different picture. In Table 1, the Financial Crimes Enforcement Network’s (FinCEN)2 data for the U.S. insurance industry show that suspicious activity reports (SARs) filed for money laundering were substantially higher than SARs filed for fraud between 2014 and 2020.

Table 1: Number of SAR filings by U.S. insurers by type of suspicious activity

FinCEN’s “Insurance Industry Suspicious Activity Reporting” assessment3 illustrates classic examples of the money laundering stages of layering and integration. In one example, “[A] company filed a report on a woman who made multiple structured premium payments totaling $100,000, with cashier’s checks and money orders with values from $200 to $9,000, ‘for the purchase of what are, essentially, lump-sum premium annuity products.’” In another example, a SAR described a man who purchased a $2.5 million annuity that he said was from “lottery winnings,” but was issued by a check from an unknown corporation, not a state lottery entity. He then withdrew more than $2.1 million within nine months, despite a 10% penalty, claiming he wanted the money to fund a business acquisition.

This article outlines four key steps for insurers’ implementation of a risk-based Bank Secrecy Act/anti-money laundering (BSA/AML) compliance program.

Step 1: Establish When BSA/AML Program Requirements Are Relevant for Insurance Companies

A critical factor in determining BSA/AML program requirements for insurance companies is that they are product-based, unlike banks or other financial institutions

The first step is to determine if BSA/AML program requirements apply to the insurer by understanding regulatory definitions in regulation and guidance promulgated by FinCEN, such as Title 31 of the Code of Federal Regulations (CFR) Chapter X Part 1025 and “Frequently Asked Questions Anti-Money Laundering Program and Suspicious Activity Reporting Requirements for Insurance Companies.” A key regulatory term is “covered products,” as BSA/AML program requirements only apply if an insurance company offers covered products. According to 31 CFR Chapter X Part 1025 Subpart A §1025.100(b), covered products4 are defined as:​

  • A permanent life insurance policy, other than a group life insurance policy
  • An annuity contract, other than a group annuity contract
  • Any other insurance product with features of cash value or investment

A critical factor in determining BSA/AML program requirements for insurance companies is that they are product-based, unlike banks or other financial institutions (FIs) where program requirements are entity-based. As illustrated in Figure 1, the insurance company offering covered products is subject to Bank Secrecy Act (BSA) program requirements and does need to implement a BSA/AML compliance program. Where no covered products are offered, the insurance company is not subject to BSA program requirements. Irrespective of whether an insurer offers covered products, as U.S. persons, U.S. domiciled insurance companies must comply with OFAC’s regulations.5

Figure 1: Determining if BSA/AML program requirements apply to an insurer

Moreover, BSA/AML requirements are also relationship-based between agents and principal insurers. The Financial Action Task Force (FATF) guidance6 notes the following,

“A significant proportion of life insurance policies are sold through intermediaries where the life insurer will have limited or no direct contact with the policy holder. In a number of cases, the intermediaries have the initial interaction with the customer…. When identifying and evaluating the ML/TF risk associated with the method through which the product is sold, the life insurer and supervisors, should consider the risks related to the intermediary used and the nature of their relationship with the life insurer and the customer.”

If the insurance company is a subsidiary or affiliate of an FI, such as a bank or holding company, or if the bank acts as an agent for covered insurance product sales, different regulatory requirements may apply as illustrated in Figure 2. For example, an insurance company registered with the Securities and Exchange Commission (SEC) as a broker-dealer in securities would not be required to establish a duplicate program. Broker-dealers in securities are subject to an independent AML program obligation under 31 Title CFR 103.120; therefore, the insurance company would not be required to establish a separate AML program.

Figure 2: Determining the relationship structure of an insurance company

A thoughtful assessment approach will help determine which subsidiaries have BSA/AML program requirements, what products trigger the program requirements and where the material risk lies

Step 2: Understand the Differences in Legal/Regulatory Requirements for Insurers

Second, regulatory BSA/AML obligations for insurance companies differ from those of depository institutions. An AML professional implementing a BSA program for insurance should understand the differences. For example, Regulation H §208.63(b) requires a bank’s BSA compliance program to be reduced to writing, approved by the board of directors and noted in the minutes. However, FinCEN’s 31 CFR Chapter X Part 1025.210(a) only requires the insurance company’s written BSA program to be approved by senior management.

Similarly, according to FinCEN guidance FIN-2006-G010, insurance companies are not subject to 31 CFR § 1020.220—thus, they are not required to implement a customer identification program and obtain minimum mandatory information verifying the identity of a customer. Nevertheless, other applicable BSA regulations require insurance companies to obtain and retain identifying information from customers in certain situations. For example, insurance companies must obtain all relevant and appropriate customer-related information necessary to administer an effective AML program. In addition, the Final Customer Due Diligence (CDD) Rule7 does not apply to insurance companies offering covered products. While obtaining sufficient customer information to understand the customer’s risk profile has always been implicit in establishing a risk-based BSA/AML compliance program, it is not an explicit legal requirement for insurance companies.

Another key distinction is in filing currency transaction reports (CTRs). The IRS, as a federal functional regulator of insurance companies, promulgates requirements for completing a Form 8300 for cash transactions exceeding $10,000 involving insurance companies. These requirements differ from CTR filing obligations for banks and other FIs. Moreover, there is no exemption process for Form 8300 like the CTR exemption provisions.8

Lastly, Section 314(a) of the USA PATRIOT Act obligates insurance companies to comply with information sharing between government agencies and FI requirements as implemented by 31 CFR § 1010.520. Similarly, insurance companies, like banks, may also participate in the voluntary information-sharing program under section 314(b).

Step 3: Determine the Universe of Risk

Third, consider performing a product and service-level coverage assessment. It is prudent to identify covered products, services and entities where BSA/AML program requirements and/or money laundering and terrorist financing risks may be applicable. A thoughtful assessment approach will help determine which subsidiaries have BSA/AML program requirements, what products trigger the program requirements and where the material risk lies.

Next, identify delivery channels for these products and services to ensure transaction monitoring and screening of covered products occurs across all channels. Understand agent/broker relationships and consider covering the markets/regions/countries in which such entities are located to assess domestic versus international obligations. Finally, determine whether common red flags9 are incorporated into suspicious activity monitoring protocols, which highlight typologies relevant to the insurance industry. Identifying applicable products, channels and entities helps determine the most resource-efficient and risk-based organizational structure to support an integrated financial crimes compliance program.

Step 4: Determine the Compliance Program Structure

Finally, similar to other FIs, insurance companies have discretion as to how to structure and manage the BSA/AML compliance program(s). The BSA/AML compliance program or some parts of it may be managed within a legal entity, like an insurance subsidiary, or with some degree of consolidation across entities within an organization, as part of an enterprise-wide program. Regardless of how the compliance program is organized, it should address the money laundering and terrorist financing risks specifically associated with covered insurance products and BSA program requirements, as applicable. Table 2 identifies helpful questions to understanding how BSA/AML, fraud and sanctions compliance may be managed within an organization. Understanding the answers to these questions and ultimately the structure of the BSA/AML, fraud and sanctions compliance programs may assist with ensuring specific roles and responsibilities are appropriately structured within the organization’s first, second and third lines of defense and adequately governed by the board or senior management.

Table 2: Questions relevant to aligning roles and responsibilities for an insurer’s BSA/AML, fraud and sanctions compliance program within the organization

Conclusion

Despite the insurance industry’s focus on fraud and sanctions risks, the data shows that money laundering and terrorist financing risks are material enough in covered insurance products to warrant U.S. insurers’ attention to developing AML compliance programs. This article summarizes four key steps for insurers’ implementation of a risk-based BSA/AML compliance program. Once management understands the law and associated rules and regulations and is aware of nuances unique to the insurance sector, an effective product-based program can be established.

Raja Qasim, CAMS, CFE, CISA, senior risk examiner (BSA/AML), Federal Reserve Bank of Dallas, TX, USA, Raja.Qasim@dal.frb.org

The views and opinions expressed herein are those of the author and do not represent an official position of the Federal Reserve Bank of Dallas or the Federal Reserve System.

  1. Sanctions refers to the Office of Foreign Assets Control (OFAC) at 31 CFR Chapter V.
  2. FinCEN is a bureau of the U.S. Treasury Department that has delegated authority from the department to administer the BSA and examine institutions for compliance with the BSA. FinCEN, in turn, has delegated this examination authority for insurance companies to the IRS.
  3. “Insurance Industry Suspicious Activity Reporting: An Assessment of Suspicious Activity Report Filings,” Financial Crimes Enforcement Network, April 2008, https://www.fincen.gov/sites/default/files/shared/Insurance_Industry_SAR.pdf
  4. A permanent life insurance policy is an agreement that contains a cash value or investment element and obligates the insurer to indemnify or confer a benefit upon the insured or beneficiary to the agreement contingent upon the insured’s death. An annuity contract is any agreement between the insurer and the contract owner whereby the insurer promises to pay out a fixed or variable income stream for a period of time.
  5. All U.S. persons must comply with OFAC regulations, including all U.S. citizens and permanent resident aliens regardless of where they are located, all persons and entities within the U.S., all U.S. incorporated entities and their foreign branches.
  6. “Guidance for a Risk-Based Approach for the Life Insurance Sector – October 2018,” Financial Action Task Force, October 25, 2018, https://www.fatf-gafi.org/documents/riskbasedapproach/documents/rba-life-insurance.html?hf=10&b=0&s=desc(fatf_releasedate)
  7. According to FinCEN guidance FIN-2016-G003, “For purposes of the CDD Rule, covered financial institutions are federally regulated banks and federally insured credit unions, mutual funds, brokers or dealers in securities, futures commission merchants, and introducing brokers in commodities.”
  8. “Guidance for the Insurance Industry on Filing Form 8300,” IRS, https://www.irs.gov/businesses/small-businesses-self-employed/guidance-for-the-insurance-industry-on-filing-form-8300. Refer to the section on filing regulatory reports and the aforementioned guidance for further details.
  9. “Frequently Asked Questions Anti-Money Laundering Program and Suspicious Activity Reporting Requirements for Insurance Companies,” Financial Crimes Enforcement Network, March 20, 2008, https://www.fincen.gov/sites/default/files/guidance/fin-2008-g004.pdf. This features a list of common red flags in insurance transactions.

Leave a Reply