AML in insurance: How to detect & combat money laundering

To combat global financial crime, governments and international authorities implement a range of anti-money laundering and countering of terrorist financing (AML/CFT) regulations that impact the insurance sector. Penalties for compliance failures can include heavy fines, and failures to catch internal criminal activity can result in imprisonment. It’s crucial that insurance companies understand their AML/CFT obligations and how to implement them in a risk-based manner.

How does money laundering work in the insurance industry?

Money laundering in the insurance industry typically involves the exploitation of various products and mechanisms to obscure the origins of illicit funds. One common method is the purchase of insurance policies, such as life insurance or annuities, using dirty money. Criminals may overpay premiums, surrender policies prematurely, or make fictitious claims to cycle the illicit funds back as legitimate payouts. Reinsurance arrangements can also be manipulated: criminals establish offshore entities to overpay for coverage, channeling dirty money into reinsurers, from which it eventually reaches the primary insurance companies.

Examples of money laundering in insurance 

Some additional forms of money laundering in the insurance industry include:

  • Premium fraud: Criminals may purchase insurance policies with illicit funds, paying the premiums with dirty money. They subsequently cancel the policies and request refunds, effectively laundering the money through the insurance company.
  • Shell companies: Criminals can set up fake insurance companies or agencies to funnel illegal money through seemingly legitimate transactions. These fictitious entities generate policies and premiums to obscure the source of funds.
  • Trade-based money laundering (TBML): Some insurance companies are involved in international trade insurance, which can be exploited to launder money by inflating invoices or manipulating trade documents.
  • Collusion with agents and brokers: Unscrupulous insurance agents or brokers can aid money launderers by creating policies or modifying coverage to facilitate the movement of illicit funds.

AML insurance regulations

International authorities impose a range of AML regulations and standards that affect insurance companies. 

Financial Action Task Force (FATF)

The Financial Action Task Force (FATF) is an international watchdog that sets out AML/CFT guidance to be implemented within its member states. Its core guidelines are set out in its 40 Recommendations, against which it benchmarks member states in its periodic mutual evaluation reports (MERs). These MERs help galvanize individual countries’ AML/CFT regulatory efforts and ensure they are effective and adaptive to changing risks. Member states use these reports as starting points for improving their anti-financial crime oversight and resources.

The international body also provides industry-specific guidance, including for the life insurance industry. Even though the FATF is not a regulator, firms would be wise to familiarize themselves with its industry- and country-specific guidance, as this will likely inform local AML/CFT regulations and contains valuable information regarding key sectoral risks useful for firms.

For example, in October 2018, after a consultation period, the FATF released Guidance for a Risk Based Approach in the life insurance sector. The guide discusses identifying, evaluating, and responding to financial crime risks effectively – especially through ongoing customer due diligence (CDD) and regulatory reporting. It also discusses key sectoral risks and vulnerabilities firms should be familiar with.

United States regulations

Introduced in 1970, the Bank Secrecy Act (BSA) is the United States’ foundational anti-money laundering and countering the financing of terrorism (AML/CFT) regulation. The BSA imposes AML/CFT compliance obligations on financial institutions operating in the US. These include implementing a risk-based anti-money laundering program with appropriate CDD and screening measures and carrying out reporting and record-keeping when dealing with suspicious transactions and customers.

Insurance companies qualify as “financial institutions” under the BSA. In 2001, the USA PATRIOT Act required all BSA-defined financial institutions to establish an AML/CFT program. In accordance with this requirement, the Financial Crimes Enforcement Network (FinCEN) implemented a final rule in 2005 requiring qualifying insurance companies to establish BSA-compliant AML/CFT programs and file suspicious activity reports (SARs). As of April 1, 2013, all SARs must be filed through the regulator’s e-filing portal.

The final rule defines an insurance company as “any person engaged within the United States as a business in the issuing or underwriting of ‘covered products.’ ” These products include:

  • Permanent, non-group life insurance.
  • Non-group annuity contracts.
  • Insurance products with investment features or cash value.

These products are the focus of the final rule because their investment or cash value creates a greater risk of use in money laundering or terrorist financing (ML/TF) activities.

European Union (EU) regulations

The EU insurance industry is regulated at a national level, with partial union-wide oversight from the European Insurance and Occupational Pensions Authority (EIOPA). AML/CFT is overseen by national regulators based on national legislation conforming to the EU’s standards, and AML Directives (AMLDs) apply exclusively to life and investment-related insurance. The EU is proposing reforms that don’t imply extending obligations to non-life insurance products. However, Insurance Europe is concerned about broadening coverage requirements. 

Additionally, the EU has established its autonomous sanctions regime, with extensive measures in response to the Russian invasion of Ukraine. Restrictions require European insurance firms not to provide services that facilitate designated commerce.

United Kingdom regulations

The UK insurance industry is overseen by the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA). While only life and investment providers are subject to the AML/CFT regulations, all insurers must follow the Senior Management Arrangements, Systems, and Controls (SYSC) framework, the Proceeds of Crime Act (POCA) 2002, and the Sanctions and Anti-Money Laundering Act (SAMLA) 2018. The FCA advises all insurers to establish strong controls, regardless of whether they are covered by the UK Money Laundering Regulations (MLRs).

Singapore regulations

The Monetary Authority of Singapore (MAS) regulates the insurance sector and sets AML/CFT obligations. Only life insurers are subject to these requirements through Notice 314, but all insurers must assess AML/CFT risks and implement risk-appropriate measures. MAS supports innovation and encourages insurers to use regtech, machine learning, and advanced techniques for AML/CFT compliance. In a circular issued in February 2022, MAS emphasized the use of Singapore’s national digital ID systems for CDD and highlighted biometrics, liveness detection, and document authenticity checks.

Australia regulations

Insurers in Australia are regulated by the Australian Prudential Regulation Authority (APRA). The Australian Securities and Investments Commission (ASIC) issues the Australian Financial Services License (AFSL) to insurance intermediaries. The Australian Transaction Reports and Analysis Centre (AUSTRAC) supervises AML/CFT compliance using a thematic approach, and firms providing designated services must conform to AUSTRAC’s general AML/CFT program model. Life insurers, sinking fund providers, and those offering advice on such products must comply with the AML/CFT Act. All companies must also meet sanctions regulations, including the Autonomous Sanctions Act of 2011, which includes a Magnitsky-style program aimed at human rights abuses.

Penalties for non-compliance with AML regulations in insurance

Specific penalties and fines for non-compliance with AML regulations in the insurance sector can vary depending on the regulatory authority and the severity of the violations. Some examples include:

  • United States – FinCEN:
    • Civil monetary penalties for AML violations can range from thousands to millions of dollars, depending on the violation’s seriousness.
    • Criminal charges can lead to fines and imprisonment for individuals involved.
  • European Union – EIOPA:
    • Penalties for AML non-compliance can include fines and regulatory sanctions.
    • The fines may be based on a percentage of the company’s annual turnover and can be substantial.
  • United Kingdom – The FCA:
    • Fines imposed by the FCA can be substantial, ranging from thousands to millions of pounds.
    • The FCA can also take other actions, such as imposing restrictions on an insurance company’s activities or revoking its license.
  • Singapore – MAS:
    • Penalties can range from thousands to millions of Singaporean dollars, depending on the nature and severity of the non-compliance.
    • MAS also has the authority to issue prohibition orders, revoke licenses, and impose additional regulatory requirements on non-compliant entities.
  • Australia – AUSTRAC:
    • AUSTRAC can issue infringement notices and initiate legal actions against non-compliant insurance companies.
    • Infringement notice penalties can range from thousands to millions of Australian dollars.

It is important to note that specific penalties can differ based on the laws and regulations of each jurisdiction and the unique circumstances of the case. In many cases, regulatory authorities have the discretion to determine the fines and penalties, considering factors such as the scale of the violations, the company’s cooperation, and its compliance history. To avoid such penalties, insurance companies must adhere to AML regulations and maintain robust compliance programs.

AML/CFT red flags in the insurance industry

Insurers should consider a range of red flags that could indicate money laundering in the insurance sector or terrorism financing activities. According to FinCEN, these include:

  • Unusual payments – for example, via cash.
  • A customer buys an insurance product that doesn’t align with their needs.
  • The customer terminates the product at a loss to themselves or sends the refund check to someone else.
  • Customers appear especially interested in terminating their product early but not in its investment performance.
  • Irregularities in a customer’s identifying information at onboarding or reluctance to provide requested documentation.

It’s important to note that red flags are best considered in the context of a wider risk-scoring framework. Many red flags may have a legitimate explanation once the broader context is considered, but signs may equally be overlooked if a firm fails to holistically evaluate a customer’s risk indicators. The best approach is to develop a risk scoring system tuned to a firm’s unique risks and execute targeted due diligence on customers based on their risk tiers. Customers deemed to be at higher general ML/TF risk should undergo enhanced due diligence (EDD) when red flags are encountered. Lower-risk customers may only require standard due diligence in those instances. This helps a firm ensure the bulk of its resources target the riskiest activity.

How can insurance companies establish a robust AML/CFT program?

According to FinCEN rule 31 CFR § 1025.210, insurance companies must establish several core features as a minimum foundation for a sound and compliant AML/CFT program. These include:

  • Risk-based internal controls, procedures, and policies – The firm’s AML/CFT framework must be based on the risks it has deemed its products to be associated with. It must ensure compliance with FinCEN requirements, as well as those of subchapter II in US Code Title 31, Chapter 53 (the Bank Secrecy Act).
  • A designated compliance officer – This person must take responsibility for overseeing effective AML program implementation. They should monitor the firm’s insurance brokers and agents for compliance with the program’s requirements. The compliance officer is also responsible for ensuring the AML program is kept up-to-date and that personnel are trained according to FinCEN requirements.
  • Ongoing personnel training – A firm must verify all team members understand their AML/CFT responsibilities under the program. This knowledge can be derived from the firm’s in-house training or an appropriate third party. Regardless, the training must pertain to the insurance company’s covered products – this means it cannot be generic.
  • Independent testing – Regular testing is required to confirm the program’s adequacy and team member compliance. The frequency and scope should be risk-based in light of the covered products’ inherent risks rather than generically determined.

If an insurance company is registered with – and therefore regulated by – the Securities and Exchange Commission (SEC), its compliance with SEC AML/CFT regulations for registered products will satisfy FinCEN’s final rule requirements.

Cutting-edge AML solutions for insurance companies

AML and anti-fraud solutions are critical for insurance companies to maintain compliance and effectively manage risk. The following list outlines essential software that firms should consider including in their compliance program. It also highlights the key features and capabilities to consider when evaluating potential vendors.

  • Transaction Monitoring:
    • Detection of unusual activity: Transaction monitoring software can track and analyze insurance transactions for any unusual or suspicious patterns. This helps identify potentially fraudulent or money laundering activities, such as large, unexplained premium payments or unusual claims.
    • Real-time alerts: These systems can generate real-time alerts for suspicious transactions, enabling insurance companies to take immediate action and investigate potentially risky activities.
  • Payment Screening:
    • Blocking illicit payments: By screening payments against various databases, these solutions can prevent the acceptance of funds from sanctioned individuals or entities, reducing the risk of inadvertent involvement in money laundering.
    • Enhanced due diligence: Payment screening enables insurers to conduct enhanced due diligence on high-risk transactions, ensuring they are fully aware of the sources of funds.
  • Fraud Detection:
    • Alert explainability: Robust fraud detection solutions not only generate alerts but also provide detailed explanations for why an alert was triggered. By providing context and transparency, alert explainability helps insurers make informed judgments about potential fraud, improving their ability to manage risk effectively and reduce false positives. 
    • Pattern recognition: Machine learning and data analytics help identify patterns of behavior that may indicate fraud, allowing insurance companies to take prompt action.
  • Sanctions & Watchlist Screening:
    • Global compliance: This software helps insurance companies comply with international regulations by screening against global watchlists, reducing the risk of inadvertently doing business with prohibited parties.
    • Automated processes: These screening solutions automate the process of checking customers and transactions against watchlists, ensuring efficient and consistent compliance.

Incorporating these AML and anti-fraud solutions into their operations allows insurance companies to protect their businesses from legal and reputational risks while ensuring that they operate within the bounds of regulatory compliance. These tools help identify and prevent money laundering, fraud, and exposure to sanctioned entities, ultimately safeguarding the industry’s integrity.

Originally published 26 February 2020, updated 27 June 2024

Disclaimer: This is for general information only. The information presented does not constitute legal advice. ComplyAdvantage accepts no responsibility for any information contained herein and disclaims and excludes any liability in respect of the contents or for action taken based on this information.

Copyright © 2024 IVXS UK Limited (trading as ComplyAdvantage).