
Financial crime risk management: Best practices for insurtechs


Although insurtechs bring innovation, efficiency, and convenience to the insurance market, they are not exempt from the critical need to address financial crime risks and regulatory requirements. Customers expect an efficient, automated experience from online-first organizations like insurtechs, which means a dynamic approach to risk management is critical. 

In chapter four of our Insurtech Financial Crime Guide, firms can score their programs against our fincrime checklist. Based on the list, this article explores five best practices that insurtechs can use to manage financial crime risks and regulatory compliance effectively.

1. Adopt a truly risk-based approach

A risk-based approach is foundational to financial crime risk management for insurtech companies. Instead of relying on a generic regulations checklist, insurtechs should embrace a more holistic strategy that assesses the specific risks they face and tailors their controls accordingly.

To embark on a risk-based approach, insurtechs should undertake an annual enterprise-wide risk assessment (EWRA). This comprehensive evaluation should encompass:

  • Inherent financial crime risks: Identify the inherent risks associated with the insurtech’s operations, considering factors such as the types of insurance products offered, customer demographics, and distribution channels.
  • Control effectiveness: Assess the effectiveness of existing controls in mitigating financial crime risks. Evaluate how well current practices align with the identified risks.
  • Residual risks: Calculate the residual risks that remain after applying current controls. This step is crucial in determining where additional measures are necessary.

By conducting an EWRA, insurtechs can gain a deep understanding of their specific risk profile and make informed decisions about risk management strategies.

Building on insights from the EWRA, insurtechs can develop a framework for managing financial crime risks. This framework should include calibrated policies, procedures, and controls tailored to the actual levels of risk. A practical example of this approach can be found in the Wolfsberg Group’s Guidance on a Risk Based Approach for Managing Money Laundering Risks. This framework has been successfully applied across multiple sectors and can serve as a reference for insurtechs looking to fine-tune their risk management strategies.

2. Conduct a gap analysis to identify vulnerabilities

Comprehensive anti-financial crime programs encompass a wide range of activities, including the appointment of senior compliance officers, the establishment of governance structures, and the formulation of policies and procedures. While these elements are critical, other core activity areas that insurtechs must address to meet their obligations and identify risks effectively include:

  • Identity verification (IDV): Insurtechs must collect, verify, and securely store sensitive personal data that confirms the client’s identity. Robust IDV processes are essential to prevent identity theft and fraud.
  • Customer due diligence/know your customer (CDD/KYC): This involves collecting, assessing, and securely storing documentation and data on the client’s financial circumstances. It creates a baseline understanding of how clients will likely use insurance products.
  • Customer screening: To identify potential risks, insurtechs should conduct a thorough screening of client names against sanctions lists, politically exposed person (PEP) data, and adverse media sources.
  • Fraud detection: Detecting and preventing fraud during applications, claims processing, or policy changes is a critical ongoing activity. It includes verifying the identity of the claimant or beneficiary and assessing the validity of the claim.
  • Transaction monitoring: Regularly reviewing client transactions, such as premium payments and claims histories, can help identify unusual or suspicious behavior.
  • Ongoing screening: Monitoring existing client names for updates to relevant sanctions lists, PEP status, and adverse media is necessary to stay informed about evolving risks.

While the Financial Action Task Force (FATF) and national regulators do not prescribe specific processes for these activities, they encourage firms to develop responses tailored to their business and risk profile. In practice, insurtechs must decide how much they should automate and digitize traditionally paper-based and face-to-face activities. Given the scale and growth of the insurance market, rising customer expectations, and the need to control costs, technology is often seen as the solution. However, challenges exist in adopting regulatory technology (regtech) solutions, particularly for digitally native firms like insurtechs.

3. Confront implementation challenges

Insurtechs need to be confident that the AML and anti-fraud measures they implement mitigate risks to a level that both prevents criminals from taking advantage of them and their customers and satisfies the exacting demands of regulators. When implementing these measures, several common challenges require attention:

  • Remote access: Insurtech operations are often conducted online, and employees may never have direct contact with clients. This presents the risk of impersonation or using fake documentation to support fraudulent claims.
  • Incomplete risk data: Many firms rely heavily on vendors for risk information. While reputable vendors provide valuable data, some may exaggerate the scope and scale of their information, leaving clients with significant risk coverage gaps during onboarding and ongoing monitoring.
  • Time gaps: Sanctions lists change rapidly, which can pose challenges for insurtechs. Many vendors offer updates every six to 12 hours, but some firms only run batch checks once a day or overnight. Because of this time lag, payments that should be blocked can pass through before the firm's screening data is updated.
  • False positives: Many automated platforms for fraud, money laundering, and sanctions detection rely on hard-coded, rules-based triggers and basic name-matching techniques. However, criminal behaviors are sophisticated and agile. Rules-based systems often generate many false positives, making the processes resource-intensive and inefficient.
  • Lack of flexibility and integration: Legacy platforms may function as standalone offerings, struggling to interact with other systems within a firm’s technology suite. Siloed financial crime platforms and processes have, in the past, led to the oversight of real risks.

Insurtechs must address these challenges to ensure that the measures they implement effectively mitigate risks and satisfy regulatory demands. This requires a thoughtful and dynamic approach to risk management.

4. Explore advanced solutions offered by RegTech providers

To overcome these challenges and optimize financial crime risk management, insurtechs must explore innovative solutions and leverage the capabilities offered by RegTech providers. But not all vendors are created equal. Capabilities to look for when assessing vendors include:

  • Cloud computing for real-time risk data and screening: Distributed cloud computing allows the secure storage of extensive risk data, eliminating physical storage limitations. Additionally, it enables real-time data updates in all locations simultaneously, ensuring that screening lists are always up-to-date.
  • Machine learning (ML) for pattern recognition: ML algorithms are increasingly effective in identifying discrepancies in client documentation during onboarding. They can also detect subtle changes in client behavior, making it easier to spot potential fraud and other financial crimes. ML can significantly reduce false positives, lowering the costs associated with unnecessary alerts and unjustified payouts. Furthermore, ML can be employed for fuzzy matching of equivalent names in screening and to assess the likelihood of a match. These tools can identify duplicate records, resolve gaps, match names in multiple languages and scripts, and allow characters to be inserted, omitted, or replaced.
  • APIs for flexibility and integration: Platforms that incorporate application programming interfaces (APIs) are well-suited for enabling flexible and integrated systems. APIs facilitate the pooling of risk data from multiple sources and allow different platforms to communicate important information promptly. This helps prevent the missed signals that could let financial crime risks fall through the gaps.

Insurtechs should carefully evaluate these solutions and ensure that they align with their specific needs. It is crucial to select regtech vendors capable of delivering the most effective and appropriate technology for each particular task. By leveraging these innovative solutions, insurtechs can significantly enhance their financial crime risk management processes.

5. Play to the inherent strengths of insurtech business models

While it’s easy for insurtechs to focus on the risks their innovative business models pose, it’s important not to overlook some of the advantages too. For financial crime risk management, these include:

  • Cultural familiarity with technology: Insurtech companies are inherently tech-savvy and have a cultural appreciation for the value of technology. This cultural alignment allows for smoother integration of technology solutions into their operations.
  • Richer and cleaner data sets: Insurtechs often benefit from more extensive and cleaner data sets compared to legacy insurance companies. This enhanced data quality can improve the accuracy and effectiveness of financial crime risk management systems.
  • Agile technology: Insurtechs are typically more agile in their technology adoption and implementation. They can readily pivot to implement advanced regtech solutions, responding swiftly to emerging risks and compliance requirements.

Incorporating these advantages into their approach to financial crime risk management positions insurtechs as regtech adopters who can efficiently manage risks and meet regulatory demands. Their ability to innovate and stay at the forefront of technology adoption is a competitive advantage in the insurance industry.

By following these five best practices, insurtechs can build a strong foundation for financial crime risk management, ensuring their operations are both secure and compliant. As the insurtech industry evolves, staying committed to effective risk management is essential for building trust with customers and regulatory authorities while achieving long-term success.

Insurtech Financial Crime Guide: Tackling Risk and Regulation

Insurtech companies are growing rapidly, but regulations are often unclear, and enforcement varies globally. As more firms push to go direct to consumers via digital channels and disintermediate agents, learn about the implications of this for regulations, fraud, and AML.


Originally published 10 November 2023, updated 23 April 2024

Disclaimer: This is for general information only. The information presented does not constitute legal advice. ComplyAdvantage accepts no responsibility for any information contained herein and disclaims and excludes any liability in respect of the contents or for action taken based on this information.

Copyright © 2024 IVXS UK Limited (trading as ComplyAdvantage).