Insurance Companies Required to Establish Anti-Money Laundering Programs
Pursuant to expanded oversight granted the U.S. Department of the Treasury under the USA PATRIOT Act, the Financial Crimes Enforcement Network ("FinCEN") has issued two final rules requiring certain insurance companies to implement anti-money laundering ("AML") compliance programs and file Suspicious Activity Reports as of May 2, 2006. These new rules also affect a company's corporate governance and are impacted by the Sarbanes-Oxley Act of 2002 ("SOX"). Significant lead time is required for the development and implementation of an AML program, education of personnel and the Board, as well as satisfying the corporate governance aspects (including SOX) of these new rules.
The final rules apply to those insurance companies in the U.S. in the business of issuing or underwriting certain products that FinCEN has determined "present a high degree of risk for money laundering or the financing of terrorism or other illicit activity." The "covered products" include:
Permanent life insurance policies other than group life insurance policies that contain a cash value or investment element;
Annuity contracts, other than group annuity contracts; and
Any other insurance products with features of cash value or investment features.
Insurers that issue only property or casualty policies or certain types of insurance such as reinsurance, amongst others, are not required to establish an AML program so long as those products do not contain an investment feature. There is no definition in the regulations of a product which has an investment feature and companies will need to scrutinize non-traditional products to see if they come within the scope of the regulations. FinCEN has determined that products without an investment feature pose little risk of being used for money laundering.
Accordingly, by no later than May 2, 2006, each insurance company issuing or underwriting a "covered product" must develop and implement a risk-based AML policy reasonably designed to prevent the company from being used to facilitate money laundering or the financing of terrorist activities based on that company's risk profile. At a minimum, insurance companies subject to these rules must establish a program that includes the four basic elements of money laundering programs already required by FinCEN for other regulated financial institutions. These include:
A compliance officer responsible for insuring that the AML program is implemented effectively;
A written policy, procedure and internal controls reasonably designed to control the risks of money laundering, terrorist financing, and other financial crimes associated with the insurance company's products;
Ongoing training of appropriate personnel regarding their responsibilities under the program; and
Independent testing to monitor and maintain an adequate program.
In developing the required risk-based AML program, an insurance company must consider all relevant factors affecting the risks inherent in its covered products. For example, an insurance company should consider the extent and circumstances to which a customer uses cash or cash equivalents to purchase its covered policies, and whether the insurance company issues or underwrites covered products in jurisdictions identified by the State Department or other government agencies as sponsors of international terrorism or are non-cooperative in international anti-money laundering efforts. A copy of the AML program shall be available to FinCEN or its designee upon request and must be approved by senior management of the insurance company.
Rules Applicable to Company, Not Its Agents
Under the rules, an "insurance company" is defined to exclude its insurance agents and/or brokers. The AML program of a covered insurance company, however, must encompass the activities of its agents or brokers that sell its covered products: "[b]ecause insurance agents and brokers are an integral part of the insurance industry due to their direct contact with customers, the final rule requires each insurance company to establish and implement policies, procedures and internal controls that are reasonably designed to integrate its agents and brokers into its anti-money laundering program and to monitor their performance with its program." Correspondingly, the insurance company's program must include procedures for obtaining all relevant customer related information for effective customer identification necessary to ensure an effective anti-money laundering policy, whether obtained through their agents and brokers or from other third party sources.
While certain elements of a covered insurance company's program may best be performed by agents or brokers, effective implementation of the program itself remains the responsibility of the company, and the company must ensure that appropriate government examiners have access to information and records and are able to inspect any agents, brokers, or third parties for purposes of compliance.
Suspicious Activity Reports ("SARs")
As with the requirement to adopt an anti-money laundering program, the requirement to identify and report suspicious transactions applies only to insurance companies selling "covered products" and not its agents and/or brokers. In order to prepare and file appropriate SARs, however, insurance companies are required to obtain client information from all relevant sources including its agents and/or brokers, and to report suspicious activity based on such information. FinCEN is preparing and will issue a new Suspicious Activity Report form specifically for insurance companies. Covered insurance companies are required to file an insurance SAR to report any suspicious transactions that are "conducted or attempted by, at, or through the institution" (whether in an individual transaction or in the aggregate). FinCEN has established a $5,000 threshold amount for the required reporting of a suspicious transaction under the new regulations. The threshold amount is satisfied by the involvement of $5,000 in other funds or other assets determined by either the premium payment or the potential payout.
In addition to the relatively nominal threshold amount, insurance companies are strongly encouraged to voluntarily file insurance SARs where appropriate even for lower dollar or value amounts. As with other regulated industries required to file SARs, insurance companies that file a SAR either voluntarily or pursuant to a requirement of this rule are theoretically insulated from civil liability for their filing. Insurance companies may not notify any individual involved in a transaction for which a SAR has been filed. Compliance with these new rules will be overseen by FinCEN, or its designee.
"These rules represent key steps in ensuring that the Bank Secrecy Act is applied appropriately to these businesses and in protecting the insurance industry from potential abuse by those seeking to launder money or finance terrorism or other illicit activity," said William J. Fox, Director of the Financial Crimes Enforcement Network. "The rules enhance the protection of the U.S. financial system generally, given that the characteristics of financial products, including certain insurance products, can make those products vulnerable to those seeking to launder money or finance terrorism or other illicit activity."
The above rules and their implementation will require affected companies to review their corporate governance policies and internal controls to be sure they have the appropriate governance policies in place, as well as procedures to assure compliance with SOX and the SEC's rules and regulations implementing SOX. Those companies required to comply with the provisions of the SOX, the Securities & Exchange Commission's ("SEC's") rules and regulations implementing SOX and the rules of either the NYSE, AMEX or NASDAQs should be mindful of the additional compliance implications that may result from these new rules. For example, Section 404 of SOX requires a company's internal control over financial reporting to include a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. A company's internal control over financial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and (3) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets that could have a material effect on the financial statements. Applicability to Section 302 and 906 (of SOX) Certifications also requires review and evaluation.
Further, the Audit Committee, or another acceptable committee of the board, should assume oversight responsibility with regard thereto, including but not limited to the establishment of a policy that not only complies with the new rules, but also SOX. Some companies required to comply with SOX may already have AML requirements which would simplify compliance with these new rules.
Blank Rome LLP has long concentrated its practice in assisting financial institutions to navigate the regulatory shoals of AML and SAR reporting. It has represented banks, broker dealers, and mutual funds among others when similar rules were issued for these industries.
Blank Rome contacts:
Anti-Money Laundering Programs, including Suspicious Activity Reports
Ian Comisky (215) 569-5646 (firstname.lastname@example.org)
Corporate Governance and Sarbanes-Oxley
Barry Genkin (215) 569-5514 (email@example.com)