The Financial Crimes Enforcement Network ("FinCEN") of the Treasury Department recently issued long-awaited rules requiring life insurance companies to come into compliance with the anti-money laundering ("AML") requirements of the USA Patriot Act. Title III of the Patriot Act - which was enacted in the immediate wake of the terrorist attacks of September 11, 2001 - includes numerous provisions designed to enhance the U.S. AML regime. Since the Patriot Act's enactment, FinCEN has subjected banks, broker-dealers and other financial institutions to numerous new AML requirements. With its new rules, FinCEN has now brought insurance companies into the Patriot Act's framework.
The new rules require covered insurance companies to:
establish AML programs similar to those required at banks and securities broker-dealers (the "AML Program Rule"); and
file suspicious activity reports ("SARs") with the federal government (the "SAR Rule").
Companies covered by the rules will be required to come into compliance no later than May 2, 2006; FinCEN (or its designee) will examine insurance company compliance with these rules.
Which Insurance Companies Are Covered by the Rules?
The new rules apply only to those insurance companies engaged within the United States in the business of issuing or underwriting "Covered Products." Covered Products are those insurance products that FinCEN believes have features, such as cash surrender values, that pose money laundering and terrorist financing risks. Covered Products include:
Permanent life insurance policies, other than group life insurance policies;
Annuity contracts, other than group annuity contracts; and
Other insurance products with features of cash value or investment.
Covered Products do not include reinsurance or group life insurance or group annuities. Term life (including credit life), property and casualty, health and other kinds of insurance that do not have cash value or investment features also are not Covered Products.
Importantly, insurance companies that offer Covered Products as an incidental part of their non-insurance business (e.g., tax-exempt organizations offering charitable gift annuities) are not subject to the rules. Additionally, the rules are not directly applicable to insurance agents or brokers. Nevertheless, insurance companies covered by the rules must take responsibility for their agents and brokers' actions and secure compliance by those brokers and agents (which means that, when necessary, they may need to terminate business relationships with brokers and agents who do not cooperate with insurance company AML efforts).
What Does the AML Program Rule Require?
Under the AML Program Rule, insurance companies must develop and implement AML programs reasonably designed to prevent the companies from being used to facilitate money laundering or financing terrorist activities. The AML program must be in writing and approved by senior management and, at a minimum, must:
incorporate polices, procedures, and internal controls based on an internal risk assessment;
designate a competent compliance officer responsible for administrating the AML program;
provide on-going training for appropriate employees, agents, brokers and others; and
provide for independent testing of the program on a periodic basis.
Insurance companies have discretion to devise specific AML procedures. A risk assessment is key to developing an effective, individualized AML program. Accordingly, insurance companies are expected to take reasonable steps to identify those aspects of their operations that may be vulnerable to money laundering and should use such assessments to develop and implement their AML programs.
Insurance companies are responsible for integrating agents and brokers into their AML programs, for obtaining customer information from agents and brokers, and for using such information to assess risks and identify money laundering "red flags." Although insurance companies may require their agents to perform aspects of their AML programs, the companies themselves are responsible for the effectiveness of their programs and for ensuring that FinCEN examiners have access to information and records relating to their AML programs.
The AML Program Rule's training obligations may be met through various means. For example, insurance companies may train brokers and agents directly or, alternatively, may verify that agents and brokers have received training from another insurance company or a competent third party with respect to the Covered Products offered by the insurance company.
FinCEN also notes that the AML program's required independent review does not mandate hiring an outside party. FinCEN does require that, whether internal or external testing is used, such testing constitute a fair and unbiased appraisal of the functioning of an AML program. The testing must result in a written report, including improvement recommendations. Insurance companies have discretion to determine the frequency of testing.
One immediate benefit results from coverage under the AML Program Rule: Insurance companies required to establish AML programs also become eligible to share information concerning terrorist financing and money laundering with other financial institutions (such as banks and broker dealers) that also have been required to establish AML programs under the Patriot Act. Such information may be shared under the Patriot Act, notwithstanding the usual privacy and other safeguards that apply to nonpublic personal information.
What Are The Requirements Of The SAR Rule?
Insurance companies covered by the AML Program Rule also are subject to SAR requirements. This means that these insurance companies must establish and implement procedures reasonably designed to detect activity that gives rise to suspicions of money laundering, terrorist financing, and other illegal activities and to report such activity. Specifically, an insurance company is required to report transactions involving $5,000 or more if the firm "knows, suspects, or has reason to suspect" that a transaction:
involves funds derived from illegal activities or is intended to hide funds derived from illegal activities;
is designed to evade other reporting requirements (such as those that apply to large cash transactions under the Bank Secrecy Act);
has no business or lawful purpose; or
involves the use of the insurance company to facilitate criminal activity.
FinCEN's release accompanying the SAR Rule contains several examples of "red flags" that might indicate suspicious activity in the insurance context. These include a customer's purchase of a product appearing to be inconsistent with that customer's needs or a customer's show of little concern for the investment performance of a product but much concern about the product's early termination features.
Suspicious transactions generally must be reported to FinCEN no later than 30 days after initial detection. Reporting will take place on a new form (SAR-IC) that FinCEN is developing and that is expected to resemble the SAR forms used by banks to report suspicious transactions. FinCEN has issued a draft SAR-IC, and this form is available for public comment. Until the SAR-IC form is finalized, insurance companies are directed to file necessary reports on SAR-SFs, which are the forms used by securities firms.
The SAR obligation is limited in certain important ways. Insurance companies are only required to file SARs with respect to transactions involving Covered Products. Firms also are not required to report submissions of false or fraudulent information to obtain a policy or make a claim unless a company believes that the activity relates to money laundering or terrorist financing.
Complying with the new FinCEN AML Program and SAR Rules will require attention to detail, reasonable risk-based diligence, and a recognition that the federal government is looking to life insurance companies to become a partner in the fight against money laundering and terrorist financing.
Published April 1, 2006.