The U.S. Department of the Treasury's Financial Crimes Enforcement Network (FinCEN), in March 2008, offered insurance companies guidance concerning their anti-money-laundering (AML) obligations. See FIN-2008-G004, Frequently Asked Questions—Anti-Money-Laundering Program and Suspicious Activity Reporting Requirements for Insurance Companies (March 20, 2008), published here. The original FAQs were published October 31, 2005. On April 2, 2008, FinCEN's Director James H. Freis revealed that this guidance is largely the result of a year-long study whereby FinCEN has been reviewing Suspicious Activity Reports (SARs) involving the insurance industry. See Prepared Remarks of James H. Freis, Jr. Director, Financial Crimes Enforcement Network, American Council of Life Insurers, Anti-Money-Laundering and Critical Infrastructure Committee (April 2, 2008), pages 1, 3. According to Mr. Freis, the study reflects FinCEN's commitment to provide "quality written feedback to industries affected by new or changed regulations" and validates the policy decision to include certain insurance companies within the Bank Secrecy Act's (BSA's) definition of "financial institutions." Within this context, FinCEN's March 2008 guidance should be taken not only as a gentle reminder that certain insurance companies are "financial institutions" subject to the BSA, but also as a call to insurance companies to provide comments to help guide FinCEN in the development of new regulations.
The March 20 Guidance
Insurance companies are "financial institutions" covered by the BSA if they offer the following "covered products":
- A permanent life insurance policy, other than a group life insurance policy;
- Any annuity contract, other than a group annuity contract; or
- Any other insurance product with features of cash value or investment.
As financial institutions, these reinsurance companies offering covered products are also subject to the BSA requirements, including:
- Anti-money laundering program (and training) requirements;
- Suspicious activity reporting;
- Currency transaction reporting;
- Information sharing provisions;
- Nondisclosure obligations; and
- Corresponding safe harbor provisions.
However, insurance companies offering covered products are not required to maintain Customer Identification Programs. FinCEN's guidance reminds covered insurance companies that they are responsible for protecting their sector from abuse. FinCEN rules for insurance companies (published October 31, 2005, effective May 5, 2006) generated confusion about whether companies offering covered products had to comply with the range of BSA requirements. See Some Insurance Companies Now Subject to Anti-Money-Laundering Program Requirements, (December 2, 2005). By now, most, if not all, insurance companies offering covered products have installed an AML Compliance Officer. These Compliance Officers will have developed, based on their particular company's clients, products and services, a tailored AML compliance and training program. Because insurance companies' designation as "financial institutions" remains fairly new, both FinCEN and the industry are still developing an understanding of the particular AML risks associated with covered products. The March 2008 guidance offers practical guidance on complying with those obligations.
Red Flags for Identifying Suspicious Activity
In order to assist the insurance industry in identifying "suspicious activity," FinCEN has published some "red flags":
- The purchase of an insurance product inconsistent with the customer's needs;
- Unusual payment methods, such as cash or cash equivalents (when such usage is, in fact, unusual) or structured monetary instruments;
- Early termination of a product (including during the "free look" period);
- The designation of an apparently unrelated third party as a policy's or product's beneficiary;
- A customer who shows little concern for the investment performance of a product, but a great deal of interest in the product's early termination features;
- A customer who is reluctant to provide identifying information when purchasing a product, or who provides minimal or seemingly fictitious information; and
- A customer who borrows the maximum amount available soon after purchasing the product.
An insurance company's AML Compliance Officer would be well advised to monitor these—and also to create additional—red flags geared toward each covered product offered by the company. For example, Director Freis highlights numerous types of suspicious activity identified in a review of SARs filed involving insurance companies and suggests insurance companies continue to monitor FinCEN's periodic SAR Activity Review, Trends, Tips and Issues. The most recent such publication is available here. These red flags should be integrated into periodic training programs and compliance manuals and should be reviewed and updated as appropriate.
Suspicious Activity Reports for a Product that Qualifies as a Mutual Fund
Where an insurance company identifies suspicious activity in a variable product funded by separate accounts that qualifies as a "mutual fund," the insurance company should continue to file a SAR using Form 101 until such time as FinCEN publishes a form specifically for mutual funds. Where a registered broker-dealer is offering the variable product and identifies a suspicious activity, the broker-dealer and the insurance company may both be required to file a SAR. In that instance, the insurance company and the registered broker-dealer may file jointly, so long as each separately retains records of the filing for five years from the date of the filing.
Information Sharing—Safe Harbor and Filing Requirements
FinCEN also reminds insurance companies with covered products that, as "financial institutions," they are permitted to share information on suspicious activities relating to terrorist financing or money laundering with other financial institutions so long as (1) no person involved in the underlying transaction is notified; and (2) the respective financial institutions file a notice with FinCEN. See 31 C.F.R. 103.110. While the "314 letter" is well known amongst other, more traditional, financial institutions (like banks), its application to the insurance industry has not been as widely published. Pursuant to the Bank Secrecy Act's safe harbor provision, financial institutions that share information related to these topics are not liable for such disclosures. See 31 U.S.C. 5318(g)(3).
Additional AML Program Requirements When Relying on Third-Party Training
The BSA regulations require insurance companies offering "covered products" to have in place a written AML program that, in relevant part, provides for ongoing training of employees, agents and brokers 31 C.F.R. 103.137(c)(3). Previous guidance, however, was silent as to whether an insurance company could outsource its training. See FIN-2006-G010, Frequently Asked Questions—Anti-Money-Laundering Program and Suspicious Activity Reporting Requirements for Insurance Companies (May 31, 2006), published here.
FinCEN has now clarified that an insurance company may satisfy the training requirement with respect to these persons by directly training such persons or having a competent third party (including another financial institution) train those persons. Despite this flexibility, FinCEN has cautioned that the insurance company remains solely responsible for maintaining an adequate AML program. FinCEN distinguishes between outsourcing training and attempting to outsource actual compliance. To guarantee the integrity of an AML program and to monitor the adequacy of third-party training programs, FinCEN has recommended that an insurance company's AML program should also maintain policies and procedures to address circumstances where the third party's training program may be deficient. In practice, such procedures seemed less geared toward monitoring the training and its effectiveness and more toward conducting adequate due diligence with respect to business partners, affiliates and consultants. For example, FinCEN suggests that an insurance company using a third party to conduct training should, as part of its AML program, also review publicly available information for indications that an entity may have failed to comply with FinCEN's requirements.
Use Form 108, Not Form 8300, for Filing Suspicious Activity Reports
Insurance companies offering covered products have generally been aware of their obligation to report cash payments over $10,000 using FinCEN's Form 8300. FinCEN has clarified that while the Form 8300 has a box to be checked in instances where the filer identifies suspicious activity, this form does not satisfy an insurance company's obligations to file a SAR under 31 C.F.R. 103.16. Until FinCEN publishes FinCEN Form 108 Suspicious Activity Report—Insurance Companies, insurance companies should continue to use FinCEN Form 101—Suspicious Activity Report by Securities and Futures Industries to report suspicious transactions. To notify appropriate authorities, FinCEN requests that insurance companies enter the words "Insurance SAR" on the first line of the narrative section of that form.