ICP 22 Anti-Money Laundering and Combating the Financing of Terrorism

The supervisor requires insurers and intermediaries to take effective measures to combat money laundering and terrorist financing. The supervisor takes effective measures to combat money laundering and terrorist financing.

[ + ] 22.0

Introductory Guidance

22.0.1

The insurance sector is potentially at risk of being misused for money laundering and terrorist financing. This exposes the insurance sector to legal, operational and reputational risks.

22.0.2

Money laundering (ML) is the processing of criminal proceeds to disguise their illegal origin. When criminal activity generates substantial profits, the individual or group involved must find a way to control and “legitimize” funds without attracting attention to the underlying activity or the persons involved. Criminals do this by disguising the sources, changing the form, or moving the funds to a place where they are less likely to attract attention, and therefore may use the financial sector, including the insurance sector, to do so. Examples of criminal activity which may generate large profits and lead to money laundering include embezzlement, tax evasion, insider trading, bribery, cyber-crimes, illegal arms sales, smuggling, drug trafficking, prostitution, human trafficking, as well as corruption and organised crime.

22.0.3

Terrorist financing (TF) is the financing of terrorist acts, and of terrorists and terrorist organisations. It refers to the wilful provision or collection of funds by any means, directly or indirectly, with the unlawful intention that they should be used, or in the knowledge that they are to be used, in full or in part to carry out a terrorist act by a terrorist organisation or by an individual terrorist, or to support terrorists or terrorist organisations. Terrorist financing offenses may constitute predicate offenses for the crime of money laundering, in accordance with applicable law.

22.0.4

The Financial Action Task Force (FATF) is an inter-governmental body, established to set international standards for anti-money laundering (AML) and combating the financing of terrorism (CFT). The FATF standards are comprised of its individual recommendations together with interpretive notes and the applicable definitions in the FATF glossary. In this ICP the term FATF Recommendations encompasses all of these components of the FATF standards. The FATF Recommendations are directed at jurisdictions and supervisors should therefore reference their own national risk assessment, applicable laws and regulations with respect to AML/CFT.

22.0.5

The IAIS is a FATF Observer Organisation and, accordingly, endorses the FATF Recommendations. This ICP is intended to be consistent with the FATF Recommendations; however, compliance with the FATF Recommendations does not necessarily imply observance of ICP 22 nor does observance of ICP 22 necessarily imply compliance with the FATF Recommendations.

22.0.6
According to the FATF:
  • the ML/TF risks associated with the insurance sector are generally lower than those associated with other financial products (such as loans or payment services) or other sectors (such as banking); and
  • many life insurance products are not sufficiently flexible to be the first vehicle of choice for money launderers.
However, as with other financial products, there is a risk that the funds used to purchase life insurance may be the proceeds of crime.
22.0.7

This ICP applies to the underwriting and placement of life insurance and other investment-related insurance. Depending upon the jurisdiction’s assessment of the ML/TF risk posed by the non-life sector, the jurisdiction should consider whether and to what extent to apply this ICP to that sector as well.

22.0.8

The FATF Recommendations require jurisdictions to designate a “competent authority” or authorities to have responsibility for ensuring that financial institutions (including insurers and intermediaries) adequately comply with the jurisdiction’s approach to implementing the FATF Recommendations to combat ML/TF. The AML/CFT competent authority is often designated by a jurisdiction’s legislation. There may be jurisdictions where several authorities have AML/CFT responsibilities for the insurance sector. Competent authorities may include supervisors, law enforcement agencies and a financial intelligence unit (FIU) which serves as a jurisdictional centre for receiving and analysing information (such as suspicious transaction reports) and disseminating information regarding potential ML/TF.

22.0.9

In some jurisdictions, the supervisor may not be designated as an AML/CFT competent authority, but nevertheless all supervisors must understand the risk of ML/TF to the insurance sector and take steps to help combat such risk.

22.0.10

The standards and guidance related to ICP 22 are divided into two parts. Part A applies where the supervisor is a designated AML/CFT competent authority, or acts on behalf of such designated competent authority. Part B applies where the supervisor is not a designated AML/CFT competent authority. To demonstrate observance of this ICP the supervisor must meet the requirements of the standards in either Part A or Part B, or both, according to the circumstances of its jurisdiction. In jurisdictions where the supervisor for insurers is different from the supervisor of intermediaries, both Part A and Part B may apply, depending on whether they are also the respective ALM/CFT competent authority.

​22.0.11

 In implementing this ICP, the supervisor may consider as relevant various guidance available from the FATF, including its “Guidance for a Risk-Based Approach for the Life Insurance Sector” (FATF Guidance). The FATF Guidance, which is non-binding, aims to support the design and implementation of a Risk-Based Approach (RBA) to AML/CFT for the life insurance sector, taking into account applicable ML/TF risk assessments and legal and regulatory frameworks to combat money laundering and terrorist financing. The RBA concept is related to, but distinct from, the overarching concept of risk-based supervision that applies to all ICPs.

​22.0.12

As described in the ICP Introduction, this ICP applies to the supervision of insurance legal entities and, unless otherwise specified, to insurance groups. The supervisor may also consider FATF Guidance concerning supervision and mitigation of ML/TF risks at the group-wide level.

​22.0.13

Certain FATF Recommendations require that supervision be applied to the implementation of targeted financial sanctions (TFS) related to terrorism, terrorist financing and financing of proliferation of weapons of mass destruction. Adherence to TFS is not subject to the RBA described in this ICP and TFS is not further addressed in this ICP. Whether insurance supervisors have responsibilities for TFS will depend upon the particular jurisdictional arrangements in place.

[ + ] 22.1
The supervisor:
  • has a thorough and comprehensive understanding of the ML/TF risks to which insurers and/or intermediaries are exposed;
  • uses available information to assess the ML/TF risks to the insurance sector in its jurisdiction on a regular basis; and
  • applies a Risk-Based Approach (RBA) consistent with FATF Recommendations.
22.1.1
Consistent with the FATF Recommendations, RBA refers to:
  • the general process by which a supervisor, according to its identification, understanding and assessment of risks, allocates its resources to AML/CFT supervision; and
  • the specific process of supervising institutions (ie insurers and intermediaries, as applicable) that apply an AML/CFT RBA.
22.1.2

The supervisor should have a thorough and comprehensive understanding of the ML/TF risks to which insurers and intermediaries are exposed arising from the activities undertaken and products and services offered by insurers and intermediaries.

22.1.3

In the context of ML/TF, “risk” encompasses threats, vulnerabilities, and consequences in relation to products (including services and transactions), geography, customers and delivery channels.

22.1.4

Some of the examples of attributes included below can be expected over the course of a long-term insurance contract and are not necessarily inherently suspicious, but rather should be viewed as factors to consider with respect to AML/CFT RBA.

22.1.5
Product-related risk refers to the vulnerability of a product to ML/TF based on its design. The following are examples of product attributes which may tend to increase the ML/TF risk profile:
  • acceptance of very high value or unlimited value payments or large volumes of lower value payments;
  • acceptance of non-traceable payments such as cash, money orders, cashier cheques, or virtual assets;
  • acceptance of frequent payments outside a normal premium or payment schedule;
  • allowance of withdrawals at any time or early surrender, with limited charges or fees;
  • products that allow for high cash values;
  • products that accept high amount lump sum payments, coupled with liquidity features;
  • products with provisions that allow a policy to be cancelled within a stipulated timeframe and the premiums paid to be refunded; and
  • products that allow for assignment without the insurer being aware that the beneficiary of the contract has been changed until such time as a claim is made.
22.1.6
Product-related risk also encompasses the vulnerability of a product to use by a third party or to unintended use based on the methods of transactions available (ie service- and transaction-related risk). The following are examples of service and transaction attributes which may tend to increase the ML/TF risk profile:
  • products with features or services which make it possible for customers to use the product in a way that is inconsistent with its purpose (for example, an insurance policy intended to provide long term investment opportunity but which allows frequent or low fee deposit / withdrawal transactions);
  • customer is not the payer or recipient of the funds;
  • products with features that allow loans to be taken against the policy (particularly if frequent loans can be taken and/or repaid with cash);
  • acceptance to be used as collateral for a loan and/or written in a discretionary or other increased risk trust;
  • payment source or recipient of funds are outside of the jurisdiction (eg insurer in jurisdiction A and payment source in jurisdiction B); and
  • significant, unexpected, or unexplained change in customer’s pattern of payment, withdrawal, or surrender.​
22.1.7
Geographic-related risk refers to the risk that a market’s or customer’s geographic location or connections will enhance vulnerability to ML/TF. The following are examples of geographic attributes which may tend to increase the ML/TF risk profile:
  • jurisdictions identified by credible sources as having weak governance, law enforcement and regulatory regimes, including jurisdictions identified by FATF statements as having weak AML/CFT regimes;
  • jurisdictions identified by credible sources as having significant levels of organised crime, corruption, or other criminal activity, including source or transit countries for illegal drugs, human trafficking, smuggling and illegal gambling; and
  • jurisdictions subject to sanctions, embargoes, or similar measures issued by international organisations (such as the United Nations).
22.1.8
Customer-related risk refers to the risk that the insurer is doing business with a customer who is not adequately identified or may be involved with ML/TF. Customer-related risk factors include: customer identity; third-party involvement; customer source of wealth and funds; politically exposed customers; and known criminals or terrorists. The following are examples of customer attributes which may tend to increase the ML/TF risk profile:
  • structure of a legal entity that is a customer, policyholder, or beneficiary obscures or makes it difficult to identify the ultimate beneficial owner or controlling interests;
  • customer is reluctant to provide identification; exhibits difficulty producing identification; or provides identification documents of questionable authenticity;
  • involvement of a gatekeeper or a third party apparently unrelated to the customer;
  • higher risk business or occupation (such as those that are cash-intensive);
  • mismatch between wealth and income of the customer and proposed premium amounts, deposit amounts or policy limits;
  • customer is associated with negative news which may affiliate the customer with allegations of criminal behaviour; or has ties to or is on a designated sanctions list; and
  • customer is considered a politically exposed person.
​22.1.9
Delivery channel refers to the method offered to or used by a customer to start a new policy or account. Delivery channel-related risk refers to the vulnerability of the delivery channel to ML/TF based on attributes that may make it easier to obscure customer identity or the source of funds. The following are examples of delivery channel attributes which may tend to increase the ML/TF risk profile:
  • non face-to-face sales without adequate safeguards for confirmation of identification or to mitigate the risks of identity fraud; and
  • payments via intermediary that may obscure the source of payment (eg long chain of intermediaries).
​22.1.10

The supervisor should assess the main ML/TF risks to the insurance sector in its jurisdiction. Such risk assessments may provide for recommendations on the allocation of responsibilities and resources at the jurisdictional level based on a comprehensive and up-to-date understanding of the risks. These assessments will change over time, depending on how circumstances develop, and how risks evolve. For this reason risk assessments should be undertaken on a regular basis and kept up to date.

​22.1.11

The supervisor should consider the potential ML/TF risks alongside other risk assessments (for example, governance and market conduct) arising from its wider duties.

​22.1.12

When a jurisdiction-wide risk assessment has been conducted (for example, during a National Risk Assessment (NRA) process as contemplated in FATF Recommendations, if applicable), the supervisor should have access to the results and take them into account. The supervisor should participate in such an assessment to inform the assessment and to improve its understanding of the risks.

[ + ] 22.2
The supervisor:
  • issues to insurers and/or intermediaries enforceable means on AML/CFT obligations consistent with the FATF Recommendations, for matters which are not in primary legislation;
  • establishes guidance that will assist insurers and/or intermediaries to implement and comply with their respective AML/CFT requirements; and
  • provides insurers and/or intermediaries with adequate and appropriate feedback to promote AML/CFT compliance.
22.2.1

While the FATF Recommendations require the basic obligations of customer due diligence (CDD), record keeping and the reporting of suspicion to be set in primary legislation, the more detailed elements for technical compliance may be set in primary legislation or enforceable means (ie regulations, guidelines, instructions or other documents or mechanisms) that set out enforceable requirements in mandatory language with sanctions for non-compliance.

22.2.2

In some jurisdictions the supervisor, while an AML/CFT competent authority, may not be empowered to issue enforceable means; in that case the supervisor should cooperate and coordinate with the relevant authority holding such power.

22.2.3

The supervisor should require insurers and/or intermediaries to take appropriate steps to identify, assess and understand their ML/TF risks in relation to products (including services and transactions), geography, customers and delivery channels. The supervisor should also require insurers and intermediaries to manage and mitigate the ML/TF risks that have been identified.

22.2.4

The supervisor should promote a clear understanding by insurers and intermediaries of their AML/CFT obligations and ML/TF risks. This may be achieved by engaging with insurers and intermediaries and by providing information on supervision. For example, the supervisor may provide guidance on issues covered under the relevant FATF Recommendations (as implemented in primary legislation or enforceable means) including possible techniques and methods to combat ML/TF and any additional measures that insurers and/or intermediaries could take to ensure that their AML/CFT measures are effective. Such guidance may not necessarily be enforceable but will assist insurers and/or intermediaries to implement and comply with AML/CFT requirements.

22.2.5

Examples of appropriate feedback mechanisms used by the supervisor may include information on current ML/TF techniques, methods and trends (typologies), sanitised examples of actual ML/TF cases, examples of failures or weaknesses in AML/CFT systems by insurers and intermediaries, and lessons to be learned. It may be appropriate for the supervisor to refer to guidance or contribute to feedback from other sources, for example industry guidance and resources made available by the FATF.

[ + ] 22.3

The supervisor has an effective supervisory framework to monitor and enforce compliance by insurers and/or intermediaries with AML/CFT requirements.

22.3.1

The supervisor should take into account the risk of ML/TF at each stage of the supervisory process, where relevant, including the licensing stage.

22.3.2

The supervisor should have adequate financial, human and technical resources to combat ML/TF. Staff of the supervisor should be appropriately skilled and provided with adequate and relevant training for assessing and combating ML/TF risks, including the necessary skills and knowledge to assess the quality and effectiveness of an insurer’s and intermediary’s AML/CFT systems and controls.

22.3.3

The supervisor should subject insurers and/or intermediaries to supervisory review (off-site monitoring and/or on-site inspection) of their compliance with the AML/CFT requirements and, on the basis of the information arising from such monitoring and any other information acquired, assess the ML/TF risk profile of the insurer or intermediary.

22.3.4
The frequency and intensity of supervisory review should be based on:
  • the ML/TF risks present in the jurisdiction including as identified in an NRA, if applicable, or other jurisdiction-wide risk assessment;
  • the characteristics of insurers and/or intermediaries, in particular their number and diversity and the degree of discretion allowed to them under the RBA;
  • the ML/TF risks and the policies, internal controls and procedures of each insurer and/or intermediary, as identified by the supervisor’s assessment of their ML/TF risk profile; and
  • the inherent and residual risks in relation to the particular insurer or intermediary based on the firm’s own RBA of its ML/TF risks.
22.3.5

The supervisor should require insurers and/or intermediaries to undertake AML/CFT assessments on a regular basis, and to develop ML/TF risk profiles of their products (including services and transactions), geography, customers and delivery channels. The supervisor should require insurers and intermediaries to put in place risk management and control measures to effectively address identified risks.

22.3.6

The supervisor should have the power and resources to take proportionate, dissuasive and effective measures (including sanctions and other remedial and corrective measures) where insurers and intermediaries do not implement AML/CFT requirements effectively.

22.3.7

The supervisor should also require insurers and intermediaries to provide regular and timely training in AML/CFT to Board Members, Senior Management and other staff as appropriate, which is supported by a communication strategy which ensures that notification of significant changes in AML/CFT policies are regularly and timely provided.

[ + ] 22.4

The supervisor regularly reviews the effectiveness of the measures that insurers and/or intermediaries and the supervisor itself are taking on AML/CFT. The supervisor takes any necessary action to improve effectiveness.

22.4.1

Reviews should include regular assessment by the supervisor of the effectiveness of implementation by insurers and/or intermediaries of AML/CFT requirements and of its supervisory approach, including the extent to which the supervisor’s actions have an effect on compliance by insurers and/or intermediaries.

22.4.2
These reviews may cover aspects such as:
  • the ML/TF risks of a particular insurer and/or intermediary and whether these are adequately addressed by the firm’s RBA;
  • the adequacy of resources and training of both the supervisor and the insurance sector;
  • whether AML/CFT off-site monitoring is adequate;
  • whether the number and content of on-site inspections relating to AML/CFT measures is adequate;
  • the findings of off-site monitoring and on-site inspections, including the effectiveness of training and implementation by insurers and intermediaries of AML/CFT measures;
  • measures and sanctions taken by the supervisor against insurers and/or intermediaries;
  • input from other AML/CFT authorities and the FIU on the insurance sector, such as the number and pattern of suspicious transaction reports made by insurers and/or intermediaries;
  • the number and nature of requests for information from other authorities concerning AML/CFT matters;
  • the adequacy of the requirements, guidance and other information provided by the supervisor to the insurance sector and feedback received from the insurance sector; and
  • the number and type of ML/TF prosecutions and convictions in the insurance sector.
Such reviews should enable the supervisor to identify any necessary actions which need to be taken to improve effectiveness of the AML/CFT measures being taken by insurers, and/or intermediaries and the supervisor itself.
22.4.3

The supervisor should maintain records on the frequency of off-site monitoring and number of on-site inspections relating to AML/CFT and on any measures it has taken or sanctions it has issued against insurers and/or intermediaries with regard to inadequate AML/CFT measures or non-compliance with AML/CFT requirements.

[ + ] 22.5

The supervisor has effective mechanisms in place which enable it to cooperate, coordinate and exchange information for AML/CFT purposes with other domestic authorities as well as with supervisors in other jurisdictions.

22.5.1
Effective prevention and mitigation of ML/TF is enhanced by close cooperation within a supervisor’s organisation and among supervisors, the FIU, law enforcement agencies and other relevant authorities. Mechanisms of cooperation, coordination and exchange of information among relevant authorities should be documented and normally address:
  • operational cooperation and, where appropriate, coordination ; and
  • policy cooperation and, where appropriate, coordination.
22.5.2

Where the supervisor identifies suspected ML/TF in insurers or intermediaries, it should ensure that relevant information is provided in a timely manner to the FIU, any appropriate law enforcement agency and other relevant authorities.

22.5.3

The supervisor should take all necessary steps to cooperate, coordinate and exchange information with the other relevant authorities. The supervisor should communicate with the FIU and appropriate law enforcement agency to ascertain any concerns it has and any concerns expressed on AML/CFT compliance by insurers and intermediaries, to obtain feedback on trends in reported cases, and to obtain information regarding potential ML/TF risks to the insurance sector.

22.5.4

To promote an efficient exchange of information, the supervisor should consider identifying within its office a point of contact for AML/CFT issues and to liaise with other relevant authorities.

22.5.5

The exchange of information for AML/CFT purposes is subject to confidentiality considerations (see ICP 3 Information Sharing and Confidentiality Requirements).

[ + ] 22.6

The supervisor is aware of and has an understanding of ML/TF risks to which insurers and/or intermediaries are exposed. The supervisor liaises with and seeks to obtain information from the designated competent authority relating to AML/CFT by insurers and intermediaries.

22.6.1

The supervisor should have an understanding of the ML/TF risks to which insurers and/or intermediaries are exposed arising from activities undertaken in relation to products (including services and transactions), geography, customers and delivery channels, and the jurisdiction’s approach to assessing and mitigating them.

22.6.2

To enhance such understanding, it is helpful if the supervisor has access to the NRA, if applicable, or other jurisdiction-wide risk assessment.

22.6.3

The supervisor should be able to make a more informed evaluation and judgment on the soundness of insurers and intermediaries by receiving information from the designated AML/CFT competent authority. Such information may be relevant to the risk profile of, or to the effectiveness of risk management by, an insurer or intermediary. The contents of this information may include the level of ML/TF risks to which insurers and/or intermediaries are exposed, and the designated competent authority’s views on the corporate governance, risk management and internal control measures of supervised entities relevant to AML/CFT.

22.6.4

The designated AML/CFT competent authority may have information on breaches of AML/CFT requirements that should be taken into consideration by the supervisor in its supervisory activities, such as when evaluating the suitability of the Board, Senior Management and Key Persons in Control Functions, including when reviewing licence applications.

[ + ] 22.7

The supervisor has effective mechanisms in place which enable it to cooperate, coordinate and exchange information for AML/CFT purposes with relevant domestic authorities as well as with supervisors in other jurisdictions.

22.7.1

Effective prevention and mitigation of ML/TF is enhanced by close cooperation within a supervisor’s organisation and among supervisors, the FIU, law enforcement agencies and other relevant authorities. Mechanisms of cooperation, coordination and exchange of information among relevant authorities should be documented and normally address operational cooperation and, where appropriate, coordination.

22.7.2

When the supervisor becomes aware of information on ML/TF risks, it should provide relevant information to the designated AML/CFT competent authority. When the supervisor identifies suspected ML/TF in insurers and/or intermediaries, it should ensure that relevant information is provided to the FIU, appropriate law enforcement agencies and any relevant supervisors.

22.7.3

As part of its cooperation with the designated AML/CFT competent authority, the supervisor should provide input into the effectiveness of the AML/CFT framework. This may help the designated competent authority in its consideration of the framework’s effectiveness.

22.7.4

The exchange of information for AML/CFT purposes is subject to confidentiality considerations (see ICP 3 Information Sharing and Confidentiality Requirements).