dilisense

AML and Sanctions compliance in Insurance

A guidance through key AML/CFT compliance obligations and sanctions screening processes for insurers.

Published May 26, 2025


TL;DR

EU life insurers face high AML/CFT risk due to products that allow cash value, withdrawals, and transfers. They must perform strict Customer Due Diligence (CDD) and apply Enhanced Due Diligence (EDD) for high-risk clients like PEPs or those linked to high-risk countries.

Insurers must also comply with sanctions regimes (EU, UN, OFAC, UK) by screening all relevant parties. Non-life insurers face lower risk but still need AML controls. Strong governance and board oversight are essential, with new EU AML rules aiming for consistency across member states.

Introduction

Insurance companies play an important role in the financial system and are subject to Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) regulations. In the European Union, life insurers are explicitly classified as obliged entities1 under European Anti-Money Laundering regulation. This reflects the higher money laundering risk associated with life insurance products, which can accumulate cash value and be redeemed. Non-life insurers (e.g., providers of property, liability, health insurance) are generally considered lower risk for money laundering, hence EU AML directives largely focus on life insurance.

European insurance companies are therefore expected to implement robust AML and CFT programs, as well as sanctions compliance measures, since they are classified as financial institutions alongside banks and credit institutions. Over the past decade, the EU has tightened its framework through successive directives, for example, the 5th AML Directive (EU) 2018/843,2 which amended Directive (EU) 2015/849, and the 6th AML Directive (EU) 2024/1640,3 which, among other things, harmonized rules on beneficial ownership registers, cooperation between Financial Intelligence Units (FIUs), and checks on Ultimate Beneficial Owners (UBOs) and senior management.

Most recently, the EU adopted new AML Regulations (EU 2024/1624 and EU 2024/1620) to establish a single, directly applicable rulebook across member states, alongside a new AML Authority4 in Frankfurt. Insurance companies, as part of the EU’s obliged entities, will be subject to this harmonized rulebook.

At a national level, regulators across European jurisdictions have emphasized that insurance firms must take a risk-based, proactive approach to compliance, backed by strong governance5. Failure to meet AML and sanctions requirements can result in heavy fines, license revocation, and reputational damage.

Life Insurance versus Non-Life Insurance

Life insurance is particularly vulnerable to money laundering due to its investment features, which include the capacity for early withdrawal and the potential for third-party beneficiaries. Single-premium, investment-linked, endowment and high-value policies, as well as policies whose ownership can be transferred, are considered to pose significant risks. For instance, individuals engaged in illicit activities may exploit life insurance products to launder money by borrowing against the policy's cash value or by transferring policy ownership to third parties. These actions disguise the financial trail, thereby facilitating the conversion of proceeds derived from unlawful activities into funds that appear to be legitimate.

These vulnerabilities have been identified by several institutional bodies, including the Financial Action Task Force (FATF), which, in its 2018 Guidance for a Risk-Based Approach,6 categorizes the typologies of risks (customer and product) and due diligence measures to prevent money laundering in this sector.

While the FATF acknowledges that the risk of money laundering in non-life insurance is comparatively low, it emphasizes that it is not immune. Fraudulent claims, refund manipulation, and third-party premium payments can be used to launder money. In the European Union, AML Regulations apply broadly across the insurance sector but assign higher risk weightings to life insurance or other investment-related insurance products. Nevertheless, non-life insurers are still required to implement appropriate AML measures, including customer due diligence and transaction monitoring, to detect and prevent potential money laundering activities.

Customer Due Diligence (CDD) in the Insurance sector

According to European frameworks, insurance companies must perform Customer Due Diligence (CDD) on their clients at the start of a policy and at other key points. For life insurance policies, EU law requires identification and verification of the customer’s identity before or during the establishment of the business relationship. This means collecting the customer’s personal data (name, date of birth, address, official identification number, etc.) and verifying it using reliable, independent sources, for example, examining a government-issued ID document and proof of address. For insurance products, there is typically no monetary threshold that excuses CDD. Any new policy will generally trigger identification requirements.

Conversely, in other jurisdictions such as Switzerland, the law requires insurers to verify customer identity whenever a policy’s premiums exceed a considerable financial value7 determined by regulators, and even below that threshold if there is suspicion of money laundering. In the EU, simplified due diligence may be allowed for certain low-risk contracts (e.g., small life insurance policies or pension schemes with no early surrender option), but as a rule, insurers are expected to know their customer (KYC), which includes identifying the customer’s beneficial owner if the policyholder is a legal entity. For example, when underwriting a policy for a corporation or trust, the insurer must identify and verify its beneficial owner. EU requirements obligate verification of anyone owning directly or indirectly 25% or more of the shares or voting rights or other ownership interest in the corporate entity. Likewise, if a policy is taken out via an intermediary or a third-party payer is involved, the insurer should identify those parties and assess their relationship with the policyholder.

Under the EU framework, insurers must also gather and record information on the beneficiaries (the persons who will receive payouts upon claim or maturity) of life insurance policies. While verification of a beneficiary’s identity can be done at the time of payout (since beneficiaries may not be named until later), the insurer is required to include these beneficiary details in its AML records and treat a beneficiary as a relevant risk factor. If the beneficiary of a life policy is a Politically Exposed Person8 (PEP) or high-risk party, the insurer must inform senior management before paying out the policy and apply Enhanced Due Diligence.

Insurance companies are expected to conduct ongoing due diligence and monitor the relationship over time. They should keep CDD information up to date and periodically refresh identification documents for long-term policies and scrutinize transactions throughout the life of the policy. For instance, if a life insurance customer suddenly increases their premium contributions considerably, the insurer should review the account for consistency with the customer’s known profile. In non-life insurance, ongoing CDD might involve monitoring for suspicious claims or refunds. In all cases, if the customer’s risk profile changes (e.g., they move to a high-risk country or become a PEP during the term of the policy), the insurer must update its due diligence measures accordingly.

Crucially, if the insurance company cannot complete CDD, for example, if the customer refuses to provide adequate identification or information about the source of funds, the insurer must not issue the policy or must terminate the relationship. Proceeding with an insurance contract in the absence of satisfactory due diligence is prohibited under EU Regulation and national laws. In such situations, the insurer should consider filing a Suspicious Activity Report (SAR)9 and must refrain from paying out any policy proceeds or accepting further premiums until the CDD issues are resolved.

Enhanced Due Diligence (EDD) for high-risk cases

The level of risk presented by insurance customers and beneficiaries is not homogenous. The term 'Enhanced Due Diligence' (EDD) refers to the additional measures that insurers must apply when dealing with customers or scenarios that are considered to be of a higher risk. Both EU and national regulations enumerate certain situations that automatically require EDD. In the insurance context, these typically include:

  1. when the customer or beneficial owner is a PEP,
  2. when the customer is based in or has relevant links to a high-risk country identified for money laundering/terrorism financing,
  3. when a transaction or policy feature is unusually large, complex, or has no obvious economic purpose,
  4. any case that the insurer’s own risk assessment deems high risk.

In higher-risk situations, insurers must apply Enhanced Due Diligence (EDD) to strengthen AML/CFT controls. According to the Joint Consultation10 by the European Insurance and Occupational Pensions Authority (EIOPA) on AML supervision, insurers should first ensure that identity verification is fully completed before refunding premiums during a "cooling-off" or “free-look” period, particularly where premium values are large or transaction patterns appear unusual. If funds are refunded, they must be sent back only to the original source account, and the insurer should assess whether the cancellation itself raises grounds for suspicion and merits a Suspicious Activity Report (SAR).

EDD must also go beyond standard checks by gathering more comprehensive information on the customer, beneficial owner, and beneficiaries. This includes verifying the identity of third-party payers and understanding the rationale for their involvement. Where feasible, insurers should identify and verify beneficiaries and their beneficial owners at the policy’s inception rather than at payout.

Further EDD measures involve:

  • Verifying identities using multiple independent sources
  • Obtaining source of wealth and funds documentation (e.g., employment, inheritance)
  • Determining whether the customer or beneficiary is a PEP
  • Requiring first payments through a bank account held in the customer’s name

EDD also includes heightened and more frequent monitoring. Unusual behavior, such as large top-ups, early surrenders, or changes to beneficiaries, should prompt further investigation. Ultimately, EDD aims to ensure that the insurer fully understands the customer relationship, mitigating misuse of insurance products for illicit financial activity.

Why are life insurance companies considered high-risk under AML regulations?

Life insurers in the EU are classified as obliged entities under AML law. What makes life insurance particularly vulnerable to money laundering?

  A) They offer coverage for physical injuries and car accidents.
  B) They are more popular in high-risk countries.
  C) They process more transactions than banks.
  D) They involve high-value, cash-accumulating products with surrender and transfer options.

Screening against Sanctions lists (EU, UN, OFAC, UK)

Beyond their AML obligations, insurance companies operating in Europe are also required to comply with international sanctions frameworks11. The European framework prohibits doing business with certain individuals, entities, or countries that are subject to economic sanctions. Sanctions compliance is typically handled by conducting thorough screening of clients and transactions against the relevant sanctions lists. The key sanctions lists that European insurers need to consider are from the:

  • European Union: the consolidated list of persons, groups and entities subject to EU financial sanctions12
  • United Nations: the UN Security Council Consolidated List13
  • United Kingdom: the OFSI financial sanctions list14
  • United States: the OFAC sanctions lists15

Sanctions screening in practice involves comparing the names of customers (and other relevant parties) against the above lists at onboarding and regularly thereafter. Insurers typically use automated screening software to flag potential matches. This includes screening the names of policyholders, beneficiaries, named insured parties, payers of premiums (if different), and even claimants or loss payees in the case of property insurance. In the context of the Russia/Ukraine sanctions since 2022, European insurers had to ensure compliance with measures like the EU ban on insuring certain Russian state-owned companies and the prohibition on providing insurance for the transport of Russian oil16. Ensuring none of their clients fall under those prohibitions requires robust screening and client due diligence.

In summary, insurance companies must prioritise sanctions compliance alongside AML. This involves screening all relevant parties against EU/UN, national and, where applicable, OFAC lists at the time of onboarding and on an ongoing basis. The importance of robust sanctions controls in the insurance sector has been emphasised by regulatory actions, and European regulators also monitor insurers' compliance with sanctions, particularly given the role of insurance in global trade and asset protection. If not properly controlled, this could facilitate the circumvention of sanctions.
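The party-by-party screening and the EDD triggers described above, as an added example that is not part of the original article or of dilisense's products. The sanctions and PEP sets, the high-risk country code "XX", and all party names are constructed placeholders; a real deployment would query the EU, UN, UK and OFAC feeds and a PEP source instead.

```python
import unicodedata
from dataclasses import dataclass

# Constructed sample data standing in for real sanctions feeds and a PEP source.
SANCTIONED = {"ivan petrov", "nordic shipping holdings"}   # hypothetical names
PEPS = {"maria lopez"}                                      # hypothetical name
HIGH_RISK_COUNTRIES = {"XX"}                                # placeholder country code
UBO_THRESHOLD_PCT = 25.0                                    # EU beneficial-ownership threshold


def normalize(name: str) -> str:
    """Fold case, strip accents and punctuation, collapse whitespace before list matching."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    cleaned = "".join(ch if ch.isalnum() else " " for ch in folded.lower())
    return " ".join(cleaned.split())


def beneficial_owners(shareholders: dict[str, float]) -> list[str]:
    """Owners holding 25% or more must be identified and verified as beneficial owners."""
    return [name for name, pct in shareholders.items() if pct >= UBO_THRESHOLD_PCT]


@dataclass
class Party:
    role: str      # policyholder | beneficial_owner | beneficiary | payer | claimant
    name: str
    country: str   # country code of residence or registration

def screen_policy(parties: list[Party]) -> dict:
    """Screen every party of one policy and decide: block, EDD, or standard CDD."""
    sanctions_hits, edd_reasons, notify_management = [], [], False
    for p in parties:
        key = normalize(p.name)
        if key in SANCTIONED:
            sanctions_hits.append(f"{p.role}: {p.name}")
        if key in PEPS:
            edd_reasons.append(f"PEP {p.role}: {p.name}")
            # A PEP beneficiary must be escalated to senior management before payout.
            notify_management = notify_management or p.role == "beneficiary"
        if p.country in HIGH_RISK_COUNTRIES:
            edd_reasons.append(f"high-risk country, {p.role}: {p.name}")
        if p.role == "payer":   # third-party payer: identify and understand the rationale
            edd_reasons.append(f"third-party payer: {p.name}")
    outcome = "block" if sanctions_hits else "edd" if edd_reasons else "standard"
    return {"outcome": outcome, "sanctions_hits": sanctions_hits,
            "edd_reasons": edd_reasons, "notify_senior_management": notify_management}


if __name__ == "__main__":
    owners = {"Ivan PETROV": 40.0, "Jane Doe": 10.0}          # constructed cap table
    parties = [Party("policyholder", "Acme Trading SA", "CH")]
    parties += [Party("beneficial_owner", n, "CH") for n in beneficial_owners(owners)]
    parties.append(Party("beneficiary", "María López", "ES"))
    print(screen_policy(parties))
```

The same screening is rerun on an ongoing basis and whenever a party changes, since a customer can become a PEP or move to a high-risk country during the policy term.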

What is a typical trigger for Enhanced Due Diligence (EDD) in insurance?

EDD is applied to high-risk scenarios in insurance. Which of the following would most likely trigger EDD?

  A) The customer updates their address.
  B) The policyholder makes payments via bank transfer.
  C) The customer is linked to a high-risk jurisdiction.
  D) The policy is underwritten for less than €1,000.

Board-level accountability

Effective anti-money laundering (AML) and sanctions compliance in insurance depends on robust corporate governance and internal controls17. Regulators expect insurers to establish a top-down culture of compliance, where the board and senior management are accountable for the AML/CFT framework. Governance structures must include board-level oversight of AML policies, risk assessments, and reports. The board should approve AML frameworks and receive regular updates on suspicious activity reporting (SARs), control effectiveness, and compliance incidents. This aligns with Solvency II, which requires insurers to implement sound governance systems, including risk management and internal control functions proportionate to their business profile.



AML Screening built for Insurance - Why dilisense stands out

Why choose dilisense for AML screening? Because insurance demands more than generic checks. dilisense offers real-time sanctions and PEP screening, insurance-specific risk insights, and seamless onboarding tailored to life and non-life products. Stay compliant, reduce risk, and protect your reputation with a solution built for your industry.

References

1  European Union - Regulation (EU) 2024/1624. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401624. Accessed May 26, 2025.

2  European Union - Directive (EU) 2018/843. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32018L0843. Accessed May 26, 2025.

3  European Union - Directive (EU) 2024/1640. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401640. Accessed May 26, 2025.

4  European Union - Anti-Money Laundering Authority. https://www.amla.europa.eu/about-amla_en. Accessed May 26, 2025.

5  European Union - Directive 2009/138/EC (Solvency II). https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32009L0138. Accessed May 26, 2025.

6  The Financial Action Task Force (FATF) - Guidance for a Risk-Based Approach: Life Insurance Sector. https://www.fatf-gafi.org/content/dam/fatf-gafi/guidance/RBA-Life-Insurance.pdf.coredownload.pdf. Accessed May 26, 2025.

7  Switzerland - Anti-Money Laundering Act (AMLA). https://www.fedlex.admin.ch/eli/cc/1998/892_892_892/en. Accessed May 26, 2025.

8  dilisense GmbH - Politically Exposed Persons. https://dilisense.com/en/sources/politically-exposed-persons-list. Accessed May 26, 2025.

9  dilisense GmbH - What is a Suspicious Activity Report (SAR). https://dilisense.com/en/insights/what-is-a-suspicious-activity-report. Accessed May 26, 2025.

10  European Insurance and Occupational Pensions Authority (EIOPA) - Joint Consultation. https://www.eiopa.europa.eu/consultations/joint-consultation-anti-money-laundering-and-countering-financing-terrorism_en. Accessed May 26, 2025.

11  dilisense GmbH - What is Sanctions Screening? https://dilisense.com/en/insights/what-is-sanctions-screening. Accessed May 26, 2025.

12  European Union - Consolidated list of persons, groups and entities subject to EU financial sanctions. https://data.europa.eu/data/datasets/consolidated-list-of-persons-groups-and-entities-subject-to-eu-financial-sanctions?locale=en. Accessed May 26, 2025.

13  United Nations - United Nations Security Council Consolidated List. https://main.un.org/securitycouncil/en/content/un-sc-consolidated-list. Accessed May 26, 2025.

14  United Kingdom - Financial Sanctions Search. https://sanctionssearchapp.ofsi.hmtreasury.gov.uk/. Accessed May 26, 2025.

15  United States - OFAC. https://sanctionssearch.ofac.treas.gov/. Accessed May 26, 2025.

16  European Union - Sanctions on energy. https://commission.europa.eu/topics/eu-solidarity-ukraine/eu-sanctions-against-russia-following-invasion-ukraine/sanctions-energy_en. Accessed May 26, 2025.

17  EIOPA - Guidelines on system of governance. https://www.eiopa.europa.eu/publications/guidelines-system-governance_en. Accessed May 26, 2025.
