As global commerce, terrorism and financial crimes continue to rise in number and scope, it is critical for financial institutions and insurers to have adequate compliance programs in place to prevent inadvertent violations of the law.
In addition to being subject to a myriad of industry rules and regulations, insurance companies are obligated to comply with the rules promulgated under the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC).
One of OFAC’s rules is a requirement to screen proposed policyholders, existing customers, employees and business partners by checking names against the list of Specially Designated Nationals (SDN). The SDN list, which is updated regularly, contains thousands of names of individuals, organizations, companies and countries with whom U.S. persons (including insurers) may not conduct business.
Insurers, or their service providers, who fail to comply with these screening requirements or who issue a policy or otherwise violate OFAC’s rules may find themselves subject to civil penalties to the tune of $250,000 or twice the amount of each underlying transaction (up to $1,075,000 per violation), whichever is greater.
In addition to civil penalties, criminal penalties are also possible, ranging from $50,000 to $20,000,000 in fines and the potential for up to 30 years imprisonment.
While the penalties are clear and very real, many insurers struggle with the ambiguity of OFAC’s rules. For example, insurers are told they must ensure they are not doing business with, employing or otherwise partnering with people, organizations or countries on the SDN list; however, OFAC rules do not prescribe how frequently insurers must compare their databases against the ever-changing list. Instead, guidance issued by OFAC says that the frequency and methods of checking the SDN list are up to each insurer and its regulator(s).
Two recent enforcement actions against insurance companies illustrate the seriousness of the OFAC rules and the risk of noncompliance. On August 2, 2016, OFAC announced that AXA Equitable Life Insurance Company was the subject of an enforcement action because the company had maintained insurance policies and facilitated payments for persons on the SDN list, in violation of OFAC rules. Humana, Inc., as the parent company of the policies’ Third-Party Administrator (TPA), was the subject of a related enforcement action.
It did not matter that in 1992, when the insurance policies in question were issued, the policyholders were not on the SDN list; they were not added to the list until 2009. The investigation found that neither the insurer nor the TPA screened the existing policyholders against the SDN list, and the violations were not discovered until a new TPA took over in 2011.
In this case, although the companies in question were sophisticated organizations that nonetheless lacked mechanisms to detect this type of violation, OFAC did not impose monetary penalties. This decision not to impose fines stemmed from the fact that neither AXA Equitable Life Insurance Company nor Humana, Inc. had prior OFAC violations and both companies cooperated fully with the investigation. The fact that the investigation found no evidence that any company personnel had actual knowledge of the rule violations also played a role in OFAC’s decision not to impose monetary penalties.
However, just because there was no immediate financial impact to AXA Equitable Life Insurance Company or to Humana, Inc. does not mean there are no consequences. First, both companies must deal with the potential fallout of the negative publicity, as both of these enforcement findings were public announcements. And, in the event that either company is found to have violated OFAC rules again within the next five years, significant financial penalties and other repercussions are likely.
To avoid finding themselves in similar circumstances, insurers should follow these best practices:
- Review and adjust compliance programs as necessary. Every insurer should have a written policy outlining its OFAC SDN screening program and how matches will be handled. Having the policy in place is only the first step; insurers need to clearly communicate policy requirements to employees and business partners, both at the start of the employee/business relationship and then periodically throughout the relationship.
- Determine the appropriate frequency for scrubbing databases against the OFAC list. Insurers must check the OFAC SDN list for new policyholders before issuing a policy. For existing policyholders, each insurer will need to review its business to determine how frequently it will compare its data against the SDN list. This determination should be memorialized in the written policy and clearly communicated to all stakeholders.
- Don’t forget about service providers. The enforcement action taken against AXA Equitable Life Insurance Company occurred, in large part, because the TPA failed to screen policyholder names against the SDN list. Insurers may wish to obtain periodic certifications from TPAs and other service providers, confirming OFAC compliance and compliance with the insurer’s SDN policies.
- Maintain documentation. It’s not enough to have a policy and procedures in place; insurers should maintain documentation of their compliance with OFAC rules.
- In the event a violation is uncovered, follow OFAC’s rules. If a match is uncovered for a prospective policyholder, insurers may not issue the policy. For a policy that is already in place, insurers can contact OFAC for guidance on next steps.
By implementing these best practices and following OFAC rules, including SDN requirements, insurers and other financial institutions play a key role in helping to stop or limit threats to U.S. national security, foreign policy or the U.S. economy.