• the general process by which a supervisor, according to its identification, understanding and assessment of risks, allocates its resources to AML/CFT supervision; and
• the specific process of supervising institutions (ie insurers and intermediaries, as applicable) that apply an AML/CFT RBA.

The supervisor should have a thorough and comprehensive understanding of the ML/TF risks to which insurers and intermediaries are exposed arising from the activities undertaken and products and services offered by insurers and intermediaries.

In the context of ML/TF, “risk” encompasses threats, vulnerabilities, and consequences in relation to products (including services and transactions), geography, customers and delivery channels.

Some of the examples of attributes included below can be expected over the course of a long-term insurance contract and are not necessarily inherently suspicious, but rather should be viewed as factors to consider with respect to AML/CFT RBA.

• acceptance of very high value or unlimited value payments or large volumes of lower value payments;
• acceptance of non-traceable payments such as cash, money orders, cashier cheques, or virtual assets;
• acceptance of frequent payments outside a normal premium or payment schedule;
• allowance of withdrawals at any time or early surrender, with limited charges or fees;
• products that allow for high cash values;
• products that accept high amount lump sum payments, coupled with liquidity features;
• products with provisions that allow a policy to be cancelled within a stipulated timeframe and the premiums paid to be refunded; and
• products that allow for assignment without the insurer being aware that the beneficiary of the contract has been changed until such time as a claim is made.

• products with features or services which make it possible for customers to use the product in a way that is inconsistent with its purpose (for example, an insurance policy intended to provide long term investment opportunity but which allows frequent or low fee deposit / withdrawal transactions);
• customer is not the payer or recipient of the funds;
• products with features that allow loans to be taken against the policy (particularly if frequent loans can be taken and/or repaid with cash);
• acceptance to be used as collateral for a loan and/or written in a discretionary or other increased risk trust;
• payment source or recipient of funds are outside of the jurisdiction (eg insurer in jurisdiction A and payment source in jurisdiction B); and
• significant, unexpected, or unexplained change in customer’s pattern of payment, withdrawal, or surrender.​

• jurisdictions identified by credible sources as having weak governance, law enforcement and regulatory regimes, including jurisdictions identified by FATF statements as having weak AML/CFT regimes;
• jurisdictions identified by credible sources as having significant levels of organised crime, corruption, or other criminal activity, including source or transit countries for illegal drugs, human trafficking, smuggling and illegal gambling; and
• jurisdictions subject to sanctions, embargoes, or similar measures issued by international organisations (such as the United Nations).

• structure of a legal entity that is a customer, policyholder, or beneficiary obscures or makes it difficult to identify the ultimate beneficial owner or controlling interests;
• customer is reluctant to provide identification; exhibits difficulty producing identification; or provides identification documents of questionable authenticity;
• involvement of a gatekeeper or a third party apparently unrelated to the customer;
• higher risk business or occupation (such as those that are cash-intensive);
• mismatch between wealth and income of the customer and proposed premium amounts, deposit amounts or policy limits;
• customer is associated with negative news which may affiliate the customer with allegations of criminal behaviour; or has ties to or is on a designated sanctions list; and
• customer is considered a politically exposed person.

• non face-to-face sales without adequate safeguards for confirmation of identification or to mitigate the risks of identity fraud; and
• payments via intermediary that may obscure the source of payment (eg long chain of intermediaries).

The supervisor should assess the main ML/TF risks to the insurance sector in its jurisdiction. Such risk assessments may provide for recommendations on the allocation of responsibilities and resources at the jurisdictional level based on a comprehensive and up-to-date understanding of the risks. These assessments will change over time, depending on how circumstances develop, and how risks evolve. For this reason risk assessments should be undertaken on a regular basis and kept up to date.

While the FATF Recommendations require the basic obligations of customer due diligence (CDD), record keeping and the reporting of suspicion to be set in primary legislation, the more detailed elements for technical compliance may be set in primary legislation or enforceable means (ie regulations, guidelines, instructions or other documents or mechanisms) that set out enforceable requirements in mandatory language with sanctions for non-compliance.

In some jurisdictions the supervisor, while an AML/CFT competent authority, may not be empowered to issue enforceable means; in that case the supervisor should cooperate and coordinate with the relevant authority holding such power.

The supervisor should require insurers and/or intermediaries to take appropriate steps to identify, assess and understand their ML/TF risks in relation to products (including services and transactions), geography, customers and delivery channels. The supervisor should also require insurers and intermediaries to manage and mitigate the ML/TF risks that have been identified.

The supervisor should promote a clear understanding by insurers and intermediaries of their AML/CFT obligations and ML/TF risks. This may be achieved by engaging with insurers and intermediaries and by providing information on supervision. For example, the supervisor may provide guidance on issues covered under the relevant FATF Recommendations (as implemented in primary legislation or enforceable means) including possible techniques and methods to combat ML/TF and any additional measures that insurers and/or intermediaries could take to ensure that their AML/CFT measures are effective. Such guidance may not necessarily be enforceable but will assist insurers and/or intermediaries to implement and comply with AML/CFT requirements.

Examples of appropriate feedback mechanisms used by the supervisor may include information on current ML/TF techniques, methods and trends (typologies), sanitised examples of actual ML/TF cases, examples of failures or weaknesses in AML/CFT systems by insurers and intermediaries, and lessons to be learned. It may be appropriate for the supervisor to refer to guidance or contribute to feedback from other sources, for example industry guidance and resources made available by the FATF.

The supervisor should take into account the risk of ML/TF at each stage of the supervisory process, where relevant, including the licensing stage.

The supervisor should have adequate financial, human and technical resources to combat ML/TF. Staff of the supervisor should be appropriately skilled and provided with adequate and relevant training for assessing and combating ML/TF risks, including the necessary skills and knowledge to assess the quality and effectiveness of an insurer’s and intermediary’s AML/CFT systems and controls.

The supervisor should subject insurers and/or intermediaries to supervisory review (off-site monitoring and/or on-site inspection) of their compliance with the AML/CFT requirements and, on the basis of the information arising from such monitoring and any other information acquired, assess the ML/TF risk profile of the insurer or intermediary.

• the ML/TF risks present in the jurisdiction including as identified in an NRA, if applicable, or other jurisdiction-wide risk assessment;
• the characteristics of insurers and/or intermediaries, in particular their number and diversity and the degree of discretion allowed to them under the RBA;
• the ML/TF risks and the policies, internal controls and procedures of each insurer and/or intermediary, as identified by the supervisor’s assessment of their ML/TF risk profile; and
• the inherent and residual risks in relation to the particular insurer or intermediary based on the firm’s own RBA of its ML/TF risks.

The supervisor should require insurers and/or intermediaries to undertake AML/CFT assessments on a regular basis, and to develop ML/TF risk profiles of their products (including services and transactions), geography, customers and delivery channels. The supervisor should require insurers and intermediaries to put in place risk management and control measures to effectively address identified risks.

The supervisor should have the power and resources to take proportionate, dissuasive and effective measures (including sanctions and other remedial and corrective measures) where insurers and intermediaries do not implement AML/CFT requirements effectively.

The supervisor should also require insurers and intermediaries to provide regular and timely training in AML/CFT to Board Members, Senior Management and other staff as appropriate, which is supported by a communication strategy which ensures that notification of significant changes in AML/CFT policies are regularly and timely provided.

Reviews should include regular assessment by the supervisor of the effectiveness of implementation by insurers and/or intermediaries of AML/CFT requirements and of its supervisory approach, including the extent to which the supervisor’s actions have an effect on compliance by insurers and/or intermediaries.

• the ML/TF risks of a particular insurer and/or intermediary and whether these are adequately addressed by the firm’s RBA;
• the adequacy of resources and training of both the supervisor and the insurance sector;
• whether AML/CFT off-site monitoring is adequate;
• whether the number and content of on-site inspections relating to AML/CFT measures is adequate;
• the findings of off-site monitoring and on-site inspections, including the effectiveness of training and implementation by insurers and intermediaries of AML/CFT measures;
• measures and sanctions taken by the supervisor against insurers and/or intermediaries;
• input from other AML/CFT authorities and the FIU on the insurance sector, such as the number and pattern of suspicious transaction reports made by insurers and/or intermediaries;
• the number and nature of requests for information from other authorities concerning AML/CFT matters;
• the adequacy of the requirements, guidance and other information provided by the supervisor to the insurance sector and feedback received from the insurance sector; and
• the number and type of ML/TF prosecutions and convictions in the insurance sector.

The supervisor should maintain records on the frequency of off-site monitoring and number of on-site inspections relating to AML/CFT and on any measures it has taken or sanctions it has issued against insurers and/or intermediaries with regard to inadequate AML/CFT measures or non-compliance with AML/CFT requirements.

• operational cooperation and, where appropriate, coordination ; and
• policy cooperation and, where appropriate, coordination.

Where the supervisor identifies suspected ML/TF in insurers or intermediaries, it should ensure that relevant information is provided in a timely manner to the FIU, any appropriate law enforcement agency and other relevant authorities.

The supervisor should take all necessary steps to cooperate, coordinate and exchange information with the other relevant authorities. The supervisor should communicate with the FIU and appropriate law enforcement agency to ascertain any concerns it has and any concerns expressed on AML/CFT compliance by insurers and intermediaries, to obtain feedback on trends in reported cases, and to obtain information regarding potential ML/TF risks to the insurance sector.

To promote an efficient exchange of information, the supervisor should consider identifying within its office a point of contact for AML/CFT issues and to liaise with other relevant authorities.

The exchange of information for AML/CFT purposes is subject to confidentiality considerations (see ICP 3 Information Sharing and Confidentiality Requirements).

Effective prevention and mitigation of ML/TF is enhanced by close cooperation within a supervisor’s organisation and among supervisors, the FIU, law enforcement agencies and other relevant authorities. Mechanisms of cooperation, coordination and exchange of information among relevant authorities should be documented and normally address operational cooperation and, where appropriate, coordination.

When the supervisor becomes aware of information on ML/TF risks, it should provide relevant information to the designated AML/CFT competent authority. When the supervisor identifies suspected ML/TF in insurers and/or intermediaries, it should ensure that relevant information is provided to the FIU, appropriate law enforcement agencies and any relevant supervisors.

As part of its cooperation with the designated AML/CFT competent authority, the supervisor should provide input into the effectiveness of the AML/CFT framework. This may help the designated competent authority in its consideration of the framework’s effectiveness.

The exchange of information for AML/CFT purposes is subject to confidentiality considerations (see ICP 3 Information Sharing and Confidentiality Requirements).