This document contains best practice tips from several experts on anti-money laundering (AML) and sanctions compliance. Some of the key tips discussed include developing a standardized framework for assessing risks and controls across different business units; tailoring compliance training to specific roles and business areas; understanding business operations in depth to design effective screening processes; and clearly communicating compliance risks and implications to senior management.
2. Laura Heeger
Assistant Vice President Global
Anti-Corruption Unit at MetLife
Best Practice Tips
To ensure robust compliance with trade and economic
sanctions, as well as the timely identification of politically
exposed persons, we have developed a framework for
compliance oversight. This framework is a checklist of
activities to be conducted on a daily, weekly, monthly,
quarterly and annual basis to ensure consistency of our
global compliance program. It provides easy to follow
guidance for local teams as well as a framework against
which our global program may be audited.
When charged with oversight of a global program,
evaluating risk among widely differing compliance programs
is a tremendous challenge. Compliance programs differ
according to products, customers, distribution methods and
even geography. Our team has created a standard template
for use in every country which identifies each risk and
establishes key controls. Ongoing monitoring of these
controls is required and defined with standardized testing
conducted based upon risk. This standardized approach to
risk definition, key controls, monitoring and testing allows a
global program to measure risk between countries and
focus scarce resources most effectively.
#AMLandOFAC
3. Kymberly Kochis
Partner at Nelson Levine de Luca &
Hamilton, LLC.
Best Practice Tips
The adverse reputational risk, coupled with possible
criminal and civil penalties, for AML/OFAC violations
requires insurers to have a formal and robust compliance
program. As part of that program, a sufficient enterprise risk
management structure needs to be in place to ensure that
appropriate AML/OFAC issues are addressed. During
AML/OFAC training, it is imperative that the company’s
AML/OFAC risk management structure be explained to
ensure that employees understand what they need to
report, who they need to report it to and how it should be
reported. This formal structure must allow for the timely escalation
of issues to key individuals/groups within the company.
These individuals/groups need to be empowered to make
decisions quickly. Some of the key issues these individuals/
groups need to be empowered to address include:
• Determining whether an issue warrants further action;
• Deciding to conduct an internal investigation;
• Engaging outside counsel to conduct an internal investigation;
• Engaging outside counsel to represent the company or individuals within the company; and
• Determining whether the company has an obligation to report the issue to a government agency.
These key individuals/groups should also receive regular
AML/OFAC compliance training.
4. Brian L. Mannion
Managing Counsel Office of Privacy,
Technology, Information & Contract
Services (OPTICS) at Nationwide Mutual
Insurance Company
Best Practice Tips
The AML Program regulations require you to have a
program "reasonably designed to prevent the insurance
company from being used to facilitate money laundering or
the financing of terrorist activities." Reasonable design is
not a defined term and the meaning of a "reasonable
person" reminds me of many a law school discussion (it
also brings back the feeling of finger nails on a
chalkboard). Clearly a regulator could provide some
guidance as to what are “reasonable” controls.
Another strong indicator is the program your peers have
implemented. It is critical to identify the typical practices,
procedures, or controls that are used at other life insurance
companies and then determine if they are applicable to your
company. This last piece is very important because what
works for one company may not mitigate the AML risk at
your company. However, at the end of the day, completing
this exercise of understanding what everyone else is doing,
determining if the controls make sense at your institution,
and then implementing them is a sound way of ensuring
your program is reasonable.
5. L. Brent Kessler
Asst. VP, Asst. General Counsel &
Compliance Manager at SCOR
Reinsurance Company
Best Practice Tips
A “one size fits all” approach to OFAC/AML training for your
company rarely will achieve the level of compliance desired.
Rather, consider conducting separate OFAC/AML training
sessions according to department or responsibility (e.g.,
claims, underwriting, reinsurance, directors, risk
management, by line of business, etc.) and tailoring the
material to focus on compliance issues specific to the
audience. By customizing your company’s training programs
to groups of shared interest, increased time and attention
may be spent addressing day-to-day compliance challenges
and scenarios otherwise considered too granular to be
included in a more general presentation.
Compliance training should always facilitate discussion and
be used as an opportunity for all parties to learn from each
other. The more you understand about your organization
and the compliance challenges facing your colleagues on a
daily basis, the better equipped you will be
to provide substantive guidance. Don’t let your clients come
away thinking that compliance is another road block to
doing their business.
6. Robert P. Walsh
Global Financial Crime Officer
at AXA Group
Best Practice Tips
Know your business. I mean, really know your business.
Don't be afraid to ask stupid questions. Don't be afraid to
ask about acronyms and market conventions that everyone
else takes for granted. You will actually be respected for it
by the business-side, you will do a better job, you can't
advance in your career without knowing these things, and,
best of all, it can be very interesting!
Mark Twain famously said “I didn’t have time to write you a
short letter, so I wrote you this long one instead.”
Compliance officers universally bemoan the lack of top
management support. Well, if you want their support, help
them do their jobs. They are busy with a broad spectrum of
important responsibilities. Focus on key issues, be succinct
and communicate well.
Jerry Danielson
Assistant Vice President, Compliance
Audit Director at Lincoln Financial Group
Best Practice Tips
Every tester is going to expect to see a fairly
comprehensive, non-generic risk assessment. Failure to
provide that will get you off on the wrong foot. Beyond
that, they will expect to see your controls to mitigate that
risk mapped to the risk, plus evidence of testing of those
controls.
The independent auditor needs to be qualified. Skimping
on training for in-house personnel doing the audit, or hiring
unqualified external auditors will ultimately cost in terms of
credibility and overall results.
7. Judith A. Lee
Partner & Chair at
Gibson, Dunn & Crutcher, LLP
Best Practice Tips
Regarding any potential relaxation of the Iranian sanctions
regime, insurers should not assume that prohibitions on the
provision of insurance and re-insurance will be lifted. Under
Section 1246 of the Iran Freedom and Counter-Proliferation
Act of 2012 (“IFCPA”), insurers cannot knowingly provide
insurance or reinsurance that covers Iran-related activity for
which sanctions have already been imposed under IFCPA
or other prior U.S. sanctions laws targeting Iran. While the
United States may lift sanctions on Iran in exchange for
concessions related to Iran’s nuclear program, insurers
should pay close attention to which sanctions the United
States suspends; the United States will likely only lift some
of its sanctions, thus permitting insurers to provide coverage
to some—but only some—types of activity.
In addition, insurers should pay close attention to state
insurance agencies’ enforcement of the Iranian sanctions
regime. For example, in June 2013, New York’s Department
of Financial Services (“NY DFS”) sent letters to non-U.S.
reinsurance companies demanding extensive information
relating to potentially sanctionable activities. Known for its
aggressive enforcement of U.S. sanctions on Iran, NY DFS’s
actions should put insurers on notice that both state and
federal regulators will be closely examining their activities.
8. Damian V. Sepanik
Chief Compliance Officer at Zurich North
America
Best Practice Tips
I think it is imperative to truly understand business
processes and sub-processes to create a sanctions
screening solution that is effective and efficient. A “one size
fits all” approach rarely works and can create risky gaps
that can come back to haunt even a well-intentioned
organization. Multiple sanctions regimes may be applicable
within one international insurance program and constantly
changing and evolving sanctions requirements increase the
complexity of such transactions. Constant testing and
monitoring is needed to understand if the process
developed in the past is still effective today.
Understanding and communicating the scope of the risk of
sanctions violations is necessary to ensure the correct
funding and level of priority is placed on your sanctions
program. While fines and penalties are often staggering, the
reputational impact to an organization related to an OFAC
or other sanctions violation can be even more devastating.
It is helpful to use real examples when discussing this risk
with management and ask “what would happen if this
happened in your unit?” so they can understand the
business implications of a violation.