
AML & Sanctions Compliance for Insurance: The Reality by Line of Business

  • Writer: FinScan

A reference for AML Officers, Chief Compliance Officers, and financial crime teams at life, P&C, and health insurers




Introduction

Most AML compliance content treats "insurance" as a single category. The regulations don't. A life insurer, a property and casualty carrier, and a health plan operate under three fundamentally different compliance regimes, with different regulators, different obligations, different list ecosystems, and different daily pain points.



This reference lays out what's required for each line of business, with citations to the underlying regulations and guidance. It's written for compliance leaders who need to brief a board, train a new team member, defend a program decision to an examiner, or evaluate a screening vendor.


The short version: Life and annuity carriers carry a full BSA/AML obligation under FinCEN. P&C carriers have no AML program requirement but face the heaviest historical OFAC enforcement of any insurance segment. Health plans operate in a screening world dominated by exclusion lists (OIG LEIE, GSA SAM, state Medicaid) that don't apply to the other two at all.


A brief note on where these obligations come from. US insurance AML rules flow from the Financial Action Task Force (FATF), an intergovernmental body based in Paris whose 40 Recommendations set the international AML and counter-terrorist financing standards. FinCEN, the US Financial Intelligence Unit, implements those standards through the Bank Secrecy Act framework. The FATF Recommendations are why PEP screening, suspicious activity reporting, and risk-based customer due diligence look broadly similar across jurisdictions, even though the specific implementation details differ. FATF also conducts mutual evaluations of member countries and maintains lists of higher-risk jurisdictions that compliance teams use as a screening input (covered later in this reference).


Each section below covers one line of business: who regulates it, what's required, where the daily work happens, and where compliance programs most often get burned.

 

Life & Annuity Insurance

Who regulates it

Life and annuity carriers offering "covered products" are subject to the Bank Secrecy Act and its implementing regulations under FinCEN (31 CFR Chapter X, Part 1025), as well as OFAC sanctions administered by the U.S. Department of the Treasury. State insurance departments examine the AML program as part of routine financial condition examinations. Depending on the carrier's corporate structure (for example, where it sits within an insurance holding company), it may also be regulated by the Federal Reserve.


What counts as a "covered product"

Under 31 CFR § 1025.100(b), a covered product is:

  • A permanent life insurance policy, other than a group life insurance policy

  • An annuity contract, other than a group annuity contract

  • Any other insurance product with features of cash value or investment

 

Variable products (e.g. variable universal life and variable annuities) are included in this list and are also considered securities. In addition to the AML rules, they are subject to securities industry regulation, including suitability and anti-fraud rules. Individuals who sell these products are subject to additional licensing requirements and to SEC and FINRA rules.

 

Term life insurance is not a covered product. Group life and group annuity products are not covered. Property, casualty, workers' compensation, and health insurance also fall outside this definition.


What's required

Insurance companies offering covered products must, under 31 CFR § 1025.210, develop and implement a written anti-money laundering program that includes:

  • Policies, procedures, and internal controls designed to detect suspicious activity

  • Designation of a compliance officer

  • Ongoing training of company employees, agents, and brokers

  • Independent testing of the program

  • Suspicious Activity Report (SAR) filing obligations under 31 CFR § 1025.320

 

Customer Identification Program (CIP) requirements that apply to banks do not formally apply to insurers. FinCEN nonetheless expects insurers to obtain and retain identifying information sufficient to support their AML program and SAR obligations. (See FinCEN FAQ guidance on insurance company AML programs.)


Insurers are also subject to the information-sharing provisions of the USA PATRIOT Act. Section 314(a) authorizes FinCEN to compel insurers to search their records in response to law enforcement requests for information on specific persons reasonably suspected of money laundering or terrorist financing. Section 314(b) permits insurers to voluntarily share information with other financial institutions, under a statutory safe harbor, to identify and report activities that may involve money laundering, all predicate offenses, and/or terrorist financing. Carriers that have not registered for 314(b) participation are foreclosed from a useful operational tool, particularly during investigations of suspected criminal activity involving multiple institutions.


Sanctions screening is a separate obligation under OFAC. Insurers must screen policyholders, beneficiaries, and payers against the SDN List and other OFAC-administered lists. OFAC FAQ 62 establishes that an insurer cannot issue a policy to a person on the SDN List, and any deposit received must be blocked and reported to OFAC within 10 business days.


Where life and annuity programs most often get burned

Failure to re-screen.

OFAC has cited multiple insurers for failure to re-screen pre-existing insureds against OFAC list updates. Routine re-screening of the in-force book is an explicit OFAC expectation.

Red flags at surrender and claim time.

Early policy surrender for a penalty, lump-sum annuity purchases funded by structured payments, third-party premium funding, premium overpayments followed by refund requests, and income-policy mismatches are the patterns FinCEN highlights as SAR-worthy in its industry SAR assessment.

PEP handling. 

Unlike the UK and EU, which define politically exposed persons (PEPs) prescriptively in regulation, the US takes a principles-based approach grounded in FinCEN guidance and FATF Recommendation 12. Insurers are expected to identify senior foreign political figures, their immediate family members, and close associates, and to apply enhanced scrutiny to relationships and transactions. The lack of a single statutory definition means examiners assess the reasonableness of a carrier's PEP identification methodology, not its literal compliance with a checklist. Programs that rely on a vendor list without an articulated risk-based framework are a common audit target.

Acquired books. 

Carriers that acquire blocks of business inherit policyholders, beneficiaries, and producers screened against different lists, with different tuning, under different AML programs. Day-1 re-screening of the acquired book against the acquirer's standards is rarely completed in the first 90 days post-close. 

Beneficiary screening gaps. 

Programs commonly screen policyholders at issuance but fail to screen beneficiaries, additional insureds, or assignees, particularly when beneficiaries are added or changed after the policy is in force.


Property & Casualty (P&C) Insurance

Who regulates it

P&C carriers are not subject to the BSA AML program requirement under FinCEN's insurance rules. Traditional P&C products do not have cash value or investment features and therefore do not fall under the definition of "covered products" in 31 CFR § 1025.100(b). State insurance departments and NAIC requirements still apply for general operations.


OFAC sanctions law applies fully. P&C insurers, reinsurers, brokers, agents, foreign branches, and certain foreign subsidiaries are barred from doing business with persons or entities on the SDN List or otherwise blocked under OFAC-administered programs.


The historical OFAC reality for P&C

Between January 2006 and July 2013, OFAC opened 331 case files involving insurers. More than half, approximately 186, involved P&C carriers. An additional 55 involved reinsurance, much of it covering P&C risks. P&C is the most heavily examined insurance segment in OFAC enforcement history despite having no BSA AML obligation.


Notable enforcement actions range from large global insurers to specialty lines where coverage extended to property, or interests in property, of sanctioned parties.


What's required for OFAC compliance

OFAC expects P&C insurers to screen at every meaningful touchpoint in the policy lifecycle. Under OFAC FAQ 65 and related guidance, screening should occur at:

  • Policy issuance

  • Policy renewal

  • Policy amendment, including the addition of insured parties, additional insureds, lienholders, or beneficiaries

  • Claim submission

  • Claim payment

  • Updates by OFAC to its sanctions lists (so-called "delta screening" of the in-force portfolio against new designations)

  • Any other event that exposes the insurer to sanctions risk

 

If a policyholder becomes sanctioned after policy issuance, the policy is considered "blocked." OFAC FAQ 62 permits the insurer to notify the policyholder of the blocked status without obtaining a specific license. Premium payments received from a blocked person must be blocked and reported.
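To make the delta-screening and blocking steps above concrete, here is an added example in Python (not FinScan's or OFAC's code): it diffs two sanctions list snapshots, re-screens every party on the in-force book against only the new designations, marks hit policies blocked, and computes the 10-business-day reporting deadline. All list entries, policies and dates are constructed sample data, and the list_id values are placeholders, not real SDN identifiers.

```python
"""Delta screening of an in-force P&C book against a sanctions list update.

Added example, not FinScan's or OFAC's code. List entries, policies and dates are
constructed sample data; the list_id values are placeholders, not real SDN entries.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class ListEntry:
    list_id: str   # placeholder identifier, not a real SDN uid
    name: str
    program: str

@dataclass
class Party:
    name: str
    role: str      # policyholder, beneficiary, lienholder, additional insured, payee

@dataclass
class Policy:
    number: str
    parties: list[Party]
    status: str = "in_force"
    blocked_against: list[str] = field(default_factory=list)

def normalize(name: str) -> str:
    """Cheap canonical form: punctuation stripped, case-folded, tokens sorted."""
    tokens = "".join(c if c.isalnum() or c.isspace() else " " for c in name).split()
    return " ".join(sorted(t.casefold() for t in tokens))

def list_delta(previous: set[ListEntry], current: set[ListEntry]) -> set[ListEntry]:
    """New designations since the last run; only these need re-screening."""
    return current - previous

def add_business_days(start: date, days: int) -> date:
    """OFAC's reporting clock runs in business days (weekends skipped; holidays not modelled)."""
    d = start
    while days > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days -= 1
    return d

def delta_screen(book: list[Policy], delta: set[ListEntry], today: date) -> list[dict]:
    """Screen every party on every policy against the new designations only.
    A hit marks the policy blocked and starts the 10-business-day OFAC reporting clock."""
    index = {normalize(e.name): e for e in delta}
    hits = []
    for policy in book:
        for party in policy.parties:
            entry = index.get(normalize(party.name))
            if entry is None:
                continue
            policy.status = "blocked"
            policy.blocked_against.append(entry.list_id)
            hits.append({"policy": policy.number, "role": party.role, "list_id": entry.list_id,
                         "program": entry.program, "report_by": add_business_days(today, 10)})
    return hits

def run_sample(today: date = date(2024, 6, 7)) -> tuple[list[dict], list[Policy]]:
    """Constructed scenario: one new designation matches a beneficiary on an in-force policy."""
    previous = {ListEntry("SDN-PLACEHOLDER-1", "Alpha Trading Ltd", "SAMPLE")}
    current = previous | {ListEntry("SDN-PLACEHOLDER-2", "Doe, John", "SAMPLE")}
    book = [Policy("P-1001", [Party("Jane Roe", "policyholder"), Party("John Doe", "beneficiary")]),
            Policy("P-1002", [Party("Acme Marine LLC", "policyholder"), Party("First Bank", "lienholder")])]
    return delta_screen(book, list_delta(previous, current), today), book
```

A production run would replace the name normalizer with the fuzzy matcher the program has tuned, and would re-screen renewals, amendments and claim payments on their own triggers rather than only on list updates.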


OFAC FAQ 63 (updated 2024) provides the most operationally important guidance: the steps an insurer must take when an existing policyholder or named beneficiary becomes sanctioned, and how to evaluate whether the provision of insurance services is authorized or exempt.


OFAC has clarified that the compliance obligation is shared across all participants in the insurance ecosystem, including underwriters, brokers, agents, MGAs, and coverholders. A broker cannot rely on the carrier and vice versa.


Where P&C programs most often get burned

Touchpoint coverage. 

Screening at policy issuance is universal. Screening at renewal, amendment, additional-insured addition, lienholder updates, claim payment, and SDN delta updates is uneven. Examiners look specifically at the gaps between these touchpoints.

Global policies. 

Aviation, marine, energy, and multinational property policies create exposure when coverage extends to property, persons, or activities in sanctioned jurisdictions even when the named insured is not sanctioned. OFAC recommends explicit exclusionary language in global policies for sanctioned-party and sanctioned-jurisdiction risks.

Reinsurance counterparties. 

A reinsurance contract with a sanctioned reinsurer is a violation regardless of the underlying policies. Treaty renewal season requires counterparty screening that many primary carriers underinvest in.

Claim payments. 

The "last mile" of paying a claim to a beneficiary, lienholder, or vendor who has become sanctioned since policy issuance is a frequent enforcement subject.


Health Insurance

Who regulates it

Health insurance is the line where screening obligations come from the most sources and the AML framework matters the least. The primary regulators and obligation sources are:

  • HHS Office of Inspector General (OIG). Maintains the List of Excluded Individuals and Entities (LEIE) under sections 1128 and 1156 of the Social Security Act.

  • General Services Administration (GSA). Maintains the System for Award Management (SAM) exclusion records.

  • State Medicaid agencies. Each state maintains its own Medicaid exclusion list; more than 40 states publish one.

  • OFAC. Sanctions screening obligations apply to health insurers as they do to any U.S. person.

  • CMS. For Medicare Advantage, Part D, Medicaid managed care, and related federal programs.

  • State insurance departments. For licensing, market conduct, and financial condition examinations.

 

Traditional health insurance is not a "covered product" under FinCEN's insurance AML rule, so the BSA AML program requirement does not apply.


What's required

Exclusion screening, not sanctions screening, is the daily compliance reality for health insurers.


Under federal law and OIG guidance, federal health care programs (Medicare, Medicaid, and others) cannot pay for items or services furnished, ordered, or prescribed by an individual or entity on the LEIE. This applies to employees, contractors, vendors, board members, network providers, and any party whose work touches federal program reimbursement.


OIG guidance, including the September 1999 Special Advisory Bulletin on the effect of exclusion from federal health care programs, establishes that:

  • LEIE screening should occur prior to hire or contract execution

  • LEIE screening should be performed monthly thereafter for all employees, contractors, and vendors

  • State Medicaid exclusion lists should be screened for the states in which the organization operates

  • GSA SAM should be screened for federal contractors and vendors

  • Failure to screen does not require intent. Penalties apply for both negligent and inadvertent violations.

 

For health insurers and managed care organizations, the screening population extends well beyond direct employees to include the entire provider network, delegated entities, downstream vendors, and PBMs.


OFAC sanctions screening applies separately and additionally. A sanctioned person on the SDN List cannot be a policyholder, provider, vendor, or claim payee regardless of any LEIE status.


Where health plan programs most often get burned

The list inventory problem. 

A health plan operating in multiple states must screen against LEIE, SAM, OFAC, and 40+ state Medicaid exclusion lists. There is no central feed. Lists publish in different formats, on different update cycles, with different data quality. Maintaining the inventory is itself a compliance function.

The monthly cadence. 

OIG's monthly screening expectation is non-negotiable but operationally demanding when applied across employees, contractors, vendors, providers, and delegated entities, often tens of thousands of records.

Reinstatement status. 

Removal from the LEIE is not automatic when an exclusion period ends. Reinstatement requires a formal application and written confirmation. Until the OIG issues that letter, the person remains excluded. Programs that screen on exclusion-period end-dates rather than confirmed reinstatement create exposure.

Acquired provider networks. 

Health plan and PBM M&A activity means inheriting thousands of providers, vendors, and downstream contractors who must be LEIE-screened from acquisition close. Day-1 screening of the acquired network is rarely completed inside the first month.

Name-matching across lists. 

Common provider and vendor names produce high false-positive rates. Without identifier-based matching (NPI, license number, DOB, EIN), screening teams spend the majority of their time clearing alerts.
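The monthly screening cadence, the reinstatement point and the name-matching point above, as an added example in Python (not FinScan's or OIG's code): an exclusion stays active until a reinstatement date is on file regardless of how old it is, and each hit is tiered by whether the NPI matches, the name and DOB match, or only the name matches, so that common-name alerts land in a low-priority queue instead of the analyst's main one. The exclusion records, the provider roster and the NPIs are constructed placeholders.

```python
# LEIE-style exclusion screening: identifier-based matching and reinstatement status.
# Added example, not FinScan's or OIG's code. Exclusion records and the provider roster
# are constructed sample data; the NPIs are placeholders that match no real provider.
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Exclusion:
    name: str
    npi: Optional[str]             # placeholder NPI
    dob: Optional[date]
    reinstated_on: Optional[date]  # set only when OIG has issued the reinstatement letter

@dataclass(frozen=True)
class Provider:
    name: str
    npi: Optional[str]
    dob: Optional[date]

def normalize(name: str) -> str:
    """Punctuation stripped, case-folded, tokens sorted ("Smith, John" == "John Smith")."""
    tokens = "".join(c if c.isalnum() or c.isspace() else " " for c in name).split()
    return " ".join(sorted(t.casefold() for t in tokens))

def is_active(ex: Exclusion, today: date) -> bool:
    """Excluded until written reinstatement; the exclusion period end-date is irrelevant."""
    return ex.reinstated_on is None or ex.reinstated_on > today

def match_strength(p: Provider, ex: Exclusion) -> str:
    """Tier the match: an identifier match beats a name match; a DOB conflict weakens it."""
    if p.npi and ex.npi and p.npi == ex.npi:
        return "npi_match"
    if normalize(p.name) != normalize(ex.name):
        return "no_match"
    if p.dob and ex.dob:
        return "name_dob_match" if p.dob == ex.dob else "name_dob_conflict"
    return "name_only"

DISPOSITION = {"npi_match": "confirmed_hit", "name_dob_match": "confirmed_hit",
               "name_only": "manual_review", "name_dob_conflict": "low_priority_review"}

def screen(roster: list[Provider], exclusions: list[Exclusion], today: date) -> list[dict]:
    """Monthly run: every roster record against every active exclusion."""
    alerts = []
    for p in roster:
        for ex in exclusions:
            if not is_active(ex, today):
                continue  # reinstatement letter on file: no longer an exclusion
            strength = match_strength(p, ex)
            if strength != "no_match":
                alerts.append({"provider": p.name, "npi": p.npi, "excluded": ex.name,
                               "strength": strength, "disposition": DISPOSITION[strength]})
    return alerts

def run_sample(today: date = date(2024, 6, 7)) -> list[dict]:
    """Constructed scenario: an old exclusion with no reinstatement letter, a reinstated
    exclusion, and a same-name provider whose DOB conflicts with the excluded person."""
    exclusions = [
        Exclusion("Smith, John", "1234567893", date(1970, 1, 1), None),
        Exclusion("Garcia, Maria", None, date(1980, 5, 5), date(2020, 6, 1)),
    ]
    roster = [
        Provider("John Smith", "1234567893", date(1970, 1, 1)),   # same person, still excluded
        Provider("John Smith", "1987654320", date(1985, 2, 2)),   # common name, different DOB
        Provider("Maria Garcia", None, date(1980, 5, 5)),         # reinstated in 2020: no alert
    ]
    return screen(roster, exclusions, today)
```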


Cross-Line Obligations

Some obligations cut across all three lines.


OFAC applies to everyone.  Every U.S. person, including every insurer regardless of line, is subject to OFAC sanctions law. The SDN List is the universal floor.

State insurance department oversight.  All licensed insurers, regardless of line, are subject to state insurance department examination, market conduct reviews, and licensing requirements.

Beneficial ownership obligations.  Carriers with commercial customers may face beneficial ownership identification obligations under FinCEN's CDD Rule (applicable to covered financial institutions) and the Corporate Transparency Act framework (applicable to reporting companies). The specifics depend on the customer relationship and the carrier's other regulated activities.

Group holding company structures.  Many insurance groups operate across multiple lines under a single holding company. Compliance failures at one entity can create reputational and regulatory exposure for affiliated entities, even when the regulatory obligations differ.

FATF high-risk jurisdiction lists as a screening input. FATF maintains two lists of higher-risk jurisdictions: the "black list" of Jurisdictions Subject to a Call for Action (currently including Iran, North Korea, and Myanmar) and the "grey list" of Jurisdictions Under Increased Monitoring. The grey list changes regularly as countries address identified deficiencies; jurisdictions like Vietnam, Croatia, and others have moved on and off in recent cycles. Insurance compliance programs should reflect grey list status in their country risk scoring, in EDD triggers for higher-risk geographies, and in re-screening cadence when a country's status changes. FinCEN issues advisories that translate FATF list movements into US supervisory expectations.

 

A Note on Coverage

This reference covers U.S. federal regulatory obligations. State-level requirements add additional layers, particularly for:

  • New York Department of Financial Services (NYDFS) Part 504 transaction monitoring and filtering certification

  • California Department of Insurance market conduct expectations

  • Florida and Texas state-specific insurance regulations

 

Non-U.S. jurisdictions add further complexity. OFSI in the UK, the EU's restrictive measures regime, FATF guidance, and country-specific insurance regulators all apply to carriers with cross-border exposure.

 

FAQ

Do P&C insurance companies need an AML program?

No. Traditional property and casualty insurance products do not have cash value or investment features and are not "covered products" under FinCEN's insurance AML rule (31 CFR § 1025.100(b)). P&C carriers are not required to maintain a BSA AML program. OFAC sanctions law applies fully, and P&C has historically been the most heavily examined insurance segment in OFAC enforcement.

Do life insurance companies need to screen beneficiaries?

Yes. OFAC expects insurers to screen all parties to a policy, including beneficiaries, at policy issuance and at any subsequent change. This includes beneficiary additions or substitutions, claim submission, and claim payment.

How often should an insurance company re-screen existing policyholders?

OFAC has cited insurers (AXA Equitable in 2016, GEICO in 2010, Bupa Florida in 2014) for failure to re-screen pre-existing insureds against sanctions list updates. The expectation is routine ongoing screening of the in-force portfolio against every SDN list update, plus screening at policy renewal, amendment, claim submission, and claim payment.

What is the LEIE and who has to screen against it?

The List of Excluded Individuals and Entities, maintained by the HHS Office of Inspector General, identifies individuals and entities excluded from federal health care programs. Any organization billing or receiving payment from Medicare, Medicaid, or other federal health programs (including health insurers, managed care plans, and PBMs) must screen employees, contractors, vendors, and providers against the LEIE monthly per OIG guidance.

What insurance products are "covered products" under the BSA?

Per 31 CFR § 1025.100(b), covered products are permanent life insurance policies (other than group), annuity contracts (other than group), and any other insurance product with cash value or investment features. Term life, group policies, P&C, workers' compensation, and health insurance fall outside this definition.

Are insurance brokers and agents subject to the BSA AML program requirement?

No. FinCEN's insurance regulations apply to insurance companies, not to brokers and agents independently. Brokers and agents are subject to OFAC sanctions law and frequently participate in the insurance company's AML program as part of the company's compliance obligations. Carriers will generally require brokers and agents to take annual AML training as part of their selling agreement.

What is OFAC FAQ 62 and why does it matter for insurers?

OFAC FAQ 62 provides the most operationally important guidance for insurance sanctions compliance. It establishes that an insurer may not issue a policy to a person on the SDN List, that deposits received from a blocked person must be blocked and reported to OFAC within 10 business days, and that an insurer may notify a policyholder of blocked status without obtaining a specific OFAC license.

How does FATF affect US insurance AML compliance?

FATF (the Financial Action Task Force) sets the international AML and counter-terrorist financing standards through its 40 Recommendations. FinCEN, the US Financial Intelligence Unit, implements those standards through the Bank Secrecy Act framework. FATF also maintains two lists of higher-risk jurisdictions: the "black list" of Jurisdictions Subject to a Call for Action (including Iran, North Korea, and Myanmar) and the "grey list" of Jurisdictions Under Increased Monitoring. Insurance compliance programs should reflect these lists in country risk scoring and enhanced due diligence triggers. FinCEN issues advisories that translate FATF list movements into US supervisory expectations.

How does the US define a politically exposed person (PEP) for insurance compliance?

Unlike the UK and EU, the US does not define PEPs in a single statute. The US takes a principles-based approach grounded in FinCEN guidance and FATF Recommendation 12. Insurers are expected to identify senior foreign political figures, their immediate family members, and close associates, and to apply enhanced scrutiny. Examiners assess the reasonableness of a carrier's PEP identification methodology rather than its literal compliance with a checklist. Programs that rely on a vendor PEP list without an articulated risk-based framework are a common audit finding.

What is USA PATRIOT Act Section 314(b) and should insurers participate?

Section 314(b) of the USA PATRIOT Act permits financial institutions, including insurance companies, to voluntarily share information with one another, under a statutory safe harbor, to identify and report activities that may involve money laundering, all predicate offenses and/or terrorist financing. Participation requires registration with FinCEN and renewal annually. 314(b) is particularly useful when investigating criminal activity that touches multiple institutions. Section 314(a), by contrast, is mandatory and authorizes FinCEN to compel record searches in response to law enforcement requests.



This page is a reference, not legal advice. Insurance compliance obligations depend on specific facts, products, jurisdictions, and corporate structures. Consult qualified counsel for application to your program.
