Identity check: an eight-step compliance program will help insurers avoid the consequences of violating OFAC regulations.
To comply with OFAC regulations, insurers must check the identity of persons or entities having, or seeking to have, an interest in an insurance transaction to determine whether such person or entity is "listed" by OFAC. OFAC maintains a database containing the names and aliases of thousands of persons and entities that, for one or more reasons, are subject to economic sanctions by the U.S. government. If the identity of a party to an insurance transaction, such as an application for new business or an addition to an existing policy by endorsement, matches the identity of a person or entity listed by OFAC, the transaction must be stopped and any funds collected by the insurer in connection with the transaction must be held pending further instructions from OFAC. Additionally, no further transactions may be conducted with respect to that policy. "Hold That Policy" on page 77 lists examples of insurance transactions that would be prohibited under OFAC regulations.
Costs of Noncompliance
Penalties for noncompliance with OFAC regulations can be severe. Penalties for each violation generally range from $11,000 to a maximum of $1,075,000. For willful violations, criminal penalties may be imposed, including fines ranging from $50,000 to $10,000,000 per violation and imprisonment from 10 to 30 years. In setting penalties, OFAC considers the totality of the circumstances surrounding the violation, including the quality of the company's OFAC compliance program.
Violations of OFAC regulations also can generate negative publicity for the company. Even cases in which a violation is inadvertent may attract significant public attention. Such occurrences can have a corrosive effect on the violating company's good name.
Here's a step-by-step process for designing and implementing an effective OFAC compliance program:
1. Designate a compliance manager.
Your company's OFAC compliance program should be managed by a designated compliance officer. The person chosen should have ample authority to recommend and implement policy and procedural changes necessary to carry out the program requirements effectively. Since it is recommended that the program be audited periodically, your company's internal auditor(s) should be independent of your compliance officer.
2. Determine your risk profile.
In general, the scope and breadth of your company's OFAC compliance program should be proportionate to the relative probability that your company will conduct a transaction with a person or entity subject to OFAC control, the frequency with which OFAC is currently updating its lists, and other risk factors. Companies engaging in business activities that make them high risk for OFAC violations should plan to adopt more comprehensive identity-checking procedures than those engaged in only low-risk activities. This risk-based approach enables the company to strike an appropriate balance between the need to comply with OFAC regulations and its need to prioritize and allocate resources toward the goal of operating efficiently and profitably.
3. Create identity-checking procedures.
Once a company's risk profile has been established, the compliance officer should work with all functional areas to develop specific identity-checking procedures. These procedures should be tailored to fit a company's products and business methods. At a minimum, the company should plan to conduct identity checking with respect to the following:
* New Business: All new business should be reviewed and the name, date of birth, and/or address (or location) of each person or entity having an interest in the policy should be checked prior to issue.
* Transactions on Existing Business: Transactions on existing policies that change identifying information, or introduce a new party, such as a third-party claimant or other payee, should be reviewed to assure that the new information or new party does not trigger a match to OFAC lists.
* All Other Business Relationships: OFAC regulations are not specific to policy transactions and generally prohibit any business transactions with listed persons. Therefore, in addition to checking the identity of its insurance customers, a company would be wise to establish procedures to check the identity of its employees, agents, service providers and other parties with whom the company does business.
4. Select OFAC compliance software.
OFAC lists contain the names of more than 5,000 individuals and organizations. In order to effectively and efficiently conduct identity checks against those lists, a company should plan to use one or more automated interdict software packages as part of its OFAC compliance program. This software enables a company to perform name-recognition searches of customer data files, and other data files, in order to identify potential matches to names on the OFAC lists.
Special care should be taken in selecting an interdict software package. In general, what looks like a cost-effective solution may not be when the total cost of administration is considered. Many low-cost name-matching products simply report phonetic or letter-sequential matches. Thus, the customer name "Cuba Bankston" would be matched to government-provided data concerning Cuba or involving a bank. While mismatches such as these are obvious and can be quickly disregarded, numerous employee-hours can be wasted paging through reams of similar output. The large amount of false-positive output generated by simple, low-end solutions not only raises compliance costs significantly but also increases the possibility that actual matches will be overlooked. Therefore, in selecting an interdict package, a company should attempt to balance the up-front costs of available solutions against both the administrative costs associated with running them and the risks of noncompliance.
Consideration also should be given to name-recognition technology that takes into account the culture of a name, and the rules that govern such a name, rather than a program that treats all names in the same way.
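The false-positive problem described above can be shown in a few lines. This is an added example, not code from the article or from any interdict product: it contrasts letter-sequence matching with whole-token matching plus a date-of-birth comparison. The watch-list entries, customer records and function names are constructed for illustration and are not OFAC data.

```python
import re

# Constructed watch-list entries for illustration only; not real OFAC data.
WATCHLIST = [
    {"name": "CUBA", "type": "country"},
    {"name": "Example Bank of Commerce", "type": "entity"},
    {"name": "Juan Carlos Ejemplo", "type": "individual", "dob": "1961-04-02"},
]
# Constructed customer records.
CUBA_BANKSTON = {"name": "Cuba Bankston", "type": "individual", "dob": "1975-09-30"}
JUAN_EJEMPLO = {"name": "Juan Carlos Ejemplo", "type": "individual", "dob": "1961-04-02"}
J_EJEMPLO = {"name": "J. Carlos Ejemplo", "type": "individual", "dob": "1961-04-02"}

def tokens(name):
    """Upper-case a name and split it into alphabetic tokens."""
    return re.findall(r"[A-Z]+", name.upper())

def naive_match(customer, entry):
    """Letter-sequence matching: any 4-letter run of a list token
    appearing anywhere in the customer's name counts as a match."""
    cust = "".join(tokens(customer["name"]))
    return any(t[i:i + 4] in cust
               for t in tokens(entry["name"])
               for i in range(len(t) - 3))

def whole_name_match(customer, entry):
    """Compare records of the same kind on whole name tokens, then on
    date of birth. Returns None, or a note for the human reviewer.
    Assumption: country exposure is checked against addresses, not names."""
    if entry["type"] != customer["type"]:
        return None
    if not set(tokens(entry["name"])) <= set(tokens(customer["name"])):
        return None
    dob_c, dob_e = customer.get("dob"), entry.get("dob")
    if dob_c and dob_e:
        return "name and DOB agree" if dob_c == dob_e else "name agrees, DOB differs"
    return "name agrees, no DOB to compare"

def screen(customer, matcher):
    """Return (list name, matcher result) for every potential match."""
    return [(e["name"], r) for e in WATCHLIST if (r := matcher(customer, e))]
```

Exact-token matching removes the "Cuba Bankston" noise but returns nothing for the variant spelling in `J_EJEMPLO`, which is the gap that culture-aware name recognition is meant to close.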
5. Handle name-match results.
All records reported as potential matches by your interdict solution should be reviewed and categorized as either a hit (requires further information) or a false positive (can be eliminated as a potential match based on the information provided). All potential hits should be verified by the compliance officer through OFAC before blocking any transactions.
Reports containing hits that are resolved through OFAC should be marked or appended with the following information:
* The date the potential match was discussed with OFAC;
* The name of the OFAC representative who assisted in the review; and
* The outcome of the review.
If a name match is positively identified following appropriate efforts to confirm the match with OFAC, the compliance officer must ensure that all pending and future transactions on the policy are stopped and take the following steps:
* Notify OFAC within 10 business days using the appropriate reporting form.
* Notify the department of insurance of the state where the person or entity is located.
* Notify claims handlers to hold forthcoming claim payments.
* Notify customer service to suspend further activity on the policy and to set up a separate, interest-bearing account to hold future premium payments, premium refunds, payments on policy loans, and any other amounts paid or received on the policy.
The customer also should be notified in the normal course of business. For new business applicants, any adverse action notices should include a clear explanation for the declination of coverage, along with a statement that the person should contact OFAC directly for further information.
Funds received on, or due to be paid or credited on, a blocked policy must be held in the separate account until OFAC instructs the company as to how the funds must be handled. Proceeds due under blocked policies may not be set off against past-due policy receivables or other claims, and must also be paid into the account in full. As appropriate, the company may seek permission (a license) from OFAC to terminate the policy or to maintain the policy in force and make some or all payments on the policy as they occur. While it is unlikely that OFAC would allow a premium refund or policy loan payment to be made to a listed person, it is possible that OFAC would allow payments to innocent third parties.
6. Avoid shortcuts.
While identity checking seems burdensome, a company should avoid the temptation to take shortcuts. OFAC lists contain scores of common names. In order to avoid liability for discrimination and the associated negative publicity, your company should not:
* Refuse all applicants with the same name as those on the OFAC list;
* Refuse business from brokers known to serve particular communities; or
* Categorically refuse business from customers with certain names.
7. Conduct training.
Those involved in implementing a company's OFAC compliance program should receive appropriate instruction and training in using interdict software, and in reporting apparent matches. Additionally, it is recommended that all employees be trained to identify and notify the compliance officer of any occurrences or behaviors that indicate a person might be involved in criminal or terrorist activities or the funding of those activities, including:
* Lump-sum premium payments with cash or with checks from multiple sources;
* Policy loans taken in unusually large amounts or with unusual frequency;
* Frequent policy changes involving the identity of persons covered by or having an interest in the policy; or
* An unusual curiosity with the company's OFAC or anti-money laundering compliance efforts.
8. Conduct a periodic audit.
An OFAC compliance program should undergo an annual internal audit. All audit reports should be forwarded to the compliance officer and the Audit Committee of the company's Board of Directors. The compliance officer is responsible for implementing any changes to the program that are necessary to ensure ongoing compliance.
Following these general guidelines can help an organization avoid the pitfalls and consequences of violating OFAC regulations.
* Insurers must check the identity of persons or entities having, or seeking to have, an interest in an insurance transaction, to determine whether they are listed by OFAC.
* If an identity matches a person or entity on the list, the transaction must be stopped and any funds collected in connection with the transaction must be held pending further instructions from OFAC.
* Penalties for noncompliance with OFAC regulations can be severe.
Hold That Policy
The following are examples of insurance transactions that would be prohibited by the Office of Foreign Assets Control:
* A health insurance policy issued to a person listed by OFAC
* A life insurance policy naming a listed person as beneficiary
* The return of premium overpayment to a listed person
* A liability policy covering the pharmaceutical operations of an entity listed as an illegal drug trafficker
* A marine hull policy covering damages to the Pinecone, a Cypriot-flag merchant vessel that has been listed by OFAC
* An aviation policy naming a listed investment bank as loss payee
* A cargo policy in which Valleta Shipping Corporation of Panama, a listed entity, is the insured
* A property insurance policy written for a hotel chain that covers hotels in a blocked country
Contributor Scott Lawson is a director for Cleveland-based Compliplan LLC.
|Title Annotation:||Terrorism; Office of Foreign Assets Control|
|Date:||May 1, 2005|