ClearDil
The new global way for identity trust
The regulatory landscape for combating money laundering and the financing of terrorism (AML/CFT) is constantly evolving. Simultaneously, regulatory requirements are becoming more stringent. The implementation of AML/CFT measures, asset freezing, and international sanctions is mandatory in France, both for life insurance and non-life insurance (which encompasses property and casualty insurance – such as auto, home, liability – and personal insurance or health and welfare).
The sanction imposed on MMA IARD by the Sanctions Commission of the Prudential Supervision and Resolution Authority (ACPR) at the end of 2021 marked a turning point. It was the first sanction against a “non-life” insurer for deficiencies in its asset freezing system.
Since that date, the French supervisor’s attention to the measures implemented in the field of AML/CFT among “non-life” entities has continued to grow. Numerous inspections are ongoing and upcoming for both general insurers and mutuals. It is worth noting that, unlike AML obligations, which are based on a duty of means, the system for detecting designated individuals or entities is subject to a duty of results. The latter must, in all cases, enable the application of freezing measures and the prohibition of any operation falling within the scope of these measures.
Our perspective focuses on the use of sanctions lists and filtering tools to detect the potential presence of individuals involved in terrorism-related activities. However, it is essential to emphasize that the ACPR also urges regulated entities to exercise vigilance in detecting “weak signals” of terrorism financing, in addition to utilizing the lists.
Insurance organizations are obligated to implement asset freezing measures at every stage of the contract lifecycle, including subscription and throughout the contract’s duration (for both collections and disbursements). The implementation of these obligations is not straightforward, mainly due to the following reasons:
Numerous third parties may be involved in the contract, especially in the case of disbursements to beneficiaries other than the policyholder/insured, and often with a time delay. These third parties represent additional populations to be scrutinized for asset freezing at the time of disbursement after establishing a relationship (e.g., employees of companies and their dependents in group health or life insurance contracts, mechanics or experts involved in the event of claims, etc.), and possibly even after the contract’s termination (e.g., temporary or life annuity to the surviving spouse for life insurance or the ten-year guarantee in the context of construction liability insurance).
Know Your Customer (KYC) data on clients and third parties is generally inadequate and rarely up to date. The redesign of subscription and KYC data updating processes to meet new AML/CFT obligations has only partially taken place. The supporting documents that verify identification data are also often missing.
It is crucial to note that, contrary to some beliefs, designated individuals or entities are relatively more common in non-life insurance contracts than in life insurance contracts. This is explained by the fact that the term “financing” can be misleading: the regulations prohibit not only the provision of funds but also economic means, such as allowing a person to drive a vehicle or occupy a residence.
To comply with regulatory requirements and confidently address or anticipate a potential inspection by the ACPR, insurance organizations must fully grasp the subject and take a comprehensive approach to identify the strengths and weaknesses of their asset freezing mechanisms.
Firstly, let’s reiterate, with the diagram below, the main steps in detecting and reporting designated individuals:
All these steps are important, and deficiencies in the freezing of assets are of ‘particular gravity, given the compelling public interest in protecting public order and safety, which the legislation on asset freezing addresses in the context of the fight against money laundering and the financing of terrorism.’ We have identified seven themes on which we regularly encounter failures:
Information Collection
Regarding information collection, the main point of focus is the scope to be filtered, together with the mandatory identification data. The following are sometimes observed:
Unfiltered contracts: for example, contracts obtained through certain insurance intermediaries.
Unfiltered individuals or entities: in non-life insurance, the populations to filter are broad, including prospects, policyholders, insured individuals, beneficiaries, beneficial owners of legal entities, third-party victims, third parties involved in claims, second drivers, etc.
Insufficient quality of customer knowledge data: some mandatory customer identification data (e.g., maiden name, place of birth) may not have been collected. This is also often the case for supporting documentation, which is an integral part of KYC and is frequently missing.
The new AML/CFT obligations imposed on non-life insurance have not always led to a comprehensive review of subscription and management processes (including KYC data updates). However, such an overhaul is imperative to collect and update the necessary data to comply with asset freezing obligations.
Data Feed for Filtering
The identification data is integrated into the filtering tool based on defined frequencies and specific timeframes. It is sometimes observed that:
Insufficient frequency of data integration, whether for the flow (new individuals entering the portfolio or individuals with modified data) or the stock of the entire portfolio.
Incomplete, irregular, or suboptimal integration into the filtering tool for the stock portfolio: Due to a significant volume, only flows are regularly loaded into the filtering tool, leading to the following consequences:
In the event of a technical incident resulting from non-integration of data, the filtering of these missing flows will be compromised.
Individuals no longer within the filtering scope (e.g., former clients/prospects, occasional clients, “white list” individuals, etc.) continue to be filtered, generating alerts that will need to be addressed, even though they could have been avoided.
Absence or non-systematic application of upfront filtering, even though it is mandatory before establishing a relationship or disbursing funds.
Official Lists of Designated Persons
Difficulties are sometimes observed with the official asset freezing and international sanctions lists used and with their updating:
Missing or unnecessary lists: Some international or neighboring country lists are relevant to the activities and could be considered. On the other hand, other lists from foreign countries are not necessary for entities not subject to local obligations. The use of these lists creates additional and unnecessary burdens for insurance entities.
Outdated lists: If the updating of the content of the lists is not frequent enough (e.g., weekly), the insurance entity may not be able to promptly detect and report to the competent authorities cases that are proven or for which there is doubt due to a homonymy.
Name Screening
The configuration of name screening is a critical aspect of the system. To enable effective screening, the tool and/or the way it has been configured must:
Allow spelling variations to be taken into account (configuring “fuzzy matching” on the names or designations of designated persons (natural persons, legal entities, entities), as well as the linguistic specificities of the names of individuals in the portfolio).
Enable the Compliance team to understand the functioning of the tool through relevant and up-to-date documentation on the tool and its configuration (avoiding a “black box” effect).
Allow for the management of the “correct” triggering threshold for alerts and the appropriate rate of “fuzzy matching” (neither too strict nor too flexible).
Be periodically reviewed and have a defined governance structure.
Alert Processing
Detecting alerts promptly serves little purpose if they are not processed in a timely manner. Indeed, the following issues are sometimes observed:
A significant processing delay due to too many cases of “false positives” to handle and the lack of recourse to the automation of certain tasks.
Prolonged processing time if too little information is directly fed into the filtering tool (and, therefore, accessible to the alert handler). In such cases, additional information must be gathered by navigating between multiple tools.
Suboptimal processing due to a poorly designed alert processing workflow (e.g., the inability to “whitelist” confirmed “false positives” means they will be generated again with each data modification, even minor ones, either in the portfolio or in official lists).
Inadequately documented audit trail in the case manager of the filtering tool, preventing effective monitoring of alert processing efficiency.
Unequal handling of alerts on the same individual across different entities within a group. Those handling alerts need to be trained, and alert processing procedures should be standardized.
Implementation of Freezing Measures
The results of the screening must be integrated into underwriting and management tools to be considered by business lines, allowing for the prompt implementation and lifting of freezing measures. There are significant challenges here, including at the business level. It is often observed:
Slowdown in underwriting or management processes across all channels (e.g., online, phone, or in-person at an agency) if information is not relayed in real-time during underwriting or before the transaction takes place.
Business lines may not know how to proceed because they were not involved in the deployment of the system and were not guided to understand and assimilate the change. This leaves several unanswered questions, such as:
What stance should be taken regarding the collection of premiums?
How to handle automatic benefits (e.g., health expense reimbursements)?
What types of transactions are authorized?
What communication approach to adopt with the designated individual?
Should the contract be terminated?
…
Ongoing Monitoring and Documentation of the Model
Lastly, insufficient ongoing monitoring and insufficient quality of the system’s documentation are frequently observed, such as:
Absence of an ongoing monitoring system for the effectiveness of the filtering tool, the processing of alerts, and all other components of the aforementioned system.
Lack of documentation on:
a. Governance: management of incidents and developments in the tool.
b. Selection of the filtering solution and the history of changes: foundational options in the study and selection of the filtering solution, major and minor evolutions of the tool, both in terms of configurations and functionalities.
c. Data modeling and processing, data quality: feeding portfolio data, data mapping, data transformation if applicable (e.g., concatenation of data such as all the names and surnames of a natural person, addresses, etc.).
d. Performance and backtesting results: related to the effectiveness of filtering results and the relevance of generated alerts, test results justifying the choice of configurations and thresholds.
How to Make Your Asset Freezing Framework More Effective?
Upgrading your designated persons’ detection and processing system is mandatory, and shortcomings are increasingly subject to sanctions. The stakes, including those concerning Civil Society, which is becoming more attentive to the behaviors of financial actors, are crucial. Our numerous interventions for clients allow us to share some insights to address the previously identified weaknesses. Below are “quick wins” and recommendations to be adapted and/or supplemented based on your context and specificities (proposed contracts, organization, distribution networks, etc.).
On Information Collection: The precise identification of the filtering scope is the starting point for a compliant detection system.
The completeness and quality of identity data are prerequisites. They must be determined and diligently monitored by the insurance organization.
As a result, subscription processes (for all customer journeys) and management processes need to be reconsidered to collect the necessary identification data for relevant filtering. They should also facilitate the verification of this data through the collection of supporting documents. Note that data collection and updating can be divided between the second and first lines and can also be subject to partial automation.
On Filtering Tool Feeding: The notion of “a priori” or “a posteriori” filtering is relative and potentially reflects the need to perform “real-time” filtering (versus batch processing at a defined frequency), especially before disbursement operations.
Regarding the customer relationship, it is important to plan filtering at the opportune moment and on prospects as soon as possible. Here, the connection of screening/filtering tools with Customer Relationship Management (CRM) applications is crucial.
Consequently, developments in subscription/management tools are to be expected, especially regarding blocking modalities and information available in case of detection of persons or entities subject to sanctions.
On Name Filtering: While most insurance organizations equip themselves with filtering tools that detect names with a defined matching rate (“fuzzy match”), algorithms based simply on “distances” no longer effectively meet their needs (such as “phonetic” filtering on names in foreign languages).
Some filtering solution providers now offer modules that reduce “false positives” by combining algorithmic detection with rules or new technologies (e.g., Machine Learning, Entity Resolution).
To determine whether the filtering configuration is working correctly or requires optimization, two test methods can be implemented:
Benchmark elements of industry practices, allowing the organization to position its configuration (threshold choice or detection rules) compared to other users of similar solutions.
A “crash test” of the tool, with the filtering of different customized test cases according to the needs and specific cases of the organization (e.g., specificity of names in certain languages or lists from certain countries).
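A minimal version of the “crash test” described above, as an added example (not from the original article or from any vendor's tool): it screens constructed test names against a constructed watchlist with a distance-based score and reports misses and false positives per threshold. The use of Python's difflib as the similarity measure, the names and the thresholds are all assumptions made for illustration.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed watchlist and test cases; none of these names come from a real list.
WATCHLIST = ["Aleksandr Voronin", "Fatima El Mansouri"]
CASES = [  # (portfolio name, should it raise an alert?)
    ("VORONIN, Aleksandr", True),    # token order, case, punctuation
    ("Alexander Voronin", True),     # transliteration variant
    ("Fátima El-Mansouri", True),    # diacritic and hyphen
    ("Aleksandra Voronina", False),  # distinct person, near-identical spelling
    ("Martin Durand", False),        # unrelated name
]

def normalize(name):
    """Fold diacritics, case and punctuation; sort tokens to ignore name order."""
    folded = unicodedata.normalize("NFKD", name)
    folded = "".join(c for c in folded if not unicodedata.combining(c)).lower()
    return " ".join(sorted(re.sub(r"[^a-z0-9]+", " ", folded).split()))

def best_score(name, watchlist=WATCHLIST):
    """Highest similarity (0..1) between the name and any watchlist entry."""
    return max(SequenceMatcher(None, normalize(name), normalize(w)).ratio()
               for w in watchlist)

def crash_test(threshold, cases=CASES):
    """Return (missed designated persons, false positives) at this threshold."""
    missed = [n for n, hit in cases if hit and best_score(n) < threshold]
    false_pos = [n for n, hit in cases if not hit and best_score(n) >= threshold]
    return missed, false_pos

if __name__ == "__main__":
    for t in (0.80, 0.90, 0.95):
        missed, false_pos = crash_test(t)
        print(f"threshold {t:.2f}: missed={missed} false_positives={false_pos}")
```

With these cases no single threshold both catches the transliteration variant and spares the near-homonym, which illustrates the limit of distance-only matching noted under name filtering.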
On Alert Processing: The handling of alerts can be managed by the insurance organization itself, centralized in the case of a group, or outsourced (for example, in Shared Service Centers). In the latter case, the organization must retain control over processing times and the quality of the analyses conducted. To do this, it must engage in permanent and periodic control actions.
It is also possible, depending on the situations, to implement technological solutions for a “pre-analysis” of alerts: Machine Learning to optimize the results of alerts to be processed.