Insurance financial crime controls – multi-firm review

Multi-firm reviews Published: 23/06/2026 Last updated: 23/06/2026

We set out our findings and what insurance firms can do to improve their financial crime systems and controls.

1. Summary of main content

We expect firms to maintain adequate and proportionate policies and procedures to counter the risk that they might be used to further financial crime. They should remain vigilant to evolving risks and invest in appropriate financial crime systems, controls and resources.

We reviewed the design of financial crime systems and controls across a selection of large insurance firms to see how effective they are. We found that they are mostly effective. However, there are some areas for improvement, and firms should follow good practice on risk assessments, client due diligence arrangements and transaction monitoring.

Life insurance firms generally had stronger controls than retail and wholesale insurance firms, possibly reflecting differences in the relevant regulations and products in each sector. 

These are our headline comparative observations for each insurance sector. 

 

| Sector | Meets expectations | Areas for improvement |
| --- | --- | --- |
| Retail insurance | Strengths in systems and controls for sanctions, fraud risk management, and anti-bribery and corruption | Risk assessment and policies and procedures |
| Wholesale insurance | Systems and controls were typically either moderate or strong. There was strong effectiveness in anti-bribery and corruption, people and knowledge and sanctions | Fraud risk management |
| Life insurance | Overall the strongest portfolio. Risk assessment, people and knowledge, third party risk, client due diligence and sanctions were generally strong | Transaction monitoring |

2. Who this applies to

Our findings will be of interest to all insurers and insurance intermediaries operating in the UK insurance market, including retail, wholesale and life insurance firms.

3. What firms need to do

We will give individual feedback to the firms that took part in our review and will engage with them further if they need to improve. We expect other firms to consider the findings and how they relate to their businesses and make any improvements they need to. 

4. Why we did this work

Insurance firms are a vital line of defence in fighting financial crime. In our Insurance Regulatory Priorities report, we said we would review the effectiveness of financial crime systems and controls across a selection of larger insurance firms. We chose them to provide a broad spread of large firm business models and markets. We wanted to understand how well firms are mitigating the risks of being used to further financial crime. We focused on the design of financial crime frameworks.

We asked the firms to send us documents in response to 38 questions across ten key groups of financial crime controls:

  1. Governance and oversight
  2. Risk assessment
  3. Regulatory reporting and issue management
  4. People and knowledge
  5. Third party risk
  6. Client due diligence
  7. Sanctions
  8. Anti-money laundering (AML) transaction monitoring
  9. Fraud
  10. Anti-bribery and corruption

We evaluated the design of firms’ controls against:

We gave firms a rating for how effectively they had designed their systems and controls:

  • Strong: Well-designed controls which fully address risks, alongside clear structures and ownership. This was particularly evident where firms had made significant investments in strengthening their financial crime frameworks and controls.
  • Moderate: Controls addressed the risk in question but had some gaps, partial or outdated documents, or reliance on manual processes. 
  • Weak: Controls did not appear to be adequately designed to mitigate the risks in question, there was unclear ownership, or documents were inconsistent or missing.

Our observations and comments are based on the documents firms provided and the insights we gathered through follow-up meetings.

5. What we found

5.1. Cross-sector findings

We found the following cross-sector themes in six of the ten control groups.

AML transaction monitoring

Transaction monitoring may be less developed in non-AML regulated insurance firms and where transaction patterns are predictable. Across the wholesale and retail insurance portfolios, most firms did not carry out formal transaction monitoring and, as a result, this area was not subject to detailed assessment in our review. This reflected firms’ regulatory status and the nature of their transaction patterns.

However, best practice is for firms to consider the risks and benefits of their approach to transaction monitoring and to document their rationale. All firms remain subject to obligations relating to suspicious activity reporting, sanctions compliance, and wider financial crime risk management. Any reduction or simplification in controls should therefore be risk-based, proportionate, and clearly evidenced.

Controls monitoring and testing

Firms’ monitoring and testing activity was consistent across the second and third lines of defence. However, some firms only had limited evidence that they had structured, risk-based monitoring and testing plans. 

We expect firms to have risk-based testing plans for second and third-line activities. They should clearly coordinate their monitoring and testing to avoid duplication or gaps in coverage. If firms don’t have dedicated financial crime assurance expertise, they should show how they have considered financial crime risks and assessed the need for specialist or outsourced reviews.

Policies and procedures

Firms generally had comprehensive group-level policies and procedures, but they were often not specific enough at business unit or jurisdictional level. 

Firms should consider supplementing their overarching frameworks with documented procedures for specific business units and jurisdictions. These may be linked to group policies but should clearly show how the firm applies them in practice within individual business units to mitigate the risk of gaps or misinterpretation.

Roles and responsibilities

Most firms have a three-lines-of-defence model, though many did not have a formal RACI (Responsible, Accountable, Consulted, Informed) matrix to clarify responsibilities across the financial crime framework.

Although not mandatory, firms should consider using a RACI matrix to clearly define roles and responsibilities across their financial crime framework. This supports accountability, transparency, and effective governance. It is particularly useful if there are broader compliance teams working on financial crime activities, including in third-party administrators.

Obligations management

Most firms did not maintain an obligations register that mapped legal and regulatory requirements to internal controls and assigned accountable owners. Obligations registers support clear accountability and oversight of different products and jurisdictions and across regulated and non-regulated activities.

Best practice is to clearly articulate the firm’s legal and regulatory obligations and map them to specific controls, processes, and responsible roles to ensure clear accountabilities and compliance.

Third-party outsourcing

Where firms have outsourced financial crime activities, they consistently recognised that they retain liability. However, while firms can have differing degrees of oversight of third parties, it is important that this is proportionate to the risks and materiality of the outsourced activities. Only one firm in our review had enhanced, risk-based levels of third-party oversight for higher risk controls. Firms should categorise third-party relationships by risk, with oversight matched to the risk category.

We expect firms to produce and review risk-focused management information to monitor third-party performance, identify emerging risks, and support timely escalation. They should have clear governance structures and escalation pathways, and document oversight activities and decisions appropriately.

5.2. Sector specific findings

When comparing cross-sector findings, consideration was given to the AML regulated status of the entities.  

Retail insurance 

  • The effectiveness of financial crime systems and controls across large retail firms is moderate overall.
  • We found strengths in sanctions, fraud risk management, and anti-bribery and corruption control. This is consistent with the lower inherent anti-money laundering risks of these products, where financial crime exposure is more likely to arise from fraud and sanctions breaches.
  • Some large retail firms operate within wider group structures and rely on group-level policies and frameworks. Their policies are less specific to these firms or business units and roles and responsibilities are often distributed across multiple teams. This can make it unclear who owns or implements policies at the firm or business unit level.
  • Risk assessment controls were assessed as weak, primarily due to limitations in evidence provided specific to individual business units.
  • Client due diligence controls were weak across most large firms, largely because they had not fully documented their approach. As non-AML regulated entities, the extent of due diligence may be more limited, but best practice is to clearly document the rationale for any differentiated approach.

Wholesale insurance 

  • The effectiveness of financial crime systems and controls across large wholesale firms is moderate overall. 
  • Design effectiveness was strongest across people and knowledge, anti-bribery and corruption, and sanctions. 
  • This is consistent with the inherent risk profile of wholesale insurance activities, where exposure to financial crime is more likely to arise through these channels.
  • Fraud management was generally weaker, reflecting limitations in management information and detail provided on firms' fraud monitoring arrangements. 
  • Transaction monitoring is not consistently embedded across these entities, which reflects the nature of business models, risks and transaction flows. However, best practice is for firms to clearly document the rationale for their approach, including how they mitigate financial crime risks. Where they have reduced or alternative procedures, they should be risk-based and proportionate, and supported by appropriate documents. 

Life insurance

  • Design effectiveness was the strongest across the life insurance firms, where effectiveness of financial crime systems and controls was assessed as moderate to good, except in transaction monitoring where some improvements are needed. 
  • Areas of strength were risk assessment, client due diligence, people and knowledge, third party risk and sanctions.
  • Some firms demonstrated strong design effectiveness in fraud risk management, including automated fraud surveillance tools and highly actionable management information.

6. Next steps

We will continue to monitor how all firms are meeting the requirements to prevent and detect financial crime.