Since the early 1800s, the U.S. government has used economic sanctions to support its foreign policy and national security interests, primarily seeking sanctions against banks. The recent rise in global commerce, crime and terrorism has spurred an increase in insurers facing economic sanctions from the Treasury Department’s Office of Foreign Assets Control (OFAC). In fact, from January 1, 2006 to July 1, 2013, OFAC opened 331 case files involving insurers, with more than one-half – about 186 – involving property and casualty (P&C) carriers. In addition, 55 involved reinsurance, many of them covering P&C risks.
To comply with the OFAC, insurers and reinsurers, foreign branches and certain foreign subsidiaries are barred from doing business with or providing services to persons and entities on the Specially Designated Nationals and Blocked Persons List (SDN List). Published by the OFAC, this list includes not only prohibited countries, but thousands of persons, organizations, companies and vessels with whom business is prohibited.
An insurer violates OFAC requirements if it issues a policy, receives premiums, pays claims, facilitates a transaction or otherwise deals with any person or entity on the SDN List. OFAC prohibitions not only apply to policyholders, but also to additional insureds, premium payers, beneficiaries, loss payees, intermediaries and administrators, banks and bank lien holders, third-party liability claimants and other insurance-related entities.
In the event of a violation, civil penalties may be imposed on insurers and their underwriting, administration and claims personnel, with numerous violations potentially resulting in multiple penalties. Criminal referrals are also possible. To avoid business disruption, reputational risk and fines associated with OFAC violations, a P&C carrier should stay abreast of industry best practices and take steps necessary to avoid a violation.
SDN List Screening
OFAC regulations require that P&C and other insurers: (i) frequently check customers and others they conduct business with to ensure these entities are not on the SDN List (ii) confirm that prospective employees, customers and business partners are not on government sanctions lists before engaging in financial transactions and (iii) periodically confirm that active employees, customers, claimants and business partners are not on government sanctions lists. The SDN List, with approximately 6,000 entries at this time, is continually updated as circumstances warrant. To assist in this screening, many companies use OFAC compliance software. An insurer should check with its regulator regarding the suitability of specific programs to its unique situation.
P&C insurers should begin the compliance process by collecting applicant information required by the government’s lists – name, date of birth, address, social security number (SSN) and the country issuing a passport – and validating the information to detect duplicate or invalid SSNs. If the applicant is not a U.S. citizen and has no SSN, passport information should be used to screen against government lists.
P&C insurers must then check the OFAC website for all applicants, policyholders, beneficiaries, payors or any individual, business or trust that financially touches a policy or P&C insurer offering, or could in any way benefit from policy proceeds. They should then periodically recheck the government lists to validate that there are no matches at least before a policy renewal or a claim payment, and preferably on a regular basis to ensure the insurer has complete and current information regarding restrictions affecting countries and parties with which it is doing or plans to do business.
Types of P&C insurance more likely to raise issues under OFAC are:
- Large commercial P&C insurance for multinational or non-U.S. corporations
- Pooling arrangements covering international risks
- Ocean marine, aviation and other transportation policies
- Travel or expatriate insurance, including policies requested by third-country nationals who travel to OFAC target countries
- Crisis coverage like political risk, contract frustration and kidnap, ransom and extortion (KRE) policies
When an apparent match is found, it is necessary to determine if it is accurate through research and analysis. This due diligence should include:
- Determining the reason for the match (e.g., identified on the SDN List, involving a targeted country or some other reason).
- Evaluating the quality of the match – comparing the name in the transaction with the name on the SDN List. The insurer should research, for example, whether it is an exact name match or merely close. If, when you compare the SDN and transaction name, you are missing significant required information (e.g., full name, address, nationality, passport, tax ID, place of birth, date of birth or former names or aliases), an insurer should get more information and compare it again against the SDN List.
- If the match is for some special reason, an insurer should contact the “keeper” of the list being matched against (e.g., the Bureau of Industry and Security at the U.S. Department of Commerce, the Federal Bureau of Investigation, the Office of Defense Trade Controls at the U.S. Department of State or the Financial Crimes Enforcement Network). If an insurer is uncertain who to contact, they should contact the software provider that advised of the match or issue.
Although the OFAC does not require a compliance program, an insurer is well advised to establish OFAC policies and procedures that include a system for checking the SDN List periodically, and whenever a material event regarding an insured or its policy occurs. A material event includes, for example, whenever an application is received; a request is made to change an insured, owner or beneficiary; a request is made to add an additional insured, loss payee or lien holder; a claim is made; or a claim payment is made, including one requiring a deposit or transfer of funds through a bank.
P&C Insurer Obligations Upon Finding an SDN Match
If an insurer receives an application from a designated SDN for a policy, it may not issue the policy (or at least that portion of the risk that violates the OFAC) and the OFAC must be notified. If the designated SDN sends a deposit with the application, the payment must be blocked. If an insurer has confirmed with the OFAC that it has a “good match,” it may explain that to the customer, who can contact the OFAC for further information.
If screening efforts uncover a policyholder who became a designated SDN after the policy was issued, an insurance company should first contact OFAC compliance regarding the specifics of the case. An insurance contract in which any person or entity on the SDN List has a direct or indirect interest, or which illegally facilitates an OFAC violation, is prohibited and must be blocked or frozen.
The insurer may then notify the policyholder that the policy is “blocked,” instructing the policyholder that if they submit further premium payments, the insurer is required under applicable law to place such funds in a blocked account. In some states, the state insurance department must also be notified.
If these required screening efforts reveal that a beneficiary, payor or individual, business or trust financially touches a policy or P&C insurer offering or could in any way benefit from policy proceeds, the insurer must again contact OFAC compliance regarding the match and blocked funds. The person whose funds are being targeted must also be notified.
It is critical that all funds in which an OFAC target has a direct or indirect interest be blocked or frozen by depositing them in a U.S. bank. The funds must also be in a separate interest-bearing account on an insurer’s books, from which only OFAC-authorized debits may be made. In addition, the block must be reported to OFAC compliance in writing within 10 business days. An insurer may open separate accounts for each blocked transaction or use an omnibus account, provided there is an audit trail that allows specific funds to be unblocked with interest at any point in the future. Blocking and rejection reports must contain a copy of the original transfer instructions. The block extends to all property – premium payments, policy loan interest payments and policy loan repayments related to blocked insurance contracts. Claims cannot be adjusted or paid unless an OFAC license is first obtained. Finally, a report of blocked property must be submitted annually by September 30 to OFAC compliance.
OFAC has the authority to license a person or entity to engage in a transaction which otherwise would be prohibited (although in some cases, legislation may restrict that authority). To obtain authority to unblock funds, an insurer must submit an application for the release of blocked funds by describing in detail the underlying transaction and including copies of supporting documentation. This can be done via a form available on the OFAC website.
P&C Recordkeeping Obligations
Every person subject to OFAC requirements is required to keep and make available for examination a full and accurate record of each transaction engaged in, whether or not pursuant to license, at least five years after the date of the transaction. Every person holding blocked property is required to keep and make available a full and accurate record of the property for the period it is blocked and at least five years after it is unblocked.
Due diligence regarding OFAC rules and guidelines can be a daunting task for any insurer, but there a number of best practices a company can implement to ensure compliance.
- Have a written OFAC policy that requires cross reference to various OFAC lists and bans all transactions with restricted persons or countries without prior approval
- Separately track transactions involving restricted countries or persons
- Maintain an OFAC compliance point person to run OFAC checks and handle OFAC-related inquiries
- Continually monitor Treasury Department OFAC lists for changes
- Institute internal controls to monitor compliance with OFAC regulations for international business dealings
- Regularly train employees and staff on OFAC rules