2. Understanding and Assessing the ML/FT Risks
2.1. Overview of Insurance Sector Activities and Participants
The insurance sector offers a range of products and services to individuals and companies designed to provide a guarantee of compensation for specified loss, damage, illness, or death and facilitate financial planning and risk management in the face of uncertain future events. At the most general level, insurance products can be divided into two categories:
• Insurance of persons and funds accumulation (hereafter referred to as “life and other investment-related insurance”), which provides long-term coverage against the risk of a future loss, such as death, and may serve as an alternative long-term savings or investment vehicle (e.g., to be paid out upon retirement); and
• Property and liability insurance (hereafter referred to as “general insurance”), which provides shorter-term coverage against the risk of specific losses, such as damage to property, illness and associated medical expenses, or personal or corporate liability.
Both types of insurance may be offered in the UAE by conventional and Takaful insurance companies. The classes and types of the above-mentioned insurance categories are defined by Articles 3 and 4 of the Executive Regulation2 of the Federal Law No. (6) of 2007 on the Establishment of the Insurance Authority & Organization of Its Operations as amended by Federal Law No. 3 of 2018 (“Insurance Law”)).
Under Article 2.16 of the AML-CFT Decision as amended, only life insurance and other investment-related insurance products are subject to the UAE’s AML/CFT legal and regulatory framework. It is therefore critical that each licensed insurer, re-insurer, agent, and broker undertakes a comprehensive assessment of its ML/FT risks, including especially the risks associated with its life insurance and other investment-related insurance product offerings, and that it designs and implements an AML/CFT compliance program that is commensurate with those risks.
Insurance sector participants include operators in the insurance sector, which sell or facilitate the sale of insurance products and must be licensed by the CBUAE, and customers who own, pay for, and/or are covered by or the beneficiaries of insurance products.
Principal insurance sector operators, as defined by the Insurance Law, include:
• Insurers, defined as any insurance company incorporated in the UAE or foreign company licensed to carry out insurance operations in the UAE according to the provisions of the Insurance Law, including Takaful insurance companies.
○ Note: An insurer can issue insurance policies to consumers, or to other insurers or re-insurers, in exchange for payment of a premium.
• Re-insurers, defined as any re-insurance company incorporated in the UAE of foreign re-insurance company licensed to carry out insurance operations inside the UAE or a foreign re-insurance company outside the UAE.
○ Note: Reinsurers are insurers that issue insurance policies to customers that are themselves insurers or reinsurers. Reinsurance includes both “treaty” agreements, which cover broad groups of policies issued by the primary insurer, as well as “facultative” agreements, which cover specific policies or risks, negotiated on an ad hoc basis.
• Insurance agents, defined as any natural or legal person approved and authorized by the insurance company to carry out insurance operations on its behalf or on behalf of any branch thereof.
○ Note: All insurance agents are “tied” agents, meaning they have a contractual agreement to underwriting and sell insurance products exclusively on behalf of a single insurer. Persons who are contractually free to sell insurance on behalf of multiple insurers or as a freestanding intermediary between insurers and consumers are referred to as insurance brokers, as defined below.
• Insurance brokers, defined as any legal person who independently intermediates in insurance and re-insurance operations between the insurance or re-insurance seeker on one side and any insurance or re-insurance company on the other side and receives for his efforts commission from the insurance company or the re-insurance company with which the insurance or re-insurance has been accomplished.
○ Note: Insurance brokers can be authorized by multiple insurers to sell insurance products to consumers (or other insurers or reinsurers) on their behalf or to execute insurance sales as freestanding intermediaries between insurers and consumers, in either case in exchange for payment of a commission from the insurer.
Under the Insurance Law and supporting Insurance Authority Board Resolutions3, insurance operators also include:
- Health insurance third-party administrators, defined as legal persons licensed by the CBUAE to perform health insurance third party administration in accordance with the provisions of the related instructions (e.g. manage health insurance programs and pay health insurance claims on behalf of an insurer); - Insurance producers, defined as natural or legal persons licensed by the CBUAE to practice the profession of marketing insurance policies through ordinary means or electronic means; - Price comparison websites (also referred to as “insurance aggregators”), defined as legal persons registered by the CBUAE to provide insurance premium price comparison services using the Internet; - Consultants, defined as natural or legal persons who study the insurance requirements for his customers, give advice in respect of the suitable insurance coverage, assist in preparing the insurance claims along with conducting the other duties specified in the regulation and receive their fees from his customers;4 - Actuaries, defined as persons who estimate values of the insurance contracts, documents and the related accounts; and - Loss and damage adjusters, defined as persons who examine the damages occurred to the subject matter of the insurance, and assess them.
However, as these participants are not involved or play a very limited role in selling or facilitating the sale of insurance products, and as per Article 2 of the AML-CFT Decision, they are not included under Section 1.2. Applicability of this Guidance.
Principal insurance sector customers include:
• Policyholders or policy owners, defined as natural persons, legal persons, or legal arrangements who own and maintain the contractual rights of an insurance policy, including powers to inject funds, establish the beneficiary, and exercise early surrender rights. In the case of a group policy, the policyholder is the owner of the master policy.
• Policy payers, defined as natural persons, legal persons, or legal arrangements who pay the necessary premium to keep the policy in force.
• Insured, defined by the Insurance Law as natural persons, legal persons, or legal arrangements who concluded an insurance contract with the Insurer.
○ Note: In many cases, the policyholder, policy payer, and insured will be the same person. The insured will also be the person covered by the insurance policy.
• Beneficiaries, defined by the Insurance Law as natural persons, legal persons, or legal arrangements who acquired the rights of the insurance contract at the start or these rights has been legally transferred thereto.
○ Note: Beneficiaries and other payees are entitled to receive claim payments, distributions, or other payouts under an insurance policy. The payee of a general insurance policy is typically the insured, although certain property insurance policies may specify a third party, such as a lender or lessor with an interest in the covered property, as entitled to all or part of the claim payments on the policy.5 2 Insurance Authority – The Board of Directors’ Resolution No2 of 2009 on Issuance of the Executive Regulation of the Federal Law No6 f 2007 on Establishment of the Insurance Authority and Organization of the Insurance Operations (Published in the Official Gazette No504 on 31/01/2010).
3 Including Insurance Authority Board Resolution No. 9 of 2011 Concerning the Instructions for Licensing Health Insurance Third Party Administrators and Regulation and Control of their Business, Insurance Authority Board of Directors’ Decision No. 12 of 2018 Concerning the Regulation on Licensing and Registration of Insurance Consultants and Organization of their Operations, Insurance Authority Board of Directors’ Resolution No. 27 of 2020 Concerning the Instructions for Licensing Insurance Producers, and Insurance Authority Board of Directors’ Resolution No. 18 of 2020 Concerning the Electronic Insurance Regulations.
4 Unlike agents and brokers, consultants are not authorized to complete insurance sales (or to “bind coverage”) on behalf of an insurer.
5 A policyholder’s insurable interest is an interest in the value of the subject of insurance, including any item, event, action, or legal or financial relationship whose loss would cause a financial or other hardship. An insurable interest may result from property rights, contractual rights, or potential legal liability.2.2. ML/FT Risks Relevant to Life Insurance and other Investment-Related Insurance Products
Criminal actors may use life insurance and other investment-related insurance products to place illicit proceeds into the financial system, especially (though not exclusively) where the insurer or intermediary accepts premium payments in cash. Such products may be purchased with the intention of either holding the insurance policy over its standard duration or canceling coverage before maturity and, where permitted, withdrawing premiums paid less a penalty (a practice known as “early surrender”) so as to free up funds for alternative uses. Illicit actors may also deliberately overpay premiums and request a refund for the amount overpaid to the insurance carrier in order to trigger payout under a policy. Reimbursed premiums, withdrawn contributions, and payout proceeds (whether legitimate or fraudulent) can then be deposited into a bank account or used to purchase other financial instruments without necessarily revealing the ultimate origin of the funds.
As noted above, life and other investment-related products are generally considered to present higher ML/FT risk, particularly where they have high cash values upon surrender. The following methods may be employed to launder funds through life insurance and other investment-related insurance products or relationships:
• Assigning policies and payments to third parties, especially through policies (such as secondhand endowment and bearer insurance policies) that allow the policyholder to change the beneficiary before maturity or surrender without the knowledge or consent of the insurer;
• Borrowing against the cash surrender value of permanent life insurance policies or using a policy as collateral to purchase other financial instruments;
• Selling units in investment-linked products, such as annuities;
• Buying products with insurance termination features without concern for the product’s investment performance; and
• Establishing fictitious insurance or reinsurance companies or intermediaries in order to place or move illicit proceeds without revealing the true source of funds.
In addition to these vulnerabilities, the insurance sector is also vulnerable to abuse from other types of economic crime, particularly orchestrated fraud. Moreover, even where insurance products or relationships are not directly abused to launder money or perform other illicit transactions, insurance may be purchased by illicit actors to provide an appearance of legitimacy to the underlying, insured activities. As per Article 11.2 of the AML-CFT Decision, LFIs must consider the customer and the beneficiary of life insurance and family Takaful policies as risk factors when determining the applicability of enhanced due diligence procedures (EDD).
The remainder of this section presents additional examples of key ML/FT risk factors relevant to the insurance sector for life insurance and other investment-related insurance products, organized by risks related to insurance products, services and transactions, distribution channels and intermediaries, customers, and geographies. These should be considered by insurance sector operators when performing their financial crimes risk assessments (see section 3.1) and determining the risks presented by specific customers or business activities. Individual risks may be heightened in view of the UAE’s national and regional circumstances and the composition of the local insurance sector. Where a risk factor is coupled with one or more of the red flag indicators provided in Annex 1 of this Guidance, insurance sector operators should consider assigning additional resources or controls to the area of heightened risk, such as by applying enhanced due diligence (“EDD”) or heightened ongoing monitoring.
Insurance operators are expected to perform and document an enterprise ML/FT risk assessment and keep the risk assessment up to date given material changes to their risk profile or legal, regulatory, or supervisory environment. Additional details on the enterprise risk assessment process and the use of risk assessment findings to support a risk-based approach are provided in section 3.1.
2.2.1. Product Risk Factors
Product risk is assessed by identifying how vulnerable a product is to money laundering and terrorist financing based on the product’s design. Product risk should be assessed periodically and when significant changes are made to product offerings, including the development of new products, services, or technologies. Product risk is a significant factor in identifying unusual activity.
The following table describes attributes used to assess the vulnerability of product offerings and provides lower-and higher-risk examples of each.
Attribute Lower-risk example Higher-risk example Ability to hold funds or transact large sums Product design that does not hold a balance or cannot be withdrawn against, such as group benefits Product design that allows funds to be held on behalf of the customer; high-value or unlimited-value premium payments, overpayments, or large volumes of lower-value payments Customer anonymity or third-party transactions Product design that only allows transactions from customers with identification, or where all funds flow back to the customer Product design that allows deposits and payments by third parties or that provides for non-face-to-face transactions (e.g., mobile apps where payment source is unknown) Liquidity Product design that does not permit withdrawals or includes significant fees or other penalties for early withdrawals Product design that has no (or no significant) fees or other penalties for early withdrawal Time horizon Products that are typically held for a long period of time, such as years, until retirement or death Products that are typically held for a shorter time period Purpose or intended use of the product Product design makes it easy to identify if products are not being used as intended Product design makes it difficult to identify if products are not being used as intended 2.2.2. Service and Transaction Risk Factors
Service and transaction risk can be assessed by identifying how vulnerable a product is to use by a third party or unintended use based on the methods of transaction available. Service and transaction risk is influenced by product design. Understanding potential service and transaction risks in the business is a significant factor in recognizing unusual activity at a customer level.
The following table describes attributes used to assess service and transaction risk and provides lower-and higher-risk examples of each.
Attribute Lower-risk example Higher-risk example Difficulty in tracing ownership of funds Preprinted checks, bill payments, and electronic funds transfer (EFT) payments with verified banking records Cash, bank drafts in bearer form, travelers checks, counter checks (where ownership information is handwritten or typed in a different font than the rest of the check), and potentially some digital currencies The customer is not the payer or recipient of the funds The funds are moved from or to another financial institution The third-party paying or receiving funds has not previously been disclosed Payment source or recipient is based outside of the country The recipient or payer is the policyholder and is in a low-risk country The recipient or payer is the policyholder and is in a higher-risk country or is a third party outside the country (making it more difficult to trade or confirm the source of funds) Number of transactions The low number of transactions or transaction frequency that is typical for the product A large number of transactions back and forth with the customer or third parties, especially where it exceeds typical usage for the product Transactional patterns Regular and expected customer account activity Significant, unexpected, and unexplained change in the customer’s typical activity, such as early surrenders or withdrawals where such service is offered 2.2.3. Distribution Channel and Intermediary Risk Factors
The distribution channel is the method a customer uses to open a new policy or account. The distribution channel risk is identified by assessing how vulnerable the channel is to money laundering or terrorist financing activities based on attributes that may make it easier to obscure customer identity.
The risk of failing to identify a customer correctly may be higher for distribution channels that use an intermediary or do not require face-to-face contact. Depending on the product, distribution channel risk may be mitigated by using distributors who are also subject to AML/CFT obligations or a pension scheme subscribed through the customer’s employer.
The following table describes attributes used to assess the vulnerability of distribution channels and provides lower- and higher-risk examples of each.
Attribute Lower-risk example Higher-risk example The distributor has AML/CFT obligations The distributor is overseen by a regulatory authority and subject to AML/CFT laws equivalent to or stronger than the insurer Distributor is not subject to AML/CFT requirements Payment to an insurer Customer pays the insurer directly from their account at a bank or securities dealer The customer pays the distributor, who then pays the insurer The direct relationship of customer to insurer Tied agents, brokers, and banking consultants; products distributed directly by insurers Non-face-to-face relationships6 with insurers or agents (e.g., trusts or insurance sold by telephone or online without adequate safeguards for confirmation of identity) 6 As discussed in section 3.3.1.5 below, relationships in which personal contact between an insurer or agent and the customer is achieved via video teleconference are not considered to be non-face-to-face relationships.
2.2.4. Customer Risk Factors
Customer-based risk factors are assessed to evaluate the level of vulnerability to ML/FT threats posed by customers based on their characteristics. Understanding the inherent risks enables an insurer, agent, or broker to identify appropriate mitigating controls and manage residual risks. Customer risk factors combined with business risk factors can be used as criteria for risk scoring to identify high-risk customers. Such risk factors include:
• Customer identity; • Third-party involvement; • Customer’s source of wealth or funds; • Customers who are politically exposed persons (“PEPs”), including the direct family members and close known associates of a PEP, and legal entities where at least one beneficial owner is a PEP; and • Known criminals, terrorists, or persons on sanctions lists.7
The following table describes attributes used to assess customer risks and provides lower- and higher-risk examples of each.
Attribute Lower-risk example Higher-risk example Identification Customer provides identification or can be identified using third-party sources. Customer has difficulty producing identification, or the authenticity of the identification provided is questionable Third-party relationships No third-party involvement Customer is controlled by a third party, or there are multiple indicators of third-party deposits or payments; customer is controlled by a gatekeeper (such as an accountant, lawyer, or other professional holding accounts or contracts at the insurer) without any interaction with the beneficial owner Customer’s legal form Customer is a living person or is a large, publicly-traded legal entity with clear ownership and control Customer is a legal entity with a complex structure where it is difficult to ascertain those who own or control the entity; policyholder and/or beneficiary are companies with nominee shareholders and/or shares in bearer form Occupation, business type, or another source of wealth or funds Customer’s business type or occupation is in a lower-risk industry Customer’s business or occupation is in a higher-risk industry (such as a cash-intensive business or an industry that has extensive international exposure or is associated with crime typologies) or is associated with a lower income for a high-value deposit without a confirmed source of funds or wealth (such as inheritance or real estate) Depth and duration of relationship with customer Customer has a long history with the insurer or its agents and additional information is on file (such as credit underwriting, insurance underwriting, customer due diligence, etc.) Customer is new to the insurer or insurer has little or no experience with the customer Customer only holds accounts with lower risk products and services Customer holds policies or accounts that are registered with the government, such as a registered retirement savings plan Customer only holds non-registered policies or accounts (e.g., investment or bank accounts with an affiliate) Political exposure Customer does not have any ties to politically exposed persons Customer is considered a politically exposed person, particularly from a foreign jurisdiction Other screening results Customer does not have negative news media or media confirms what is known about the customer (such as career confirmation or community engagement) Customer has ties to or is on a designated sanctions list; has a history of predicate offenses; or is associated with negative news 7 Please see section 3.5 below and also refer to the Executive Office’s “Typologies on the circumvention of Targeted Sanctions against Terrorism and the Proliferation of Weapons of Mass Destruction”: available at https://www.uaeiec.gov.ae/en-us/un-page?p=2#
2.2.5. Geographic Risk Factors
A customer’s geographic location or connections may indicate a higher risk for ML/FT activities. To mitigate risk, controls are recommended based on domestic and international geographic risk factors. Where available, data from internal insurer historical case experiences or government data based on crimes applicable to ML or predicate offenses can be used to inform the assessment of domestic geographical risk. Customer risk is higher among customers with connections outside the country, especially connections to higher-risk countries. According to the National Assessment of Inherent Money Laundering and Terrorist Financing Risks in the United Arab Emirates, the regions and jurisdictions most often involved in criminal activity in relation to the UAE were Pakistan, India, Iran, Bangladesh, China, Russia, South Africa, Nigeria, Somalia, Lebanon, Yemen, Syria, Iraq, Afghanistan, and North Africa. The following table describes attributes used to assess geographic risks and provides each's lower- and higher-risk examples.
Attribute Lower-risk example Higher-risk example Higher-crime regions Customer does not reside in a region with higher frequency and severity of crimes with ML risk, based on the insurer’s own risk assessment (utilizing historical case experiences or government data where appropriate) Customer resides in a region with high frequency and severity of crimes with ML risk, based on the insurer’s own risk assessment (utilizing historical case experiences or government data where appropriate) History high-risk activity or fraud Customer does not reside in a region that experiences a higher incidence of high-risk activity or fraud Customer resides in a region that experiences a higher incidence of high-risk activity or fraud Foreign tax or physical residency of customer Countries risk rated as low by the insurer Countries risk rated as high by the insurer Foreign ties or transactions Customer does not have any indicators of foreign residency or transactions outside of country Customer has requested or performed transactions with ties to high-risk countries, including especially those on the NAMLCFTC’s and FATF’s lists of high-risk jurisdictions subject to a call for action and jurisdictions under increased monitoring.