Skip to main content
  • 3.6. Third-Party Reliance and Outsourcing

    As noted above, insurers are permitted to delegate the performance of specified controls to insurance agents or other intermediaries, using either a third-party reliance or an outsourcing model.

     Under a third-party reliance model, insurers may rely on any third-party LFI, such as a bank or insurance agent or broker, to perform the elements of general CDD described in sections 3.3.1.1 through 3.3.1.3, following the third party’s AML/CFT policies and procedures. In such circumstances, the third party will usually have an existing business relationship with the customer, which is independent of the relationship to be formed by the customer with the relying institution. The third-party reliance model is most commonly employed in the case of insurance brokers, who sell insurance products to consumers on behalf of multiple insurers and therefore typically maintain and apply their own AML/CFT policies and procedures.
     Under an outsourcing model, by contrast, insurers may engage a third-party service provider, such as an insurance agent or other intermediary, to apply some or all of the AML/CFT preventive measures described in this section on behalf of the delegating institution, following the insurer’s AML/CFT policies and procedures. In an outsourcing scenario, the third party is subject to the delegating insurer’s control regarding the effective implementation of those policies and procedures by the outsourcing entity. The outsourcing model is most commonly employed in the case of tied agents, who sell insurance products to consumers exclusively on behalf of a single insurer and therefore typically follow the insurer’s AML/CFT policies and procedures.
     

    Under either model, the insurer retains ultimate responsibility for the implementation of applicable AML/CFT preventive measures.

    • 3.6.1. Third-Party Reliance

      Insurers are permitted to rely on third-party LFIs to perform the elements of general CDD described in sections 3.3.1.1 through 3.3.1.3, provided the insurer relying on a third party:

       Immediately obtains the necessary CDD information concerning the elements described in sections 3.3.1.1 through 3.3.1.3;
       Takes adequate steps to satisfy itself that copies of identification data and other relevant documentation relating to the CDD requirements will be made available from the third party upon request without delay;
       Satisfies itself that the third party is regulated, supervised, or monitored for, and has measures in place for compliance with, CDD and recordkeeping requirements in line with FATF standards and local law and regulation; and
       Takes appropriate steps to identify, assess, and understand the ML/FT risks specific to the countries or jurisdictions in which the third party operates.
       

      With respect to the second of these conditions, a best practice is for insurers to obtain a copy of the relevant CDD records or have direct access to the database where such information is held, in order to facilitate ongoing monitoring of the business relationship and, if applicable, the filing of STRs and for a complete assessment record in case of a change of intermediary servicing the policy.

      Insurers are not permitted to rely on third parties to conduct ongoing monitoring of business relationships (described in section 3.3.1.4), although they may outsource such functions following the guidelines described immediately below.

    • 3.6.2. Outsourcing

      In an outsourcing or agency scenario, the outsourced entity applies CDD or other AML/CFT measures on behalf of the delegating insurer, in accordance with the insurer’s internal policies and procedures, and is subject to the insurer’s control of the effective implementation of those policies and procedure by the outsourced entity. When outsourcing a part of their AML/CFT function, including the distribution of products, an insurer should therefore include any outsourced entity in its own AML/CFT program and internal control processes, and should monitor such an entity for compliance with its internal AML/CFT policies and procedures. Outsourced entities should also be subject to the employee and agent screening and monitoring checks described immediately below.