3 THE THREE LINES OF DEFENCE
3.1 Insurers are reminded that the ultimate responsibility and accountability for ensuring compliance with AML and CFT (“AML/CFT”)-related laws and regulations rest with their board of directors and senior management [8].
3.2 An insurer’s board of directors and senior management are responsible for ensuring strong governance and sound risk management and controls in relation to AML/CFT within the insurer. While certain responsibilities can be delegated to senior employees responsible for AML/CFT, the final accountability rests with an insurer’s board of directors and senior management. The insurer should ensure a strong compliance culture throughout the organisation, where the board of directors and senior management set the right tone from the top. The board of directors and senior management should also set a clear risk appetite and establish a compliance culture whereby financial crime is not tolerated.
3.3 Business units (e.g. front office, customer-facing functions) constitute the first line of defence in identifying, assessing and mitigating the ML/TF risks faced by an insurer. As part of the first line of defence, business units require robust controls to detect illicit activities and should be allocated sufficient resources to perform this function effectively. The insurer’s policies, procedures and controls on AML/CFT should be clearly documented in writing, and communicated to all relevant officers, employees and agents in the various business units. The insurer should also ensure that its officers, employees and agents are adequately trained to be aware of their AML/CFT-related obligations, so that the insurer is in compliance with prevailing AML/CFT laws and regulations.
3.4 The second line of defence includes an insurer’s compliance function [9], and other support functions such as operations, human resource or technology that work together with the compliance function to identify ML/TF risks. The compliance function is typically responsible for the screening of new and existing business relations and their ongoing monitoring. The compliance function should alert the board of directors or senior management if it has reason to believe that the insurer’s officers, employees or agents are failing or have failed to adequately address ML/TF risks and concerns or have breached applicable AML/CFT laws and regulations. While the other support functions also play a role in mitigating ML/TF risks that an insurer faces, the compliance function will usually be the main contact point in relation to all AML/CFT-related issues for domestic and foreign authorities, including supervisory authorities, law enforcement authorities and financial intelligence units.
3.5 The third line of defence is an insurer’s internal audit function, which plays a key role in independently evaluating the insurer’s AML/CFT risk management framework and controls. This independent assessment is achieved through internal audits (or an equivalent function’s periodic evaluations) of the insurer’s compliance with AML/CFT laws and regulations, as well as policies, procedures and controls. An insurer should establish policies for periodic AML/CFT internal audits, covering areas such as –
(a) adequacy of the insurer’s AML/CFT policies, procedures and controls in identifying ML/TF risks, addressing the identified risks and complying with laws, regulations and notices;
(b) effectiveness of the insurer’s officers, employees and agents in implementing the insurer’s policies, procedures and controls;
(c) effectiveness of the compliance oversight and quality control including parameters and criteria for transaction alerts; and
(d) adequacy and effectiveness of the insurer’s AML/CFT training of relevant officers, employees and agents.
The results of these assessments should be reported to either the Audit or Risk Committee of the insurer, or a similar body of oversight, on a regular basis. Significant AML/CFT issues should be escalated to the Board. Any deficiencies identified should be promptly addressed to mitigate risks, including legal and reputational risks, to the insurer.
3.6 The board of directors and senior management should understand the ML/TF risks that the insurer is exposed to and how the insurer’s AML/CFT control framework operates to mitigate those risks. The AML/CFT controls put in place by an insurer should be commensurate with the scale, complexity and inherent risk of the insurer, and may be broadly categorised into the following 4 categories, which will be elaborated on within these Guidelines:
(a) Management Oversight, Policies and Training;
(b) Customer Due Diligence and Screening Procedures;
(c) Record Keeping and Documentation; and
(d) Assessment and Reporting of Suspicious Transactions.