7 REPORTING OF SUSPICIOUS TRANSACTIONS
7.1 Clear guidance should be provided to all officers, employees and agents as to what constitutes a “suspicious transaction” that warrants escalation and reporting.
7.2 There should be well-defined guidelines and procedures in place for escalating, investigating, reporting and acting on suspicious transactions. The channels for reporting suspicious transactions should be clearly specified in writing and communicated to all personnel.
7.3 A clear internal reporting channel should be set up for the escalation of suspicious transaction reports from the officer, employee or agent making the report. The insurer should establish a single reference point (e.g. Chief Executive, Head of Compliance) within the organisation to whom all transactions suspected of being connected to ML/TF activity should be referred.
7.4 The onus is on the insurer to identify and assess red flag indicators of suspicious transactions. The insurer should determine what constitutes a suspicious transaction which warrants escalation and reporting based on the scale, complexity, and inherent risk of its business. In terms of determining and assessing suspicious activity exhibited by customers, examples of suspicious circumstances that may warrant the filing of an STR may include the following:
(a) where the customer is reluctant, unable or unwilling to provide any information requested by the insurer;
(b) where the customer, without reasonable grounds, decides to withdraw a pending application to establish business relations with the insurer;
(c) where the customer, without reasonable grounds, decides to suddenly terminate existing business relations with the insurer;
(d) abnormal settlement instructions, including payment to apparently unconnected parties; or
(e) frequent changes to the customer’s address or to authorised signatories.
7.5 STRs should be filed on all suspicious transactions and cases. Where an insurer decides not to file an STR for a case that was initially thought to be suspicious, the basis for doing so should be documented, and the decision made by the initial assessor of the case should be raised to a higher authority for review and approval.
7.6 An STR should be filed within 15 business days of the case being referred by the relevant officer, employee or agent, if the insurer has assessed that the matter should be referred to the STRO, unless the circumstances are exceptional or extraordinary. The decision as to whether to refer the matter to the STRO should be made regardless of the amount of the transaction, if any.
7.7 STR reporting templates are available on the Commercial Affairs Department’s website. However, insurers are strongly encouraged to use the online system provided by STRO to lodge STRs, as this also enables reporting entities to be kept apprised of STRO’s advisories. In the event that an insurer is of the view that STRO should be informed on an urgent basis, including where a transaction is known to be part of an ongoing investigation by the relevant authorities, the insurer should give initial notification to STRO by telephone or email and follow up with such other means of reporting as STRO may direct.
7.8 Under exceptional circumstances (e.g. if the online system is down) where the insurer files an STR manually with the STRO (i.e. not through the STRO Online Notices and Reporting Platform (SONAR)), a copy of the report should be extended to the Authority for information.
6 RECORD KEEPING AND DOCUMENTATION
6.1 There should be adequate documentation by the insurer for the basis of clearing or dismissing hits arising from its screening procedures (i.e. false positive hits). As a good practice, additional parameters such as date of birth and nationality should minimally be used to establish and dismiss false hits.
6.2 There should be documentation and maintenance of proper records by the insurer as to when screening was performed, the results of the screening and the assessment of screening results for all policies.
6.3 A record of all transactions referred to the Suspicious Transaction Reporting Office (“STRO”) should be maintained by an insurer, including the relevant internal findings and analysis.
6.4 In cases where an insurer maintains an internal database containing the list of designated individuals and entities for the purpose of screening, there should be clear documentation of when the internal database was most recently updated, as well as of the name of the person who carried out the update.
5 CUSTOMER DUE DILIGENCE AND SCREENING PROCEDURES
5.1 Screening of customers should be carried out against relevant ML/TF information sources, which include designated names of individuals and/or entities within:
(a) the lists and information provided by the Authority or other relevant authorities in Singapore in relation to ML/TF risks;
(b) the First Schedule of the TSOFA; and
(c) the MAS TFS Regulations.
5.2 In the context of direct insurance business, the screening of customers should include the screening of policy owners, insureds and claimants. In cases where an insurer has assessed the policy owner or insured to be of a higher ML/TF risk, the insurer should also screen the substantial shareholders (direct and indirect), beneficial owners, natural persons appointed to act on behalf of the customer and directors, if any, of the policy owner or insured.
5.3 In the context of reinsurance business, the screening of customers should include the screening of cedants and claimants. Underlying insureds should also be screened in cases where they are made known to the reinsurers. In cases where a reinsurer has assessed the cedant or underlying insured to be of a higher ML/TF risk, the reinsurer should also screen the substantial shareholders (direct and indirect), beneficial owners and directors, if any, of the cedant or underlying insured.
5.4 Screening of customers should be conducted at the following points in time:
(a) before establishing business relations for new customers, otherwise as soon as reasonably practicable thereafter;
(b) prior to renewing business relations with existing customers;
(c) on a regular basis after the establishment of business relations;
(d) when there are changes made to the lists mentioned in paragraph 5.1 above;
(e) before making claim payments to claimants.
5.5 For the purposes of screening, the insurer should, at a minimum, either:
(a) subscribe to a commercial sanctions database; or
(b) maintain an internal database containing the names of designated individuals
5.6 The screening database(s) (i.e. commercial sanctions database and/or internally-maintained database) and procedures adopted by an insurer should be effective in identifying individuals and entities with adverse information, as well as designated individuals and entities as defined in the First Schedule of the TSOFA and the MAS TFS Regulations, or as informed by the relevant authorities in Singapore.
5.7 In view of system limitations in screening capability, some insurers may not be able to effectively detect designated individuals or entities if they were to perform screening based on a full/exact match logic instead of a partial/fuzzy match logic for name searches. A full/exact name match for screening should not be used, as this will likely result in missed sanctions or adverse comments hits. In addition, the screening filters used by the insurer should not be limiting and should take into account the various permutations of a person’s first and last names.
5.8 Insurers are reminded that where screening results in a positive hit against the lists mentioned in paragraph 5.1, an insurer shall freeze without delay and without prior notice, the funds or other assets of designated persons and entities that it has control over, so as to comply with applicable laws and regulations in Singapore. This would include both the TSOFA and the MAS TFS Regulations relating to sanctions and freezing of assets of persons. Any such assets shall be reported promptly to the relevant authorities and an STR shall be filed.
5.9 Insurers should also have in place screening procedures when hiring employees, officers and agents, and when establishing business relationships with offshore intermediaries. This should include, where applicable:
(a) background checks with past employers;
(b) credit history checks;
(c) screening against ML/TF information sources; and
(d) bankruptcy searches.
4 MANAGEMENT OVERSIGHT, POLICIES AND TRAINING
4.1 The roles and responsibilities of the board of directors and senior management in relation to AML/CFT should be clearly set out.
4.2 There should be a formalised process in place to keep the board of directors and senior management informed regularly of compliance and risk management efforts, audit reports, identified compliance and risk management deficiencies, and corrective actions taken in relation to AML/CFT. Examples of such reports may include statistics on the number of Suspicious Transaction Reports (“STRs”) filed, sanctions hits, outstanding transaction monitoring alerts and/or sanctions alerts including aging reports and resource issues.
4.3 Senior management are reminded to take prompt corrective actions to ensure the proper and timely remediation of deficiencies in AML/CFT controls and risk management.
4.4 There should be adequate processes in place for updating senior management and any other relevant personnel of AML/CFT-related updates issued by the Authority or other relevant authorities in Singapore. There should also be a designated employee (e.g. Head of Compliance) responsible for providing such updates to management and other relevant personnel.
4.5 There should be a clear and detailed set of documented AML/CFT policies and procedures in place that incorporate, at a minimum, the following elements:
(a) Customer due diligence and screening procedures;
(b) Documentation of screening results;
(c) Assessment, escalation and reporting of suspicious transactions; and
(d) Frequency and recipients of AML/CFT-related training.
4.6 AML/CFT policies and procedures should be reviewed regularly by the board of directors and/or senior management. At a minimum, these policies should be reviewed whenever there are changes in regulations or if there is a significant change in the insurer’s business strategies.
4.7 Regular AML/CFT-related training should be conducted for the board of directors, employees and agents (where applicable) of the insurer. Such training may take the form of seminars, e-learning modules, etc.
3 THE THREE LINES OF DEFENCE
3.1 Insurers are reminded that the ultimate responsibility and accountability for ensuring compliance with AML and CFT (“AML/CFT”)-related laws and regulations rest with their board of directors and senior management.
3.2 An insurer’s board of directors and senior management are responsible for ensuring strong governance and sound risk management and controls in relation to AML/CFT within the insurer. While certain responsibilities can be delegated to senior employees responsible for AML/CFT, the final accountability rests with an insurer’s board of directors and senior management. The insurer should ensure a strong compliance culture throughout the organisation, where the board of directors and senior management set the right tone from the top. The board of directors and senior management should also set a clear risk appetite and establish a compliance culture whereby financial crime is not tolerated.
3.3 Business units (e.g. front office, customer-facing functions) constitute the first line of defence in identifying, assessing and mitigating the ML/TF risks faced by an insurer. As part of the first line of defence, business units require robust controls to detect illicit activities and should be allocated sufficient resources to perform this function effectively. The insurer’s policies, procedures and controls on AML/CFT should be clearly documented in writing, and communicated to all relevant officers, employees and agents in the various business units. The insurer should also ensure that its officers, employees and agents are adequately trained to be aware of their AML/CFT-related obligations, so that the insurer is in compliance with prevailing AML/CFT laws and regulations.
3.4 The second line of defence includes an insurer’s compliance function, and other support functions such as operations, human resource or technology that work together with the compliance function to identify ML/TF risks. The compliance function is typically responsible for the screening of new and existing business relations and their ongoing monitoring. The compliance function should alert the board of directors or senior management if it has reason to believe that the insurer’s officers, employees or agents are failing or have failed to adequately address ML/TF risks and concerns or have breached applicable AML/CFT laws and regulations. While the other support functions also play a role in mitigating ML/TF risks that an insurer faces, the compliance function will usually be the main contact point in relation to all AML/CFT-related issues for domestic and foreign authorities, including supervisory authorities, law enforcement authorities and financial intelligence units.
3.5 The third line of defence is an insurer’s internal audit function, which plays a key role in independently evaluating the insurer’s AML/CFT risk management framework and controls. This independent assessment is achieved through internal audits (or an equivalent function’s periodic evaluations) of the insurer’s compliance with AML/CFT laws and regulations, as well as policies, procedures and controls. An insurer should establish policies for periodic AML/CFT internal audits, covering areas such as –
(a) adequacy of the insurer’s AML/CFT policies, procedures and controls in identifying ML/TF risks, addressing the identified risks and complying with laws, regulations and notices;
(b) effectiveness of the insurer’s officers, employees and agents in implementing the insurer’s policies, procedures and controls;
(c) effectiveness of the compliance oversight and quality control including parameters and criteria for transaction alerts; and
(d) adequacy and effectiveness of the insurer’s AML/CFT training of relevant officers, employees and agents.
The results of these assessments should be reported to either the Audit or Risk Committee of the insurer, or a similar body of oversight, on a regular basis. Significant AML/CFT issues should be escalated to the Board. Any deficiencies identified should be promptly addressed to mitigate risks, including legal and reputational risks, to the insurer.
3.6 The board of directors and senior management should understand the ML/TF risks that the insurer is exposed to and how the insurer’s AML/CFT control framework operates to mitigate those risks. The AML/CFT controls put in place by an insurer should be commensurate with the scale, complexity and inherent risk of the insurer, and may be broadly categorised into the following 4 categories, which will be elaborated on within these Guidelines:
(a) Management Oversight, Policies and Training;
(b) Customer Due Diligence and Screening Procedures;
(c) Record Keeping and Documentation; and
(d) Assessment and Reporting of Suspicious Transactions.
2 MONEY LAUNDERING AND TERRORISM FINANCING
2.1 Insurers should be cognisant of their exposure to ML/TF risks. Payments originating from insurers are viewed as commonplace, with the money assumed to be clean. If money launderers are able to successfully place funds into an insurance policy, they would have made significant steps in layering and integrating such funds into the financial system.
2.2 Funds for TF may be derived from criminal activities such as robbery, drug-trafficking, kidnapping, extortion, fraud or hacking of online accounts. In such cases, there may also be an element of money laundering involved to disguise the source of such funds.
2.3 Terrorist acts and organisations may also be financed from legitimate sources such as donations from charities, legitimate business operations and self-funding by individuals. In addition, considering the fact that TF does not always need to involve large sums of money, TF can be hard to detect and insurers should remain vigilant.
2.4 In the case of direct insurance business, ML/TF activity could occur within the context of, and as the motive behind, insurance fraud. For example, exaggerated or false claims could be made to recover part of invested illegitimate funds. Other examples could include the refund of premiums, by an insurer’s cheque, for overpaid or cancelled policies.
2.5 In the case of reinsurance business, ML/TF activity could occur through the establishment of fictitious fronting arrangements and captives, or by the misuse of normal reinsurance transactions. Examples include dealing with bogus insurers or receiving tainted premiums from insurers which have weak anti-money laundering (“AML”) controls that allow illicit funds or funds from unclear or dubious sources to pass through.