ALICO OFAC Case Article

Insurance giant American Life Insurance Company (ALICO), a Delaware subsidiary of MetLife, recently found itself at the center of an unusual crisis following a penalty from the U.S. Office of Foreign Assets Control (OFAC). The company was fined $178,421 for violating U.S. sanctions.

We don’t often see sanctions penalties being doled out to insurers. While the case study is unique, it also sheds light on the challenges insurers face in maintaining effective compliance frameworks and serves as a reminder of their continued susceptibility, especially via subsidiaries and third parties.

The Case

Part 1

In Feb 2023, a sales agent in the UAE requested a customized insurance policy on behalf of a client (Client A).

Following the standard compliance procedure, ALICO collected KYC information, including a trade license that identified Client A’s owner as the Iranian Embassy. The details went through the usual sanctions screening (OFAC SDN).

While alerts were generated, they were treated as false positives since the entity itself was not an SDN or a blocked person.

However, the PEP screening pointed out the direct connection to the Iranian Embassy’s ownership; the case was escalated to the regional compliance team and subsequently to MetLife’s Anti-Financial Crimes Unit, which declined the onboarding.

So far so good.

Seven days later, the same sales agent resubmitted Client A’s request, this time via a pre-packaged policy, instead of a custom policy, through a third-party administrator (TPA). In addition, the agent removed the reference to the Iranian Embassy from the trade license, enabling the SDN and PEP screenings to pass without any flagging. Consequently, the policy was issued.

Evidently, ALICO seems to have lacked a system to screen new applications against those that had previously been rejected or blocked, especially those processed via TPAs.

Part 2

The same sales agent later submitted another request for a customized policy via both the underwriters and the TPA for a school in the UAE (Client B), which had the term ‘Iranian’ in its name. He went so far as to informally ‘stress test’ the trade license data of the school.

Despite the name reference, no alerts were triggered. With this confidence, he went ahead and submitted the policy, which was subsequently approved.

Here, there seem to have been some model issues with the screening facility, so that the name did not generate an alert despite containing “Iran”.

Part 3

Later, Client B attempted to pay premiums for both Client A and Client B via a single check drawn at Bank Melli, a blocked Iranian institution. The payment was promptly rejected.

The client requested approval to pay the premiums in cash, facilitated by the sales agent. ALICO conducted a review and another screening of the transaction. Despite the clear connection to Bank Melli and the trail of a blocked transaction screening effort, no red flag was raised, and the insurer ended up accepting USD 78,143.36 via cash.

Here, we see multiple control failures. The first concerns controls around requests for cash payment after a check payment failed owing to a blocked institution. The second concerns the combined payment for two unrelated entities. Seen together, both should have raised sufficient reasons for enhanced due diligence. With or without an SDN reference, this looked like a red flag.

Part 4

During the revalidation and reverse screening process, a member ‘recollected’ that Client A had been rejected owing to controllership issues and requested further investigation into the deviation.

During the course of the review, manipulation of the trade license was noted. This cascaded into a more detailed round of reviews that uncovered several policies issued to another Iranian-controlled school in the UAE (Client C), despite its letterhead stating ‘The Islamic Republic of Iran,’ which was not flagged during the KYC due diligence process.

Further, certain backdated claims by the said entities were paid by the TPA despite multiple notifications by ALICO.

Here again, we see various control failures. What if no one recollected the connection with the entity in the first place? The control was purely a human intuitive check rather than anything else.

Multiple instances of similar categories of customers getting passed through without sufficient screening point to weak KYC/due diligence control frameworks at the sales, compliance, branch, and TPA levels.

In summary, ALICO ended up collecting premiums worth approx. USD 240,000, with claims totaling approx. USD 200,000.

Owing to the voluntary self-disclosure and the non-egregious nature of the violations, the final penalty amount was reduced from a maximum civil penalty of USD 85mn to USD 178,421.

Way Forward

Based on the above case study, insurers may want to consider:

  • Strengthening screening protocols to generate alerts when the names of sanctioned countries appear.
  • Screening counterparties against historically blocked/rejected/declined/blacklisted entities.
  • Enhancing KYC & documentation review protocols.
  • Additional controls around receiving cash premium post-failure of check payments drawn at blocked FIs.
  • Strengthening oversight and control frameworks as implemented by TPAs and other outsourced entities.
  • Improving training & development mechanisms for sales, TPAs & compliance staff on identifying and mitigating money laundering & sanctions risks.
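
The first, second and fourth recommendations above can be expressed as simple screening rules. The following is an added example, not ALICO's or OFAC's code; the field names, alert codes, licence numbers and records are all constructed for illustration, and the term and blocked-FI lists stand in for maintained lists.

```python
import re

# All names, licence numbers and records below are constructed for illustration.
COUNTRY_TERMS = re.compile(r"\biran(ian)?\b", re.IGNORECASE)  # stand-in for a maintained list
BLOCKED_FIS = {"bank melli"}                                   # stand-in for a blocked-FI list
DECLINED = [{"license_no": "TL-0001", "name": "Client A Trading LLC"}]

def norm(s):
    """Lower-case and collapse punctuation so cosmetic edits do not defeat matching."""
    return re.sub(r"[^a-z0-9]+", " ", s.lower()).strip()

def screen_application(app, declined=DECLINED):
    """Alerts for one onboarding request, whatever channel (underwriter or TPA) it used."""
    alerts = []
    # Search every free-text KYC field, not only the applicant name.
    text = " ".join(app.get(k, "") for k in ("name", "owner", "letterhead"))
    if COUNTRY_TERMS.search(text):
        alerts.append("COUNTRY_TERM")
    # Compare against the history of declined applicants by licence number or name.
    if any(app.get("license_no") == d["license_no"] or norm(app["name"]) == norm(d["name"])
           for d in declined):
        alerts.append("PRIOR_DECLINE")
    return alerts

def screen_payment(payment, history):
    """Alerts for a premium payment, given earlier payment attempts on the same policies."""
    alerts = []
    policies = set(payment["holders"])  # mapping: policy id -> policyholder
    blocked_before = any(
        h["status"] == "rejected" and norm(h.get("bank", "")) in BLOCKED_FIS
        and policies & set(h["policies"]) for h in history)
    if payment["method"] == "cash" and blocked_before:
        alerts.append("CASH_AFTER_BLOCKED_FI")
    if len(set(payment["holders"].values())) > 1:
        alerts.append("MULTI_HOLDER_PAYMENT")
    return alerts

if __name__ == "__main__":
    # Resubmission with the owner field emptied still matches the decline history.
    print(screen_application({"name": "Client-A Trading LLC", "license_no": "TL-0001", "owner": ""}))
    print(screen_application({"name": "Example Iranian School", "license_no": "TL-0002"}))
    history = [{"policies": ["POL-A", "POL-B"], "method": "check",
                "bank": "Bank Melli", "status": "rejected"}]
    cash = {"method": "cash", "holders": {"POL-A": "Client A", "POL-B": "Client B"}}
    print(screen_payment(cash, history))
```

Any alert here is a trigger for escalation and enhanced due diligence, not an automatic decline.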