Federal antiterrorist legislation enacted last October requires that health insurance companies, along with an array of other financial institutions, should have adopted and implemented programs to combat money laundering by April 24, 2002. Because the health insurance industry has not previously been subject to such requirements, many health insurers are not even aware that this applies to them.
On Oct. 26, 2002, President Bush signed the USA PATRIOT (Providing Appropriate Tools Required to Intercept and Obstruct Terrorism) Act, designed to combat terrorism on several fronts. Title III of the USA PATRIOT Act, referred to as the International Money Laundering Abatement and Anti-Terrorist Financing Act of 2001, contains a series of provisions against money laundering. These are designed to strengthen existing laws by establishing new requirements and expanding the existing obligations to a broader range of institutions.
Insurers not exempted
Depository institutions, which includes banks and savings and loan associations, have been subject to anti-money-laundering requirements for decades. Under the Money Laundering Act, all financial institutions, as defined in the Bank Secrecy Act, are also subject to anti-money-laundering requirements.
The Bank Secrecy Act defines the term financial institution broadly, to include — among others — banks, trust companies, thrift institutions, private bankers, investment bankers, investment companies, loan or finance companies, broker-dealers in securities or commodities, and insurance companies. The act does not define the term insurance company, and thus, on its face, appears to apply to all insurance companies, including health insurers and, possibly, HMOs.
The Money Laundering Act applies to certain financial institutions — specifically, banks, thrifts, trust companies, credit unions, U.S. branches or agencies of foreign banks, and registered broker-dealers. The definition of a "covered financial institution" does not specifically include insurance companies. Accordingly, insurance companies are not subject to the much broader substantive prohibitions imposed on institutions covered under the act.
The act also empowers the secretary of the treasury to exempt certain financial institutions from its anti-money-laundering requirements. Yet, the treasury department had not exempted insurance companies or any other category of financial institution as of press time.
The act also authorizes the department to set minimum standards for programs that would combat money laundering, and requires the department to prescribe regulations that would allow financial institutions some flexibility in developing programs to fight money laundering, commensurate with their size, location, and activities. As of press time, no such regulations had been issued.
Section 352 of the Money Laundering Act requires financial institutions to have developed and instituted anti-money-laundering programs by April 24. The act does not offer detailed guidance on the structure or content of such programs, stating only that each financial institution's anti-money-laundering program must include, at a minimum:
Internal policies, procedures, and controls;
The designation of a compliance officer;
An employee training program; and
An independent audit function to test programs.
Because the treasury department has not yet issued regulations indicating how financial institutions should implement these requirements, insurance companies and other institutions will not have the benefit of federal guidance when formulating their programs. In preparing their programs, health insurers may want to keep the following guidelines in mind:
Policies should be tailored to the institution. First, the act's legislative history makes it clear that Congress did not envision a one-size-fits-all program requirement to combat money laundering. Rather, Congress intended each financial institution to have the flexibility to design such a program to fit its size, location, activities, types of accounts, nature of its customer base, and vulnerability to money laundering.
Internal policies, procedures, and controls. Internal measures should be designed in a way that allows the institution to identify suspicious activities that may be indicative of money laundering or other illegal activity.
They should include, among other matters, provisions designed to verify the identity of an insurance company's customers; identify customer-risk indicators that would trigger additional scrutiny (for example, any unusual or disadvantageous early redemption of an insurance policy); and procedures designed to prohibit transactions with individuals, entities, and jurisdictions identified by the office of foreign assets control (OFAC), including those individuals on OFAC's "specially designated nationals and blocked persons" list.
With regard to verifying the identity of customers, Section 326 of the USA PATRIOT Act requires the treasury department to issue regulations establishing minimum know-your-customer procedures.
These regulations, which are to be in place and effective before Oct. 26, 2002, will, at a minimum, require financial institutions to implement, and customers (after being given reasonable notice) to comply with, procedures for: (1) verifying the identity — to the extent reasonable and practicable — of any person who would open an account; (2) maintaining records of the information used to verify a person's identity, and (3) consulting government-provided lists of known or suspected terrorists or terrorist organizations to determine whether a person who wants to open an account appears on any such list.
After the know-your-customer regulations are finalized, insurance companies will need to review their anti-money-laundering programs to ensure that they are in compliance.
Compliance officer. A compliance officer should have sufficient authority to implement and enforce the company's policies and procedures aimed at money laundering. This provides evidence of senior management's commitment to efforts to combat money laundering and, more importantly, provides added assurance that the officer will have sufficient clout to investigate potentially suspicious activities.
Employee training. Training must involve all relevant employees and must be constantly updated. Employees should be able to recognize signs of possible money laundering (suspicious activities) and know what to do once a risk is identified.
Programs will need to be re-evaluated frequently to ensure that employees understand their obligations under the act and its regulations. Updating training programs will be particularly important as regulations that implement the provisions of the act are proposed and adopted.
Audit. Insurance companies must commission an independent audit of their anti-money- laundering programs. The audit, which will review and test implementation of the financial institution's policies and procedures, should take place at least once a year and should cover all aspects of the company's operations.
Because the health insurance industry historically has not been the subject of anti-money-laundering regulations, many health insurers do not have experience with developing and implementing such programs. Insurance companies will need to pay special attention to such developments and be prepared to implement the new requirements.
Melanie Brody is a partner in the Washington, D.C., office of Kirkpatrick & Lockhart LLP.