65. How frequently is an insurer expected to screen its databases for OFAC compliance?
OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if such person did not have knowledge that it was engaging in a transaction that was prohibited under sanctions laws and regulations administered by OFAC.
OFAC recommends insurers use a risk-based approach to sanctions compliance consistent with OFAC’s Framework for Compliance Commitments. Sanctions compliance programs, including screening frequency, will vary depending on the size and nature of an insurer’s business (including the particular risk factors of its products and customer base) and its relevant regulator. Routine screening of all issued policies, policyholders, beneficiaries, and other relevant counterparties improves an insurer’s ability to comply with applicable OFAC regulatory requirements.
In addition to screening all relevant policyholders, beneficiaries, and counterparties to an insurance policy upon issuance (as described in FAQ 62), insurers should also consider screening against OFAC sanctions at policy renewal, policy amendment (including, but not limited to, the addition of insured parties or beneficiaries to the policy), claim submission, claim payment, updates by OFAC to its sanctions or sanctions lists, and at any other time when an insurer may be exposed to sanctions risk. OFAC's sanctions programs and lists are updated frequently. Screening only at the point of policy issuance may expose insurers to sanctions risk, for example, providing financial benefit to subsequently blocked persons.
Date Updated: November 13, 2024
Date Released
January 30, 2015
---
65. How frequently is an insurer expected to scrub its databases for OFAC compliance?
That is up to your firm and your regulator. Remember that a critical aspect of the designation of a Specially Designated National (SDN) is that the SDN's assets must be frozen immediately, before they can be removed from U.S. jurisdiction. If a firm only scrubs its database quarterly, it could be 3 months too late in freezing targeted assets. Although the prohibitions and treatments for individuals and entities on OFAC's other sanctions lists are different from those on the SDN list, there may be similar consequences if your firm takes a long time in recognizing a sanctions list match.
OFAC's sanctions lists may be updated as frequently as a few times a week or as rarely as once in a month. [01-30-2015]
1) OFAC expects routine re-screening of pre-existing customers. See AXA Equitable Life Insurance Company (2016), Bupa Florida (2014) and GEICO General Insurance Company (2nd action) (2010) for examples of insurance companies being fined for failing to re-screen pre-existing persons insured. All indications are that "quarterly" is not even close to being in line with OFAC's expectations (see original version of the FAQ), but at the same time, OFAC does not appear to expect real-time daily rescreening of all policy data. Instead, it appears that rescreening with respect to policies in a status quo state is less of a priority than screening at times when discrete “dealings” in the policy occur, with the examples being “policy renewal, policy amendment (including, but not limited to, the addition of insured parties or beneficiaries to the policy), claim submission, claim payment, updates by OFAC to its sanctions or sanctions lists, and at any other time when an insurer may be exposed to sanctions”.
2) Reason to Know
As discussed at length in General Note on the Terms "Knowingly," "Should Have Known" And "Reason to Know" In the Primary Sanctions, Secondary Sanctions and Derivative Designation Contexts (System Ed. Note), OFAC does not (or at least has not) pursued enforcement in cases in which an alleged violator did not have a “reason to know” of the facts and circumstances giving rise to the alleged violations. Notwithstanding this, OFAC has issued certain guidance documents stating that “OFAC may impose such civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if such person did not know or have reason to know that it was engaging in a transaction that was prohibited under sanctions laws and regulations administered by OFAC”. See e.g. Sanctions Risks Related to Petroleum Shipments involving Iran and Syria and Sanctions Compliance Guidance for the Virtual Currency Industry (2021 Brochure). What is the point of appearing to “reserve the right” to enforce violation against persons that did not “have reason to know that it was engaging in a transaction that was prohibited”? On 11-17-24, this FAQ was amended to add the following language:
“OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if such person did not have knowledge that it was engaging in a transaction that was prohibited under sanctions laws and regulations administered by OFAC”.
This is the first such time that OFAC has changed the wording of the relevant sentence to specify that a person “may be held civilly liable even if such person did not have knowledge that it was engaging”. The likely reason for the change is that, in the preceding FAQ # 64, OFAC makes an effort to convey that there would not be an enforcement concern where an insurer learns of the sanctions-implicating nature of a policy once a claim is made where the insurer did not have a “reason to know” of such sanctions-implicating facts. If OFAC cut and pasted the “may be held civilly liable even if such person did not know or have reason to know” language that appears in certain other guidance documents, this would have clashed with the prior FAQ.