Insurance & Technology is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


11:06 AM
Connect Directly

Ready for the USA PATRIOT Act?

Insurers must begin working immediately, in terms of policies, controls and systems implementations, to meet the compliance deadline.

This Month's Experts


Director, Insurance Practice, TowerGroup, Needham, MA.


Vice President, Information Technology, RLI Insurance Co., Peoria, IL, $1.39 billion in assets.


Global Vice President, Trading and Risk Management, Cap Gemini Ernst & Young, New York.


Senior Director of Product Strategy, Sybase, Dublin, CA.

Q: Are insurance CIOs aware of what's expected of IT for USA Patriot Act compliance? How far along should insurers be in the compliance process?

A: Jamie Bisker, TowerGroup: Insurance company CIOs have been made aware of the act from the national insurance organizations, as well as their own state departments of insurance and press reports. While the April 24, 2002, deadline for establishing anti-money laundering programs has been extended (for up to six months) by the Treasury Department, carriers should already have started their compliance with the basic requirements. The minimum compliance requirements include development of internal policies, procedures, and controls to identify money laundering appropriate to the level of risk associated with the activity in question. Insurers also must designate a compliance officer to execute these responsibilities. Development and implementation of an employee training program to match employee roles in the effort to identify and control money laundering is another minimum requirement. Carriers must also create an independent audit program to monitor and test the implementation of these requirements.

A: Piyush Singh, RLI Insurance: RLI Insurance is quite aware of what is expected of IT for compliance. It has a person in its legal department watching for compliance requirements. RLI is currently proceeding on two parallel tracks. As part of track one, RLI is evaluating different software offerings. In track two, it is trying to define the processes that need to be followed internally. As part of this track RLI is also coordinating with external entities when a name match is found. As you can understand, a name match is not sufficient evidence and grounds for people to stop doing business. We will definitely meet the compliance deadline; hopefully RLI will be compliant before the deadline.

A: Neal Oswald, Cap Gemini Ernst & Young: Some view the insurance industry as being the least prepared to take on the tasks associated with compliance with the Patriot Act. The industry feels there is little evidence of money laundering being conducted through insurance. Devising rules for the insurance industry will require more time, as the industry is so varied. Accordingly, the Treasury Department is exercising its authority to defer, for not more than six months, the application of Section 352 of the act for the insurance industry. Nevertheless, the industry has existing obligations to file reports of transactions involving cash or currency. Insurers should commence preparation immediately. They should immediately designate compliance officers and they should also undertake a risk-based assessment to identify potential compliance gaps and risks.

A: Bob Breton, Sybase: To many insurance CIOs, compliance with the requirements set by the Patriot Act is new. Given the tight timeframe within which they are required to become compliant, they are forced to get up to speed rather quickly. Insurers must have in place a fully actionable plan by October of this year.

Q: What types of resources will IT organizations need to comply? How much money can the average insurer expect to spend on Patriot Act compliance? How will this affect other IT initiatives?

A: Bisker, TowerGroup: The resources required for compliance, in terms of funding and staff, will vary between carriers. Monetary factors depend on the market coverage a given insurance carrier has (regional single-line, to national and international multi-line carriers). Costs could range from $250,000 to several million dollars. Ongoing costs will include the cost for additional staff for compliance, monitoring, auditing and training. As most budget cycles were completed by the time the initial requirements were made public, and the requirements for the insurance industry are still being formulated, it is unlikely that many carriers have sufficiently budgeted for this in their 2002 budgets. However, it is clear now that monies need to be targeted to this, and most carriers will respond with discretionary funds.

A: Oswald, CGE&Y: The USA Patriot Act requires the affected financial organizations to designate a compliance officer who will have to educate senior management and executives across the organization on the risks, penalties and issues surrounding compliance with the Act. A smoother transition will come from a significant technology investment of purchasing and integrating a pre-packaged solution, rather than having one built. It is unlikely that financial institutions have all resource requirements budgeted, as the industry is varied and the tasks in the timeline to ensure compliance are very complex and burdensome. However, compliance is not optional and insurance institutions need to make it a priority.

A: Breton, Sybase: In terms of staffing, insurance companies should not require a significant change in resources. However, they will require systems to support compliance. Regulators have repeatedly pointed out that manual reviews of suspicious activities will not be deemed sufficient. As such, insurers will have to purchase the systems/software necessary to beef up their infrastructures so that this process is happening electronically and in real-time. Depending on the existing platform, insurers should expect to pay a minimum of $200,000.

Q: The act says insurers are responsible for their employees regarding the anti-money laundering (AML) legislation, but are insurers responsible for agents? Should carriers extend use of AML technologies to agents? What are the risks due to agents working without anti-money laundering technologies?

A: Bisker, TowerGroup: The question is not whether carriers should extend their AML technologies to agents, but how. With the advent of real-time CRM solutions and the "push" of data back to agents, it seems likely that agents will have several options presented to them to assist insurers in this important task. When an application is taken, a carrier's AML system may flag it from an Office of Foreign Asset Control (OFAC) database hit, or from a suspicious transaction standpoint. An agent may receive a real-time reply with these things flagged and procedures would have to be followed (most likely to do nothing) to assure an individual's rights were not being denied and that national security was also being served. Another likely scenario is a periodic report or daily alert as to AML activity.

A: Singh, RLI Insurance: We have not thought about the implications from an agent's perspective but intend to link all our systems-e-commerce as well as internal wholesale brokerage systems-to run the checks prior to any binding of the policies. We will also offer on-line checking for agents who might need to do the same.

A: Oswald, CGE&Y: Insurance agents are the first line of defense and are often the only contact insurers have with customers. Primarily, it is the agents who have an opportunity to view the behavior of clients, which may be suspicious, and to ask appropriate questions. Compliance with AML and anti-terrorist requirements is not only a compliance matter, but also one that is directly related to reputation. One important consideration for any insurance company that has investment services or has registered as a bank holding company: It must comply with banking and securities requirements and deadlines, regardless of those for insurance.

A: Breton, Sybase: Title III, Section 355 requires that employees, agents and brokers be verified of anti-money laundering legislation. Anyone acting on behalf of a company is covered. This is also covered in the commissioners' letter dated March 17, 2002. Insurers can extend the use of their AML technology to agents, but at the very least, they should cover their transactions with their agents. It is important to point out the law does require that companies understand the business their agents conduct and that they are in compliance. Insurance companies should be fearful if they haven't conducted the necessary due diligence to ensure that their agents meet the compliance requirements, as not only will they be met with customer backlash, but they could find themselves involved in illicit activities.

Register for Insurance & Technology Newsletters