Does your company file SARs when you find fraud by agents, clients, or hackers?
By Vicki Landon
Do you know insurers must file Suspicious Activity Reports (SARs) for fraud and can be fined for failing to do so? In fact, regulators have fined broker-dealers and Money Service Businesses (MSBs) millions of dollars for failing to file SARs on agent fraud, questionable transactions by investment advisors, account takeover, and breaches of personal data. Some have been fined for not reporting attempts to gain unauthorized access.
But no insurance company has been fined under the Bank Secrecy Act (BSA) yet. Do FinCEN and the DOJ care about fraud and cybercrimes in insurance companies?
Yes. Since 2015, FinCEN has been applying the BSA more broadly, increasing its focus on fraud, cybercrime, and tax evasion. These crimes have been on the rise and the SAR database helps law enforcement (at all levels) bring criminals to justice.
While no insurance company has yet been fined under the BSA, you don’t want to be the first, and it seems certain to happen eventually. The likelihood of a fine may be low today, but the compliance obligation is clear based on the letter of the law.
What kind of fraud should insurance companies report?
The BSA details suspicious activities that should be reported via SAR and also provides an exception: “An insurance company is not required to file a SAR to report the submission to it of false or fraudulent information to obtain a policy or make a claim, unless the company has reason to believe that the false or fraudulent submission relates to money laundering or terrorist financing.”
So, what MUST be reported via a SAR? In §1025.320 cited in the footnote reference, the BSA specifies that insurers are required to report a transaction involving $5,000 or more that involves illicit funds, is designed to evade reporting requirements, has no business or apparent lawful purpose, or involves using the insurance company to facilitate criminal activity. It adds that an insurance company is responsible for reporting suspicious transactions by its agents and brokers.
What is an insurance company’s vulnerability to BSA fines?
Like MSBs and broker-dealers, insurance companies have long been vulnerable to agent fraud and account takeover. (See recent examples of agent fraud and ATO from our customers, below.) Elderly clients are among the most vulnerable to these fraudulent schemes. These are among the issues that all regulators, both state and federal, are prioritizing.
What kind of fraud has been trending among insurance companies?
Our clients have seen new or spiking fraudulent activities such as the following, all of which should be reported via SAR:
Several insurers have recently seen a spike in advance commission fraud.
Account takeover is on the rise, often through online activity (e.g., new online account access, change of address, surrender request, etc.)
Elder financial exploitation has also spiked, often by a family member, caregiver, or agent, but increasingly through cybercrime.
Several companies have discovered counterfeit checks purportedly written by the insurer. For example, the scammer sends a counterfeit check, insured via courier, and later contacts the insured to say it was a mistake intended to go to an auto insurance rep. The scammer asks the insured to transfer the value to a specified account.
Business email compromise is on the rise, featuring, for example, fraudulent emails from company executives but also fraudulent emails from 314(b) companies. Section 314(b) is a safe-harbor program for financial institutions to exchange information about customers’ accounts in the interest of discovering fraud or other crimes. At least one company received emails laden with malicious content purportedly from a real individual at a credit union targeting the insurer’s real AML personnel. (Fortunately, the company’s security systems intercepted the email.)
Cybercriminals are accessing insurers’ customer information though hacking agents’ systems.
Insurers have reported employees receiving blackmailing emails saying the employee has visited “bad” websites and must send bitcoin or be reported.
A fraudster impersonating a client requests company payout to be sent via FedEx to the client’s address, obtains the tracking number, then gives FedEx the tracking number to reroute the payout.
What can your company do to make sure fraud is appropriately evaluated for SAR reporting in compliance with the BSA?
The AML team and the SIU or fraud teams should work closely together to analyze fraud attempts for potential SAR filings. In cases of agent fraud, the AML teams generally involve legal and marketing in creating red flags, investigation processes, and evaluation for filing SARs.
How can you stay current and make sure you’re appropriately filing SARs for fraud and cybercrime?
Contact Currin Compliance Services to have an Independent AML Audit (as required by the BSA) to help you pinpoint your vulnerabilities and strengthen your AML, fraud, and cybersecurity programs.
