Over the last four years, the Dutch Central Bank (De Nederlandsche Bank, DNB) has investigated the compliance of insurers (both life and non-life) with the Dutch sanctions rules and regulations. Recently DNB published its findings stating that during this period improvements were made, but that there is still a lack of awareness among insurers of the risks that they face in the sanctions domain.
In this article, we will consider the results of DNB’s investigations. We will also address a number of topics that have been addressed in a recently published Q&A by DNB on compliance with the Dutch Sanctions Act (Sanctiewet 1977, the Sanctions Act) by non-life insurers. This article concludes with DNB’s most recent investigation into branches of non-Dutch EEA insurers operating in the Netherlands.
Compliance with the Sanctions Act by insurers has been a subject of special attention of DNB since 2012, when it first launched its first investigation into this topic. At the end of 2012, DNB organized a seminar, where it published the results of its investigation. Deficiencies were detected at two out of three insurers and DNB announced that it would become more stringent in ensuring compliance with the Sanctions Act.
In October 2014, on the heels of the sanctions measures that were imposed in relation to the conflict between Russia and the Ukraine, DNB launched another investigation into compliance with the Sanctions Act. The first results of this investigation caused the DNB to conduct a follow-up investigation and to make compliance with the Sanctions Act a thematic project for 2015. As part of DNB’s thematic investigation entitled Compliance Sanctions Act, insurers were required to complete questionnaires and a number of insurers were investigated on-site. In November 2015, DNB published an update on its thematic investigation in which it indicated that, among other things, some insurers had difficulties in implementing adequate measures to ensure compliance with the Sanctions Act, while others had implemented excessive measures.
In March 2016, DNB published the final results of its two year thematic investigation. DNB concluded that compliance with the Sanctions Act was still generally inadequate. For example, DNB indicated that the insurers’ systematic integrity risk analysis (SIRA) was inadequate and that sanction rules and regulations were scarcely addressed in training programmes for employees. In addition, DNB noted a number of other problems, including but not limited to the following:
- Many non-life insurers failed to record their clients’ ultimate beneficial owners (UBOs); as a result, it has been impossible to screen against sanctions lists.
- Little to no screening took place if a sanctions list was updated.
- Insurers only periodically updated the lists used for sanctions screening, rather than at the time that a sanctions list was updated. This means it is possible that clients included in an updated sanctions list may have been inadvertently accepted by insurers.
- Knowledge of the sanction regulations is inadequate for part of the insurance sector.
In August 2016, DNB published a Q&A on the Sanctions Act for non-life insurers (the Q&A). The Q&A aims to clarify the obligations non-life insurers have under the Sanctions Act and offer guidance on implementing measures. The Q&A also provides for a number of good practices. Below we set out a selection of topics that are addressed in the Q&A.
Intent and awareness
DNB indicates that the issue of sanctions should be part of the SIRA that non-life insurers have to perform. In addition, DNB recommends as a matter of good practice that non-life insurers perform an internal audit every three years in compliance with the Sanctions Act. This also includes insurers perceived to be low-risk.
The Sanctions Act defines a ‘relation’ as “anyone involved in a financial service or financial transaction”. This definition includes, among others: policyholders, insureds, beneficiaries, representatives and UBOs.
The Sanctions Act requires every non-life insurer to identify its ‘relations’. Although the Sanctions Act does not require non-life insurers to subsequently verify the identity, in practice non-life insurers generally do this (e.g. by requesting a valid identification document) to limit the risk that in reality they might be dealing with a different person.
DNB also states that non-life insurers cannot simply rely on information provided by third parties in respect of the screening of relations. Outsourcing the screening against sanctions lists is only allowed where outsourcing agreements have been clearly documented.
For business relationships, a non-life insurer needs to identify the UBO(s) of the party they are dealing with. Pursuant to the Sanctions Act, an UBO is any natural person that holds 50 per cent or more of the ownership rights of, or has control over, the relevant company. A large number of non-life insurers use a so-called UBO-statement (UBO-verklaring) to identify the UBO of a company. DNB is of the opinion that solely using an UBO-statement is susceptible to fraud. Therefore, DNB considers it good practice to conduct additional research into the relevant UBO(s). In the case of charities (stichting) and other non-profit organizations, it is relevant to determine who has ultimate control over the organization. In practice, this will often be the directors and/or representatives.
Controlling and screening
A non-life insurer that operates in the Netherlands is required to screen its relationships against the Dutch sanctions list, EU sanctions lists and certain other foreign sanctions list. The Sanctions Act prescribes that a non-life insurer needs to ‘regularly’ screen its relationships against these sanctions lists. The frequency of screenings can be determined on a risk basis. Low-risk relationships can generally be screened less frequently than relationships with a high-risk profile.
As the UBO(s) of a company can change, it is important to frequently check whether the information provided in respect of the UBO(s) is still up-to-date. DNB considers it good practice to annually check whether the UBO(s)-information is still correct in respect of high-risk relationships. A low- or medium-risk relation can be checked once every two years. An additional screening needs to take place when new names are published on a sanctions list.
DNB believes it to be good practice for non-life insurers to establish a screening ratio of between 70 per cent and 85 per cent names against sanctions lists. Although non-life insurers are free to determine their own screening ratio, DNB considers it to be bad practice if 100 per cent of names are screened.
According to DNB the use of thresholds in respect of checks relating to payments is not allowed. Thresholds are only allowed in combination with other factors which enable the non-life insurers to be entirely sure that the risk is very low (e.g. payment to individuals with a Dutch bank account or payment to a Dutch governmental body).
Where a non-life insurer pays a third-party directly, it must screen the third-party, as well as the client. This obligation also includes the screening of a potential UBO. If a non-life insurer makes use of a co-insurer, it is not necessary to conduct the required checks, if it is clear that the required checks have already been performed. If a payment is made to a legal person, a non-life insurer needs to check whether the entity is controlled or owned by a person on a sanctions list.
Investigation into non-Dutch EEA branches
Recently DNB has launched a new investigation focusing on compliance with the Sanctions Act by the Dutch branches of non-Dutch EEA insurers, as these branches were not fully in scope during the previous investigation. DNB commenced its investigation in November 2016 by contacting branch offices directly. Once the investigation is complete, DNB will determine its strategy towards branches of non-Dutch EEA insurers.
The continuous attention that DNB is giving to compliance with the Dutch sanctions rules and regulations by insurers shows the importance of having robust policies and procedures in place in order to assess whether a certain transaction is in breach of those rules and regulations. In its ongoing scrutiny, DNB will now also focus on non-Dutch EEA branches. Because of the high number of publications by DNB on this topic, we believe that DNB will impose enforcement measures if insurers or the Dutch branches of EEA insurers do not comply with the Sanctions Act.