Insurers Beware: The Risks of Failing to Comply With OFAC SDN Screening Requirements

Two related enforcement actions by the U.S. Department of Treasury’s Office of Foreign Assets Compliance (OFAC) are stark reminders that health insurance providers (and other insurers) must maintain adequate U.S. trade sanctions compliance programs, including conducting screening of customers and others. While the insurance company and its third party administrator (TPA), which provided health insurance coverage to, and received payments from, sanctioned narcotics dealers, were fortunate to escape with non-monetary “Findings of Violation,” in the future insurers that do not engage in adequate screening and other trade sanctions compliance measures may not be so lucky.

Under the Foreign Narcotics Kingpin Sanctions Regulations, 31 C.F.R. Part 598, “U.S. Persons”¹ are forbidden from dealing with all blocked property and interests in property within the United States, or within the possession or control of any U.S. person, that are owned or controlled by significant foreign narcotics traffickers, as identified by the President, or foreign persons designated by the Secretary of the Treasury. Similar prohibitions are found in other U.S. trade sanctions programs (e.g., various country-specific sanctions (e.g., Iran, North Korea, Sudan, Syria, Cuba and Crimea), non-proliferation sanctions, anti-terrorism sanctions, etc.). The names of individuals, groups and companies with whom such dealings are forbidden – which today number approximately 7,500 -- are collected in the Specially Designated Nationals (SDN) List, which is maintained by OFAC.

Although OFAC proscribes U.S. persons from engaging in transactions with such persons, it does not specifically describe what actions will be deemed adequate for purposes of measuring compliance with the sanctions regulations. Rather, U.S. Persons must perform a “risk-based” analysis to determine an appropriate level of compliance based upon the nature of their business and the likelihood of engaging in transactions with SDNs. Two fundamental compliance measures are (1) maintaining and applying an adequate written compliance program, and (2) periodically screening customers, and perhaps other persons, to identify SDNs. Violations of the regulations can lead to the imposition of substantial monetary penalties, which can amount to the higher of $250,000 (which amount is about to be increased) or twice the value of the transactions at issue.

In its recent enforcement actions, OFAC found that AXA Equitable Life Insurance Company (AXA) facilitated and/or processed payments and maintained two health insurance policies in which SDNs had an interest. When AXA issued the policies in 1992, the policy holders were not on the SDN List. The Kanawha Insurance Company (whose parent company is Humana, Inc.), as TPA, serviced the policies, collected premiums, maintained policy records, and answered general inquiries from insured parties. In 2009, OFAC added the policy holders to the SDN List. Neither AXA nor Kanawha screened the names of the policyholders serviced by the TPA, and both companies failed to identify and block the policies and premium payments. In 2011, a new company assumed TPA responsibilities, identified the policyholders as SDNs, and coordinated with AXA to block and cease providing any services for the policies.

OFAC found that Findings of Violation should be issued because:

• The companies are large and commercially sophisticated financial institutions.
• The companies facilitated and/or processed numerous payments, and maintained two health insurance policies in which one or more SDNs had an interest, doing harm to the U.S. sanctions programs.
• The companies’ compliance programs did not ensure that the names of policyholders associated with policies were screened or reviewed for OFAC compliance purposes.

However, OFAC elected not to impose monetary penalties because:

• No company personnel, including managers or supervisors, appear to have had actual knowledge of the conduct that led to the violations.
• The companies had not received a penalty notice or Finding of Violation from OFAC relating to substantially similar violations in the five years preceding the current violation.
• The companies cooperated with OFAC’s investigation, including by making voluntary disclosures, and executing statute of limitations tolling agreements and extensions.

These companies were fortunate to avoid monetary fines, but the violations nonetheless have consequences. For example, should either company violate OFAC’s rules again in the next five years, OFAC will consider these past violations, making significant monetary penalties likely.

OFAC’s recent actions are a reminder to health (and other) insurance companies, as well as their administrators and other service providers, that they must maintain and apply adequate OFAC compliance programs and procedures, including periodic screening of customers and others. Failure to do so could be very risky indeed.

FOOTNOTE
1 A “U.S. Person” is any United States citizen or national, permanent resident alien, an entity organized under the laws of the United States (including its foreign branches), or any person within the United States. 31 C.F.R. § 598.318.