Sanctions screening catches listed names. It does not catch the intermediary who has introduced three single-premium policies from grey-listed jurisdictions in 18 months. Financial crime in insurance requires five detection layers: CDD, sanctions screening, behavioural transaction monitoring, intermediary network analysis, and SAR quality review. This post explains each layer, the regulatory obligations under AMLD6 and FATF Recommendation 26, and where the MLRO's professional judgement remains irreplaceable.
The Screen Showed Clear. The Analyst Did Not Feel Clear. That Gap Is Where Financial Crime Hides.
The application is for a single-premium whole-of-life policy. The premium is NOK 850,000. It is to be paid by bank transfer. The transfer will come from an account held in a jurisdiction on the FATF grey list. The customer was introduced by a third-party intermediary. The financial crime analyst checks the intermediary record. She finds two prior introductions. Both were single-premium policies. Both had high-value transfers from offshore accounts. Both policies were surrendered within 18 months.
She runs the standard AML screen. The customer name returns no matches on any sanctions list. No politically exposed person flag. The screen shows clear. She does not feel clear. The sum is large. The source is grey-listed. The product type is high-risk for money laundering. The intermediary pattern is unusual. Three introductions with the same characteristics is not a coincidence. It is a pattern.
The screen cannot see the pattern. It can only match names against lists. The analyst opens a manual enhanced due diligence review. She knows two things. The screen is necessary. The screen is not sufficient.
The Financial Crime Risk Landscape in Insurance
Not all insurance products carry the same financial crime risk. The products most exposed to money laundering are those that accept large single payments, offer a legitimate investment return, and can be surrendered or transferred with relative ease.
| Product type | Financial crime risk level | Money laundering typology | Key red flags |
|---|---|---|---|
| Single-premium whole-of-life | Very high | Placement and layering: large lump sum invested, surrendered as "insurance proceeds" | Grey-listed payment source; early surrender; third-party introducer; high premium-to-income ratio |
| Investment-linked policies | High | Layering: fund switches create complex audit trail; value extracted as investment returns | Rapid fund switches; unusual beneficiary changes; top-up premiums from new sources |
| Regular premium life | Medium | Structuring: regular payments from criminal income; policy used as savings vehicle | Premium source inconsistent with declared income; overpayment with refund request |
| Non-life (commercial) | Medium | Claims fraud linked to wider criminal enterprise; fictitious insured assets | High-value asset insured with limited supporting documentation; immediate large claim |
| Personal non-life | Lower | Primarily fraud rather than money laundering; staged claims, ghost policies | Multiple policies on same asset; claims pattern inconsistent with loss history |
The pattern in the opening scene involves a single-premium whole-of-life policy — the highest financial crime risk category in European insurance. It accepts a large lump sum. It provides a legitimate paper trail showing the funds were invested in an insurance product. It can be surrendered, with the proceeds appearing as insurance returns rather than the original criminal funds. For Norwegian insurers, the Hvitvaskingsloven requires enhanced due diligence for products identified as high-risk for money laundering. Single-premium life products and investment-linked policies are in scope. Finanstilsynet's AML supervision guidance identifies the specific indicators that trigger enhanced due diligence obligations. Specific Norwegian AML requirements should be verified with qualified Norwegian legal counsel.[5]
The Five Detection Layers for Insurance Financial Crime
Effective AML insurance technology operates across five detection layers. Each catches different financial crime typologies. Each has a specific limitation. No single layer is sufficient alone.
| Detection layer | What it catches | Limitation | Technology component |
|---|---|---|---|
| Customer due diligence (CDD) | Identity fraud; undisclosed PEP status; inconsistent source of funds declarations | Relies on declared information; does not detect patterns across customer portfolio | Automated identity verification; PEP/sanctions matching; document verification |
| Sanctions and PEP screening | Listed individuals, entities, and jurisdictions; politically exposed persons and their associates | Catches listed actors only; the unlisted beneficial owner behind a corporate structure is invisible | Global watchlist matching; fuzzy name matching; jurisdiction risk scoring |
| Behavioural transaction monitoring | Transaction patterns inconsistent with declared customer profile; anomalies against peer group baseline | A sophisticated actor who understands model parameters can deliberately stay within normal ranges | ML anomaly detection; peer group comparison; premium-to-income ratio scoring |
| Intermediary network analysis | Clustering of high-risk introductions from a single intermediary; coordinated money laundering through multiple applications | Requires connected data across the policy portfolio; siloed systems cannot support this capability | Graph network analysis; cross-policy clustering; intermediary risk scoring |
| SAR quality review | Ensures submitted reports contain sufficient information for NCA/Finanstilsynet investigators to act on | Quality depends on the evidence assembled; AI drafting supports but does not replace MLRO judgement | AI-assisted SAR drafting; case file assembly; submission deadline tracking |
Intermediary network analysis has the highest marginal detection value in insurance. The financial crime analyst in the opening scene identified the suspicious pattern because she could see all three introductions from the same intermediary simultaneously. A screening system that reviews each application in isolation cannot see that pattern. Graph network analysis that maps all introductions from each intermediary across the policy portfolio can. This is the capability that AI adds beyond what list screening provides.
Customer Due Diligence, AI Behavioural Models, and Transaction Monitoring
Automated CDD and its limitations
Automated customer due diligence performs three functions: identity verification confirms the customer is who they claim to be; sanctions and PEP screening checks the customer against global watchlists; and source of funds verification assesses whether the declared source of funds is plausible for the customer's declared profile. Insurance anti-money laundering compliance requires all three. AMLD6 Article 13 requires enhanced due diligence where there is higher risk — defined by customer characteristics, transaction characteristics, geographic factors, and product type simultaneously.
The NOK 850,000 single-premium payment from a grey-listed jurisdiction meets the higher risk threshold on multiple criteria. Enhanced due diligence is mandatory. The standard screen returning a clear result does not reduce the obligation. It confirms only that the customer is not on a known list. The pattern analysis that identifies the risk is a separate capability.[3]
AI-extended detection: behavioural and network analysis
AI extends insurance fraud detection technology beyond list matching into behavioural and network pattern analysis. Behavioural models are trained on the characteristics of confirmed money laundering cases. They score each new application against the pattern. A high score triggers enhanced due diligence, not an automatic decline. The specific variables that generate high behavioural risk scores in single-premium insurance include: premium-to-declared-income ratio above threshold, payment source in a high-risk jurisdiction, third-party introducer involvement, early surrender history on prior policies, and unusual beneficiary designations.
Network analysis maps the relationships between customers, intermediaries, payment sources, and beneficiaries across the full policy portfolio. It identifies clusters: multiple customers introduced by the same intermediary, multiple policies funded from the same payment source, or multiple beneficiaries connected to a single corporate entity. Each cluster is a financial crime risk signal that individual application screening cannot see.[1]
Transaction monitoring for ongoing financial crime detection
Financial crime is not always present at the point of application. A customer who passes CDD at inception may behave suspiciously after the policy is in force. Transaction monitoring tracks post-inception policy behaviour: rapid premium top-ups; unusual fund switch patterns on investment-linked products; premium overpayments followed by refund requests; early surrender requests, particularly where the surrender value is lower than the premium paid. AML insurance technology that monitors these behaviours against peer group baselines identifies anomalies that manual case review would not detect at scale.[4]
Suspicious Activity Reporting: Automation and Professional Judgement
A suspicious activity report submitted to the NCA or Finanstilsynet must contain sufficient information for investigators to act on it. AI-assisted SAR drafting assembles the factual elements from the case file: the customer record, the transaction history, the screening results, the behavioural risk score, and the intermediary network analysis. It produces a draft report that the MLRO reviews, amends, and submits.
The MLRO's professional judgement is irreplaceable at the submission decision point. The AI assembles the evidence. The MLRO decides whether the evidence meets the suspicion threshold and whether submission is appropriate given all the circumstances, including any tipping-off risk. Automation supports the quality of the report. It does not replace the decision to submit it.
Frequently Asked Questions
We screen all customers against sanctions lists — is that not sufficient for AML compliance?
No. Sanctions screening is a necessary component of AML compliance. It is not sufficient. AMLD6 and FCA SYSC 6.3 require customer due diligence that goes beyond name matching: source of funds verification, enhanced due diligence for higher-risk customers, and ongoing transaction monitoring. FATF Recommendation 26 specifically requires insurers to identify and assess the money laundering risks in their product portfolio and apply controls proportionate to those risks. An insurer with single-premium life products and only sanctions screening has a gap between its product risk profile and its detection capability that regulators will identify.[3][4]
How do we structure an intermediary network analysis capability?
Intermediary network analysis requires two things. First, a data structure that links each policy to its introducing intermediary and captures the key transaction characteristics: premium amount, payment source, product type, and policy outcome. Second, a graph analysis tool that maps the portfolio of introductions from each intermediary and identifies anomalous patterns: clustering by product type, payment source geography, or policy outcome. The analysis runs at the portfolio level, not the individual application level. A siloed policy administration system that cannot query across the policy book cannot support this capability.[1]
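The two requirements in this answer, and the portfolio-level view described under the five detection layers, shown as an added example (it is not code from this article or from any AML product). The field names, the placeholder jurisdiction codes `XA`/`XB`, the watchlist entries and all policy and intermediary identifiers are constructed for illustration; the three-introduction threshold and the 18-month surrender window are taken from the opening scene.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumptions for this example: placeholder jurisdiction codes and a
# placeholder watchlist, not real FATF or sanctions data.
HIGH_RISK_JURISDICTIONS = {"XA", "XB"}
WATCHLIST = {"listed person a", "listed entity b"}
EARLY_SURRENDER_MONTHS = 18  # window used in the opening scene
MIN_CLUSTER = 3              # three matching introductions, as in the scene


@dataclass(frozen=True)
class Policy:
    """One row of the linked data structure: policy -> introducing intermediary."""
    policy_id: str
    customer_name: str
    intermediary_id: Optional[str]   # None for direct business
    product_type: str
    premium_nok: int
    payment_jurisdiction: str
    inception: date
    surrendered: Optional[date] = None  # policy outcome


def name_screen_clear(name: str) -> bool:
    """Stand-in for list screening: exact name match, one application at a time."""
    return name.strip().lower() not in WATCHLIST


def full_months(start: date, end: date) -> int:
    """Number of complete calendar months between two dates."""
    months = (end.year - start.year) * 12 + (end.month - start.month)
    return months - 1 if end.day < start.day else months


def is_early_surrender(p: Policy) -> bool:
    return (p.surrendered is not None
            and full_months(p.inception, p.surrendered) < EARLY_SURRENDER_MONTHS)


def matches_profile(p: Policy) -> bool:
    """Single-premium business funded from a high-risk jurisdiction."""
    return (p.product_type == "single_premium_life"
            and p.payment_jurisdiction in HIGH_RISK_JURISDICTIONS)


def intermediary_clusters(policies, min_cluster: int = MIN_CLUSTER):
    """Group the whole book by introducer and report clusters for EDD review."""
    book = defaultdict(list)
    for p in policies:
        if p.intermediary_id:
            book[p.intermediary_id].append(p)

    findings = []
    for intermediary_id, introduced in sorted(book.items()):
        hits = [p for p in introduced if matches_profile(p)]
        if len(hits) < min_cluster:
            continue
        findings.append({
            "intermediary_id": intermediary_id,
            "policy_ids": sorted(p.policy_id for p in hits),
            "early_surrenders": sum(is_early_surrender(p) for p in hits),
            "share_of_book": round(len(hits) / len(introduced), 2),
            "total_premium_nok": sum(p.premium_nok for p in hits),
        })
    return findings


# Constructed sample book (all identifiers, names and amounts are invented,
# apart from the NOK 850,000 premium used in the opening scene).
SAMPLE_BOOK = [
    Policy("P-1001", "Customer One", "INT-001", "single_premium_life",
           700_000, "XA", date(2023, 1, 10), date(2024, 3, 1)),
    Policy("P-1002", "Customer Two", "INT-001", "single_premium_life",
           900_000, "XB", date(2023, 6, 5), date(2024, 10, 20)),
    Policy("P-1003", "Customer Three", "INT-001", "single_premium_life",
           850_000, "XA", date(2024, 11, 15)),
    Policy("P-2001", "Customer Four", "INT-002", "regular_premium_life",
           24_000, "NO", date(2022, 4, 1)),
    Policy("P-2002", "Customer Five", "INT-002", "single_premium_life",
           300_000, "XA", date(2023, 9, 12)),
    Policy("P-2003", "Customer Six", "INT-002", "investment_linked",
           150_000, "NO", date(2024, 2, 20)),
    Policy("P-3001", "Customer Seven", None, "single_premium_life",
           500_000, "XB", date(2024, 5, 3)),
]

if __name__ == "__main__":
    cleared = [p.policy_id for p in SAMPLE_BOOK if name_screen_clear(p.customer_name)]
    print(f"{len(cleared)}/{len(SAMPLE_BOOK)} applications clear the name screen")
    for finding in intermediary_clusters(SAMPLE_BOOK):
        print("Refer for enhanced due diligence:", finding)
```

Every application in the sample clears the name screen individually; only the grouping by introducer surfaces the cluster, and the output is a referral for enhanced due diligence rather than a decision.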
What does FATF Recommendation 26 require from insurers specifically?
FATF Recommendation 26 requires insurers to identify and assess the money laundering and terrorist financing risks associated with their products, customers, delivery channels, and geographic exposure. They must apply enhanced due diligence to higher-risk situations, have a transaction monitoring system proportionate to their risk profile, designate a compliance officer responsible for AML, train staff on financial crime recognition, and report suspicious activities to the relevant financial intelligence unit. The FATF guidance for the insurance sector, updated in 2024, provides specific typologies and red flags for life insurance products, investment-linked products, and premium finance arrangements.[1]
How does the Norwegian Hvitvaskingsloven apply to insurance AML obligations?
The Hvitvaskingsloven (Money Laundering Act) implements AMLD requirements in Norway. It designates life insurers and certain other insurance entities as reporting entities with CDD, monitoring, and SAR obligations. The Act requires Norwegian insurers to establish risk-based AML programmes, including customer risk assessments, transaction monitoring, and suspicious activity reporting to Finanstilsynet's Financial Intelligence Unit. Finanstilsynet conducts AML supervision of Norwegian insurance entities and has published guidance on expected AML controls for the sector. Specific Hvitvaskingsloven obligations and Finanstilsynet expectations should be verified with qualified Norwegian legal counsel.[5]
What is the tipping-off risk in insurance AML and how do we manage it?
Tipping-off occurs when a firm discloses to a customer or third party that a SAR has been filed or that an investigation is underway. This is a criminal offence under AML legislation in both the UK and Norway. The risk arises when the insurer needs to request additional information from the customer as part of enhanced due diligence — the request itself may signal that the customer is under suspicion. The MLRO manages tipping-off risk by limiting knowledge of SAR submissions to the compliance function, ensuring front-line staff do not discuss unusual requests with customers without compliance guidance, and structuring enhanced due diligence requests in ways that do not reveal the specific suspicion.[4]
How do we build the business case for AML technology investment?
The business case has three components. The cost of non-compliance: FCA and Finanstilsynet AML fines averaging NOK 180 million for serious failures, plus the reputational cost of a public enforcement action. The cost of manual detection: the financial crime analyst time required to review applications manually versus the coverage that AI behavioural models provide across the full policy intake. The detection improvement: the 34% of SARs that behavioural pattern analysis identifies and that name screening alone would have missed. Each SAR filed because the AI detected the pattern — rather than filed because a regulator found the problem first — is a compliance outcome with a quantifiable value.[2]
This article provides general information only and does not constitute legal or regulatory advice. AML obligations under AMLD6, FATF Recommendation 26, FCA SYSC 6.3, Hvitvaskingsloven, and Finanstilsynet AML supervision guidance require case-specific legal assessment. Insurers should consult qualified legal and compliance counsel for guidance specific to their jurisdiction, product portfolio, and AML programme design. The tipping-off provisions of UK and Norwegian AML legislation should be reviewed with qualified legal counsel before any customer communication relating to an enhanced due diligence review.
References
All statistics sourced from documented research and regulatory publications. All currency figures in NOK. Links verified 2026.