
Sanctions Compliance for Insurers: Converging Expectations with Bank in a Post-2022 Environment


By Madina Rashid and Maeva Donlin


Madina Rashid is a Legal and Compliance Consultant advising governments, financial institutions and multilateral organizations on national security, financial crime and regulatory risk. She specialises in national security, sanctions and compliance governance, with experience across both public and private sectors. She advises on the design and implementation of risk-based compliance frameworks in complex cross-border environments, with a particular focus on sanctions regimes, financial crime risk and regulatory governance. Madina is UK legally trained and is currently undertaking the New York Bar.


Maeva Donlin is Head of Sanctions Compliance at Nordea, responsible for the bank’s global sanctions and trade regulatory compliance framework. Previously, she served as Sanctions Advisory Lead at Bank of the West (BNP Paribas Group), where she advised on complex sanctions issues, led regulatory examinations, and oversaw sanctions policy governance and risk assessments. She is a founding member of the Women in Sanctions Network and an Adjunct Professor at Fordham University School of Law, where she teaches sanctions and financial crime compliance.


Introduction


Sanctions compliance has moved from a specialist legal function to a core element of enterprise risk management. That shift has been driven by three related developments: the expansion of sanctions programs in response to geopolitical events, the increasing operational complexity of cross-border business, and a more interventionist supervisory stance from regulators and enforcement agencies. In practice, firms are now expected not merely to maintain written policies, but to demonstrate that their controls operate effectively across customer onboarding, ongoing monitoring, escalation and decision-making. OFAC’s 2019 Framework for OFAC Compliance Commitments remains the clearest articulation of that expectation in the United States, setting out five essential components of an effective sanctions compliance program: management commitment, risk assessment, internal controls, testing and auditing, and training.

This shift reflects a broader recognition that insurance services can create indirect channels through which sanctioned individuals, entities or jurisdictions may benefit from financial activity. Insurance products linked to cross-border trade, asset protection or financial guarantees can create exposure to sanctions risk comparable to that faced by traditional financial institutions.

Historically, banks have been the primary focus of sanctions enforcement, as OFAC’s Economic Sanctions Enforcement Guidelines reflect, largely because they sit at the centre of payment flows and correspondent banking relationships. Insurers, by contrast, were often viewed through a narrower lens, with compliance efforts concentrated on underwriting, distribution and claims. That distinction is now materially less persuasive. From a regulatory perspective, insurance products can provide funds or economic resources, preserve asset value, enable trade or confer a measurable benefit on a designated person (the prohibition on making funds or economic resources available is set out in Council Regulation (EU) No 269/2014). Once that premise is accepted, it follows that insurers must be able to evidence robust end-to-end controls, even if their exposure arises at different points in the business lifecycle than in banking.

This is particularly relevant in the post-2022 environment. The speed and scale of Russia-related measures required firms to update screening controls, refresh customer and counterparty populations, reassess ownership and control issues, and respond to fast-moving restrictions that were not always aligned across jurisdictions. For multinational groups, the difficulty was not only the volume of designations, but the need to operationalize U.S., EU and UK requirements simultaneously while preserving defensible governance and audit trails. That challenge has been especially acute for insurers and insurance groups operating across banking, trade finance, marine, specialty and reinsurance markets. For example, OFAC’s 2024 settlement with American Life Insurance Company, as described in OFAC’s enforcement action, involved over 2,300 apparent violations of Iran-related sanctions: insurance policies were issued and claims processed for UAE-based entities owned or controlled by the Government of Iran. The case highlighted failures in screening and escalation controls across the policy lifecycle, particularly in identifying exposure to sanctioned ownership structures.


The Post-2022 Sanctions Environment


Russia’s invasion of Ukraine in February 2022 marked a step-change in the breadth and intensity of sanctions measures adopted by the United States, the European Union and the United Kingdom. In the EU, Council Regulation (EU) No 269/2014, together with successive amendments and related measures, formed part of a broader package of asset-freezing and restrictive measures targeting persons and entities associated with actions undermining Ukraine’s territorial integrity. In the UK, OFSI has continued to position itself as an active implementation and enforcement authority, supported by updated general guidance, FAQs and monetary penalties guidance. In the United States, the Treasury announced “unprecedented and expansive” sanctions measures in the immediate aftermath of the invasion, reinforcing the expectation that firms would move quickly to identify and block prohibited dealings.

These measures significantly expanded the scope of sanctions compliance obligations for financial institutions and other regulated entities. Institutions were required to rapidly implement enhanced screening controls, reassess risk exposure across their customer base and strengthen governance frameworks to respond to rapidly evolving regulatory requirements, across multiple jurisdictions, each with distinct sanctions regimes and requirements.

For insurers, the practical significance of this shift is straightforward. Insurance is no longer treated as peripheral to sanctions risk. It is increasingly recognised as part of the financial architecture through which value, protection and commercial continuity can be maintained. That is particularly clear in marine, trade credit, political risk and specialty lines, but it is also relevant in life, annuity and claims contexts where a designated person may hold contractual rights or receive a payout. In other words, the regulatory question is no longer whether insurers are in scope in principle; it is whether their controls are calibrated to the way risk arises in their business. (See UK financial sanctions general guidance.)

In the United States, the Office of Foreign Assets Control (OFAC) has provided additional guidance clarifying the obligations of insurance companies in transactions potentially involving sanctioned persons. Updated FAQs and enforcement actions have underscored the expectation that insurers implement sanctions compliance programs capable of preventing transactions involving individuals or entities included on the Specially Designated Nationals and Blocked Persons List.

Recent OFAC enforcement actions involving insurance companies have illustrated how weaknesses in screening processes, due diligence procedures or internal escalation frameworks may expose institutions to regulatory actions. These cases demonstrate that insurers are expected to maintain sanctions controls comparable in effectiveness to those applied within banking institutions. 

The supervisory trend is also more outcome-focused than before. OFSI’s current guidance and penalties framework make clear that enforcement is not confined to deliberate misconduct; it can also turn on systems and controls failings, weak governance or inadequate escalation. That approach mirrors a broader international move away from purely formal compliance toward evidence-based control effectiveness. For firms, that means sanctions frameworks must be capable of being explained, tested and defended, not merely documented. (See Financial sanctions enforcement and monetary penalties guidance.)

The overall effect has been a significant narrowing of the regulatory distinction between banking and insurance sectors with respect to sanctions compliance expectations.


Convergence of Compliance Standards


Banks have traditionally faced stricter sanctions expectations because they process large volumes of transactions in real time, including cross-border payments, correspondent flows and securities activity. That operating model naturally drove early investment in real-time screening, interdiction engines, alert management and transaction monitoring. It also explains why many of the best-known sanctions enforcement actions historically sat in the banking sector. (See OFAC Issues a Framework for Compliance Commitments.)

Banks typically process high volumes of transactions across global financial networks, creating substantial direct and indirect exposure to sanctions risk. As a result, banks have long been required to maintain sophisticated compliance frameworks including real-time sanctions screening, transaction monitoring and enhanced due diligence procedures.

Insurers operate differently, but the legal risk is not necessarily lower. The exposure simply manifests elsewhere: during onboarding, at underwriting, through broker and intermediary channels, when validating beneficial interests, at claims payment, or when servicing an existing policy after sanctions status changes. The fact that insurer interactions may be periodic rather than continuous does not remove the underlying obligation to avoid making funds, services or economic resources available to a designated person. In practice, it means insurers need controls designed around event-driven risk rather than only payment-flow risk. For example, sanctions exposure may arise at the point of claims payment where a previously non-designated beneficiary becomes subject to sanctions, requiring firms to ensure ongoing screening and effective escalation controls throughout the policy lifecycle.

That is why the notion of “convergence” is useful, but only up to a point. Regulators are not requiring insurers to become banks. They are, however, expecting insurers to adopt a comparably rigorous, risk-based approach that reflects the realities of their business model. The correct comparison is therefore not between identical control sets, but between equivalent control effectiveness. A bank may rely on continuous screening and transaction interdiction; an insurer may need stronger trigger-based controls around underwriting, endorsements, claims, beneficiary changes and policy servicing. The test in both cases is whether prohibited exposure is identified early enough to prevent a breach and escalate appropriately.

As a result, regulators now expect insurers to implement end-to-end sanctions compliance controls capable of identifying and mitigating sanctions exposure across the insurance lifecycle. These controls typically include due diligence and screening at multiple stages, including:

  • onboarding of policyholders and beneficiaries

  • underwriting assessments

  • sanctions screening of insured parties

  • claims processing and payment verification

This shift reflects a broader regulatory trend towards convergence in compliance expectations across sectors.


Enforcement lessons for the insurance sector


In practice, the most persistent challenge is not usually the absence of sanctions lists or screening tools. It is the quality, accessibility and governance of the underlying data. Banks often face this problem in legacy payments architecture; insurers face it across product, claims and distribution systems that were not originally designed for sanctions analytics. Customer, broker, beneficiary and asset information may sit in separate systems, be owned by different teams, or be captured inconsistently across jurisdictions. Where data fields are incomplete or not normalised, sanctions screening becomes less reliable and alert disposition becomes harder to defend. 

This becomes more acute where ownership and control issues are in play. EU and UK sanctions frameworks frequently require firms to look beyond the named party and consider whether a designated person owns or controls an entity or otherwise benefits from an arrangement. That analysis can be difficult enough in banking. In insurance, it may be harder still where distribution chains involve brokers, delegated authorities, cover holders, corporate structures or layered beneficiary interests. A defensible framework therefore needs a clear methodology for when enhanced due diligence is triggered, what documentary evidence is required, and who has authority to resolve borderline cases.
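The event-driven rescreening described in the previous section (a beneficiary designated after onboarding, caught at claims payment) and the ownership-and-control analysis described above, worked through in code as an added example; it is not code from the article or from any firm named in it. All party names, the event-to-parties map and the 50% aggregation threshold are constructed assumptions.

```python
from dataclasses import dataclass, field

# Assumption for this example: an entity whose blocked owners together hold at least this
# share is itself treated as blocked. The figure is a parameter here, not any regime's rule.
OWNERSHIP_THRESHOLD = 0.5

@dataclass
class Party:
    name: str
    owners: list = field(default_factory=list)  # [(Party, fractional share)]

@dataclass
class Policy:
    number: str
    policyholder: Party
    beneficiaries: list

def is_blocked(party, designated, threshold=OWNERSHIP_THRESHOLD, seen=frozenset()):
    """Blocked if listed directly, or if owners that are themselves blocked hold at least
    `threshold` in aggregate. Ownership is traced through intermediate entities (an entity
    that meets the threshold counts as if listed); circular holdings are ignored."""
    if party.name in designated:
        return True, f"{party.name} is listed"
    if party.name in seen:
        return False, ""
    seen = seen | {party.name}
    share = sum(frac for owner, frac in party.owners
                if is_blocked(owner, designated, threshold, seen)[0])
    if share >= threshold:
        return True, f"{party.name} is {share:.0%} held by designated persons"
    return False, ""

# Which parties each lifecycle event must rescreen (assumed, simplified mapping).
PARTIES_FOR_EVENT = {
    "onboarding": lambda p: [p.policyholder] + p.beneficiaries,
    "endorsement": lambda p: [p.policyholder],
    "beneficiary_change": lambda p: p.beneficiaries,
    "claim_payment": lambda p: [p.policyholder] + p.beneficiaries,
}

def screen(policy, event, designated):
    """Rescreen the parties relevant to `event`; return one escalation record per hit."""
    hits = []
    for party in PARTIES_FOR_EVENT[event](policy):
        blocked, reason = is_blocked(party, designated)
        if blocked:
            hits.append((event, policy.number, reason))
    return hits

def run_lifecycle():
    """Constructed scenario: the beneficiary's owners are designated only after onboarding,
    so a clean onboarding screen is stale by the time the claim is paid."""
    owner_a, owner_b = Party("Constructed Holdings A"), Party("Constructed Holdings B")
    beneficiary = Party("Constructed Shipping LLC", owners=[(owner_a, 0.30), (owner_b, 0.25)])
    policy = Policy("POL-0001", Party("Constructed Trading Co"), [beneficiary])
    designated, log = set(), {}
    log["onboarding"] = screen(policy, "onboarding", designated)        # nobody listed yet
    designated.add("Constructed Holdings A")                            # 30% listed: below threshold
    log["endorsement"] = screen(policy, "endorsement", designated)      # policyholder only
    designated.add("Constructed Holdings B")                            # 55% in aggregate
    log["claim_payment"] = screen(policy, "claim_payment", designated)  # beneficiary now blocked
    return log
```

The point of the scenario is that neither designation alone blocks the beneficiary; only the aggregate, checked at the claim event, does, which is why a one-off onboarding screen is not a sufficient control.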

Despite this convergence in regulatory expectations, important operational differences remain between the banking and insurance sectors.

Banks generally operate with lower risk tolerance thresholds due to their continuous exposure to financial transactions. Real-time payment processing requires banks to implement automated screening systems capable of identifying potential sanctions exposure immediately.


Typical features of banking compliance frameworks include:

  • real-time screening of payment instructions

  • lower thresholds for potential sanctions matches

  • automated escalation of alerts

  • extensive transaction monitoring systems

Insurance companies, by contrast, tend to engage in financial transactions less frequently than banks. Their exposure to sanctions risk often arises at key points in the insurance lifecycle, including during underwriting decisions, premium payments or claims settlement.

While both sectors are subject to increasingly stringent sanctions requirements and a low tolerance for possible breaches, these structural differences influence the operational design of compliance programs.


Due Diligence and Data Governance Challenges


As sanctions compliance frameworks rapidly evolve, institutions increasingly face challenges relating to data collection, data governance and internal coordination.

One of the most common challenges arises from fragmented data ownership within organisations. Customer and third-party information is often distributed across multiple departments, including underwriting, claims, risk and compliance functions as well as across multiple systems and platforms. This fragmentation can complicate sanctions screening and due diligence processes. In addition, both sectors must navigate multiple jurisdictions and associated sanctions lists, with different rules, designations and enforcement expectations. 

Differences in screening methodologies may also create operational challenges. Banks typically rely on real-time (or near real-time) screening and transaction monitoring systems, whereas insurers more often conduct sanctions screening at periodic intervals or at key points in the policy lifecycle. In practice, this often manifests where beneficiary or ownership information is not consistently captured across underwriting and claims systems, resulting in incomplete screening populations and potential exposure to sanctioned parties through indirect interests.

Where banks and insurers interact within the same financial ecosystem, these differences can create inconsistencies in risk detection and escalation processes.

Regulators have therefore emphasized the importance of establishing clear governance structures to ensure that sanctions risk is appropriately identified, monitored and escalated across organizational boundaries.


Third-Party Risk and Outsourcing


Another area of increasing regulatory focus relates to third-party relationships and outsourcing arrangements.

In both banking and insurance, firms often rely on intermediaries, cover holders, TPAs, brokers, delegated authorities, claims handlers, external administrators and technology vendors. Those arrangements can make commercial sense, but they also create distance between the regulated firm and the relevant sanctions data or decision point. From a regulatory perspective, outsourcing may shift tasks, but it does not shift accountability. That principle is reflected consistently in UK guidance and is entirely consistent with OFAC’s broader framework on internal controls and testing. 

Financial institutions and insurers frequently rely on external intermediaries, brokers and service providers to support operational activities. While outsourcing may offer operational efficiencies, regulators consistently emphasise that institutions retain ultimate knowledge and responsibility for ensuring sanctions compliance. The issue is not only whether due diligence is performed at onboarding. It is whether the firm has defined what the third party must screen, how often it must screen, what escalation obligations apply, what contractual rights to information and audit exist, and how exceptions are handled. In insurance settings, that may be especially important where claims decisions or policy servicing occur outside the immediate control of the core compliance team. For example, regulators have consistently emphasized that firms remain responsible for sanctions compliance failures arising through intermediaries, including brokers, cover holders and delegated authorities, particularly where inadequate oversight results in dealings with sanctioned counterparties or insufficient screening of underlying parties.


Technology and the Role of Artificial Intelligence


Technological innovation is increasingly reshaping sanctions compliance programmes across financial sectors.

Artificial intelligence and advanced data analytics tools are being deployed to improve data quality, enhance screening accuracy and identify patterns across large datasets. These technologies can support automated data cleansing, detection of duplicate records and improve risk analysis across organisational systems. For example, firms are increasingly using entity resolution tools to identify fragmented customer or counterparty records across legacy systems, reducing the risk that sanctioned parties are missed due to inconsistent data capture or siloed datasets.

At the same time, many institutions are undertaking broader modernisation initiatives aimed at addressing legacy technology infrastructure. Improved data architecture and secure information sharing can significantly enhance the effectiveness of sanctions compliance frameworks. 

Nevertheless, regulators continue to emphasise that technological solutions must operate within robust governance frameworks. The use of artificial intelligence in compliance programmes must therefore be accompanied by appropriate oversight, comprehension, transparency and human accountability.

Technology should be viewed as an enabling tool that strengthens compliance frameworks rather than replacing established governance structures, including the processes for alert review and disposition.


Governance and Senior Management Accountability


Across jurisdictions, regulators have placed increasing emphasis on governance and senior management accountability in sanctions compliance. The central point is that sanctions compliance is no longer a siloed technical function. It now sits at the intersection of legal interpretation, operational process, technology architecture, governance and risk appetite. That means boards and senior management do not need to make first-line sanctions decisions, but they do need to set expectations around ownership, resourcing, escalation and challenge. Where sanctions is under-resourced, poorly integrated or treated as a back-end review function, the control environment will almost always degrade over time.

Supervisory authorities expect institutions to demonstrate clear ownership of sanctions risk, well-defined escalation procedures and effective oversight at senior management level (“tone from the top”).

Effective governance frameworks typically include:

  • board-level oversight of sanctions risk

  • clearly defined reporting structures for compliance functions

  • periodic risk assessments reflecting evolving regulatory requirements and geopolitical developments

  • ongoing review of customer exposure and business activities

These expectations reflect the growing recognition that sanctions compliance forms a central component of enterprise risk management within institutions.


Conclusion


Sanctions compliance continues to evolve rapidly in response to geopolitical developments, regulatory innovation and enforcement activity. The key point is that regulators increasingly expect equivalent seriousness, equivalent governance and equivalent control effectiveness, even where the business model differs. For banks, that still means real-time interdiction and high-velocity screening. For insurers, it means robust controls at underwriting, onboarding, policy servicing, claims and beneficiary level, supported by clear data governance and escalation. The convergence is therefore one of expectation, not uniformity.

For practitioners, the challenge lies in designing compliance frameworks that balance operational realities with evolving regulatory expectations. Achieving this balance will require continued investment in governance structures, technological capabilities and cross-functional collaboration.
