
Insurance KYC Compliance 2026: AMLD6 and Solvency II Obligations

Life insurers and insurance intermediaries face strict KYC/AML obligations under AMLD6 and UK regulations. Complete guide: FCA requirements, due diligence steps, and penalties.

CheckFile Team

Life insurance companies and insurance intermediaries are obligated entities under anti-money laundering law. Under the UK's Money Laundering Regulations 2017 (MLR 2017), life insurers must verify customer identity, assess financial crime risk, and conduct ongoing monitoring for every policy with a surrender value. With EU AMLD6 (Directive (EU) 2024/1640) becoming transposable by July 2027 and the AMLR directly applicable from the same date, UK firms that passport into the EU or operate cross-border need to track both regimes.

This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. Regulatory references are accurate as of the publication date. Consult a qualified professional for advice tailored to your situation.

Why Insurance Companies Are AML-Obligated Entities

Insurance is a documented route for money laundering: placing illicit funds as premiums, layering through policy transfers, and integrating by claiming legitimate investment returns. The Financial Action Task Force (FATF) has identified life insurance, annuities, and unit-linked products as high-risk vectors.

The FCA's 2023 financial crime review of the insurance sector found that 40% of firms reviewed had material gaps in customer due diligence documentation. This figure underscores why regulators have intensified oversight of insurers since 2024. For a broader overview of AML compliance frameworks, see our complete AML compliance guide.

Which Insurance Products Trigger KYC Obligations?

Not all insurance products carry the same AML risk. MLR 2017 Regulation 38 provides explicit exclusions for low-risk insurance.

Product Category                            | KYC Obligation                      | Risk Level
Whole-of-life and endowment policies        | Mandatory from inception            | High
Unit-linked investment bonds                | Mandatory from inception            | High
Pension annuities and SIPPs                 | Mandatory                           | Medium–High
Term life insurance (no cash value)         | Reduced/simplified                  | Low
General insurance (home, motor, liability)  | Generally exempt                    | Low
Group employer schemes                      | Simplified where employer-verified  | Low–Medium

The critical dividing line is whether the product has a surrender value or an investment component. If it does, full KYC applies from the outset.

Core KYC Obligations Under MLR 2017

The FCA Handbook SYSC 6.3 and MLR 2017 Regulations 27–38 set out the due diligence framework for insurers. The four core obligations are:

1. Customer Due Diligence (CDD)

Before establishing a business relationship or carrying out an occasional transaction of £10,000 or more, insurers must:

  • Identify the customer: full name, date of birth, residential address
  • Verify identity using reliable, independent source documents (passport, UK photocard driving licence, biometric residence permit)
  • Identify the beneficial owner of any corporate entity or trust taking out a policy
  • Understand the purpose and intended nature of the business relationship

Where a policyholder is a legal entity, verification must now extend to the ultimate beneficial owner. Since AMLD5 transposition, this involves checking the UK's Companies House People with Significant Control (PSC) register.

2. Enhanced Due Diligence (EDD)

EDD is mandatory in higher-risk situations under MLR 2017 Regulation 33:

  • Politically Exposed Persons (PEPs): current or former senior public figures, their family members and close associates
  • High-risk third countries: customers or transactions involving jurisdictions on the FATF grey list or blacklist
  • Complex or unusually large transactions with no obvious economic or lawful purpose
  • Unusual transaction patterns not consistent with the customer profile

For PEPs, senior management approval is required before or during the business relationship. Source of wealth and source of funds must be established and documented. Ongoing monitoring must be more frequent and intensive.

3. Ongoing Monitoring

Insurers must monitor the business relationship on a continuous basis: scrutinising transactions against the customer's risk profile, ensuring documentation remains current, and updating CDD when material changes occur. Red flags specific to insurance include:

  • Early surrender requests shortly after inception
  • Frequent changes of beneficiary designation
  • Premium payments from multiple unrelated sources
  • Requests to redirect surrender proceeds to third-party accounts

4. Suspicious Activity Reports (SARs)

When an insurer knows or suspects money laundering or terrorist financing, it must submit a Suspicious Activity Report (SAR) to the National Crime Agency (NCA) using the SARs Online portal. A SAR must be submitted before the suspicious transaction takes place if possible. The insurer should then await a consent decision or allow the 7-working-day moratorium to lapse before proceeding.

AMLD6 and the 2027 EU Regulatory Wave

Although the UK has left the EU, UK firms that operate cross-border in EU markets must comply with EU AML standards in those jurisdictions. The AMLR (Regulation (EU) 2024/1624) becomes directly applicable in EU member states from 10 July 2027. Key changes affecting insurance companies include:

  • Beneficial ownership threshold reduced from 25% to 15% (5% for opaque structures)
  • Expanded PEP definition to include senior officials of major international organisations
  • Harmonised EU-wide cash transaction cap of €10,000
  • AMLA direct supervision of 40 high-risk financial entities from January 2028
  • Stricter record-keeping requirements with enhanced audit trail standards

For UK-only operations under the post-Brexit UK regulatory regime, the FCA is consulting on UK MLR reforms independently. Firms should monitor FCA Consultation Paper CP24/9 for the latest proposals.


Solvency II and KYC: Complementary Frameworks

Solvency II (implemented in the UK as UK Solvency II under PRA SS19/16) establishes governance requirements that intersect with AML compliance:

  • System of governance: Solvency II requires documented internal controls and a compliance function, the same infrastructure needed for AML compliance
  • ORSA (Own Risk and Solvency Assessment): risk management processes for Solvency II and the AML risk assessment share methodology
  • Fit and proper requirements: key function holders must meet PRA/FCA fitness standards, reinforcing the AML MLRO appointment requirements

In practice, smaller UK insurers often combine the Solvency II compliance officer role with the Money Laundering Reporting Officer (MLRO) role, subject to FCA approval. Large firms typically separate these functions. See our compliance risk assessment guide for structuring integrated risk governance.

Risk-Based Approach in Insurance AML

MLR 2017 Regulation 18 requires every insurer to conduct a firm-wide risk assessment and document findings. The risk assessment must consider:

  • Customer risk factors: residency, profession, legal entity type, PEP status
  • Product risk factors: surrender value, premium size, investment component
  • Geographic risk factors: domicile and operation in high-risk jurisdictions
  • Delivery channel risk: direct vs. intermediary-distributed, digital-only onboarding

The assessment must be reviewed regularly and whenever a material change occurs, including changes to the product range, distribution channels, or customer demographics.

Simplified Due Diligence: When Is It Permitted?

MLR 2017 Regulation 37 permits simplified CDD where the insurer has assessed the risk as low. Group employer pension schemes, certain term life policies, and compulsory occupational insurance may qualify. The insurer must document the low-risk determination and review it periodically.

Insurers on compliance forums frequently ask: "Does a simplified CDD designation mean no documentation at all?" No: it means reduced intensity of verification, not zero verification. The insurer must still collect basic identification and document the rationale for simplified treatment.

Automated KYC for Insurance Companies

Technology-enabled KYC verification allows insurers to handle large policy volumes without proportionally scaling compliance teams. CheckFile's document verification platform supports insurers with multi-layer analysis that combines OCR extraction, metadata validation, and cross-document consistency checks, delivering reliable verification results compatible with fast digital onboarding journeys.

Key operational benefits for insurance compliance teams include:

  • Consistency: every applicant processed through the same rule-set, producing an auditable verification log
  • Speed: verification results available rapidly, compatible with straight-through-processing for standard-risk policies
  • API integration: connect directly to policy administration systems to trigger verification at application stage
  • Audit trail: every check timestamped and stored for the 5-year retention period required by MLR 2017

For integration details and pricing, visit CheckFile pricing.

FCA Enforcement and Penalties

The FCA's financial crime enforcement powers are broad and increasingly exercised against insurers. Under FSMA 2000 section 206, the FCA can impose unlimited financial penalties. Beyond fines, the FCA can:

  • Withdraw or suspend Part 4A permission (authorisation)
  • Impose restrictions on activities
  • Require restitution to customers
  • Pursue criminal prosecution through the Crown Prosecution Service

A compliance team member active on r/compliance noted: "The FCA expects insurers to treat AML risk with the same seriousness as prudential risk; the era of treating it as a checkbox exercise is over." This shift is reflected in the FCA's 2024 Dear CEO Letter to insurers, which specifically called out weaknesses in customer risk profiling and SAR quality.

Frequently Asked Questions

Are general insurance (non-life) companies required to perform KYC?

General insurance (motor, home, liability, commercial) is largely excluded from MLR 2017 customer due diligence requirements because the AML risk is low. Exceptions apply when a specific product has unusual accumulation characteristics or when the insurer also distributes life products. Firms should confirm with their compliance advisers whether any of their product lines fall within scope.

How often must existing policyholder records be refreshed?

No fixed statutory interval exists. Refresh is triggered by: policy change events (top-up, beneficiary change), adverse media alerts, SAR-adjacent activity, or periodic review cycles. Best practice recognised by the FCA is an annual review for high-risk customers and a three-year cycle for standard risk.

What documentation must be retained after a policy ends?

MLR 2017 Regulation 40 requires retention of CDD records for five years from the end of the business relationship (policy termination, death claim, or full surrender). Records must be retrievable promptly for FCA inspection.

Can the MLRO role be outsourced in an insurance company?

No: MLR 2017 Regulation 21 requires the MLRO to be a member of the insurer's senior management. Day-to-day AML screening can be supported by third-party technology, but accountability for the AML programme must remain with an internal nominated officer.

What is the difference between a SAR and a DAML request?

A Suspicious Activity Report (SAR) is a standard disclosure to the NCA. A Defence Against Money Laundering (DAML) request is a specific type of SAR seeking consent to proceed with a transaction that would otherwise constitute tipping-off or an authorised disclosure. Insurers should use DAML when they need to act (e.g., pay out a claim) while a suspicious transaction investigation is pending.
