Álex Rio: "The only way to truly know who we are dealing with is through a robust KYC process"

Álex Río is a seasoned compliance professional specializing in Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) within the insurance sector. As an AML/CTF Expert, he brings a nuanced understanding of risk management, regulatory compliance, and the critical role of Know Your Customer (KYC) processes.

With a background transitioning from banking to insurance, Río offers unique insights into the evolving landscape of financial compliance. He emphasizes that "KYC is essential—the only way to truly understand who we are dealing with is through a robust verification process."

In this interview, Río provides a comprehensive view of how insurance companies can navigate complex regulatory environments, leverage technological innovations, and maintain a delicate balance between rigorous compliance and optimal customer experience.

Question: How would you define the critical role of KYC and AML in protecting the integrity of the insurance sector?

Answer: Not just for insurers but for any obligated entity, KYC is essential. Why? What distinguishes a regular customer from one with a history of illicit activity is our knowledge of them. The only way to truly understand who we are dealing with is through a robust KYC process.

Let’s say it is of utmost importance. It is our point of contact with the customer and where we gather all the necessary information to cross-check against lists, perform screenings in external and internal databases, and consult public sources.

If it’s not the most important element, it is undoubtedly one of the most crucial within the framework of anti-money laundering (AML) prevention.

Q: What specific risks do these processes mitigate for an insurance company?

A: Beyond regulatory risk, which must always be kept in mind, these processes achieve several goals:

• Ensuring that the person initiating a business relationship is indeed who they claim to be, which is essential.
• Clearly identifying risks through a strong KYC process. If these risks are tolerable, they should also be mitigable.

Additionally, if we thoroughly understand the person we are engaging with, we can obtain critical information from external sources to mitigate significant AML/CFT (Counter Financing of Terrorism) risks—such as connections to terrorist organizations or money laundering offenses—if the client has such a history.

KYC allows us to mitigate that initial risk. Risk mitigation in AML is a continuous process governed by various phases. It’s like meeting someone for the first time—it’s that initial impression.

This is why KYC helps us avoid entering into business relationships with undesirable individuals.

Q: Working with risk profiling strategies is important for you in the insurance sector, isn’t it?

A: Risk profiling within AML prevention is essential—and increasingly so. There are different ways and approaches to handling it. What’s important? Identifying both current and future risks.

Risk is a dynamic scenario and must be accompanied by continuous monitoring and tools to track a client’s activities.

In the insurance sector, touchpoints are fewer compared to banking. A client takes out a policy and typically won’t interact again until renewal, payment, or adjustments to their policy. Unlike banking, where transactions occur constantly, there are fewer opportunities to generate risk scenarios for specific clients.

Q: Is the insurance sector more prone to fraud than other industries?

A: It mainly depends on the company’s exposure to risk and its product portfolio. For example, allowing cash payments for certain products might increase risk. While the potential risk is generally lower than in the banking sector, constant monitoring of all operations is still essential.

The greatest risk in the insurance sector lies in savings and investment products. These products do carry some money laundering risks but are generally not considered high-risk.

For this reason, transaction monitoring is crucial—linked to risk profiles and scenarios where client activities deviate from expected behavior based on their profile.

Additionally, commercial agents—who maintain client contact—play an essential role in ensuring a steady flow of knowledge and information. They truly know the client. However, this must always be supported by tools that enable effective monitoring.

Q: So, corporate compliance culture is important…

A: I wouldn’t say it’s everything—but almost. And not just for mitigating client risks but also for addressing employee-related risks and anti-corruption policies. This aspect is often overlooked when discussing money laundering but is an integral part of compliance and ethical codes.

Especially when dealing with loyal clients, there could be exchanges outside company policies or external agreements. In other words, compliance within corporate culture is indispensable.

For this reason, having a tone from the top approach is crucial. If leadership is committed to compliance, the organization is more likely to develop a strong culture. Without this, there might not even be sufficient resources to promote it effectively.

Q: In case of non-compliance, what consequences would an obligated entity face within the insurance industry?

A: The consequences are the same as for any other obligated entity. Internally, if there’s awareness of compliance issues and things aren’t being done correctly, it must have repercussions—whether through internal management actions or dismissals. It’s a critically important issue.

Externally, we’re talking about reputational damage and fines from regulators. In this highly competitive sector, reputational damage is often the most harmful consequence. Since it’s not quantifiable, its importance tends to be underestimated.

In our industry, we have an indicator called NPS (Net Promoter Score), which measures how likely a customer is to recommend you to others. Reputation plays a key role here.

Q: How have AML regulations in the insurance sector evolved in recent years?

A: Coming from the banking sector, the transition to insurance was a shock due to the stark differences. However, it’s a fascinating industry. While both are obligated entities, they are entirely different.

In my two years in this industry, I’ve seen significant progress, with increasing rigor and depth in controls.

This could also be driven by SEPLAC, the regulatory body in Spain, as well as by the creation of AMLA, a recently established European anti-money laundering body with direct supervisory authority.

Some sectors adopt a compliance-first philosophy, while others reactively follow regulations as circumstances dictate.

I believe regulatory pressure is increasing, and controls are becoming stricter. While we may not match the banking sector’s level of scrutiny, progress is evident. This trend is likely to accelerate in the near future.

Q: This compliance-first philosophy can be a competitive advantage. Do you see it that way as well?

A: It’s a double-edged sword, depending on the sector. You have to consider that being a pioneer carries additional risks, primarily at the commercial level. If you impose more hurdles than your competitors…

For example, in our sector with agents—if they are exclusive agents, they’re like employees. But if they’re tied agents or brokers, imposing greater obstacles when selling products might lead them to prioritize competitors’ products or leave entirely.

For instance, if I ask for 15 requirements and a competitor only asks for 5, given the value of time and the number of policies issued, it’s likely they’ll choose to work with the competitor.

On the other hand, being perceived as a diligent and conscientious company can provide a reputational advantage. However, this is a complex and delicate balance to strike.

Q: What methods do you consider most effective for verifying client identities in insurance?

A: Considering the challenges posed by generative AI technologies, remote identification can become complicated due to issues like impersonation or fake documents. As of today, the safest method is in-person identification, as there’s relatively little doubt that the person is who they claim to be.

That said, remote identification cannot be entirely restricted. However, given the challenges, it should be limited to low-risk products until a strong regulatory framework is in place, as bad actors are always ahead of the curve.

Q: Regulations like eIDAS could solve this problem…

A: Yes, but historically, the insurance sector has been relatively slow to evolve—except for a few cases.

In most instances, implementing these tools is costly and complex.

As of today, these implementations remain challenging.

Q: How do you think artificial intelligence and machine learning technologies can improve KYC and AML processes?

A: It’s probably the most significant revolution since the Industrial Revolution—and we’re just getting started. We haven’t yet seen its full potential. However, it is already proving to be an essential tool, especially in transaction monitoring and risk profiling. In fact, it’s already being applied.

Q: Is it possible to achieve compliance without technology?

A: That’s an interesting question because regulations increasingly rely on IT systems. The regulation itself demands these resources. For small organizations with a limited client base, compliance might be manageable without technology.

However, for medium-to-large organizations, it’s neither feasible nor possible. Managing information—especially processing it to ensure compliance—requires technological tools.

For example, screening can be done manually with a small client base. But if you have millions of clients, everything needs to be digitized.

Q: What indicators do you consider most relevant for assessing money laundering risks in an insurance policy?

A: On one hand, we can rely on an agent’s intuition or instinct when something doesn’t align with what they know about the client. For example, it’s like being in a small town where everyone knows each other—even in larger settings, you can often sense when something seems off.

False positives are common and will likely never disappear entirely.

But that’s just one aspect of assessing clients.

Once intuition is taken into account, IT tools allow us to process data and detect profile discrepancies. For example:

• A very young person with no apparent employment wanting to purchase an expensive investment product raises a red flag.
• A legal entity with a complex structure attempting to obscure ultimate beneficial ownership.
• Adverse news reports.

These are all signs of risk. Everything depends on what we know about the client. That’s why I said at the beginning that KYC is indispensable.

Q: How do you balance the thoroughness of processes with the customer experience?

A: In the insurance sector, this is key due to the difficulty of differentiating products. Sometimes, a customer may not even know enough to distinguish between two competitors.

From their perspective, one company or another, with similar characteristics, might seem identical. Therefore, the customer experience must be as non-invasive as possible. It’s true that past requirements were more limited, but they have grown over time. Today, customers are somewhat “trained” due to the banking sector’s partial role in educating them. Everyone has a bank account and is familiar with these common requirements.

When purchasing an insurance policy, customers already understand these processes. While regulations require processes to be relatively similar across companies, there’s a degree of familiarity that helps streamline interactions.

This is why it’s essential to strike a balance, ensuring that regulatory compliance remains the core focus while minimizing any unnecessary friction for customers. Compliance cannot be compromised, but we must also prioritize a seamless and efficient customer experience.

Q: How do you proceed when you detect a suspicious transaction?

A: An obligated entity like the insurance sector always adheres to the regulator’s guidelines. Reporting suspicious activities is strictly regulated. Typically, we rely on SEPLAC’s best practices guide, which serves as our primary reference for money laundering matters.

The general process is as follows:

• Detection of suspicious activity.
• Analysis and investigation, including gathering information and generating reports.
• If deemed necessary after internal approval, the activity is reported to SEPLAC using Form F19.

To effectively detect and report such activities, having the right tools is essential. Confidentiality is critical—not only ensuring the client doesn’t realize they’re under investigation, which might alter their behavior, but also safeguarding sensitive internal information.

This process is important because reports sent to the regulator always include an evaluation. Maintaining high-quality standards for these reports is a priority, ensuring that every report reflects a valid risk factor and complies with regulatory expectations.

About the Author

Víctor Navarro

Specialist in Digital Identity and Communication

I am Víctor Navarro, with over 15 years of experience in digital marketing and SEO. I am passionate about technology and how it can transform the digital identity sector. At Didit, an artificial intelligence company specialized in identity, I educate and explain how AI can enhance critical processes such as KYC and regulatory compliance. My goal is to humanize the internet in the age of artificial intelligence, offering accessible and efficient solutions for individuals.

"Humanizing the internet in the AI age"

Para consultas profesionales, contacta conmigo en victor.navarro@didit.me