There is a task sitting inside almost every insurance business that almost nobody talks about at conferences, almost nobody writes about on LinkedIn, and almost nobody has seriously thought about, right up until the moment a regulator or a Lloyd's auditor asks to see the records.
Sanctions screening. The obligation to check every person and every entity you insure against global watchlists (including OFAC, the UN consolidated list, the UK sanctions list, the Australian DFAT list, and, depending on your business, several others) before you bind cover, before you pay any claim or make any other payment, and again at renewal.
It sounds boring and procedural, and it kind of is. But more importantly, it's structural. And the gap between how most insurance businesses handle it and how it should be handled is wider than most compliance officers would be comfortable admitting.
Why this matters more than it used to
Sanctions exposure in insurance is not a theoretical risk. It is a documented, enforcement-tested risk with a track record of significant penalties.
The Lloyd's market has been explicit about this for years. MS11, the Lloyd's Coverholder Compliance Management requirements, establishes that coverholders must have documented procedures for sanctions screening, must be able to demonstrate those procedures to Lloyd's oversight, and must maintain auditable records of checks performed. "We do a manual Google search before binding" does not satisfy that requirement. Neither does "our broker handles it" without documented evidence that the broker's process meets the standard.
In Australia, the autonomous sanctions regime administered by DFAT sits alongside AML/CTF obligations under AUSTRAC. For businesses operating under both Lloyd's and Australian regulatory frameworks, which describes a large proportion of specialist insurers and coverholders in this market, the compliance matrix is genuinely complex. The obligations do not always align neatly. The watchlists you need to screen against are not the same for every risk category. And the documentation standard for demonstrating compliance is higher than most businesses realise until they are asked to produce it.
What most businesses are actually doing
When I started building SanctionsCheck with my co-founders, Dylan and Chad, both engineers with years of insurtech experience who had watched compliance workflows from the inside, the research phase was instructive. We spent time understanding how insurance businesses were handling this obligation in practice, not how they described handling it in their compliance manuals.
The honest picture looked like this.
A significant proportion of smaller coverholders and MGAs were performing manual checks, searching individual names against sanctions lists in Excel sheets downloaded from government portals, one at a time, with no audit trail beyond a note in the file indicating the check had been performed. This is slow, error-prone, and produces records that are difficult to defend under audit because there is no standardised evidence of what was checked, against which list, on which date, with which result.
A second cohort was using general-purpose Know Your Customer (KYC) tools designed for banking and legal services. These tools are competent but poorly calibrated for insurance workflows. They tend to generate high false-positive rates on insurance-relevant names because the matching logic is tuned for the transaction volumes and risk profiles of banking, not the submission and renewal cycles of an MGA. The result is alert fatigue: compliance teams that have cried wolf so many times on false positives that genuine matches start to get waved through.
A third cohort, typically the larger, better-resourced businesses, had enterprise screening solutions priced out of reach for the long tail of coverholders, MGAs, and brokers, who collectively account for a significant portion of the Lloyd's market's compliance exposure.
And a fourth cohort, smaller than the others but not negligible, was doing essentially nothing, with no documentation; screening was happening somewhere, loosely, but the records did not exist in a form that would survive an audit.
What good actually looks like
Good sanctions compliance in the insurance business has four characteristics, all of which are operational rather than philosophical.
It is API-native. The most reliable way to ensure every risk is screened is to make screening a step in the workflow rather than a task someone has to remember. For a coverholder running on any reasonably modern platform, this means integrating a screening API into the quoting and binding process to automatically trigger a check before cover is bound. The result is not just better compliance, it is better records, because the API call generates a timestamped, auditable log of when the check occurred, the result, and which list version was used.
It covers the whole policy lifecycle. Once the API is embedded, it is used at every point where money or cover changes hands, not just at binding. Every mid-term adjustment, every claim submitted, every refund or claim disbursement, and every renewal re-screens the parties in real time against the current version of the sanctions lists, because a name that was clear at inception may have been designated since.
It manages false positives intelligently. The matching problem in sanctions screening is genuinely hard. Common names in some geographies will generate false positives at a rate that makes manual review unsustainable if the threshold is set too low. Good tooling distinguishes between a name match and a confirmed match, provides enough contextual information to make a quick disposition decision, and documents the decision alongside the original alert. The goal is not zero alerts; it is appropriately calibrated alerts with a clear, documented decision pathway.
It produces records that can be audited. This is the test that matters. If Lloyd's oversight asks to see your sanctions screening records for the past twelve months, you should be able to produce, for every risk bound in that period: the name and entity screened, the date and time of the check, the lists screened against, the result, and, if there was a potential match, the disposition decision and the name of the person who made it. If you cannot produce that, your screening process, however thorough it felt at the time, does not meet the standard.
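The four characteristics above describe a pipeline rather than a product, so here is an added example of what that pipeline looks like in code. It is illustrative code written for this page, not SanctionsCheck's implementation and not any vendor's API. The watchlist is a constructed in-memory list with fictional names (not real designations), the `EXAMPLE-CONSOLIDATED` list identifier and the `ALERT_THRESHOLD` value are assumptions, and the similarity scorer is a deliberately simple one from the standard library. What it demonstrates is the shape of the records: every screening pins the list identifier, version and a content hash, distinguishes a scored potential match from a human-confirmed one, stores the disposition and reviewer as their own record, and chains the records by hash so an edited or deleted entry is detectable at audit time.

```python
"""Illustrative screening-plus-audit-trail pipeline (added example; not SanctionsCheck's code)."""
from __future__ import annotations

import hashlib
import json
import re
import unicodedata
from datetime import datetime, timezone
from difflib import SequenceMatcher
from typing import Any

# Constructed sample watchlist: fictional names, NOT real designations. The list
# identifier and version field are assumptions about how a list would be labelled.
SAMPLE_LIST: dict[str, Any] = {
    "list_id": "EXAMPLE-CONSOLIDATED",
    "version": "2024-06-01",
    "entries": [
        {"id": "EX-0001", "name": "Northwind Maritime Holdings Ltd", "type": "entity"},
        {"id": "EX-0002", "name": "Jonathan Smythe", "type": "individual"},
        {"id": "EX-0003", "name": "Smythe, Jon", "type": "individual"},
    ],
}

# Illustrative threshold: a real deployment calibrates this against its own alert history.
ALERT_THRESHOLD = 0.80


def normalise(name: str) -> str:
    """Fold case, strip diacritics and punctuation, collapse whitespace."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(re.sub(r"[^0-9a-z]+", " ", plain.casefold()).split())


def similarity(a: str, b: str) -> float:
    """Best of raw-order and token-sorted ratios, so 'Smythe, Jon' still hits 'Jon Smythe'."""
    na, nb = normalise(a), normalise(b)
    sorted_a, sorted_b = " ".join(sorted(na.split())), " ".join(sorted(nb.split()))
    return max(SequenceMatcher(None, na, nb).ratio(),
               SequenceMatcher(None, sorted_a, sorted_b).ratio())


def list_fingerprint(watchlist: dict[str, Any]) -> str:
    """SHA-256 over canonical JSON of the entries, so a record pins the exact list content screened."""
    canonical = json.dumps(watchlist["entries"], sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class AuditLog:
    """Append-only, hash-chained log: every record carries the hash of its predecessor."""

    def __init__(self) -> None:
        self.records: list[dict[str, Any]] = []

    def append(self, payload: dict[str, Any]) -> dict[str, Any]:
        prev = self.records[-1]["record_hash"] if self.records else "0" * 64
        record = {"seq": len(self.records), "at": datetime.now(timezone.utc).isoformat(),
                  "prev_hash": prev, **payload}
        body = json.dumps(record, sort_keys=True, separators=(",", ":"))
        record["record_hash"] = hashlib.sha256(body.encode()).hexdigest()
        self.records.append(record)
        return record

    def verify(self) -> bool:
        """Recompute the chain; any edited or removed record breaks it."""
        prev = "0" * 64
        for rec in self.records:
            if rec["prev_hash"] != prev:
                return False
            body = {k: v for k, v in rec.items() if k != "record_hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()
            if digest != rec["record_hash"]:
                return False
            prev = rec["record_hash"]
        return True


def screen(log: AuditLog, subject: str, watchlist: dict[str, Any] = SAMPLE_LIST,
           event: str = "bind") -> dict[str, Any]:
    """Score the subject against every entry and write one screening record, alerts included."""
    scored = [{"entry_id": e["id"], "listed_name": e["name"], "score": round(similarity(subject, e["name"]), 3)}
              for e in watchlist["entries"]]
    alerts = sorted((a for a in scored if a["score"] >= ALERT_THRESHOLD), key=lambda a: -a["score"])
    return log.append({
        "kind": "screening", "event": event, "subject": subject, "subject_normalised": normalise(subject),
        "list_id": watchlist["list_id"], "list_version": watchlist["version"],
        "list_sha256": list_fingerprint(watchlist), "threshold": ALERT_THRESHOLD,
        "result": "potential_match" if alerts else "clear", "alerts": alerts,
    })


def dispose(log: AuditLog, screening: dict[str, Any], decision: str, reviewer: str, reason: str) -> dict[str, Any]:
    """Record the human decision as its own chained record; the original alert is never edited."""
    if screening["result"] != "potential_match":
        raise ValueError("only potential matches need a disposition")
    if decision not in {"false_positive", "true_match"}:
        raise ValueError("decision must be false_positive or true_match")
    return log.append({"kind": "disposition", "screening_hash": screening["record_hash"],
                       "decision": decision, "reviewer": reviewer, "reason": reason})


def undisposed_alerts(log: AuditLog) -> list[dict[str, Any]]:
    """Potential matches with no disposition record: the gap an auditor will ask about first."""
    disposed = {r["screening_hash"] for r in log.records if r["kind"] == "disposition"}
    return [r for r in log.records
            if r["kind"] == "screening" and r["result"] == "potential_match" and r["record_hash"] not in disposed]


if __name__ == "__main__":
    log = AuditLog()
    clear = screen(log, "Contoso Bakery Pty Ltd")
    hit = screen(log, "Jon Smythe", event="renewal")
    print(clear["result"], hit["result"], [a["entry_id"] for a in hit["alerts"]])
    dispose(log, hit, "false_positive", "a.reviewer", "different date of birth on the submission")
    print("open alerts:", len(undisposed_alerts(log)), "chain intact:", log.verify())
```

Two design choices matter more than the scorer. A disposition is appended as a separate record that references the screening record's hash, so the alert and the decision are both preserved exactly as they were made; and `undisposed_alerts` is the query an oversight review effectively runs, so it should be something the business can run on itself before the auditor does. In production the list fingerprint would be taken over the file as downloaded from the issuing authority, and the log would live in append-only storage rather than a Python list.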
The moat
Here is the strategic argument, stated plainly.
In a competitive market for specialist insurance placement, compliance infrastructure is increasingly a differentiator. Lloyd's syndicates and capacity providers are under greater scrutiny than at any point in the past decade. The oversight function is asking harder questions. The expectation that coverholders can demonstrate robust compliance processes, not just describe them, is rising.
A coverholder that can show auditable, API-generated screening records for every risk bound in the past three years is in a materially different position in a Lloyd's audit than one that cannot. That difference is not just compliance risk management. It is competitive positioning. Capacity providers choose partners partly on the basis of operational quality. Compliance infrastructure is part of operational quality.
This is the moat. Not the screening itself, that is table stakes. The moat is the documented, auditable, systematic process that makes the screening visible and defensible. Building that process is not expensive. But it requires deciding to build it, rather than continuing to treat it as a task instead of a system.
The businesses that have built it are harder to displace from their capacity relationships. The businesses that have not are carrying risk they have not fully priced.
A practical starting point
If you are running a coverholder, MGA, or brokerage and your current process involves manual checks, spreadsheet records, or general-purpose banking AML tools, the remediation path is straightforward.
Map your current workflow: where in the binding, claims and renewal process should a check occur? What information is available at that point: name, entity, jurisdiction, ownership structure? That determines what you need to screen and in what format.
Then assess your tooling against that workflow. The right solution is not the most expensive or the most feature-rich. It is the one that integrates cleanly into how your business actually binds cover, generates records in a format you can produce under audit, and is calibrated for insurance risk profiles rather than banking transaction volumes.
SanctionsCheck was built specifically for this problem, by insurance people, for insurance workflows, at a price point accessible to the businesses that need it most. API-first, audit ready, insurance-calibrated. If you are thinking through your screening infrastructure, it is worth a look: sanctionscheck.co
The obligation is not going away. The audit standard is rising. The gap between where most businesses are and where they need to be is closeable, but it requires treating this as a system, not a task.