GFSC Fines Utmost £1.96M: What Went Wrong?
Utmost Worldwide Limited was fined £1.96 million by the Guernsey Financial Services Commission (GFSC) in March 2026 after the regulator found serious and systemic financial crime control failings across its life insurance business.
The action also included a £35,000 fine for Chief Executive Officer Leon Steyn and a £10,500 fine for James Alexander Watchorn, the firm’s former Nominated Officer and Deputy Money Laundering Reporting Officer. Watchorn was also prohibited from holding MLRO and MLCO roles for one year and five months.
The case provides a key example of financial crime risk in legacy life insurance books. The GFSC did not treat the failings as isolated errors. It found weaknesses that ran through Utmost’s risk assessment, customer due diligence, source of wealth and source of funds controls, screening, monitoring and suspicious activity escalation. The firm had a large and historically high-risk international client book, but its controls did not give it a current, reliable understanding of who its customers were, where their wealth came from, or whether their risk profile had changed.
What Went Wrong at Utmost Worldwide?
Founded in Guernsey in 1993 as Generali Worldwide Insurance Company Limited, the business was largely built on regular-premium, unit-linked savings products. After Utmost Group bought the company in 2019, it wrote little new business and was left with a sizeable legacy portfolio to oversee.
The GFSC said Utmost’s legacy risk profile was shaped in part by its historic use of brokers that were not regulated for international business, including introducers active in developing and higher-risk jurisdictions. Although the firm stopped writing business through unregulated brokers in 2016, a number of policies from that earlier model remained on its books. In the regulator’s view, that legacy book called for ongoing scrutiny and stronger mitigating controls. The weakness was that Utmost did not fully reflect that risk in practice. While many customers were formally classified as high risk, the firm’s operating model did not always subject them to a level of review and monitoring consistent with that classification.
At one point, Utmost had around 22,500 high-risk clients, yet its review methodology meant that fewer than 3.5% were reviewed each year. Most high-risk relationships were instead revisited only when a defined trigger occurred, such as a policy surrender or a premium increase. Trigger-event reviews are not inherently problematic, but the GFSC found that Utmost placed too much weight on them. In practice, this meant some relationships were left untouched for long periods. Even when a review was triggered, the process did not always refresh source of wealth or source of funds information, pick up adverse media, or close outstanding CDD issues.
Key Areas of Failure
1. High-risk customers were not reviewed properly
Utmost’s approach divided high-risk clients into two broad groups. The largest group, representing about 96% of high-risk clients, had been rated high risk because of jurisdictional factors such as residence or nationality. These clients were generally not placed on an annual review cycle and were instead reviewed when a trigger event occurred.
The GFSC found that this effectively meant the firm treated many high-risk clients no differently from standard or low-risk clients. That was a fundamental weakness. A customer rated high risk because of country exposure still requires enhanced attention, particularly where the relationship is long-running, introduced through intermediaries, and connected to higher-risk jurisdictions.
The smaller high-risk cohort, around 4%, covered customers identified as PEPs, commercially exposed persons or individuals subject to adverse media. Although this group was reviewed annually, the GFSC found that the reviews still fell short. In some cases, source of wealth and source of funds were not properly refreshed, changes in occupation or location were not sufficiently checked, and remediation work was pushed into the future.
In one case, a high-risk client who became a PEP in 2008 was not identified as such until 2021. In another, a PEP review in 2023 relied on source of funds information collected nine years earlier.
2. The firm relied too heavily on trigger events
A central weakness in the case was the firm’s reliance on trigger-event reviews. This meant that the firm waited for specific activity before refreshing its understanding of many customers. The GFSC found real examples of this problem. One high-risk customer taken on in 2007 was not reviewed until 2021, when the firm identified adverse media from 2012 linking the customer to tax evasion allegations. The customer was later cleared, but the firm had not maintained an up-to-date understanding of the relationship. In another case, the firm did not identify a customer’s PEP status for 13 years.
3. Source of wealth and source of funds controls were weak
The GFSC sampled 72 high-risk client files and found that 71 were deficient in some respect in relation to source of wealth or source of funds. For a life insurance business, source of funds and source of wealth are central controls. Regular premiums, premium increases and surrenders can all present financial crime risk. A firm needs to know not only who the customer is, but whether the funds used to pay premiums are consistent with the customer’s profile and whether the stated source of wealth is plausible and corroborated. The regulator found weaknesses from onboarding through to the ongoing life cycle of relationships. Source of funds information was not always corroborated where higher-risk factors were present. It was not always refreshed during periodic or trigger-event reviews.
4. Broker-related CDD fraud was not remediated quickly enough
In 2014, Utmost identified a serious issue involving one of its third-party brokers in South and Central America, where staff had falsified proof-of-address records for some Central American clients. The firm accepted that this carried significant money laundering risk. The initial review identified about 1,900 files requiring remediation. Utmost suspended new business from the broker and set out plans to refresh the affected CDD, including through independent notarisation. The remediation, however, remained incomplete for years. By 2024, around 200 clients whose proof-of-address records were suspected to have been fraudulently altered were still outstanding. The issue showed the risk of relying on intermediary-supplied CDD where the integrity of customer records is in doubt. The GFSC concluded that the firm failed to act with prudence, professional skill and in a manner that would not damage Guernsey’s reputation as an international finance centre.
5. Screening and monitoring did not compensate for weak reviews
The firm’s limited review model placed even more importance on screening. If a firm is not regularly refreshing high-risk customer files, its screening systems must be capable of identifying changes such as PEP status, sanctions exposure or adverse media. The GFSC found repeated weaknesses in Utmost’s screening systems. Concerns had been raised during various regulatory engagements, including around PEP identification, adverse media and sanctions screening. In one example, a client onboarded in 2011 became a PEP in 2018, but the firm did not identify the change until 2023 when the GFSC conducted its own screening check. In another, a client became a PEP in 2008 but was not identified by the firm until a trigger-event review in 2021. Utmost had acknowledged in 2021 that the customer data feeding its screening tools had not been reviewed for two years, and that it had no annual compliance monitoring process to test whether those systems were working effectively.
6. Red flags were not escalated with sufficient seriousness
The GFSC found that the firm’s money laundering controls failed on a number of occasions. One example concerned two high-risk clients taken on in 2012 and linked to a manufacturing business in Asia. Utmost held inconsistent client information, including addresses in Asia, Holland and Spain, as well as different spellings of the clients’ surname. The policy required monthly premiums of around USD1,500, yet in 2021 the clients made eight unsolicited payments within just over a month, worth about USD250,000 in total. Utmost sought an updated source of funds questionnaire, but this was not provided. The clients then asked for the money to be repaid to a different bank account. Although an employee flagged the issue, the concerns were dismissed without evidence of further investigation.
The GFSC identified several red flags: large unsolicited payments, refusal to evidence source of funds, and a request to return money to a different account. Another example involved a high-risk client in a jurisdiction assessed as presenting heightened money laundering risk. The client’s monthly premiums rose from USD10,000 to USD20,000, but Utmost could not corroborate the client’s income or verify the company through an online presence. The same client later made five partial surrenders worth about USD1 million over an 18-month period, despite holding what was intended to be a 25-year savings product. The issue was not whether money laundering had occurred, but whether the firm responded properly to clear red flags.
7. The firm missed the 2019 Handbook transition deadline
Guernsey updated its AML/CFT framework in 2019, including revised Handbook requirements designed to align the jurisdiction with international standards and respond to MONEYVAL recommendations. The transitional provisions required firms to review existing business relationships and bring them into line with the updated Handbook. In Utmost’s case, the GFSC found that the firm was required to review all business relationships by 31 December 2021 but failed to complete that exercise within the required timeframe.
8.Governance and individual accountability
The GFSC’s action against Steyn and Watchorn shows that this was also a governance and individual accountability case.
For Steyn, the GFSC focused on his responsibilities as CEO. It found weaknesses in his oversight of client risk assessment policies and procedures, SAR-related controls, the response to the broker CDD issue, and compliance with the 2019 Handbook transitional provisions. In Watchorn’s case, the regulator found that he had not consistently assessed money laundering red flags with the level of competence and diligence expected of someone acting as Nominated Officer and Deputy MLRO.
Key Lessons for Insurance Firms
1. High-risk means high-risk in practice
Risk ratings must drive the controls applied to a customer relationship. A firm cannot classify large numbers of clients as high risk, then review only a small fraction of them each year. Where jurisdiction, customer profile or product use increases financial crime exposure, firms must be able to show that review frequency, CDD depth and monitoring are genuinely aligned to that risk.
2. Legacy books need active risk management
Older books of business can carry elevated AML risk, particularly where customer information is outdated, intermediaries are no longer active, or historic documentation standards fall short of current expectations. Run-off or low levels of new business do not remove the need for current CDD, clear remediation plans, risk-based prioritisation and senior management oversight.
3. Trigger-event reviews need strong safeguards
Trigger-event reviews can support a risk-based framework, but they should not replace effective ongoing monitoring. Firms relying on event-driven reviews need reliable screening, periodic testing, clear escalation rules and evidence that source of wealth, source of funds and CDD are refreshed when risk requires it.
4. Red flags must be investigated, not rationalised away
Large unexplained payments, refusal to provide source of funds evidence, requests to return funds to a different account, uncorroborated wealth and unusual surrender activity all require proper assessment. A weak explanation should not be accepted simply because there is no adverse screening hit. Clear red flags should be investigated, escalated where appropriate and documented properly.
Remediation Actions
The GFSC acknowledged that the firm has since embarked on a substantial remediation programme, including a new risk assessment methodology, re-rating of clients, and a new one, three and five-year review cycle for high, standard and low-risk relationships respectively.
Conclusion
The Utmost Worldwide enforcement action is a warning for life insurers, wealth firms and any regulated business managing legacy international client books. Financial crime risk does not disappear because a book is old, a policy is inactive, or a customer has been with the firm for years. Legacy relationships still need current CDD, effective monitoring and senior management attention. If you cannot evidence that you understand the risk, you cannot evidence that you control it.
The KYC360 platform is an end-to-end solution offering slicker business processes with a streamlined, automated approach to Know Your Customer (KYC) compliance. This enables our customers to outperform commercially through operational efficiency gains whilst delivering improved customer experience and KYC data quality.
Consolidate your system stack and data vendor relationships with one platform to cover all Onboarding, Screening, Perpetual KYC (pKYC) and CLM tasks, with market-leading data sources pre-integrated under a single license agreement. Live risk scoring and automated data collection enables a shift from periodic to event-driven review, while providing a single actionable picture of real-time risk with all documents and data in one place.