We have a Universal Password policy with "verify current password"
enabled. Upon login with a password that violates the currently
assigned policy, the user should be prompted to change, but they are not.

Is there something that needs to be set on the client for this to work?

NMAS Authentication is enabled. We are using 4.91 SP2.