  • 2. Sanctions Compliance Program

    LFIs should take appropriate steps to develop, implement and regularly update an appropriate Sanctions Compliance Program (SCP) in order to fulfil their obligation to comply with the provisions of the Cabinet Decision 74 as well as with the directives of the relevant competent authorities and supervisory authorities in regard to sanctions issued by the UNSC. An appropriate SCP also assists LFIs to manage their exposure to the risks associated with international financial sanctions programs and restrictive measures implemented by other countries.

    LFIs should design and update their SCP so that its scope is proportionate to the level of their risk profile, tailored to their nature, scale, and complexity, appropriate for the products and services they offer, the customers, clients, and partner relationships they maintain, and the geographic regions in which they operate. LFIs should ensure the SCP includes the eight (8) essential components: senior management commitment, risk assessment, sanctions risk appetite, internal controls, policies and procedures, training, independent audit and testing of processes and systems, and record keeping.

    • 2.1. Senior Management Commitment

      Senior management is defined broadly to include senior leadership, executives, and the board of directors. Senior management’s commitment to, and support of, the LFI’s SCP is one of the most important factors in determining its success. In order to facilitate effective senior management commitment, an LFI should:

       • Ensure that senior management has reviewed and approved the organization’s SCP.
       • Ensure that senior management has reviewed and approved the methodology used for undertaking the risk assessment and reviewed and approved the LFI’s risk assessments at least on an annual basis.
       • Clearly designate the personnel responsible for ensuring proper implementation of the SCP, including day-to-day operations, and compliance with statutory obligations. These personnel should have the appropriate competencies and experience, or be appropriately trained, to perform the duties and responsibilities associated with this role, have sufficient seniority, and be delegated sufficient authority and autonomy in order to discharge the LFI’s responsibilities. The personnel may have other responsibilities in the LFI, provided that these responsibilities do not conflict with their role in implementing the SCP. For example, large LFIs may choose to hire a dedicated sanctions compliance officer, while smaller LFIs may choose a specific officer or manager currently working at the LFI to be responsible for the SCP in addition to their other duties.
       • Ensure the existence of direct reporting lines between the personnel responsible for the SCP and senior management to facilitate the escalation of financial sanctions issues, including regular and periodic meetings.
       • Ensure that the SCP is fully integrated into the organization’s daily operations and allocated adequate resources in the form of human capital, expertise, information technology, and other resources as appropriate.
       • Recognize compliance failings and implement necessary measures to reduce future incidents, including through addressing root causes and implementing systemic solutions.
    • 2.2. Risk Assessment

      LFIs should take appropriate steps to conduct a regular and updated risk assessment to identify, understand, assess, monitor, and manage their risks in line with their business nature and size. While there is no “one-size-fits-all” risk assessment, the assessment exercise should generally consist of a holistic review of the LFI from top to bottom and assess its touchpoints to the outside world where the LFI may potentially, directly or indirectly, be exposed to sanctioned parties or transactions. In most cases, LFIs should consider performing such risk assessments annually; however, assessments that are more frequent or less frequent may be justified, depending on the particular circumstances. These may include a change to the LFI risk profile, regulatory or law enforcement advisories, or global trends in terrorism financing (“TF”) and the financing of proliferation of weapons of mass destruction (“PF”).

       • In determining potential risks, LFIs should take into account, to the extent relevant, any vulnerabilities relating to:
        ◦ its customers, supply chain, intermediaries, and counterparties;
        ◦ its products and services, including how and where such items fit into other financial or commercial products, services, networks, or systems;
        ◦ the geographic locations of the organization, as well as its customers, supply chain, intermediaries, and counterparties;
        ◦ its distribution channels and business partners;
        ◦ the complexity and volume of its transactions;
        ◦ the development of new products and business practices including new delivery mechanisms, channels, and partners; and
        ◦ the use of new or developing technologies for both new and pre-existing products and services.
       • LFIs should document risk assessment operations, keep them up to date on an ongoing basis, and make them available upon request.
       • The results of a risk assessment are integral to informing the SCP’s policies, procedures, internal controls, and training in order to effectively mitigate risks.
       • LFIs should develop and thoroughly document their risk assessment methodologies to identify, analyze, and address relevant risks. The methodologies should reflect the conduct and root cause of any violations or systemic deficiencies identified.
    • 2.3. Sanctions Risk Appetite

      LFIs should develop and maintain a comprehensive written sanctions risk appetite approved by the LFI’s senior management and embedded through policies, procedures, and screening systems parameterization.

       • The sanctions risk appetite should specify which sanctions regimes are applicable to the LFI (for example UNSCR, OFAC, EU, UK etc.).
       • LFIs should specify their policy on the treatment of interests, properties, assets, or entities that are owned or controlled 50% or more by a Listed Person.
       • LFIs should specify their approach to mitigating the risk of breaching unilateral sanctions, especially in the context of sanctions that may have extra-territorial implications or where the Listed Persons may or may not have a presence in the UAE (for example secondary sanctions by OFAC).
       • LFIs should specify their approach to screening alias names such as one-word synonyms, vessel names, or paper-based instruments.
       • LFIs should identify and document any exceptions to sanctions risk appetite or deviations from their policies and procedures; these should be approved by senior management.

      For more details and information, please refer to Annex 2 for related Lessons learned from CBUAE Supervision.

    • 2.4. Internal Controls

      Internal controls are the mechanisms, rules, and procedures implemented to help ensure the integrity and effectiveness of an LFI’s SCP. As required by Cabinet Decision 74, LFIs must have appropriate internal controls in place, including the most recent publication of Targeted Financial Sanctions of the UN Consolidated List and the Local Terrorist List. Accordingly, LFIs must maintain strong and clear internal controls that ensure the effective implementation of their SCP, including policies, procedures, processes, and systems.

       • LFIs should document how their processes and systems are configured in order to demonstrate that their configuration is reasonably expected to detect and manage the specific sanctions risks to which the LFI is exposed and ensure transparency of any system limitations or risk-based decisions that the screening controls are not designed to detect. [4]
       • LFIs should establish a mechanism to ensure that, upon learning of a weakness pertaining to its SCP compliance, immediate and effective action is taken to identify compliance gaps and their root causes, including all program-related software, systems, and other technology, and remediate them by implementing systemic solutions to reduce the chances of future failures.

      [4] See https://www.wolfsberg-principles.com/sites/default/files/wb/pdfs/Wolfsberg%20Guidance%20on%20Sanctions%20Screening.pdf

    • 2.5. Policies and Procedures

      LFIs should develop and maintain clear and comprehensive written policies and procedures to enable them to manage and mitigate the sanctions risks they have identified, commensurate with the nature and size of their business.

       • LFIs should ensure that policies and procedures are approved by senior management and that they:
        ◦ Enable the LFI to clearly and effectively identify, prevent, escalate, and report suspicious transactions and activities;
        ◦ Are tailored to the organization and capture the organization’s day-to-day operations and processes;
        ◦ Are easy to follow and designed to prevent employees from engaging in misconduct;
        ◦ Prohibit employees from, directly or indirectly, informing the customer or any third party that freezing or any Other Measures shall be implemented;
        ◦ Require enhanced due diligence to be conducted on all customers and transactions that are assessed to be high-risk for TF and PF; and
        ◦ Contain sufficient detail of their record keeping obligations.
       • LFIs should ensure the effective and consistent implementation of the policies and procedures related to the SCP across their organizations, including branches, Subsidiaries, and other entities in which LFIs hold a majority interest.
       • LFIs should clearly communicate the SCP’s policies and procedures, including for record keeping, to all relevant employees and external or outsourced service providers.
       • LFIs should review and update policies and procedures in a timely manner in response to events or emerging risks and ensure that such updates are communicated to employees on a timely basis.
       • LFIs should implement a formal review process at least annually of the policies and procedures at appropriate levels subject to approval where changes are material.
       • LFIs should identify and document any exceptions or deviations from the policies and procedures related to the SCP; these should be approved by senior management.
    • 2.6. Training

      The maintenance and implementation of an effective SCP requires that all relevant employees and management understand requirements and obligations, policies and procedures, internal control mechanisms, and threats, risks, and vulnerabilities. A robust training program is an integral component of an effective SCP. A training program should:

       • Be of a scope and nature proportionate to the LFI’s overall risk profile;
       • Be specific to the role carried out by the employee, with tailored training for employees engaged in sensitive roles;
       • Provide training to all appropriate employees and personnel upon onboarding in a timely manner and at least annually thereafter;
       • Hold employees accountable for training through assessments;
       • Include measures to take immediate and effective action to provide corrective training or other corrective actions to relevant personnel upon learning of a confirmed negative risk assessment result or audit finding, or other deficiency pertaining to the SCP.
    • 2.7. Independent Audit and Testing of Processes and Systems

      Independent audit helps the LFI assess the effectiveness of current processes, including by assessing the sufficiency of the program and by checking for any inconsistencies between the policy and procedures and day-to-day operations in order to identify SCP weaknesses and deficiencies. Independent audits should:

       • Be undertaken regularly to review and assess the effectiveness of the financial sanctions policies, procedures, systems and controls, and their compliance with the LFI’s obligations;
       • Be undertaken by the internal audit function, or by a competent independent external auditor, or both, and resourced with skilled and competent staff that understand the SCP of the LFI; and
       • Be commensurate to the level and sophistication of the SCP and updated to account for changing risk assessments or sanctions environments.

      LFIs should ensure that the audit function is independent of the audited activities and functions, and has sufficient authority, skills, expertise, and resources within the organization. LFIs should immediately address negative audit findings and take the necessary steps to identify and implement compensating controls until the root cause is remediated.

      In addition, LFIs should deploy an independent risk-based testing regime to regularly test their processes’ and systems’ adequacy and expected outcomes, as well as to assess their effectiveness in managing the specific risks articulated in the risk assessment. Regular testing of processes and systems ensures that the screening application generates expected alerts, threshold settings and/or screening rules to forgo or suppress undesirable alerts in accordance with the LFI’s risk appetite. Regular testing should be supported by metrics, analysis, and reporting, and be reviewed by the personnel responsible for the SCP to determine whether risk acceptance or remediation is appropriate with respect to any relevant findings. Regular testing could be undertaken by the internal audit function, or by a competent external provider, or both.

    • 2.8. Record Keeping

      According to the AML-CFT Law and the AML-CFT Decision, LFIs must maintain detailed records associated with their ML/FT risk assessment and mitigation measures as well as all records, documents, data and statistics for all financial transactions, all records obtained through CDD measures for both the originators and the beneficiaries, account files and business correspondence, and copies of personal identification documents, including STRs and results of any analysis performed. LFIs must maintain the records in an organized manner so as to permit data analysis and the tracking of financial transactions. Records should be sufficient to permit reconstruction of individual transactions so as to provide, if necessary, evidence for prosecution of criminal activity. LFIs must make the records available to the competent authorities immediately upon request.

      The statutory retention period for all records is at least five (5) years, from the date of completion of the transaction or termination of the business relationship, or from the date of completion of the inspection by the CBUAE, or from the date of issuance of a final judgment of the competent judicial authorities, all depending on the circumstances.