As required by Article 4 of the AML-CFT Decision and Paragraph 16.2 of the Standards, LEH must identify, assess and understand the ML/FT risks associated with their businesses and perform an enterprise wide ML/FT risk assessment on a regular basis. It must develop a risk assessment in order to understand how and to what extent it is vulnerable to ML/FT, and help determine the nature and extent of AML/CFT resources necessary to mitigate and manage that risk.

The risk assessment creates the basis for the LEH’s risk-based approach. LEH may utilize a variety of models or methodologies to analyze their risks. In general, the risk assessment process would entail the following six (6) steps:

The nature and extent of any assessment of ML/FT risks must be appropriate to the nature, size, and complexity of the LEHS business. The risk assessment should cover all relevant factors including but not limited to:

As per Article 4.2 of the AML-CFT Decision as well as Paragraphs 16.2 and 16.3 of the Standards, the senior management of the LEH must be closely engaged in the risk assessment process and take responsibility for conducting an appropriate assessment. It must review and approve at least on an annual basis the LEH’s risk appetite statement, risk assessment methodology, and risk assessment findings. If an initial risk assessment assesses the LEH as higher risk, it may be necessary to conduct a more intensive assessment of certain areas of the LEH’s operations. In assessing ML/FT risks, the LEH must have the following elements in place:

The risk assessment must be regularly updated annually at a minimum as well as in response to major changes in the LEH’s operations. The risk assessment process must also be fully aligned with the LEH’s products, services, customers, and geographic locations, changes in the LEH’s operations, appetite statement, the legal and regulatory framework in force in the UAE, and the guidance issued by the CBUAE. In addition, LEH may consult the the FATF Guidance on the Risk-Based Approach for Money Services Businesses and the Wolfsberg Frequently Asked Questions on Risk Assessments for Money Laundering, Sanctions and Bribery & Corruption for more information on how to plan and perform comprehensive and appropriate risk assessments.³ In tandem, the risk assessment findings should be used to inform the AML/CFT Program policies, procedures, internal controls, and training in order to effectively mitigate risks. The risk assessment should also inform the LEH’s risk-based approach by directing an efficient allocation of AML/CFT risk management resources to the areas of greatest concern. The risk assessment findings should be provided to all business lines across the LEH, its senior management, and relevant employees.

³ Available at: https://www.fatf-gafi.org/media/fatf/documents/reports/Guidance-RBA-money-value-transfer-services.pdf; and https://www.wolfsberg-principles.com/sites/default/files/wb/pdfs/faqs/17.%20Wolfsberg-Risk-Assessment-FAQs-2015.pdf.

As required by Article 4.2.a) of the AML-CFT Decision and Paragraph 16.3 of the Standards, LEH must establish and implement comprehensive and documented AML/CFT policies and procedures to enable them to effectively manage and mitigate the risks they have identified. Under Paragraph 16.3.6 of The Standards, these must be approved by the Manager in Charge, the Compliance Officer, and the Board of Directors (or Owner/Partners where there is no Board of Directors). They must be reviewed and updated annually at a minimum to ensure that they are consistent with statutory obligations and other international best practices, and effective in mitigating existing as well as emerging ML/FT risks as per Paragraph 16.3.7 of the Standards. Policies and procedures should at a minimum:

Policies and procedures should be clearly communicated to all relevant employees. They should be easy to follow and be designed to support the compliant and effective functioning of the AML/CFT program and prevent employees from engaging in misconduct.

The core of an effective risk-based program is an appropriately experienced AML/CFT Compliance Officer who understands the LEH’s risks and obligations and who has the resources and autonomy necessary to ensure that the LEH’s program is effective. As per Article 21 of the AML-CFT Decision and Paragraph 16.4 of the Standards, the LEH must appoint a Compliance Officer who is responsible for day-to-day compliance with the legal and regulatory framework in the UAE and the management of the AML/CFT Program. The role of Compliance Officer must be limited to tasks related to AML/CFT compliance and not be combined with any other functions of the LEH to avoid conflict of interest from multiple roles. Furthermore, as per Paragraphs 16.5 and 6.9.3 of the Standards, the LEH must further appoint an Alternate Compliance Officer to strengthen the AML/CFT Program as well as establish and maintain a Compliance Committee to provide additional oversight of the AML/CFT program. Chapter 6 of the Standards refers to Corporate Governance as the mechanisms and processes by which the LEH is managed, controlled and directed. For more details and information please refer to the relevant section in the Standards.

The goal of the CDD process is to ensure that LEH understand who their customer is and the purpose for which the customer will use the LEH’s services. Where a LEH cannot satisfy itself that it understands a customer, then it must not accept the customer. If there is an existing business relationship, the LEH should not continue it. LEH should also consider filing an STR, SAR or other report types to the FIU as discussed in section 5 below. This guidance is not an exhaustive list of CDD obligations and LEH should consult the legal and regulatory framework in force in the UAE for the measures to be taken.

Under Article 8 of AML-CFT Decision, LEHs are required to identify and verify the identity of all customers. In particular, when verifying the Emirates ID card (either physically or by way of digital or e-KYC solutions) the LEH must use the online validation gateway of the Federal Authority for Identity & Citizenship, the UAE-Pass Application, or other UAE Government supported solutions, and keep a copy of the Emirates ID and its digital verification record. Where acceptable IDs other than the Emirates ID are used in the KYC process, a copy must be physically obtained from the original ID and certified as “Original Sighted and Verified” by the employee who carries out the CDD process.

As required by Paragraph 16.7 of the Standards, LEH must implement a strong Know Your Customer (“KYC”) process that is based on clear and comprehensive written policies and procedures. Implementation of an effective KYC process is an essential cornerstone of a LEH’s AML/CFT Program and is necessary in order to:

The KYC process must be risk-based and, as such, the KYC measures applied must be commensurate with the ML/FT risks associated with their customers or transactions. Accordingly, Paragraph 16.7.3 of the Standards requires three types of KYC processes that must be applied depending on the customer’s risk and the nature of the transaction and customer. These are:

Please refer to the table below on when to use each KYC measure and to refer to the respective paragraphs in the Standards for the detailed requirements:

As required by Article 7 of the AML-CFT Decision and Paragraph 16.24 of the Standards, LEH must continuously monitor all their transactions to ensure that the transactions conducted are consistent with the information they have about the customer, their type of activity and the risks they pose, including, when necessary, the source of funds. Transaction monitoring systems allow the LEH to monitor the transactions made by their customers in real-time and/or on a daily basis. All LEH should have a form of transaction monitoring system in place in order to monitor for any suspicious transactions to and from customers. Failure to have such a system in place may not only cost a LEH its reputation, but also lead to large fines and other penalties.

Transaction monitoring is distinct from the ongoing monitoring discussed in section 4.4.1. Both are required, but the purpose of transaction monitoring is not primarily to update the customer risk profile but to detect and investigate transactions that may need to be reported to the FIU because they are potentially related to illicit activity. While CDD review (as discussed in section 4.4.1) may take place once a year, transaction monitoring occurs in real time and is thus able to support prompt reporting to the FIU after the transaction takes place.

Under Article 4.2 (a) of the AML-CFT Decision and Paragraph 16.24.1 of the Standards, Transaction monitoring must be commensurate with the risk posed by the LEH’s size, scale, complexity, the nature and volume of its Exchange Business, the nature of its customer base, and the geographic areas in which it operates. The transaction monitoring system used by a LEH, whether automated or manual, must be able to flag unusual movements of funds or transactions for further analysis. Rules and parameters must take account of ML/FT typologies in the Exchange Houses sector.

When the monitoring system generates an alert, it must be investigated and either escalated or otherwise dispositioned in a timely fashion in order to support prompt reporting to the FIU. Transaction monitoring systems should create an audit trail of all activity related to alert generation, investigation, and disposition to have a clear understanding of the activity, and potentially report it to the relevant authorities.

For more details and information, please refer to the CBUAE Guidance for Licensed Financial Institutions on Transaction Monitoring Screening and Sanction screening⁹.

⁹ Available at https://www.centralbank.ae/en/cbuae-amlcft.

Article 16.1 of the AML-CFT Law and Article 60 of the AML-CFT Decision require LEH to promptly apply directives issued by the Competent Authorities of the UAE for implementing the decisions issued by the United Nations Security Council under Chapter VII of the Charter of the United Nations (“UN”). In furtherance of this requirement, the Cabinet Decision 74 sets out the legal and regulatory framework in the UAE regarding Targeted Financial Sanctions (“TFS”).

For more information and details on their obligations in relation to their sanctions obligations LEH should consult Paragraph 16.25 of the Standards; the Executive Office of the Committee for Goods and Materials Subjected to Import and Export Control‘s “Guidance on Targeted Financial Sanctions for Financial Institutions and designated non-financial business and professions”; the “CBUAE Guidance for Licensed Financial Institutions on the Implementation of Targeted Financial Sanctions” as well as the “CBUAE Guidance for Licensed Financial institutions on Transaction Monitoring Screening and Sanctions screening”¹¹.

Furthermore, LEH must sign up for the Integrated Enquiries Management System (IEMS) introduced by the FIU to automate and facilitate the execution process of requests for information, implementing decisions of public prosecutions and any other type of ML/FT requests. Via this system, the FIU can make requests to all LFIs simultaneously with the goal of processing requests and providing results to Law Enforcement Agencies more efficiently. For more information, LEH should consult the IEMS User Guide published by FIU¹².

¹¹ Available at: https://www.centralbank.ae/en/cbuae-amlcft
¹² Available at: https://www.uaefiu.gov.ae/media/jtdnttby/integrated-enquiry-management-system.pdf

As per Paragraph 16.23 of the Standards LEH must provide comprehensive AML/CFT compliance training to all employees. The effective application of AML/CFT policies and procedures depends on the employees understanding not only of the processes they are required to follow, but also the risks these processes are designed to mitigate, and the possible consequences of those risks. Employees should remain abreast on an ongoing basis of emerging ML/FT typologies and new internal and external risks. The AML/CFT compliance training should be relevant to the LEH’s ML/FT risks, business activities and up to date with the latest legal and regulatory obligations and internal controls. It should be tailored to particular lines of business within the LEH, equipping employees with a sound understanding of specialized ML/FT risks they are likely to face, and their obligations in relation to those risks and must be provided to all new employees within thirty (30) calendar days from the date of joining. Thereafter, refresher training must be provided to all employees at regular intervals depending on the ML/FT risk exposure of each employee; for example, employees who deal directly with customers, products or services must be trained annually at a minimum. Refresher training must also be provided whenever there are changes in the legal and regulatory framework in force in the UAE or the LEH’s AML policy/procedures. Furthermore, the AML/CFT compliance training should be provided to relevant employees upon learning of a confirmed negative risk assessment result or audit finding, or other deficiency pertaining to the AML/CFT Program. Evidence for all trainings conducted must be retained for inspection by the CBUAE.

The independent audit process helps the LEH assess the effectiveness and adequacy of its current processes, including by assessing the adequacy of the AML/CFT Program and checking for any inconsistencies between the policy and procedures and day-to-day operations in order to identify any weaknesses and deficiencies. Independent auditing must be undertaken regularly to review and assess the effectiveness of the AML/CFT compliance policies, procedures, systems and controls, and their compliance with the LEH’s obligations. As per Paragraph 16.31.1 of the Standards, the Compliance Officer’s function must undergo regular audit by the LEH’s internal audit department. In addition, under Paragraph 16.31.2 of the Standards, “agreed-upon procedures” for the review of the AML/CFT Compliance function must be performed by external auditors annually.

The independent audits, whether internal or external, should be undertaken by skilled and competent auditors. The internal audit department should be resourced with skilled and competent employees that understand the AML/CFT Program of the LEH. The audit should be commensurate to the level and sophistication of the LEH, and be updated to account for changes in risk assessments and the legal and regulatory framework in force in the UAE. The internal audit function should be accountable to the Board of Directors (or the Owner/Partners if there is no Board of Directors), independent of the audited activities and functions, and have sufficient authority, skills, expertise, and resources within the organization.

Under Article 24 of the AML-CFT Decision, LEH must retain all records, documents, data and statistics for all transactions for a minimum period of five (5) years from the date of completion of the transaction or termination of the business relationship or from the closing date of the account. Records must be maintained in an organized manner so as to permit data analysis and, where relevant, the tracking of financial transactions. Records should be sufficient to permit reconstruction of individual transactions so as to provide, if necessary, evidence for prosecution of criminal activity. For more details and information please refer to paragraph 16.29 of the Standards.

As per Paragraphs 8.2 and 16.22 of the Standards, the LEH must implement an appropriate recruitment and Know Your Employee (“KYE”) process for hiring employees and confirm the background of applicants prior to placing them in employment. The level of vetting procedures applied should reflect the ML/FT risks to which individual employees are exposed in their assigned roles. The LEH should be aware of potential conflicts of interest for employees with AML/CFT responsibilities and should act to reduce or manage such conflicts of interest.

Furthermore, under Paragraph 16.28 of the Standards, the LEH must watch out for its employee’s behavior and be aware of possible indicators of illicit behavior displayed by employees, such as: