  • 4.4. Customer Due Diligence

    The goal of the CDD process is to ensure that LEH understand who their customer is and the purpose for which the customer will use the LEH’s services. Where a LEH cannot satisfy itself that it understands a customer, then it must not accept the customer. If there is an existing business relationship, the LEH should not continue it. LEH should also consider filing an STR, SAR or other report types to the FIU as discussed in section 5 below. This guidance is not an exhaustive list of CDD obligations and LEH should consult the legal and regulatory framework in force in the UAE for the measures to be taken.

    Under Article 8 of the AML-CFT Decision, LEHs are required to identify and verify the identity of all customers. In particular, when verifying the Emirates ID card (either physically or by way of digital or e-KYC solutions) the LEH must use the online validation gateway of the Federal Authority for Identity & Citizenship, the UAE-Pass Application, or other UAE Government supported solutions, and keep a copy of the Emirates ID and its digital verification record. Where acceptable IDs other than the Emirates ID are used in the KYC process, a copy must be physically obtained from the original ID and certified as “Original Sighted and Verified” by the employee who carries out the CDD process.

    As required by Paragraph 16.7 of the Standards, LEH must implement a strong Know Your Customer (“KYC”) process that is based on clear and comprehensive written policies and procedures. Implementation of an effective KYC process is an essential cornerstone of a LEH’s AML/CFT Program and is necessary in order to:

     Understand who LEH’s customers and counterparties are.
     Detect suspicious activity or transactions in a timely manner.
     Promote safe and sound business practices.
     Minimize the risk that the LEH is abused by illicit actors.
     Reduce the risk of processing transactions when the customer is involved in criminal activity.
     Protect the reputation of the LEH.
     Comply with statutory obligations.
     

    The KYC process must be risk-based and, as such, the KYC measures applied must be commensurate with the ML/FT risks associated with their customers or transactions. Accordingly, Paragraph 16.7.3 of the Standards requires three types of KYC processes that must be applied depending on the customer’s risk and the nature of the transaction and customer. These are:

     Customer Identification (CID);
     Customer Due Diligence (CDD); and
     Enhanced Due Diligence (EDD).
     

    Please refer to the table below for when to use each KYC measure, and refer to the respective paragraphs in the Standards for the detailed requirements:

    | Customer Type | Customer Activity | Value of Transaction | Preventive Measure Required | Paragraph in the Standards, Version 1.20 |
    |---|---|---|---|---|
    | Natural Persons | Currency Exchange | Equal to or greater than AED 3,500 and less than AED 35,000 | CID | 16.8 |
    | Natural Persons | Currency Exchange | Equal to or greater than AED 35,000 and less than AED 55,000 within a 90-day period | CID and CDD | 16.8, 16.9 |
    | Natural Persons | Currency Exchange | Equal to or greater than AED 55,000 within a 90-day period | CID, CDD, and EDD | 16.8, 16.9, 16.10 |
    | Natural Persons | Money Transfer | Any value less than AED 55,000 | CID and CDD | 16.8, 16.9 |
    | Natural Persons | Money Transfer | Equal to or greater than AED 55,000 within a 45-day period | CID, CDD, and EDD | 16.8, 16.9, 16.10 |
    | All Legal Persons or Arrangements | Any Activity | Any Value | CDD and EDD | 16.11 |
    | Counterparty Relationships | Any Activity | Any Value | CDD and EDD | 16.11.8 to 16.11.12, 16.11.2 |
    | PEPs | Any Activity | Any Value | CID, CDD, and EDD | 16.13 |
    | DNFBPs/DPMS | Any Activity | Any Value | CID (if the customer is a natural person), CDD, and EDD | 16.14/16.15 |
    | High-Risk Natural Persons | Any Activity | Any Value | CID, CDD, and EDD | 16.16, 16.8, 16.9, 16.10 |
    | High-Risk circumstances | Any Activity | Any Value | CID (if the customer is a natural person), CDD, and EDD | 16.16, 16.8, 16.9, 16.10/11 |
    | Third Party Transactions | Any Activity | Any Value | CID (if the customer is a natural person), CDD, and EDD | 16.20, 16.8, 16.9, 16.10/11 |

    • 4.4.1. Ongoing Monitoring

      Under Article 7 of the AML-CFT Decision, LEH are required to ensure that the documents, data or information obtained under CDD measures are up-to-date and appropriate by reviewing the records, particularly those of high-risk customer categories. Ongoing monitoring allows the LEH to ensure that the Exchange Business is being used in accordance with the customer or relationship profile developed through KYC during onboarding, and that transactions are normal, reasonable, and legitimate.

      As per Paragraphs 16.9.11 and 16.11.7 of the Standards, where the customer is a natural person (when CDD must be applied) or a legal person or arrangement, the customer profile must be reviewed and updated either annually, or at least upon the expiry of the ID, the trade license or the ID of any person authorized to make transactions on behalf of the customer, whichever comes first. At this time, the LEH must conduct ongoing monitoring on the customer which must consist of the following:

       The original ID must be verified (in accordance with Paragraphs 16.8.3, 16.9.6 and 16.9.7) and its copy must be held in the records during the review of a customer profile;
       CDD (and, where appropriate, EDD) must be repeated and the customer profile updated, including the information required under Paragraph 16.9.4 or 16.11.2 of this Chapter.
       CDD and EDD must also be repeated whenever there is a change in the profile of the customer;
       LEH must scrutinize the transactions concluded by a customer to ensure that transactions are consistent with its knowledge of the customer, the customer’s business, risk profile, the source of funds and where necessary, source of the customer’s wealth; and
       LEH must review transaction monitoring results for the customer to determine whether any STR/SARs or other reports have been filed or whether the customer’s behavior has generated alerts.
       

      Unless otherwise required, such as in the cases mentioned above, LEH should update the KYC information on customers and counterparties on a risk-based schedule, with KYC on higher-risk customers being updated more frequently. KYC updates should include a refresh of all elements of initial KYC, and in particular must ascertain whether:

       The customer/counterparty’s beneficial owners remain the same.
       The customer continues to have an active status with the LEH Point of Sale system.
       The customer/counterparty is domiciled in the same jurisdiction.
       The customer/counterparty is engaged in the same type of business, and in the same geographies.
       The customer/counterparty’s transactions continue to fit its profile and business, and are consistent with the business the customer expected to engage in when the business relationship was established, or the business that the LEH expected to engage in when it established the counterparty relationship.
       

      If any of the above characteristics have changed, the LEH should risk-rate the customer/counterparty again.

      Furthermore, LEH should conduct EDD when the revised risk rating demands it or if the customer/counterparty’s history of transactions is not consistent with its profile and the expectations established at account opening. In particular, if the customer/counterparty’s transactions/behavior have resulted in the filing of an STR/SAR with the FIU, the LEH should review the customer/counterparty profile and the activity that led to the report and make a determination as to whether the risk rating should be raised or the relationship should be terminated. LEH may consider requiring that the customer/counterparty update them as to any changes in its beneficial ownership. Even if this requirement is in place, however, LEH must not rely on the customer/counterparty to notify it of a change, but must still update KYC on a schedule appropriate to the customer’s risk rating.