Part III—Mitigation of ML/FT Risks
The Elements of an AML/CFT Program
Commonly referred to as the three lines of defense, the basic elements that must be addressed in an AML/CFT program are:
• A system of internal policies, procedures and controls, including an ongoing employee training program (first line of defense);
• A designated compliance function with a compliance officer or money laundering reporting officer (second line of defense); and
• An independent audit function to test the overall effectiveness of the AML program (third line of defense).
In setting up these three lines of defense, FIs can take into account their business nature, size and complexity.
(AML-CFT Law Article 16.1(b), 16.1(d); AML-CFT Decision Articles 4.2, 4.3)
FIs are obliged to take the necessary measures to manage and mitigate the ML/FT risks to which they are exposed. Both the AML-CFT Law and the AML-CFT Decision provide that FIs may utilize a risk-based approach with respect to mitigation of ML/FT risks.
5. Internal Policies, Controls and Procedures
Policies:
Clear and simple high-level statements that are uniform across the entire organization (sets the tone from the top).
Procedures:
Translates the AML/CFT policies into an acceptable and workable practice, tasking the stakeholders with their respective responsibilities.
Controls:
The internal technology or tools the financial institution utilizes to ensure the AML/CFT program is functioning as intended and within predefined parameters.
(AML-CFT Law Article 16.1(d); AML-CFT Decision Articles 4.2(a), 20)
The AML-CFT Law and the AML-CFT Decision require FIs to implement internal policies, controls and procedures that enable them to manage and mitigate the ML/FT risks they have identified in their ML/TF business risk assessment, in keeping with the nature and size of their businesses. Such policies, controls and procedures must be approved by senior management, reviewed for effectiveness and continuously updated, and must apply to all branches, subsidiaries and affiliated entities in which FIs hold a majority interest (see Section 8.3, Group Oversight for more guidance). They must also take into consideration the results of the NRA and Topical Risk Assessments.
Additionally, FIs should ensure that the policies, controls and procedures they implement to manage and mitigate ML/FT risks are reasonable, proportionate to the risks involved, and consistent with the results of their ML/TF business risk assessments.
Such policies, procedures and methodologies should be reasonable and proportionate to the risks involved, and, in formulating them, FIs should consider the results of the NRA and any Topical Risk Assessment as well as their own ML/FT business risk assessment. Commensurate with the nature and size of the FIs’ businesses, the policies, procedures and methodologies should also be documented, approved by senior management, and communicated at the appropriate levels of the organisation.
In developing the internal AML/CFT control systems, FIs should also take into account their IT infrastructure and management information systems capabilities. FIs should consider how well their technical infrastructure, including their data management and management information reporting capabilities, are suited to the ML/FT risk mitigation requirements of the types of customers they deal with, particularly in respect of the size and growth dynamics of their customer base.
The internal policies, controls and procedures that FIs design to prevent, detect and deter ML/FT risks can be categorised broadly as those related to:
• The identification and assessment of ML/FT risks (see Section 4.5, Business-wide Risk Assessment).
• Customer due diligence (CDD), including enhanced due diligence (EDD) and simplified due diligence (SDD) (see Section 6, Customer Due Diligence), including its review and updating, and reliance on third parties in regard to it.
• Customer and transaction monitoring, and the reporting of suspicious transactions (see Section 7, Suspicious Transaction Reporting).
• AML/CFT governance, including compliance staffing and training, senior management responsibilities, and the independent auditing of risk mitigation measures (see Section 8, Governance).
• Record-keeping requirements (see Section 9, Record Keeping).
Guidance in relation to these categories is provided in the above-referenced sections.
6. Customer Due Diligence (CDD)
MAIN ELEMENTS OF A CUSTOMER DUE DILIGENCE PROGRAM
- Customer Identification;
- Profiles;
- Customer Acceptance;
- Risk rating;
- Monitoring;
- Investigation; and
- Documentation.
(AML-CFT Law Article 16.1(b); AML-CFT Decision Articles 4.2(b), 4.3, 5-13, 14, 15, 19, 20.1, 22, 24.2-4, 25, 27, 29.2, 30, 31.1, 35.1-2 and 5, 37.1-2, 44.10, 55.1)
6.1 Risk-Based Application of CDD Measures
The AML-CFT Law implicitly recognises the need for an RBA to customer due diligence measures, by obliging FIs to “take the necessary due diligence measures and procedures and define their scope, taking into account the various risk factors and the results of the national risk assessment….” This principle is further emphasised by the AML-CFT Decision, which explicitly provides for the application of enhanced due diligence (EDD) measures to manage identified high risks (see Section 6.4, Enhanced Due Diligence (EDD) Measures), and of simplified due diligence (SDD) to manage identified low risks in the absence of a suspicion of ML/FT (see Section 6.5, Simplified Due Diligence (SDD) Measures).
FIs are reminded that each customer’s ML/FT risk profile is dynamic and subject to change depending on numerous factors, including (but not limited to) the discovery of new information or a change in behaviour, and the appropriate level of due diligence should be applied in keeping with the specific situation and risk indicators identified. In that regard, FIs should always be prepared to increase the type and level of due diligence exercised on a customer of any ML/FT risk category whenever the circumstances require, including situations in which there are any doubts as to the accuracy or appropriateness of the customer’s originally designated ML/FT risk category. This means that the CDD measures are not to be taken as a static formula; the intensity and depth of the CDD measures should vary with the risk of the customer.
6.1.1. Assessing Customer and Business Relationship Risk
(AML-CFT Law Article 16.1; AML-CFT Decision Article 4.1)
A customer can be anyone who performs a one-off or occasional financial activity or transaction or anyone who establishes an ongoing commercial or financial relationship with the FI.
The accurate assessment of customer or business relationship risk is fundamental to the risk classification of customers and the effective application of appropriate risk-based customer due diligence measures. FIs should take the necessary steps to ensure that their customer or business relationship risk assessment processes are robust and reliable, and that they incorporate the results of the NRA, any Topical Risk Assessment and their own ML/TF business risk assessment, as well as the input of relevant internal stakeholders, including the designated AML/CFT compliance officer.
In assessing customer or business relationship risk, FIs should analyse customers on the basis of the identified risk factors in order to arrive at a risk classification. FIs may utilize different methodologies to accomplish their risk classification, depending on the nature and size of their businesses, and of the risks involved. For example, some entities with smaller or less complex businesses, or with more homogenous customer bases, may elect to assess business relationship risk and assign customer risk classifications on the basis of generic profiles for customers of the same type. Other larger or more complex FIs may elect to assess business relationship risk and assign customer risk classifications using more sophisticated models or scorecards based on weightings of various risk factors.
Regardless of the methodologies they choose, FIs should ensure that their business relationship risk assessment processes and the rationale for their methodologies are well-documented, approved by senior management, and communicated at the appropriate levels of the organisation. They should also decide on policies and procedures related to both the periodic review of their business relationship risk assessment processes, and to the frequency for updating the individual business relationship risk assessments and customer risk classifications produced by them, taking into consideration changes in internal or external factors.
6.1.2 Establishing a Customer Risk Profile
(AML-CFT Decision Articles 7.1, 8.3-4)
FIs should establish a risk profile for their customers, commensurate with the types and levels of risk involved. Such risk profiles allow FIs to compare a customer’s actual activity with the expected activity more effectively, and thus contribute to their capacity to discover unusual circumstances or potentially suspicious transactions.
Where legal persons or legal arrangements are concerned, FIs are obliged to identify any natural person who owns or controls an interest of 25% or more. In order to achieve an effective understanding of the ownership and control structure of a customer that is a legal person or arrangement, FIs should obtain from the customer, and include in the risk profile, a detailed explanation or a company structure chart providing the details of any ownership interests of 25% or more, and tracing them through any intermediate entities (whether legal persons or arrangements, or natural persons who are nominee stakeholders) to the natural persons who ultimately own or control them.
Furthermore, in order to understand the nature of the business of a legal person or Legal Arrangement, FIs should obtain and include in the profile a detailed explanation or company structure chart showing the entity’s internal management structure, identifying the persons holding senior management positions, or other positions of control. They should also obtain information about the legal person’s or arrangement’s majority-owned or controlled operating subsidiaries, including the nature of the business and the operating locations of those subsidiaries.
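The tracing of ownership interests through intermediate entities described above lends itself to a mechanical check. The following is an added example, not part of the guidance or of any FI's own system: the structure chart is constructed sample data, and the method of multiplying percentages along each chain of ownership and summing over all chains is an assumed, commonly used way of arriving at a natural person's cumulative indirect interest. The 25% threshold is the one stated in the guidance. The example also reports any share of the entity that the chart fails to trace to a natural person, since an untraced remainder is a gap in the ownership information that the profile should not leave unexplained.

```python
"""Trace ownership through intermediate entities to the natural persons behind them.

Added example (not from the guidance): the structure chart is constructed sample
data. Multiplying percentages along each chain and summing over chains is an
assumed method of computing indirect interest; the 25% threshold is from the text.
"""
from collections import defaultdict

THRESHOLD = 25.0  # percent, per the guidance

# Constructed sample structure chart: entity -> list of (owner, percent held).
# A name that never appears as a key is treated as a natural person.
# An entity mapped to an empty list is one whose owners were not disclosed.
SAMPLE_CHART = {
    "CustomerCo": [("HoldCo A", 60.0), ("HoldCo B", 30.0), ("Nominee N", 10.0)],
    "HoldCo A": [("Alice", 50.0), ("Bob", 50.0)],
    "HoldCo B": [("Carol", 100.0)],
    "Nominee N": [("Alice", 100.0)],  # nominee shareholding held for Alice
}


def natural_person_interests(chart, entity, max_depth=20):
    """Return {natural person: cumulative % of `entity` owned through any chain}."""
    totals = defaultdict(float)

    def walk(node, share, depth, path):
        if depth > max_depth:
            raise ValueError(f"ownership chain too deep at {node}")
        if node in path:
            raise ValueError(f"circular ownership via {node}")
        for owner, pct in chart.get(node, []):
            effective = share * pct / 100.0  # share of the top entity via this link
            if owner in chart:
                walk(owner, effective, depth + 1, path | {node})
            else:
                totals[owner] += effective

    walk(entity, 100.0, 0, frozenset())
    return dict(totals)


def beneficial_owners(chart, entity, threshold=THRESHOLD):
    """Natural persons whose cumulative interest meets the threshold, largest first."""
    interests = natural_person_interests(chart, entity)
    return sorted(((p, round(v, 2)) for p, v in interests.items() if v >= threshold),
                  key=lambda item: -item[1])


def unexplained_interest(chart, entity):
    """Percentage of the entity not traced to any natural person (a gap in the chart)."""
    return round(100.0 - sum(natural_person_interests(chart, entity).values()), 2)


if __name__ == "__main__":
    print(beneficial_owners(SAMPLE_CHART, "CustomerCo"))
    print("untraced %:", unexplained_interest(SAMPLE_CHART, "CustomerCo"))
```

In the sample, Alice holds only 10% directly through the nominee, yet her cumulative interest (30% via HoldCo A plus 10% via the nominee) is 40%, so she is identified as a Beneficial Owner; a profile that stopped at the first layer of the chart would miss that. Circular or excessively deep structures are rejected rather than silently ignored, since both are themselves reasons to escalate the review.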
FIs are also required to understand the intended purpose and nature of the Business Relationship, and, for legal persons or arrangements, the nature of the customer’s business and its ownership and control structure.
Based on the risk profile, FIs should carry out ongoing due diligence of their Business Relationships, so as to be able to ensure that the transactions conducted are consistent with the information they have about the customer, the type of activity they are engaged in, the risks they entail, and, where necessary, their source of funds.
When dealing with higher-risk or more complex customers, in addition to the type of information referred to above, FIs may obtain and include in the customer’s risk profile more detailed information about their customers’ activities, such as:
• Anticipated size and/or turnover of account balances or transactional activity;
• Expected types and volumes of transactions;
• Known or expected counterparties or third-party intermediaries with whom the customer conducts transactions;
• Known or expected locations related to transactional activity;
• Anticipated timing or seasonality of transactional activity.
Where lower-risk customers are concerned, FIs may consider applying more generic risk profiles in order to compare actual and expected types and levels of activity.
6.2 Circumstances and Timing for Undertaking CDD Measures
(AML-CFT Decision Article 5.1)
Under normal circumstances, FIs are obliged to undertake CDD measures (including verifying the identity of customers, Beneficial Owners, beneficiaries, and controlling persons) either prior to or during the establishment of a Business Relationship or the opening of an account, or prior to the execution of a transaction for a customer with whom there is no Business Relationship. Guidance in regard to these requirements and certain exceptional circumstances provided for in the AML-CFT Decision is provided in the sub-sections below.
6.2.1 Establishment of a Business Relationship
FIs establish a Business Relationship with a customer when they perform any act for, on behalf of, or at the direction or request of the customer, with the anticipation that it will be of an ongoing or recurring nature, whether permanent or temporary. Such acts may include, but are not limited to:
• Assigning an account number or opening an account in the customer’s name;
• Effecting any transaction in the customer’s name or on their behalf, or at the customer’s direction or request for the benefit of someone else;
• Providing any form of tangible or intangible product or service (including but not limited to granting credits, guarantees, or other forms of value) to or on behalf of the customer, or at the customer’s direction or request for the benefit of someone else;
• Signing any form of contract, agreement, letter of intent, memorandum of understanding, or other document with the customer in relation to the performance of a transaction or series of transactions, or to the provision of any form of tangible or intangible product or service as described above;
• Accepting any form of compensation or remuneration (including a promise of future payment) for the provision of tangible or intangible products or services, as described above, from or on behalf of the customer;
• Receiving funds or proceeds of any kind (including those held on a fiduciary basis, for safekeeping, or in escrow) from or on behalf of the customer, whether for their account or for the benefit of someone else;
• Any other act performed by FIs in the course of conducting their ordinary business, when done on behalf of, or at the request or direction of, a customer.
In such cases, and other than in the exceptional circumstances described below (see Section 6.2.3, Exceptional Circumstances), FIs are required to undertake appropriate risk-based CDD measures (see Section 6.3, Customer Due Diligence (CDD) Measures, Section 6.4, Enhanced Due Diligence (EDD) Measures, and Section 6.5, Simplified Due Diligence (SDD) Measures for further guidance).
In addition, CDD needs to be conducted when:
• there is a ML/FT suspicion (see Section 7.2, Identification of Suspicious Transactions);
• there are doubts about the veracity or adequacy of identification data previously obtained with regard to the customer.
Among other things, the CDD measures should include verifying the identity of the customer as well as the Beneficial Owners, beneficiaries, and controlling persons, and understanding the nature of their business and the purpose of the Business Relationship.
6.2.2 Occasional Transactions
During the course of business, FIs may be called upon to perform occasional or non-recurring transactions for customers with whom there is no ongoing account or Business Relationship. Examples of such transactions include, but are not limited to:
• Exchange of currencies;
• Issue or cashing/redemption of traveler’s cheques;
• Transfer of money or other value for a walk-in customer.
On such occasions, and other than in the exceptional circumstances described below (see Section 6.2.3, Exceptional Circumstances), FIs are required to identify the customer and verify the customer’s identity as well as that of the Beneficial Owners, beneficiaries, and controlling persons. Furthermore, FIs are required to undertake appropriate risk-based CDD measures (see Section 6.3, Customer Due Diligence (CDD) Measures, Section 6.4, Enhanced Due Diligence (EDD) Measures, and Section 6.5, Simplified Due Diligence (SDD) Measures for further guidance), including among other things understanding the nature of the customer’s business and the purpose of the transaction, in the cases specified in Article 6 of the AML-CFT Decision, as follows:
• When carrying out occasional transactions in favour of a Customer for amounts equal to or exceeding AED 55,000 (or equivalent in any other currency), whether the transaction is carried out in a single transaction or in several transactions that appear to be linked;
• When carrying out occasional transactions in the form of Wire Transfers for amounts equal to or exceeding AED 3,500 (or equivalent in any other currency) (see Section 6.3.2, CDD Requirements Concerning Wire Transfers);
• When there is a ML/FT suspicion (see Section 7.2, Identification of Suspicious Transactions);
• When there are doubts about the veracity or adequacy of identification data previously obtained with regard to the customer.
Some of the indicators of transactions that may appear to be linked include, but are not limited to the following:
- Multiple transactions with the same or similar customer reference codes;
- Transactions executed sequentially or in close time proximity, and involving the same or related counterparties;
- Multiple transactions attempted by a customer with whom there is no Business Relationship at different branches of the same FI on the same day.
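The thresholds and linkage indicators above can be turned into a screening rule that runs over a day's occasional transactions. The following is an added example, not part of the guidance or of any FI's system: the transaction records are constructed sample data, the field names are assumptions, and the 90-minute window used for "close time proximity" is an assumed tuning value that an FI would set according to its own risk assessment. The AED 55,000 and AED 3,500 thresholds and the three indicators of linked transactions are taken from the text.

```python
"""Flag occasional transactions that trigger CDD under the thresholds in the text.

Added example, not part of the guidance: records are constructed sample data,
field names are assumptions, PROXIMITY is an assumed tuning value. The AED
thresholds and the three linkage indicators come from the guidance.
"""
from datetime import datetime, timedelta
from itertools import combinations

OCCASIONAL_THRESHOLD_AED = 55_000
WIRE_THRESHOLD_AED = 3_500
PROXIMITY = timedelta(minutes=90)  # assumed window for "close time proximity"

# Constructed sample: walk-in customer C-1 splits a 60,000 AED currency exchange
# across two branches on the same day under one reference; C-2 sends a wire;
# C-3 makes two small, unrelated exchanges on different days.
SAMPLE_TXNS = [
    {"id": "T1", "customer": "C-1", "type": "fx", "amount": 30_000,
     "branch": "BR-01", "ts": "2024-03-04T09:10", "ref": "INV-77", "cp": None},
    {"id": "T2", "customer": "C-1", "type": "fx", "amount": 30_000,
     "branch": "BR-07", "ts": "2024-03-04T11:40", "ref": "INV-77", "cp": None},
    {"id": "T3", "customer": "C-2", "type": "wire", "amount": 4_000,
     "branch": "BR-01", "ts": "2024-03-04T12:00", "ref": "W-1", "cp": "ACME"},
    {"id": "T4", "customer": "C-3", "type": "fx", "amount": 2_000,
     "branch": "BR-01", "ts": "2024-03-04T13:00", "ref": "X-1", "cp": None},
    {"id": "T5", "customer": "C-3", "type": "fx", "amount": 2_500,
     "branch": "BR-01", "ts": "2024-03-05T13:00", "ref": "X-2", "cp": None},
]


def _ts(t):
    return datetime.fromisoformat(t["ts"])


def appear_linked(a, b, proximity=PROXIMITY):
    """The three indicators from the guidance, applied to a pair of one customer's transactions."""
    if a["customer"] != b["customer"]:
        return False
    if a["ref"] == b["ref"]:                      # same or similar reference code
        return True
    same_cp = a["cp"] is not None and a["cp"] == b["cp"]
    if same_cp and abs(_ts(a) - _ts(b)) <= proximity:  # close in time, same counterparty
        return True
    # different branches of the same FI on the same day
    return a["branch"] != b["branch"] and _ts(a).date() == _ts(b).date()


def linked_groups(txns):
    """Connected components of the 'appears linked' relation, via union-find."""
    parent = {t["id"]: t["id"] for t in txns}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(txns, 2):
        if appear_linked(a, b):
            parent[find(a["id"])] = find(b["id"])
    groups = {}
    for t in txns:
        groups.setdefault(find(t["id"]), []).append(t)
    return list(groups.values())


def cdd_required(txns):
    """Map transaction id -> reason CDD is required; ids with no trigger are absent."""
    reasons = {}
    for group in linked_groups(txns):
        total = sum(t["amount"] for t in group)
        for t in group:
            if t["type"] == "wire" and t["amount"] >= WIRE_THRESHOLD_AED:
                reasons[t["id"]] = "wire >= 3,500"
            elif t["amount"] >= OCCASIONAL_THRESHOLD_AED:
                reasons[t["id"]] = "single >= 55,000"
            elif len(group) > 1 and total >= OCCASIONAL_THRESHOLD_AED:
                reasons[t["id"]] = f"linked total {total:,} >= 55,000"
    return reasons


if __name__ == "__main__":
    for txn_id, why in sorted(cdd_required(SAMPLE_TXNS).items()):
        print(txn_id, "->", why)
```

Neither T1 nor T2 crosses AED 55,000 on its own; they are caught only because the shared reference code (and the same-day, different-branch pattern) links them into one group whose total does. The linkage test is deliberately pairwise and transitive, so a chain of three or more structured transactions is aggregated even when only neighbouring pairs share an indicator.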
6.2.3 Exceptional Circumstances
(AML-CFT Decision Articles 4.3, 5.1(a)-(c), 10, 11.1(b), 13.2)
From time to time, certain situations may arise which fall outside of the normal course of CDD processes. Under these circumstances, described below, FIs are permitted to handle the timing, customer identification, and other aspects of customer due diligence procedures exceptionally. Specifically:
• When there is no ML/FT suspicion, and the ML/FT risks are identified as low, FIs may complete the verification of the customer’s identity after establishing the Business Relationship under the conditions specified in the relevant provisions of the AML-CFT Decision. In such circumstances, the verification of the identity must be conducted in a timely fashion, and FIs must ensure that they implement appropriate and effective measures to manage and mitigate the risks of crime and of the customer benefiting from the Business Relationship prior to the completion of the verification process. Examples of such measures which FIs may consider taking in this regard are, among others:
- Holding funds in suspense or in escrow until the verification of the identity is completed;
- Making the completion of the verification of the identity a condition precedent to the closing of a transaction.
• In the case of Legal Arrangements, such as Trusts or foundations, or of life insurance policies (including funds-generating transactions, such as life insurance products relating to investments and family Takaful insurance) in which there are beneficiaries who are not named, but instead belong to a designated class of future or contingent beneficiaries, FIs are required to obtain sufficient information about the details of the class of beneficiaries so as to be in a position to establish the identity of each beneficiary at the time of the settlement, pay-out, or exercise of their legally acquired rights. Furthermore, FIs must verify the identity of the beneficiaries at the time of settlement or pay-out and prior to the exercise of any related legally acquired rights. They should also ensure that they implement appropriate and effective measures to manage and mitigate the risks of crime and of the customer benefiting from the Business Relationship prior to the completion of the verification process. Examples of such measures which FIs may consider taking in this regard are, among others:
- Holding funds in suspense or in escrow until the verification of the identity is completed;
- Making the completion of the verification of the identity a condition precedent to the closing of a transaction.
• When a legal entity customer or its controlling stakeholder meets the conditions specified in Article 10.1-2 of the AML-CFT Decision with regard to publicly listed companies (including the condition that information concerning the identity of the shareholders, partners, or Beneficial Owners with an interest of 25% or more is available from reliable sources), FIs are exempted from taking the normally required identity verification measures. In this regard, FIs should ensure that the disclosure and transparency requirements of the regulated stock exchange are at least equivalent to those of the State, and should document the evidence they obtain concerning the relevant disclosure and transparency requirements.
It is important to note that, while FIs are exempted in such situations from identifying and verifying the identity of the shareholders, partners or Beneficial Owners (or in the event that no such person can be identified, of the relevant senior management officers), they are not exempted from ascertaining the identity of senior management.
Examples of reliable information sources in this regard include, but are not limited to:
- Stock exchange disclosure reports or websites;
- Corporate annual reports, websites, or other forms of official public disclosure;
- Official or public registries;
- Credit reporting agencies;
- Recognized, well-established media outlets.
• When FIs suspect that a customer or Beneficial Owner is involved in the commission of a crime related to money laundering, the financing of terrorism, or the financing of illegal organisations, and they have reasonable grounds to believe that undertaking customer due diligence measures would tip off the customer, then they should not apply CDD measures, but should instead report their suspicion to the FIU along with the reasons that prevented them from carrying out the CDD measures.
6.3 Customer Due Diligence (CDD) Measures
The application of risk-based CDD measures is comprised of several components, in keeping with the customer’s ML/FT risk classification and the specific risk indicators that are identified. Generally, these components include, but are not limited to, the following categories:
• Identification of the customer, Beneficial Owners, beneficiaries, and controlling persons; and the verification of their identity on the basis of documents, data or information from reliable and independent sources (see Section 6.3.1, Customer and Beneficial Owner Identification/Verification).
• Screening of the customer, Beneficial Owners, beneficiaries, and controlling persons, to determine whether targeted or other international financial sanctions apply, and, particularly in higher risk situations, to identify any potentially adverse information such as criminal history (see Section 6.4, Enhanced Due Diligence (EDD) Measures).
• Obtaining an understanding of the intended purpose and nature of the Business Relationship, as well as, in the case of legal persons or arrangements, of the nature of the customer’s business and its ownership and control structure (see Section 6.3.3, Establishing a Customer Due Diligence Profile).
• Monitoring and supervision of the Business Relationship, to ensure consistency between the transactions or activities conducted and the information that has been gathered about the customer and their expected behaviour (see Section 6.3.4, Ongoing Monitoring of the Business Relationship).
• Scrutinising transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the FI’s knowledge of the customer, their business and risk profile, including where necessary, the source of funds.
• Ensuring that documents, data or information collected under the CDD process is kept up-to-date and relevant, by undertaking reviews of existing records, particularly for higher risk categories of customers.
In cases involving higher levels of risk, FIs are generally required to exercise enhanced levels of customer due diligence, such as identifying and/or verifying the customer’s source of funds and taking other appropriate risk-mitigation measures (see Section 6.4, Enhanced Due Diligence (EDD) Measures).
As part of their overall AML/CFT framework, FIs should take a risk-based approach in developing their internal CDD policies, procedures and controls. Factors to take into account include:
• The outcomes of the ML/TF business risk assessment;
• Circumstances, timing, and composition in regard to the application of CDD measures;
• Frequency of reviews and updates in relation to CDD information;
• Extent and frequency of ongoing supervision of the Business Relationship and monitoring of transactions in relation to customers to which CDD measures are applied.
Such policies, procedures and methodologies should be reasonable and proportionate to the risks involved, and, in formulating them, supervised institutions should consider the results of both the NRA and any Topical Risk Assessment. Commensurate with the nature and size of the FIs’ businesses, the policies, procedures and methodologies should also be documented, approved by senior management, and communicated at the appropriate levels of the organisation.
Additional guidance related to these and other key aspects of risk-based CDD measures is provided in the following sub-sections.
6.3.1 Customer and Beneficial Owner Identification and Verification of the Identity
(AML-CFT Decision Articles 4.2(b), 3(a), 5.1, 8.1, 9, 10, 11.2, 13.1, 14.2)
Grounded on the principles of “Know Your Customer” and risk-based CDD, the identification and verification of the identity of customers is a fundamental component of an effective ML/FT risk management and mitigation programme. In accordance with Cabinet Resolution no. 58 of 2020 regulating the Beneficial Owner Procedures (the UBO Resolution), FIs are obliged to identify customers, including the Beneficial Owners, beneficiaries, and controlling persons, whether permanent or walk-in, and whether a natural or legal person or Legal Arrangement, and to verify their identity using documents, data or information obtained from reliable and independent sources.
The specific requirements concerning the timing, extent, and methods of identifying and verifying the identity of customers and Beneficial Owners depend in part on the type of customer (whether a natural or legal person) and on the level of risk involved (also see Sections 6.4, Enhanced Due Diligence (EDD) Measures, and 6.5, Simplified Due Diligence (SDD) Measures). Thus, the type and nature of the customer (including Beneficial Owners, beneficiaries, and controlling persons) should be considered as risk factors in determining the type of CDD that should be applied, whether standard CDD, EDD or SDD. However, the core components of a customer’s identification generally remain the same in all cases. They are:
• Personal data, including details such as the name, passport or identity card number, country of issuance, date of issuance and expiry date of the identity card or passport, nationality, date and place of birth (or date and place of establishment or incorporation, in the case of a legal person or arrangement); and
• Principal address, including evidence of the permanent residential address of a natural person, or the registered address of a legal person or arrangement.
In taking adequate CDD measures, FIs are obliged at a minimum to identify and verify the identity of the customer as specified in the relevant articles of the AML-CFT Decision. In fulfilling these requirements, FIs should use a risk-based approach to determine the internal policies, procedures and controls they implement in relation to the identification and verification of customers (including the Beneficial Owners, beneficiaries, and controlling persons). The CDD policies and procedures that FIs apply should be reasonable and proportionate to the risks involved, and, in formulating them, entities should consider the following guiding principles.
In relation to natural persons:
• The verification of a customer’s identity, including their address, should be based on original, official (i.e. government-issued) documents whenever possible. When that is not possible, FIs should augment the number of verifying documents or the amount of information they obtain from different independent sources. In particular, when verifying the UAE ID card, FIs licensed by the Central Bank must use the online validation gateway of the Federal Authority for Identity & Citizenship and keep a copy of the UAE ID and its digital verification. They should also identify the lack of official documents and the use of alternative means of verification as risk factors when assessing the customer’s ML/FT risk classification.
An example of alternative verification means is verification by way of digital identification systems. Such digital identification systems should rely upon technology, adequate governance, processes and procedures that provide appropriate levels of confidence that the system produces accurate results. The FATF Guidance on Digital Identity of March 2020 provides further information on how to make a risk-based determination of whether a particular digital ID system provides an appropriate level of reliability and independence.
• The identification data should include the name, nationality, date of birth and place of birth, and national identification number of a natural person.
• With regard to the identification and verification of the identity of foreign nationals, whether customers or Beneficial Owners, beneficiaries or controlling persons, FIs should take steps to understand and request only those types of identification documents that are legally valid in the relevant jurisdictions. Furthermore, when verifying the identity of foreign nationals associated with high-risk factors, FIs should validate the authenticity of customer identification documents obtained. Some of the methods that FIs may consider in order to do so, commensurate with the nature and size of their businesses, include but are not limited to:
- Relying on information from the relevant foreign embassy or consulate, or the relevant issuing authority;
- Using commercially available applications to validate the information in machine-readable zones (MRZs) or biometric data chips of foreign identification documents.
• The types of address verification that may generally be considered acceptable include, but are not limited to, the following categories of documents issued in the name of the customer:
- Bills or account statements from public utilities, including electricity, water, gas, or telephone line providers;
- Local and national government-issued documents, including municipal tax records;
- Registered property purchase, lease or rental agreements;
- Documents from supervised third-party financial institutions, such as bank statements, credit or debit card statements, or insurance policies.
In situations where natural persons do not have this documentation in their own name, for instance because they share accommodation or do not (yet) have a permanent or own residence, other evidence of address may be used as long as this evidence gives the FI reasonable confidence. Where the FI has determined that an individual has a valid reason for being unable to produce the usual documentation to verify the address and who would otherwise be excluded from establishing a business relationship with the FI, the address can be verified by other means, provided the FI is satisfied that the method employed adequately verifies the address of the natural person and any additional risk has been appropriately mitigated.
This can for instance be evidence of entitlement to a state or local authority-funded benefit, pension, educational or other grant, or a letter from a reputable employer or school stating the address.
In relation to legal persons and legal arrangements:
• In addition to identifying and verifying the identity of customers, Beneficial Owners, beneficiaries, and controlling persons, FIs should verify the identity of any person legally empowered to act or transact business on behalf of the customer, whether the customer is a legal or natural person. Such persons may include:
- Signatories or other authorized persons, or persons with authorised remote access credentials to an account, such as internet or phone banking users; - Parents or legal guardians of a minor child, or legal guardians of a physically or mentally disabled or incapacitated person; - Attorneys or other legal representatives, including liquidators or official receivers of a legal person or arrangement.
In the event that a legally empowered representative is also a legal person or Legal Arrangement, the normal CDD procedures for such entities should be applied.
• When verifying that a person purporting to act on behalf of a customer is so authorised, the following types of documents may generally be considered to be acceptable:
- A legally valid power-of-attorney;
- A properly executed resolution of a legal person’s or Legal Arrangement’s governing board or committee;
- A document from an official registry or other official source, evidencing ownership or the person’s status as an authorised legal representative;
- A court order or other official decision.
• As part of their procedures for identifying and verifying the identity of customers, and for authenticating the original documents upon which the verification is based, FIs should include procedures for the certification of the customer identification and address documentation they obtain. Such procedures may encompass certification by employees of the FI (for example, by including the name, title of position, date and signature of the verifying employee(s) on the copies of documents maintained on file), as well as by reputable third parties (for example, by including the name, organization, title of position, date and signature of the verifying person, along with a statement representing that the copy of the document is a “true copy of the original”). In cases where documents are obtained from foreign sources in countries which are members of The Hague Apostille Convention, consideration should be given to requesting documents certified by Apostille seal.
• Whenever possible, FIs should incorporate a “four-eyes” principle (review by at least two people) into their procedures with regard to the verification of customer identification documentation and other CDD information, as well as with regard to the entry of the relevant data into their information systems.
6.3.2 CDD Measures Concerning Wire Transfers
(AML-CFT Decision Articles 27-30)
Financial institutions are obliged to undertake certain CDD measures concerning wire transfers, as laid out in detail in the above-referenced articles of the AML-CFT Decision. In particular, these measures relate to the identification of the originators and beneficiaries; the maintenance of information in regard to the same; and the implementation of risk-based policies and procedures for handling the disposition of wire transfers and for taking appropriate follow-up action.
The purpose of these measures is to ensure that information on the originator and the beneficiary accompanies (meaning that it is sent at the same time, though not necessarily in the same message) cross-border wire transfers at all stages of their execution where the amount of the transfer of funds equals or exceeds AED 3,500 or the equivalent in any other currency.
The FI of the originator (or payer) shall ensure that the transfer of funds is accompanied by the information on the originator and beneficiary (or payee) as follows:
Information on the originator:
• The name of the originator (in case of natural person – the name and surname);
• The originator’s account number (or in absence thereof the transfer shall be accompanied by a unique transaction reference number);
• The originator’s address, identification document number or customer identification number, and date and place of birth.
Information on the beneficiary:
• The name of the beneficiary (in case of natural person – the name and surname);
• The beneficiary’s account number (or in absence thereof, a unique transaction reference number).
In the case of cross-border wire transfers of less than AED 3,500 or equivalent, it is not required to verify the accuracy of the above-mentioned information, unless there are suspicions of ML or TF.
For domestic wire transfers, too, the FI of the originator shall ensure that the above-mentioned information is included, unless this information can be made available to the FI of the beneficiary by other means.
The FI of the originator shall not execute the transfer if it has not verified the identity of the originator. The FI of the beneficiary shall not credit the beneficiary’s account or make the funds available for the beneficiary if it has not conducted verification of the beneficiary’s identity.
The FI of the beneficiary is required to implement effective procedures to identify received transfers that lack information about the originator and the beneficiary, in real time or as part of the post-event monitoring process. These will include risk-based procedures for determining whether transactions that lack the required information are to be executed, returned, suspended or credited to the account of the beneficiary, as well as procedures for follow-up action on such transfers, including requesting the missing information on the originator and the beneficiary.
An intermediary FI shall ensure that all information about the originator and the beneficiary accompanying a cross-border wire transfer is passed on with it to the beneficiary FI or to the next intermediary provider. Where technical limitations prevent the required information accompanying a cross-border wire transfer from remaining with a related domestic wire transfer, the intermediary FI shall keep a record of all the information received from the ordering FI or from another cross-border intermediary FI.
The intermediary FI is required to implement effective risk-based procedures to identify the received transfers that lack information about the originator and the beneficiary, in real-time or as part of the post-event monitoring process.
The procedures can include defining and documenting specific AML/CFT system parameters (such as transaction value, aggregate transaction amounts at the customer level, customer risk classification, or others) which would trigger an exception to straight-through processing and require manual review and intervention. This will also include procedures for determining when to execute, reject, or suspend a wire transfer lacking required information and the appropriate follow-up action.
Where an FI repeatedly fails to provide the required information on the originator and the beneficiary, the beneficiary’s or intermediary FI, taking into consideration the risks and frequency of the violations by the FI of the originator, shall take steps, which may initially include the issuing of warnings and setting deadlines. These steps can ultimately consist of rejecting any future transactions from the FI or restricting or terminating its business relationship with that FI.
Similar requirements apply to VASPs. Originating VASPs must obtain and hold required and accurate originator information and required beneficiary information on virtual asset transfers, and must submit that information to the beneficiary VASP or FI (if any) immediately and securely. Beneficiary VASPs must obtain and hold required originator information and required and accurate beneficiary information on virtual asset transfers. For the purposes of applying the wire transfer requirements to VASPs, all virtual asset transfers are to be treated as cross-border.
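The beneficiary-side and intermediary-side procedures described above can be expressed as a completeness check that applies the originator and beneficiary data elements, the AED 3,500 cross-border threshold, the "all virtual asset transfers are cross-border" rule, and an escalation ladder for ordering FIs that repeatedly omit information. This is an added example, not code from the guidance; the field names, the reading of the "address, identification document number or customer identification number" element as alternatives, the escalation counts and the sample messages are constructed assumptions.

```python
"""Wire-transfer information completeness check (added example, not guidance text).

Field names, escalation thresholds and the sample messages are constructed
assumptions; amounts are assumed to have been converted to AED already.
"""
from collections import Counter
from dataclasses import dataclass

THRESHOLD_AED = 3500   # cross-border threshold stated in the guidance
WARNING_AFTER = 3      # constructed: failures by one ordering FI before a warning
RESTRICT_AFTER = 6     # constructed: failures before restriction is considered


@dataclass
class Transfer:
    ref: str
    amount_aed: float
    cross_border: bool
    ordering_fi: str
    originator: dict
    beneficiary: dict
    virtual_asset: bool = False


def missing_information(t: Transfer) -> list[str]:
    """Return the required data elements absent from the transfer message."""
    o, b = t.originator, t.beneficiary
    missing = []
    if not o.get("name"):
        missing.append("originator.name")
    # account number, or a unique transaction reference number in its absence
    if not (o.get("account_number") or o.get("transaction_reference")):
        missing.append("originator.account_number|transaction_reference")
    # address, ID document number or customer ID number: one suffices here
    # (this reading of the requirement is an assumption of the example)
    if not (o.get("address") or o.get("id_document_number") or o.get("customer_id_number")):
        missing.append("originator.address|id_document_number|customer_id_number")
    if not (o.get("date_of_birth") and o.get("place_of_birth")):
        missing.append("originator.date_and_place_of_birth")
    if not b.get("name"):
        missing.append("beneficiary.name")
    if not (b.get("account_number") or b.get("transaction_reference")):
        missing.append("beneficiary.account_number|transaction_reference")
    return missing


class InboundScreening:
    """Beneficiary/intermediary-side screening with per-ordering-FI failure history."""

    def __init__(self):
        self.failures = Counter()

    def disposition(self, t: Transfer) -> dict:
        # the guidance treats every virtual asset transfer as cross-border
        cross_border = t.cross_border or t.virtual_asset
        missing = missing_information(t)
        result = {"ref": t.ref, "missing": missing, "counterparty_action": None}
        if not missing:
            result["action"] = "execute"
            return result
        self.failures[t.ordering_fi] += 1
        if cross_border and t.amount_aed >= THRESHOLD_AED:
            # at or above the threshold the information must accompany the
            # transfer: hold the funds and request the missing elements
            result["action"] = "suspend_and_request_information"
        else:
            # below the threshold (or domestic) accuracy need not be verified,
            # so route to risk-based manual review rather than auto-execute
            result["action"] = "manual_review"
        n = self.failures[t.ordering_fi]
        if n >= RESTRICT_AFTER:
            result["counterparty_action"] = "consider_restricting_relationship"
        elif n >= WARNING_AFTER:
            result["counterparty_action"] = "issue_warning_with_deadline"
        return result


# constructed sample messages
COMPLETE_ORIGINATOR = {"name": "Ali Example", "account_number": "ACCT-0001",
                       "address": "Sample Street 1", "date_of_birth": "1980-01-01",
                       "place_of_birth": "Sample City"}
COMPLETE_BENEFICIARY = {"name": "Beta Example", "account_number": "ACCT-0002"}


def demo() -> list[dict]:
    screen = InboundScreening()
    no_dob = {k: v for k, v in COMPLETE_ORIGINATOR.items()
              if k not in ("date_of_birth", "place_of_birth")}
    transfers = [
        Transfer("T1", 10_000, True, "BANK-X", dict(COMPLETE_ORIGINATOR), dict(COMPLETE_BENEFICIARY)),
        Transfer("T2", 10_000, True, "BANK-Y", no_dob, dict(COMPLETE_BENEFICIARY)),   # above threshold
        Transfer("T3", 2_000, True, "BANK-Y", no_dob, dict(COMPLETE_BENEFICIARY)),    # below threshold
        # flagged domestic, but a virtual asset transfer is cross-border by rule
        Transfer("T4", 5_000, False, "VASP-Z", {"name": "Ali Example"}, {"name": "Beta Example"}, virtual_asset=True),
        Transfer("T5", 5_000, True, "BANK-Y", no_dob, dict(COMPLETE_BENEFICIARY)),    # third failure by BANK-Y
    ]
    return [screen.disposition(t) for t in transfers]


if __name__ == "__main__":
    for r in demo():
        print(r)
```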
In addition to the above, as part of their ongoing account monitoring procedures, FIs should also review the purpose of wire transfers, as indicated in their description fields, for potential red-flag indicators (see Section 7.2, Identification of Suspicious Transactions).
6.3.3 CDD Measures Concerning Legal Persons and Arrangements
(AML-CFT Decision Articles 8, 9, 37.1-3)
FIs are obliged to undertake CDD measures concerning legal persons and Legal Arrangements, including identification and verification of the identity of the Beneficial Owners, beneficiaries, and other controlling persons, in accordance with the provisions of the AML-CFT Decision. In fulfilling these requirements, they should take the following guidance into consideration:
• Without prejudice to the provisions of Article 9.1(b) of the AML-CFT Decision, when customers that are legal persons are owned or controlled by other legal persons or Legal Arrangements (for example, when customers are subsidiaries of a parent company or a Trust), FIs should make reasonable efforts to identify and verify the Beneficial Owners by looking through each layer of legal persons or Legal Arrangements (intermediate entities) until the natural persons holding ownership or controlling interests of 25% or more in aggregate are identified. Furthermore, where several legal persons or arrangements hold ownership or controlling interests, even where each legal person or Legal Arrangement owns or controls less than 25%, FIs should consider whether there are indications that the entities may be related by common ownership, which could reach or surpass the Beneficial Ownership threshold of 25% in aggregate.
• When undertaking CDD measures on Legal Arrangements which allow funds or other forms of assets to be added or contributed to the arrangement after the initial settlement and by any persons other than the identified settlor(s), FIs should take the necessary steps to ascertain and verify the identity of the Beneficial Owners, and to understand the nature of their relationship with the Legal Arrangement. For customers that are trusts or other legal arrangements, the FI should verify the identity of beneficial owners, being the settlor, the trustee(s), the protector (if any), the beneficiaries or class of beneficiaries, and any other natural person exercising ultimate effective control over the trust (including through a chain of control/ownership), or equivalent or similar positions for other legal arrangements. For beneficiaries of trusts or other legal arrangements that are designated by characteristics or by class, the FI should obtain sufficient information concerning the beneficiary to satisfy the FI that it will be able to establish the identity of the beneficiary at the time of the payout or when the beneficiary intends to exercise vested rights.
• The AML-CFT Decision obliges trustees in Legal Arrangements to maintain basic information relating to intermediaries who are subject to supervision, and to service providers, including consultants, investors or investment advisors, directors, accountants and tax advisors, who have responsibilities in relation to its management. In order to understand the control structure of a customer that is a Legal Arrangement, FIs should obtain this information from the trustees, representatives, or governing or managing officials and include it in the customer’s CDD profile. They should also give the same consideration to other forms of Legal Arrangements and their controlling persons (such as, for example, foundations, membership clubs, religious institutions, or others, along with their founders, representatives and other governing or managing officials).
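The layer-by-layer look-through and the common-ownership consideration in the first bullet above can be carried out mechanically over a declared ownership structure: multiply interests along every chain, sum them per natural person, and compare the aggregate with the 25% threshold. The following is an added example, not code from the guidance; it covers ownership interests only (control by other means still needs separate assessment), and it reports circular cross-holdings and undeclared shares rather than silently dropping them. Entity names, shares and the rule that any owner not listed as an entity is a natural person are constructed assumptions.

```python
"""Beneficial-ownership look-through (added example, not guidance text).

ownership maps each legal person / Legal Arrangement to {owner: fractional
share}. Any owner that is not itself a key is treated as a natural person
(assumption of the example). Shares are Fractions so aggregates are exact.
"""
from collections import defaultdict
from fractions import Fraction

BO_THRESHOLD = Fraction(25, 100)   # aggregate threshold stated in the guidance


def look_through(ownership: dict, customer: str) -> dict:
    totals = defaultdict(Fraction)   # natural person -> aggregate effective interest
    circular = set()                 # (entity, owner) pairs forming a cross-holding loop
    unresolved = Fraction(0)         # share of the customer that reaches no natural person

    def walk(entity, carried, path):
        nonlocal unresolved
        owners = ownership[entity]
        declared = sum(owners.values(), Fraction(0))
        # shares not declared at this layer cannot be attributed to anyone
        unresolved += carried * max(Fraction(0), 1 - declared)
        for owner, share in owners.items():
            stake = carried * share
            if owner in path:                 # cross-holding back up the chain
                circular.add((entity, owner))
                unresolved += stake
            elif owner in ownership:          # intermediate entity: keep looking through
                walk(owner, stake, path | {owner})
            else:                             # natural person: attribute the interest
                totals[owner] += stake

    walk(customer, Fraction(1), {customer})
    return {
        "interests": dict(totals),
        "beneficial_owners": sorted(p for p, v in totals.items() if v >= BO_THRESHOLD),
        "circular_holdings": sorted(circular),
        "unresolved": unresolved,
    }


# constructed structure: P1 reaches 35% only through two holdings that each own
# less than 25%; HoldCo D and HoldCo E hold shares in each other
SAMPLE = {
    "Customer Ltd": {"HoldCo A": Fraction(20, 100), "HoldCo B": Fraction(15, 100),
                     "HoldCo D": Fraction(30, 100), "P4": Fraction(35, 100)},
    "HoldCo A": {"P1": Fraction(1)},
    "HoldCo B": {"P1": Fraction(1)},
    "HoldCo D": {"P2": Fraction(45, 100), "P3": Fraction(45, 100), "HoldCo E": Fraction(10, 100)},
    "HoldCo E": {"HoldCo D": Fraction(50, 100), "P5": Fraction(50, 100)},
}

if __name__ == "__main__":
    result = look_through(SAMPLE, "Customer Ltd")
    for person, interest in sorted(result["interests"].items()):
        print(f"{person}: {float(interest):.1%}")
    print("beneficial owners:", result["beneficial_owners"])
    print("circular holdings:", result["circular_holdings"])
    print("unresolved:", float(result["unresolved"]))
```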
6.3.4 CDD Measures for Life Insurance Activities
For life or other investment-related insurance business, FIs should, in addition to the CDD measures required for the customer and the beneficial owner, conduct the following CDD measures on the beneficiary(ies) of life insurance and other investment related insurance policies, as soon as the beneficiary(ies) are identified/designated:
(a) For beneficiary(ies) that are identified as specifically named natural or legal persons or legal arrangements – taking the name of the person;
(b) For beneficiary(ies) that are designated by characteristics or by class (e.g. spouse or children at the time that the insured event occurs) or by other means (e.g. under a will) – obtaining sufficient information concerning the beneficiary to satisfy the financial institution that it will be able to establish the identity of the beneficiary at the time of the payout. The information collected under (a) and/or (b) should be recorded and maintained.
For both the cases referred to above, the verification of the identity of the beneficiary(ies) should occur at the time of the payout.
In determining whether enhanced CDD measures are applicable, an FI should take the beneficiary of a life insurance policy into account as a risk factor. If an FI determines that a beneficiary who is a legal person or a Legal Arrangement presents a higher risk, then the enhanced CDD measures should include reasonable measures to identify and verify the identity of the beneficial owner of the beneficiary, at the time of payout.
In case an FI cannot comply with this, the FI should consider filing an STR with the FIU.
6.3.5 Ongoing Monitoring of the Business Relationship
(AML-CFT Decision Article 4.2(b), Article 4.3(c), 7.1)
With regard to established Business Relationships, FIs are obliged to undertake ongoing supervision of customers’ activity, including monitoring of transactions executed throughout the course of the relationship to ensure that they are consistent with the information, types of activity, and the risk profiles of the customers. FIs should use a risk-based approach to determine the policies, methods, procedures and controls they implement in relation to monitoring customers’ transactions and activities, as well as in regard to the extent of monitoring for specific customers or categories of customers.
As part of a risk-based approach to AML/CFT, in the case of customers or Business Relationships identified as high risk, FIs are expected to investigate and obtain more information about the purpose of transactions, and to enhance ongoing monitoring and review of transactions in order to identify potentially unusual or suspicious activities. In the case of customers or Business Relationships that are identified as low risk, FIs may consider monitoring and reviewing transactions at a reduced frequency.
Thus, in keeping with the level of risk involved, FIs should monitor and examine transactions in relation to the CDD information and risk profile of the customer (see Section 6.3, Customer Due Diligence (CDD) Measures, Section 6.4, Enhanced Due Diligence (EDD) Measures, and Section 6.5, Simplified Due Diligence (SDD) Measures). Where necessary, FIs should also obtain sufficient information on the counterparties and/or other parties involved (including but not limited to information from public sources, such as internet searches), in order to determine whether the transactions appear to be:
• Normal (consideration should be given as to whether the transactions are typical for the customer, for the other parties involved, and for similar types of customers);
• Reasonable (consideration should be given as to whether the transactions have a clear rationale and are compatible with the types of activities that the customer and the counterparties are usually engaged in);
• Legitimate (consideration should be given as to whether the customer and the counterparties are permitted to engage in such transactions, such as when specific licenses, permits, or official authorisations are required).
Examples of some of the methods that may be employed for the ongoing monitoring of transactions include, but are not limited to:
• Threshold-based rules, in which transactions above certain pre-determined values, numerical volumes, or aggregate amounts are examined;
• Transaction-based rules, in which the transactions of a certain type are examined;
• Location-based rules, in which the transactions involving a specific location (either as origin or destination) are examined;
• Customer-based rules, in which the transactions of particular customers are examined.
FIs may use all or any combination of the above methods, or any others that are appropriate to their particular circumstances, to effect ongoing monitoring of the Business Relationship. Furthermore, monitoring systems and methods may be automated, semi-automated, or manual, depending on the nature and size of their businesses. Whichever methods FIs elect to use, however, FIs should document them (see Section 9, Record Keeping), obtain senior management approval for them, and periodically review and update them to ensure their effectiveness. FIs should also establish specific monitoring procedures for customers and business relationships which have been reported as suspicious to the FIU (see Section 7.11, Handling of Transactions and Business Relationships after Filing of STRs).
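The four rule families listed above (threshold-, transaction-, location- and customer-based), combined in one monitoring pass and scaled by the customer's risk profile as the preceding paragraphs describe, can be illustrated over a small transaction log. This is an added example, not code from the guidance or from any FI's system; the limits, risk ratings, the "HR1"/"HR2" location codes and the transactions are constructed placeholders.

```python
"""Rule-based ongoing transaction monitoring (added example, not guidance text).

Threshold limits are keyed by CDD risk rating so that high-risk relationships
are examined more intensively; the aggregate rule fires once when the
customer-level total over the window crosses its limit. All values below are
constructed placeholders.
"""
from collections import defaultdict
from datetime import date, timedelta

SINGLE_TXN_LIMIT = {"low": 200_000, "medium": 100_000, "high": 40_000}   # threshold-based
AGGREGATE_LIMIT = {"low": 1_000_000, "medium": 500_000, "high": 120_000}  # threshold-based
REVIEWED_TYPES = {"cash_deposit", "cash_withdrawal"}                      # transaction-based
WATCHED_LOCATIONS = {"HR1", "HR2"}                                        # location-based


def monitor(transactions, customers, window_days=30):
    """Return alerts as (txn_id, rule, detail) tuples.

    transactions: dicts with id, customer, date, amount_aed, type, origin, destination.
    customers: id -> {"risk": low|medium|high, "specific_monitoring": bool}.
    """
    alerts = []
    history = defaultdict(list)   # customer -> [(date, amount)] for aggregation
    for t in sorted(transactions, key=lambda x: x["date"]):
        profile = customers[t["customer"]]
        risk = profile["risk"]
        cust_hist = history[t["customer"]]

        # customer-based rule: relationship under specific monitoring
        # (for example after a report to the FIU)
        if profile.get("specific_monitoring"):
            alerts.append((t["id"], "customer", "relationship under specific monitoring"))

        # threshold-based rule: single transaction value
        if t["amount_aed"] >= SINGLE_TXN_LIMIT[risk]:
            alerts.append((t["id"], "threshold",
                           f"amount {t['amount_aed']} >= {SINGLE_TXN_LIMIT[risk]} ({risk} risk)"))

        # threshold-based rule: aggregate amount at customer level over the window
        since = t["date"] - timedelta(days=window_days)
        before = sum(a for d, a in cust_hist if d > since)
        after = before + t["amount_aed"]
        cust_hist.append((t["date"], t["amount_aed"]))
        if before < AGGREGATE_LIMIT[risk] <= after:
            alerts.append((t["id"], "threshold",
                           f"{window_days}-day aggregate {after} >= {AGGREGATE_LIMIT[risk]}"))

        # transaction-based rule: transactions of a certain type are examined
        if t["type"] in REVIEWED_TYPES:
            alerts.append((t["id"], "transaction", f"type {t['type']} selected for review"))

        # location-based rule: origin or destination in a watched location
        for side in ("origin", "destination"):
            if t.get(side) in WATCHED_LOCATIONS:
                alerts.append((t["id"], "location", f"{side} {t[side]} is a watched location"))
    return alerts


# constructed sample data
CUSTOMERS = {
    "C1": {"risk": "low", "specific_monitoring": False},
    "C2": {"risk": "high", "specific_monitoring": False},
    "C3": {"risk": "medium", "specific_monitoring": True},
}
TRANSACTIONS = [
    {"id": "t1", "customer": "C1", "date": date(2024, 1, 5), "amount_aed": 50_000, "type": "transfer", "origin": "AE", "destination": "GB"},
    {"id": "t2", "customer": "C2", "date": date(2024, 1, 6), "amount_aed": 30_000, "type": "transfer", "origin": "AE", "destination": "AE"},
    {"id": "t3", "customer": "C2", "date": date(2024, 1, 20), "amount_aed": 35_000, "type": "transfer", "origin": "AE", "destination": "AE"},
    {"id": "t4", "customer": "C2", "date": date(2024, 2, 1), "amount_aed": 60_000, "type": "transfer", "origin": "AE", "destination": "AE"},
    {"id": "t5", "customer": "C2", "date": date(2024, 2, 3), "amount_aed": 38_000, "type": "transfer", "origin": "AE", "destination": "AE"},
    {"id": "t6", "customer": "C1", "date": date(2024, 2, 12), "amount_aed": 20_000, "type": "cash_deposit", "origin": "AE", "destination": "AE"},
    {"id": "t7", "customer": "C3", "date": date(2024, 2, 13), "amount_aed": 10_000, "type": "transfer", "origin": "AE", "destination": "HR1"},
]


def demo():
    return monitor(TRANSACTIONS, CUSTOMERS)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

In the sample, t4 trips both the single-value and the aggregate limit for the high-risk customer, t5 pushes the aggregate higher without a second aggregate alert, and t7 raises a customer-based and a location-based alert.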
6.3.6 Reviewing and Updating the Customer Due Diligence Information
(AML-CFT Decision Articles 4.2(b), 4.3(b), 7.2, 12)
The timely review and update of CDD information is a fundamental component of an effective ML/FT risk management and mitigation programme. FIs are obliged to maintain the CDD documents, data and information obtained on customers, and their Beneficial Owners or beneficiaries in the case of legal persons or arrangements, up to date. The AML-CFT Decision provides that FIs should update the CDD information on High Risk Customers more frequently, and that, in the absence of a ML/FT suspicion, FIs may update the CDD information of identified low-risk customers less frequently.
In order to be able to update the CDD information of customer in a risk-based manner, FIs should develop internal policies, procedures and controls in relation to the periodic or event-driven review and updating of CDD information. These policies and procedures should be reasonable and proportionate to the risks involved, and, in formulating them, FIs are advised to consider parameters such as:
• Circumstances, timing and frequency of reviews and updates. Generally, FIs should establish clear rules per customer risk category with respect to the maximum period of time that should be allowed to elapse between CDD reviews and updates of customer records. The expiry of a customer’s or Beneficial Owner’s identification documents is a circumstance that calls for updating the customer information. Changes in legislation or internal procedures are also a cause for reviewing and updating customer files.
• Additionally, FIs should also establish clear rules with respect to circumstances that would trigger an interim or event-driven review, or the acceleration of a particular customer’s review cycle. Circumstances or events that might trigger an interim review include:
- Discovery of information about a customer that is either contradictory or otherwise puts in doubt the appropriateness of the customer’s existing risk classification or the accuracy of previously gathered CDD information;
- Material change in ownership, legal structure, or other relevant data (such as name, registered address, purpose, capital structure) of a legal person or arrangement;
- Initiation of legal or judicial proceedings against a customer or Beneficial Owner;
- Finding materially adverse information about a customer or Beneficial Owner, such as media reports about allegations or investigations of fraud, corruption or other crimes;
- Qualified opinion from an independent auditor on the financial statements of a legal entity customer;
- Transactions that indicate potentially unusual or suspicious transactions or activities.
• Components and extent of reviews and updates. In keeping with the nature and size of their businesses, FIs should clearly define the moments, contents and extent of CDD reviews for Business Relationships in different risk categories, including which data elements, documents, or information should be examined and updated if necessary. In this regard, FIs are advised that tools such as checklists and procedural manuals will help to enhance the effectiveness of CDD reviews and updates. Examples of procedures might include, but are not necessarily limited to:
- When the source of wealth or the source of funds of a customer should be verified;
- When additional inquiries or investigations should be made pertaining to the nature of a customer’s business, the purpose of a Business Relationship, or the reasons for a transaction;
- How much of a customer’s transactional history, including how many and which specific transactions or transaction types, should be reviewed as part of a periodic or an interim review.
• Organisational responsibilities. In keeping with the nature and size of their businesses, FIs should consider clearly defining the relevant organisational arrangements in relation to the CDD review and update process. Examples of such responsibilities might include, but are not necessarily limited to:
- Carrying out reviews and updates;
- Escalating and/or reporting situations in which risk classifications should be changed, Business Relationships should be suspended or terminated, or potentially unusual or suspicious activities should be further investigated;
- Approving or rejecting reviews of Business Relationships (including senior management involvement with regard to PEPs and other High Risk Customers);
- Undertaking CDD file remediation measures when necessary;
- Auditing the quality of CDD reviews and updates;
- Maintaining records with regard to CDD reviews and updates, in accordance with statutory record-keeping requirements (see Section 9, Record Keeping).
6.4 Enhanced Due Diligence (EDD) Measures
(AML-CFT Decision Articles 4.2(b), 7.2, 15, 22, 25)
In keeping with a risk-based approach to CDD, FIs are obliged to enhance their CDD measures with regard to customers identified as high-risk, including the specific categories of customers as provided for in the relevant articles of the AML-CFT Decision, such as politically exposed persons (PEPs) (see Section 6.4.1, Requirements for Politically Exposed Persons), customers associated with high-risk countries (see Section 6.4.3, Requirements for High-Risk Countries), and correspondent relationships (see Section 6.4.4, Requirements for Correspondent Relationships).
Generally speaking, EDD involves a more rigorous application of CDD measures, including elements such as:
• Increased scrutiny and higher standards of verification and documentation from reliable and independent sources with regard to customer identity;
• More detailed inquiry and evaluation of reasonableness in regard to the purpose of the Business Relationship, the nature of the customer’s business, the customer’s source of funds and source of wealth, and the purpose of individual transactions;
• Increased supervision of the Business Relationship, including the requirement for higher levels of management approval, more frequent monitoring of transactions, and more frequent review and updating of customer due diligence information.
EDD means that FIs should intensify their measures, specifically by obtaining further evidence and supporting documentation. FIs should obtain additional information and evidence from high-risk customers such as:
○ Source of funds (revenue) and source of wealth;
○ Identifying information on individuals with control over the customer (legal person or arrangement) or account, such as signatories or guarantors;
○ Occupation or type of business;
○ Financial statements;
○ Banking references;
○ Domicile;
○ Proximity of the customer’s residence, place of employment or place of business to the FI;
○ Description of the customer’s primary trade area and whether international transactions are expected to be routine;
○ Description of the business operations, the anticipated volume of currency and total sales, and a list of major customers and suppliers; and
○ Explanations for changes in account activity.
In addition, FIs should also apply specific EDD measures in case there are doubts about the accuracy or appropriateness of a customer’s ML/FT risk classification in order to determine the appropriate risk classification. EDD should also be applied when there are red-flag indicators of potentially unusual or suspicious transactions or activities. In all cases in which EDD is applied, FIs should ensure that they take reasonable measures to obtain adequate, substantiated, information about the customer, commensurate with the level of the risks identified.
As part of their overall AML/CFT framework, FIs should develop risk-based internal policies, procedures and controls in connection with the application of EDD measures. Examples of some of the factors they should consider when developing these risk-based policies include:
• The ML/FT risks identified in the ML/TF business risk assessment;
• Circumstances, timing, and composition regarding the application of EDD measures;
• Frequency of reviews and updates in relation to information on high-risk customers;
• Extent and frequency of ongoing monitoring of the Business Relationship and monitoring of transactions in relation to high-risk customers.
Such policies, procedures and methodologies should be reasonable and proportionate to the risks involved, and, in formulating them, FIs should consider the results of the NRA, any Topical Risk Assessment and their own ML/FT business risk assessments. Commensurate with the nature and size of the FIs’ businesses, the policies, procedures and methodologies should also be documented, approved by senior management, and communicated at the appropriate levels of the organisation.
Additional guidance regarding the application of EDD measures to statutory high-risk Business Relationship categories is provided in the following sub-sections.
6.4.1 Requirements for Politically Exposed Persons (PEPs)
Due to their potential ability to influence government policies, determine the outcome of public funding or procurement decisions, or obtain access to public funds, politically exposed persons (PEPs) are classified as high-risk individuals from an AML/CFT perspective. The AML-CFT Law and the AML-CFT Decision define PEPs as:
“Natural persons who are or have been entrusted with prominent public functions in the State or any other foreign country such as Heads of States or Governments, senior politicians, senior government officials, judicial or military officials, senior executive managers of state-owned corporations, and senior officials of political parties and persons who are, or have previously been, entrusted with the management of an international organisation or any prominent function within such an organisation; and the definition also includes the following:
• Direct family members (of the PEP, who are spouses, children, spouses of children, parents).
• Associates known to be close to the PEP, which include:
- Individuals having joint ownership rights in a legal person or arrangement or any other close Business Relationship with the PEP.
- Individuals having individual ownership rights in a legal person or arrangement established in favour of the PEP.”
FIs are obliged to put in place appropriate risk management systems to determine whether a customer, Beneficial Owner, beneficiary, or controlling person is a PEP. In addition to undertaking standard CDD procedures, FIs are also required to take reasonable measures to establish the source of funds and the source of wealth of customers and Beneficial Owners identified as PEPs. In this regard, and commensurate with the nature and size of their businesses, FIs should take measures that include:
• Implementing automated screening systems which screen customer and transaction information for matches with known PEPs;
• Incorporating thorough background searches into their CDD procedures, using tools such as:
- Manual internet search protocols;
- Public or private databases;
- Publicly accessible or subscription information aggregation services;
- Commercially available background investigation services.
If a customer, Beneficial Owner, beneficiary, or controlling person is identified as a PEP, FIs are required to take reasonable measures to establish the PEP’s source of funds and source of wealth. In this regard, they should also evaluate the legitimacy of the source of funds and source of wealth, including making reasonable investigations into the individual’s professional and financial background.
Furthermore, FIs are also required to obtain senior management approval before establishing a Business Relationship with a PEP, or before continuing an existing one. In regard to the latter, senior management should be notified and their approval should be obtained for the continuance of a PEP relationship each time any of the following situations occur:
• An existing customer, Beneficial Owner, beneficiary, or controlling person becomes, or is newly identified as, a PEP;
• An existing PEP Business Relationship is reviewed and the CDD information is updated, either on a periodic or an interim basis, according to the organisation’s internal policies and procedures;
• A material transaction that appears unusual or illogical for the PEP Business Relationship is identified;
• The beneficiary or Beneficial Owner of a life insurance policy or family takaful insurance policy is identified as a PEP, and in case higher risks are identified, the overall Business Relationship should also be thoroughly examined and consideration given to filing an STR. Senior management should be informed before the payout of the policy proceeds.
With regard to identified Domestic PEPs and individuals who were previously (but are no longer) entrusted with prominent functions at international organisations, the AML-CFT Decision provides that FIs should implement the measures described above when, apart from their PEP status, the Business Relationships associated with such persons could be classified as high-risk for any other reason.
The handling of a customer who is no longer entrusted with a prominent public function should be based on an assessment of risk. This risk-based approach requires that FIs assess the ML/FT risk of a PEP who is no longer entrusted with a prominent public function, and take effective action to mitigate this risk. Possible risk factors are the level of (informal) influence that the individual could still exercise; the seniority of the position that the individual held as a PEP; or whether the individual’s previous and current functions are linked in any way (e.g., formally by appointment of the PEP’s successor, or informally by the fact that the PEP continues to deal with the same substantive matters).
6.4.2 EDD Measures for High-Risk Customers or Transactions
(AML-CFT Decision Article 4.2(b))
FIs are obliged to apply EDD measures to manage and mitigate the risks associated with identified High Risk Customers and/or transactions. The AML-CFT Decision defines High Risk Customers as including those who represent a risk:
“…either in person, activity, Business Relationship, nature or geographical area, such as a customer from a high-risk country or non-resident in a country that does not hold an identity card, or a customer having a complex structure, performing complex operations or having unclear economic objective, or who conducts cash-intensive operations, or operations with an unknown third party...”
Examples of the EDD measures that should be taken by FIs are laid out in the relevant article of the AML-CFT Decision. When carrying out such measures (especially as regards obtaining and investigating more information about the nature of the customer’s business, purpose of the Business Relationship, or reason for the transaction), FIs should pay particular attention to the reasonableness of the information obtained, and should evaluate it for possible inconsistencies and for potentially unusual or suspicious circumstances. Examples of factors that FIs should take into consideration in this regard include, but are not limited to:
• An illogical reason for a foreign customer’s or Beneficial Owner’s presence, or establishment of a Business Relationship, in the UAE;
• Consistency between the nature of the customer’s business and transactions and the customer’s or Beneficial Owner’s professional background and employment history, in regard to which FIs may find it helpful to obtain background information from reliable and independent sources, as well as from internet and social media searches, and from the customer’s or Beneficial Owner’s CV;
• The level of complexity and transparency of the customer’s transactions, especially in comparison with the customer’s or Beneficial Owner’s educational and professional background;
• The level of complexity and transparency of the customer’s legal structure of legal persons or arrangements;
• The nature of any other business interests of the customer or Beneficial Owner, including any other legal persons or arrangements owned or controlled;
• Consistency between the customer’s line of business and that of the counterparty to the customer’s transactions (as identified, for example, through internet searches).
Additionally, and commensurate with the nature and size of their businesses, when carrying out EDD measures in respect of High Risk Customers or Beneficial Owners, FIs should take appropriate risk-mitigation measures such as, but not limited to:
• Performing background checks (among other things, via internet searches, public databases, or subscription information aggregation services) to screen for possible matches with targeted and other international financial sanctions lists, indications of criminal activity (including financial crime), or other adverse information;
• Using more rigorous methods for the verification of the customer’s or Beneficial Owner’s identity in regard to High Risk Customers (see Section 6.3.1, Customer and Beneficial Owner Identification/Verification for more information).
6.4.3 Requirements for High-Risk Countries
(AML-CFT Law Article 16.1(e); AML-CFT Decision Article 22, 44.7, 60)
FIs are obliged to implement EDD measures commensurate with the ML/FT risks associated with Business Relationships and transactions with customers from high-risk countries subject to a Call for Action and Jurisdictions under Increased Monitoring and the countries identified by NAMLCFTC. In the case of legal persons and arrangements, this applies equally to their Beneficial Owners, beneficiaries and other controlling persons from high-risk countries.
FIs can obtain guidance on high-risk countries from NAMLCFTC, from the FATF list of High-Risk Jurisdictions subject to a Call for Action and Jurisdictions under Increased Monitoring, and from the NRA report. In addition, reference can also be made to the Organisation for Economic Cooperation and Development (OECD) list of jurisdictions classified as tax havens. The Basel AML Index can be a useful source to determine the risk of a country.
Examples of some of the measures FIs should apply in this regard include:
• Increased scrutiny and higher standards of verification and documentation from reliable and independent sources with regard to the identity of customers, Beneficial Owners, beneficiaries and other controlling persons;
• More detailed inquiry and evaluation of reasonableness in regard to the purpose of the Business Relationship, the nature of the customer’s business, the customer’s source of funds, and the purpose of individual transactions;
• Increased investigation to ascertain whether the customers or related persons (Beneficial Owners, beneficiaries and other controlling persons, in the case of legal persons and arrangements) are foreign PEPs;
• Increased supervision of the Business Relationship, including the requirement for higher levels of internal reporting and management approval, more frequent monitoring of transactions, and more frequent review/ updating of customer due diligence information.
Additionally, FIs are obliged to implement all specific CDD measures and countermeasures regarding High Risk Countries as defined by the National Committee for Combating Money Laundering and the Financing of Terrorism and Illegal Organisations, including those related to the implementation of the decisions of the UN Security Council under Chapter VII of the Charter of the United Nations, the International Convention for the Suppression of the Financing of Terrorism and the Treaty on the Non-Proliferation of Nuclear Weapons, and other related directives, and those called for by the Financial Action Task Force (FATF) and/or other FSRBs.
In order to fulfil these obligations, and commensurate with the nature and size of their businesses and the risks involved, FIs should establish adequate internal policies, procedures and controls in relation to the application of EDD measures and risk-proportionate effective countermeasures to customers and Business Relationships associated with high-risk countries. Some of the factors to which FIs should give consideration when formulating such policies, procedures and controls, include but are not limited to the following:
• The organisation’s risk appetite with respect to Business Relationships involving high-risk countries;
• Methodologies and procedures for assessing and categorising country risk, and identifying high-risk countries, including the statutorily defined High Risk Countries as established by the NAMLCFTC, and taking into consideration advice or notifications of concerns about weaknesses in the AML/CFT system of other countries issued by the relevant Supervisory Authorities and/or Competent Authorities;
• Determination and implementation of appropriate risk-based controls (for example, certain product or service restrictions, transaction limits, or others) with regard to customers and Business Relationships associated with high-risk countries;
• Organisational roles and responsibilities in relation to the monitoring, management reporting, and risk management of high-risk country Business Relationships;
• Appropriate procedures for the enhanced investigation of Business Relationships involving high-risk countries in relation to their assessment for possible PEP associations;
• Independent audit policies in respect of EDD procedures pertaining to customers/Business Relationships involving high-risk countries and the business units that deal with them.
For all countries identified as high-risk, the FATF calls on all members and urges all jurisdictions to apply EDD, and in the most serious cases, countries are called upon to apply countermeasures to protect the international financial system from the ongoing money laundering, terrorist financing, and proliferation financing risks emanating from the country. However, specific countermeasures which need to be applied by FIs shall be advised by the corresponding supervisory authorities, the FIU or the NAMLCFTC.
6.4.4 Requirements for Correspondent Relationships
Financial Institutions are obliged to fulfil certain due diligence requirements with regard to the correspondent banking relationships and other similar relationships they maintain, regardless of whether these involve foreign or domestic financial institutions. Additional guidance in respect of the measures specified in the relevant article of the AML-CFT Decision is provided below. Similar relationships to which FIs should apply the guidance below include, for example, those established for securities transactions or funds transfers.
FIs are prohibited from entering into or maintaining correspondent relationships with shell banks, or with institutions that allow their accounts to be used by shell banks. The AML-CFT Decision defines a shell bank as a “bank that has no physical presence in the country in which it is incorporated and licensed, and is unaffiliated with a regulated financial group that is subject to effective consolidated supervision.”
• FIs are required to collect sufficient information about any receiving correspondent institution for the purpose of identifying and achieving a full understanding of the nature of its business, and to determine, through publicly available information, its reputation and level of AML/CFT controls, including whether it has been subject to an ML/FT investigation or regulatory action.
• FIs are obliged to evaluate the AML/CFT controls applied by the receiving correspondent institution.
• FIs are required to obtain approval from senior management before establishing new correspondent relationships.
• FIs are obliged to understand the responsibilities of each institution in the field of combating the crimes of money laundering, the financing of terrorism and of illegal organisations.
Regulatory and supervisory environments governing the operation of financial institutions around the world vary greatly. Thus, not all foreign financial institutions are subject to the same AML/CFT requirements as FIs in the UAE; and as a consequence, some of these foreign institutions may pose a higher ML/FT risk. To mitigate these risks, FIs that maintain correspondent relationships with foreign financial institutions should consider implementing adequate procedures to assess and periodically review the relevant regulatory and supervisory frameworks of the countries concerned.
Furthermore, when gathering information about financial institutions with which they maintain correspondent relationships, whether foreign or domestic, FIs should take appropriate steps to assess the nature, size and extent of their businesses in the countries where they are incorporated and licensed, as well as their ownership and management structures (taking into consideration the nature and extent of any PEP involvement), in order to evaluate whether they exhibit the characteristics of shell banks, and whether they offer downstream correspondent services (also known as “nested accounts”) to other banks. If they do offer downstream correspondent services, FIs should also take reasonable steps to understand the types of services offered, the number and types of financial institutions they are offered to, the types of customers those institutions serve, and to identify the associated ML/FT risk issues.
In order to collect sufficient information about the nature of a financial institution and the AML/CFT controls it applies, and to assess the ML/FT risks associated with it, FIs should take appropriate measures such as implementing a suitable correspondent relationships questionnaire and, when necessary, conducting follow-up interviews. (FIs may find the correspondent banking questionnaire which has been developed by the Wolfsberg Group, as well as the Wolfsberg Anti-Money Laundering Principles for Correspondent Banking, instructive in this regard. See Appendix 11.2, Useful Links.)
In addition to obtaining senior management approval prior to establishing new correspondent relationships, FIs should also periodically review and update their due diligence information in relation to the financial institutions with which they maintain correspondent relationships, commensurate with the risks involved (see 6.3.6 Reviewing and Updating the Customer Due Diligence Information). In the event of a deterioration in the risk profile of a financial institution with which a correspondent relationship is maintained, including the discovery of material adverse information concerning the institution, FIs should ensure that senior management is informed and appropriate risk-based measures are taken to assess and mitigate the ML/FT risks involved.
FIs should also maintain agreements or contracts with financial institutions with which they maintain correspondent relationships. In addition to operational details concerning the products and services covered, these agreements should clearly describe each party’s responsibilities in regard to ML/FT risk mitigation, due diligence procedures, and the detailed conditions related to any permitted third-party usage of the correspondent account.
6.4.5 Requirements for Money or Value Transfer Services
(AML-CFT Decision Articles 26, 30)
As part of a risk-based AML/CFT approach, FIs that enter into or maintain Business Relationships with Money or Value Transfer Services (MVTSs) should take adequate CDD measures that are commensurate with the risks involved (see Sections 6.3, Customer Due Diligence (CDD) Measures and 6.4, Enhanced Due Diligence (EDD) Measures). Examples of measures that FIs should consider in this regard include, but are not limited to:
• Ensuring that the MVTS is properly licensed or registered; in particular, when opening any accounts for Hawala Providers, FIs licensed by the Central Bank must physically check the original Hawala Provider registration certificate issued by the Central Bank and keep a copy thereof;
• Obtaining information about and assessing the adequacy of the MVTS’s AML/CFT policies, procedures and controls, including those related to Wire Transfers as stipulated in the relevant provisions of the AML-CFT Decision;
• Obtaining the MVTS’s list of agents, and identifying and assessing the associated ML/FT risks, especially with regard to high-risk countries or other identified high-risk factors;
• Obtaining sufficient information about the MVTS’s ownership and management structure (including taking into consideration the possibility of PEP involvement), the nature and scope of its business, the nature of its customer base, and the geographic areas in which it operates, so as to be in a position to identify, assess, and manage or mitigate the associated ML/FT risks.
FIs that enter into or maintain relationships with MVTSs should also use a risk-based approach to determine the appropriate internal AML/CFT policies, procedures and controls they implement in relation to the risk assessment, risk classification, and the type and extent of CDD they perform on the MVTSs. The policies and procedures that FIs apply should be reasonable and proportionate to the risks involved, and should be adequately documented, senior management approved, and communicated to the relevant employees of the organisation.
6.4.6 Requirements for Non-Profit Organisations
Non-Profit Organisations (NPOs) can often pose increased risks in regard to money laundering, the financing of terrorism, and the financing of illegal organisations. As part of an effective risk-based approach to AML/CFT, FIs that enter into or maintain Business Relationships with NPOs should take adequate CDD measures that are commensurate with the risks involved (see Sections 6.3, Customer Due Diligence (CDD) Measures and 6.4, Enhanced Due Diligence (EDD) Measures). Examples of measures that FIs should consider include, but are not limited to:
• Ensuring that the NPO is properly licensed or registered; in particular, when opening any accounts for Non-Profit Organisations, FIs licensed by the Central Bank must obtain an original signed letter from the Ministry of Community Development for opening accounts to collect donations and an authorization from the UAE Red Crescent for conducting financial transfers out of the UAE through some of these accounts;
• Obtaining information about and assessing the adequacy of the NPO’s AML/CFT policies, procedures and controls;
• Obtaining sufficient information about the NPO’s legal, regulatory and supervisory status, including requirements relating to regulatory disclosure, accounting, financial reporting and audit (especially where community/social or religious/cultural organisations are involved, and when those organisations are based, or have significant operations, in jurisdictions that are unfamiliar or in which transparency or access to information may be limited for any reason);
• Obtaining sufficient information about the NPO’s ownership and management structure (including taking into consideration the possibility of PEP involvement); the nature and scope of its activities; the nature of its donor base, as well as of that of the beneficiaries of its activities and programmes; and the geographic areas in which it operates, so as to be in a position to identify, assess, and manage or mitigate the associated ML/FT risks;
• Performing thorough background checks (including but not limited to the use of internet searches, public databases, or subscription information aggregation services) on the NPO’s key persons, such as senior management, branch or field managers, major donors and major beneficiaries, to screen for possible matches with targeted and other international financial sanctions lists, indications of criminal activity (including financial crime), or other adverse information.
FIs that enter into or maintain relationships with NPOs should also use a risk-based approach to determine the appropriate internal AML/CFT policies, procedures and controls the FIs implement in relation to the risk assessment, risk classification, and the type and extent of CDD they perform on NPOs. The policies and procedures that FIs apply should be reasonable and proportionate to the risks involved, and should be adequately documented, senior management approved, and communicated to the relevant employees of the organisation.
6.5 Simplified Due Diligence (SDD) Measures
(AML-CFT Decision Articles 4.3, 5, 10)
In keeping with a risk-based approach to CDD, under certain circumstances and in the absence of an ML/FT suspicion, FIs are permitted to exercise simplified customer due diligence measures (SDD) only with regard to customers identified as low-risk through an adequate analysis of risks.
SDD generally involves a more lenient application of certain aspects of CDD measures, including elements such as:
• A reduction in verification requirements with regard to customer or Beneficial Owner identification;
• Fewer and less detailed inquiries in regard to the purpose of the Business Relationship, the nature of the customer’s business, the customer’s source of funds, and the purpose of individual transactions;
• More limited supervision of the Business Relationship, including less frequent monitoring of transactions, and less frequent review/updating of customer due diligence information.
Specifically, the AML-CFT Decision permits the application of SDD in the following circumstances:
• Identified low-risk customers. When the customer or Beneficial Owner is identified as posing a low risk of ML/FT, FIs are permitted to complete the verification of their identity after the establishment of a Business Relationship under the conditions specified in the relevant provisions of the AML-CFT Decision. In this regard, FIs are required to implement appropriate and effective measures to control the risks of ML/FT, including the risks in regard to the customer or Beneficial Owner benefitting from the Business Relationship prior to the completion of the verification process. Examples of such measures which FIs may consider taking in this regard are, among others:
- Holding funds in suspense or in escrow until the verification of the identity is completed;
- Making the completion of verification of the identity a condition precedent to the closing of a transaction.
It should be noted that the provision allowing a relaxation of the timing for the completion of the identity verification procedures does not imply that FIs are permitted to establish a Business Relationship without any customer identification at all. On the contrary, in all cases, the basic identification information in relation to the customer (whether a natural or legal person or arrangement) should be obtained; however, under the specified conditions, FIs are permitted to establish the Business Relationship prior to the completion of the verification process, which may include such steps as: obtaining appropriate supporting documentation, certifications or attestations, when necessary (for example, as regards the corporate documents of a legal person); or obtaining all the necessary information related to the relevant parties of a legal person or Legal Arrangement, such as Beneficial Owners, settlors, trustees or executors, protectors, beneficiaries, or other controlling persons.
• Listed companies. FIs are exempted from identifying and verifying the identity of any shareholder, partner or Beneficial Owner of a legal person under the conditions specified in the relevant provisions of the AML-CFT Decision. Namely:
- When the relevant information on the shareholder, partner or Beneficial Owner is obtained from reliable sources; and
- When the customer, or the owner holding the controlling interest of the customer, is a company listed on a regulated stock exchange subject to adequate disclosure and transparency requirements related to Beneficial Ownership; or when the customer, or the owner holding the controlling interest of a legal entity customer, is the majority-held subsidiary of such a listed company.
Without prejudice to the above, in the case of foreign stock exchanges, FIs should take steps to adequately assess and document the relevant disclosure and transparency requirements related to Beneficial Ownership, and to ensure that they are at least equivalent to those of the UAE.
In addition, FIs should be aware that, regardless of the exemption mentioned above, they are required with respect to listed companies to verify that any person purporting to act on behalf of the customer is so authorised, and to verify the identity of that person.
As part of their overall AML/CFT framework, FIs should use a risk-based approach to determine the internal policies, procedures and controls they implement in connection with the application of SDD procedures. Examples of some of the factors they should consider when developing their risk-based policies include:
• The ML/FT risks identified in the ML/TF business risk assessment, especially with regard to low-risk categories of customers;
• Circumstances, timing, and composition in regard to the application of SDD measures;
• Frequency of reviews and updates in relation to customer SDD information;
• Extent and frequency of ongoing supervision of the Business Relationship and monitoring of transactions in relation to customers to which SDD measures are applied.
Such policies, procedures and methodologies should be reasonable and proportionate to the risks involved, and, in formulating them, FIs should consider the results of both the NRA and any Topical Risk Assessment and their own ML/FT business risk assessments. Commensurate with the nature and size of the FIs’ businesses, the policies, procedures and methodologies should also be documented, approved by senior management, and communicated at the appropriate levels of the organisation.
6.6 Reliance on a Third Party
(AML-CFT Decision Article 19)
Under certain conditions, the AML-CFT Decision permits FIs to rely on third parties to undertake the required CDD measures, including those measures specifically laid out in regard to identified high-risk countries (see Section 6.4.3, Requirements for High-Risk Countries), with the responsibility for the validity of the measures resting directly with the FIs. Among the conditions set forth in the AML-CFT Decision concerning the reliance on third parties, it is stipulated that FIs shall:
“Ensure that the third party is regulated and supervised, and adheres to the CDD measures towards Customers and record-keeping provisions of the present Decision.”
In order to fulfil this obligation, FIs that rely on third parties to undertake CDD measures on their behalf should implement adequate measures, in keeping with the nature and size of their businesses, to ensure the third party’s adherence to the requirements of the AML-CFT Law and the AML-CFT Decision in relation to CDD measures. Examples of such measures include:
• Clearly defined procedures for determining the adequacy of a third-party’s CDD and record-keeping measures, including the evaluation of such factors as the comprehensiveness and quality of its AML/CFT policies, procedures and controls; the number of personnel dedicated to CDD; and its audit and/or quality assurance policies in regard to CDD. In this regard, FIs are advised that tools such as questionnaires, scorecards, and on-site visits may be useful in evaluating the adequacy of a third party’s adherence.
• Service-level agreements, clearly setting out the roles and responsibilities of the FI and the third party and specifying the nature of the CDD and record-keeping requirements to be fulfilled.
• Procedures for the certification by third parties of documents and other records pertaining to the CDD measures undertaken.
In addition to the above, when relying on foreign third parties for the undertaking of CDD measures, FIs should take steps to ensure that the AML/CFT regulatory and supervisory framework under which the third party operates is at least equivalent to that of the State. This means that FIs should ensure that the third party is regulated and supervised for AML/CFT purposes, and adheres to the equivalent CDD and record-keeping measures.
Whichever methods are utilized to ensure the adherence of third parties to the statutory CDD and record-keeping requirements, FIs should document and periodically review them for effectiveness.
Reliance on a third party refers to an FI’s reliance on a third party for all or part of the CDD process, as well as reliance on a third party when introducing business. FIs should therefore take adequate steps to satisfy themselves that copies of identification data and other relevant documentation relating to the CDD requirements will be made available from the third party upon request without delay. This includes the identification and verification of the identity of customers and Beneficial Owners, beneficiaries or controlling persons of legal entities or arrangements, as well as the investigation and assembly of other relevant customer documents, information and data, as per the statutory CDD and record-keeping requirements. Nevertheless, FIs remain ultimately responsible for the outcome of the CDD process. Furthermore, FIs should themselves assess the risks of the customer, including the customer’s risk profile. FIs should thus document their rationale for the assignment of relevant customer risk classifications, as well as their analysis of the CDD information obtained from the third parties. Moreover, FIs remain themselves responsible for conducting ongoing due diligence on the business relationship and scrutiny of transactions undertaken throughout the course of that relationship.
For the purpose of this guidance, it is important to note that FIs are expected to use documents, data or information from reliable and independent sources in carrying out their CDD obligations, which include, among other things, verifying the identity of customers and Beneficial Owners, beneficiaries or controlling persons of legal entities or arrangements.
Reliable and independent sources may include, but are not necessarily limited to, official bodies such as Competent Authorities, governmental departments or agencies, governmental or state-sponsored business registries, public utilities or similar official enterprises; as well as non-official organisations, such as publicly accessible free or subscription information aggregation services, credit reporting agencies, and others.
FIs are reminded that simply obtaining CDD documents and supporting information from reliable and independent sources during the course of performing their own CDD procedures is not necessarily considered as reliance on a third party. Where FIs, during the course of carrying out their own CDD procedures, receive certain documents, information or data from a third party, FIs should obtain evidence of the third party’s regulatory and supervisory status and good standing, and they should also consider obtaining the third party’s certification that any CDD documents provided by them (such as identification documents, proof of address, or documents corroborating a customer’s source of funds) are true copies of the originals.