6.3 Customer Due Diligence (CDD) Measures
The application of risk-based CDD measures is comprised of several components, in keeping with the customer’s ML/FT risk classification and the specific risk indicators that are identified. Generally, these components include, but are not limited to, the following categories:
• Identification of the customer, Beneficial Owners, beneficiaries, and controlling persons; and the verification of their identity on the basis of documents, data or information from reliable and independent sources (see Section 6.3.1, Customer and Beneficial Owner Identification/Verification).
• Screening of the customer, Beneficial Owners, beneficiaries, and controlling persons for the applicability of targeted or other international financial sanctions, and, particularly in higher risk situations, for any potentially adverse information such as criminal history (see Section 6.4, Enhanced Due Diligence (EDD) Measures).
• Obtaining an understanding of the intended purpose and nature of the Business Relationship, as well as, in the case of legal persons or arrangements, of the nature of the customer’s business and its ownership and control structure (see Section 6.3.3, Establishing a Customer Due Diligence Profile).
• Monitoring and supervision of the Business Relationship, to ensure consistency between the transactions or activities conducted and the information that has been gathered about the customer and their expected behaviour (see Section 6.3.4, Ongoing Monitoring of the Business Relationship).
• Scrutinising transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the FI’s knowledge of the customer, their business and risk profile, including where necessary, the source of funds.
• Ensuring that documents, data or information collected under the CDD process is kept up-to-date and relevant, by undertaking reviews of existing records, particularly for higher risk categories of customers.
In cases involving higher levels of risk, FIs are generally required to exercise enhanced levels of customer due diligence, such as identifying and/or verifying the customer’s source of funds and taking other appropriate risk-mitigation measures (see Section 6.4, Enhanced Due Diligence (EDD) Measures).
As part of their overall AML/CFT framework, FIs should take a risk-based approach in developing their internal CDD policies, procedures and controls. Factors to take into account include:
• The outcomes of the ML/TF business risk assessment;
• Circumstances, timing, and composition in regard to the application of CDD measures;
• Frequency of reviews and updates in relation to CDD information;
• Extent and frequency of ongoing supervision of the Business Relationship and monitoring of transactions in relation to customers to which CDD measures are applied.
Such policies, procedures and methodologies should be reasonable and proportionate to the risks involved, and, in formulating them, supervised institutions should consider the results of both the NRA and any Topical Risk Assessment. Commensurate with the nature and size of the FIs’ businesses, the policies, procedures and methodologies should also be documented, approved by senior management, and communicated at the appropriate levels of the organisation.
Additional guidance related to these and other key aspects of risk-based CDD measures is provided in the following sub-sections.
6.3.1 Customer and Beneficial Owner Identification and Verification of the Identity
(AML-CFT Decision Articles 4.2(b), 3(a), 5.1, 8.1, 9, 10, 11.2, 13.1, 14.2)
Grounded on the principles of “Know Your Customer” and risk-based CDD, the identification and verification of the identity of customers is a fundamental component of an effective ML/FT risk management and mitigation programme. In accordance with Cabinet Resolution no. 58 of 2020 regulating the Beneficial Owner Procedures (the UBO Resolution), FIs are obliged to identify customers, including the Beneficial Owners, beneficiaries, and controlling persons, whether permanent or walk-in, and whether a natural or legal person or Legal Arrangement, and to verify their identity using documents, data or information obtained from reliable and independent sources.
The specific requirements concerning the timing, extent, and methods of identifying and verifying the identity of customers and Beneficial Owners depend in part on the type of customer (whether a natural or legal person) and on the level of risk involved (also see Sections 6.4, Enhanced Due Diligence (EDD) Measures, and 6.5, Simplified Due Diligence (SDD) Measures). Thus, the type and nature of the customer (including Beneficial Owners, beneficiaries, and controlling persons) should be considered as risk factors in determining the type of CDD that should be applied, whether standard CDD, EDD or SDD. However, the core components of a customer’s identification generally remain the same in all cases. They are:
• Personal data, including details such as the name, passport or identity card number, country of issuance, date of issuance and expiry date of the identity card or passport, nationality, date and place of birth (or date and place of establishment or incorporation, in the case of a legal person or arrangement); and
• Principal address, including evidence of the permanent residential address of a natural person, or the registered address of a legal person or arrangement.
In taking adequate CDD measures, FIs are obliged at a minimum to identify and verify the identity of the customer as specified in the relevant articles of the AML-CFT Decision. In fulfilling these requirements, FIs should use a risk-based approach to determine the internal policies, procedures and controls they implement in relation to the identification and verification of customers (including the Beneficial Owners, beneficiaries, and controlling persons). The CDD policies and procedures that FIs apply should be reasonable and proportionate to the risks involved, and, in formulating them, entities should consider the following guiding principles.
In relation to natural persons:
• The verification of a customer’s identity, including their address, should be based on original, official (i.e. government-issued) documents whenever possible. When that is not possible, FIs should augment the number of verifying documents or the amount of information they obtain from different independent sources. In particular, when verifying the UAE ID card, FIs licensed by the Central Bank must use the online validation gateway of the Federal Authority for Identity & Citizenship and keep a copy of the UAE ID and its digital verification. They should also identify the lack of official documents and the use of alternative means of verification as risk factors when assessing the customer’s ML/FT risk classification.
An example of alternative verification means is verification by way of a digital identification system. Such a system should rely on technology, adequate governance, processes and procedures that provide appropriate levels of confidence that it produces accurate results. The FATF Guidance on Digital Identity of March 2020 provides further information on how to make a risk-based determination of whether a particular digital ID system provides an appropriate level of reliability and independence.
• The identification data should include the name, nationality, date of birth and place of birth, and national identification number of a natural person.
• With regard to the identification and verification of the identity of foreign nationals, whether customers or Beneficial Owners, beneficiaries or controlling persons, FIs should take steps to understand and request only those types of identification documents that are legally valid in the relevant jurisdictions. Furthermore, when verifying the identity of foreign nationals associated with high-risk factors, FIs should validate the authenticity of customer identification documents obtained. Some of the methods that FIs may consider in order to do so, commensurate with the nature and size of their businesses, include but are not limited to:
- Relying on information from the relevant foreign embassy or consulate, or the relevant issuing authority;
- Using commercially available applications to validate the information in machine-readable zones (MRZs) or biometric data chips of foreign identification documents.
• The types of address verification that may generally be considered acceptable include, but are not limited to, the following categories of documents issued in the name of the customer:
- Bills or account statements from public utilities, including electricity, water, gas, or telephone line providers;
- Local and national government-issued documents, including municipal tax records;
- Registered property purchase, lease or rental agreements;
- Documents from supervised third-party financial institutions, such as bank statements, credit or debit card statements, or insurance policies.
In situations where natural persons do not have this documentation in their own name, for instance because they share accommodation or do not (yet) have a permanent or own residence, other evidence of address may be used as long as this evidence gives the FI reasonable confidence. Where the FI has determined that an individual has a valid reason for being unable to produce the usual documentation to verify the address and who would otherwise be excluded from establishing a business relationship with the FI, the address can be verified by other means, provided the FI is satisfied that the method employed adequately verifies the address of the natural person and any additional risk has been appropriately mitigated.
This can for instance be evidence of entitlement to a state or local authority-funded benefit, pension, educational or other grant, or a letter from a reputable employer or school stating the address.
In relation to legal persons and legal arrangements:
• In addition to identifying and verifying the identity of customers, Beneficial Owners, beneficiaries, and controlling persons, FIs should verify the identity of any person legally empowered to act or transact business on behalf of the customer, whether the customer is a legal or natural person. Such persons may include:
- Signatories or other authorised persons, or persons with authorised remote access credentials to an account, such as internet or phone banking users;
- Parents or legal guardians of a minor child, or legal guardians of a physically or mentally disabled or incapacitated person;
- Attorneys or other legal representatives, including liquidators or official receivers of a legal person or arrangement.
In the event that a legally empowered representative is also a legal person or Legal Arrangement, the normal CDD procedures for such entities should be applied.
• When verifying that a person purporting to act on behalf of a customer is so authorised, the following types of documents may generally be considered to be acceptable:
- A legally valid power-of-attorney;
- A properly executed resolution of a legal person’s or Legal Arrangement’s governing board or committee;
- A document from an official registry or other official source, evidencing ownership or the person’s status as an authorised legal representative;
- A court order or other official decision.
• As part of their procedures for identifying and verifying the identity of customers, and for authenticating the original documents upon which the verification is based, FIs should include procedures for the certification of the customer identification and address documentation they obtain. Such procedures may encompass certification by employees of the FI (for example, by including the name, title of position, date and signature of the verifying employee(s) on the copies of documents maintained on file), as well as by reputable third parties (for example, by including the name, organization, title of position, date and signature of the verifying person, along with a statement representing that the copy of the document is a “true copy of the original”). In cases where documents are obtained from foreign sources in countries which are members of The Hague Apostille Convention, consideration should be given to requesting documents certified by Apostille seal.
• Whenever possible, FIs should incorporate a “four-eyes” principle (review by at least two people) into their procedures with regard to the verification of customer identification documentation and other CDD information, as well as with regard to the entry of the relevant data into their information systems.
6.3.2 CDD Measures Concerning Wire Transfers
(AML-CFT Decision Articles 27-30)
Financial institutions are obliged to undertake certain CDD measures concerning wire transfers, as laid out in detail in the above-referenced articles of the AML-CFT Decision. In particular, these measures relate to the identification of the originators and beneficiaries; the maintenance of information in regard to the same; and the implementation of risk-based policies and procedures for handling the disposition of wire transfers and for taking appropriate follow-up action.
The purpose of these measures is to ensure that information on the originator and the beneficiary accompanies (meaning that it is sent at the same time, but not necessarily in the same message) cross-border wire transfers at all stages of their execution where the amount of the transfer of funds equals or exceeds AED 3,500 or the equivalent in any other currency.
The FI of the originator (or payer) shall ensure that the transfer of funds is accompanied by the information on the originator and beneficiary (or payee) as follows:
Information on the originator:
• The name of the originator (in case of natural person – the name and surname);
• The originator’s account number (or in absence thereof the transfer shall be accompanied by a unique transaction reference number);
• The originator’s address, identification document number or customer identification number, and date and place of birth.
Information on the beneficiary:
• The name of the beneficiary (in case of natural person – the name and surname);
• The beneficiary’s account number (or in absence thereof, a unique transaction reference number).
In case of cross-border wire transfers of less than AED 3,500 or equivalent, it is not required to verify the accuracy of the above-mentioned information, unless there are suspicions of ML or TF.
The same applies to domestic wire transfers: the FI of the originator shall ensure that the above-mentioned information is included, unless this information can be made available to the FI of the beneficiary by other means.
The FI of the originator shall not execute the transfer if it has not verified the identity of the originator. The FI of the beneficiary shall not credit the beneficiary’s account or make the funds available for the beneficiary if it has not conducted verification of the beneficiary’s identity.
The FI of the beneficiary is required to implement effective procedures to identify received transfers that lack information about the originator and the beneficiary, in real time or as part of the post-event monitoring process. This will include risk-based procedures for determining whether transactions that lack the required information are to be executed, returned, suspended or transferred to the account of the beneficiary, as well as procedures for the follow-up actions regarding these transfers, including requesting the information on the originator and the beneficiary.
An intermediary FI shall ensure that all information about the originator and the beneficiary accompanying a cross-border wire transfer is transferred to the beneficiary FI or other intermediary provider. Should there be technical limitations that prevent the required information accompanying a cross-border wire transfer from remaining with a related domestic wire transfer, the intermediary FI shall keep a record of all the information received from the ordering FI or another cross-border intermediary FI.
The intermediary FI is required to implement effective risk-based procedures to identify the received transfers that lack information about the originator and the beneficiary, in real-time or as part of the post-event monitoring process.
The procedures can include defining and documenting specific AML/CFT system parameters (such as transaction value, aggregate transaction amounts at the customer level, customer risk classification, or others) which would trigger an exception to straight-through processing and require manual review and intervention. This will also include procedures for determining when to execute, reject, or suspend a wire transfer lacking required information and the appropriate follow-up action.
Where an FI repeatedly fails to provide the required information on the originator and the beneficiary, the beneficiary’s or intermediary FI, taking into consideration the risks and frequency of the violations by the FI of the originator, shall take steps, which may initially include the issuing of warnings and setting deadlines. These steps can ultimately consist of rejecting any future transactions from the FI or restricting or terminating its business relationship with that FI.
Similar requirements apply to VASPs. Originating VASPs are required to obtain and hold required and accurate originator information and required beneficiary information on virtual asset transfers, and to submit that information to the beneficiary VASP or FI (if any) immediately and securely. Beneficiary VASPs are required to obtain and hold required originator information and required and accurate beneficiary information on virtual asset transfers. For the purposes of applying the wire transfer requirements to VASPs, all virtual asset transfers are to be treated as cross-border.
In addition to the above, as part of their ongoing account monitoring procedures, FIs should also review the purpose of wire transfers, as indicated in their description fields, for potential red-flag indicators (see Section 7.2, Identification of Suspicious Transactions).
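The following is an added, constructed example of how an FI might pre-check a wire transfer message against the information requirements set out in this sub-section (required fields, the AED 3,500 threshold for verifying accuracy, the domestic "other means" exception, VASP transfers treated as cross-border, and the execute/credit prohibitions when identity is unverified). It is illustrative code, not an FI's, the Central Bank's or any vendor's; the field names, FX table, decision strings and sample parties are assumptions.

```python
"""Constructed example of the information checks in Section 6.3.2 (illustrative
code, not an FI's or regulator's); field names, FX table and decision strings are assumed."""
from dataclasses import dataclass
from typing import List, Optional

THRESHOLD_AED = 3500.0
AED_PER_UNIT = {"AED": 1.0, "USD": 3.6725, "EUR": 3.95}  # assumed FX table, AED per unit


@dataclass
class Party:
    name: Optional[str] = None
    account_number: Optional[str] = None
    address: Optional[str] = None
    id_document_number: Optional[str] = None
    customer_id_number: Optional[str] = None
    date_of_birth: Optional[str] = None
    place_of_birth: Optional[str] = None
    identity_verified: bool = False


@dataclass
class WireTransfer:
    amount: float
    currency: str
    originator: Party
    beneficiary: Party
    cross_border: bool
    unique_transaction_ref: Optional[str] = None
    virtual_asset: bool = False                  # VASP transfers: always cross-border
    info_available_by_other_means: bool = False  # relevant to domestic transfers only
    ml_tf_suspicion: bool = False


def is_cross_border(t: WireTransfer) -> bool:
    return t.cross_border or t.virtual_asset


def missing_information(t: WireTransfer) -> List[str]:
    """Required items absent from the message; the third originator item is
    checked as listed above (address, an ID or customer number, date and place of birth)."""
    o, b, missing = t.originator, t.beneficiary, []
    if not o.name:
        missing.append("originator.name")
    if not (o.account_number or t.unique_transaction_ref):
        missing.append("originator.account_or_unique_ref")
    if not o.address:
        missing.append("originator.address")
    if not (o.id_document_number or o.customer_id_number):
        missing.append("originator.id_or_customer_number")
    if not (o.date_of_birth and o.place_of_birth):
        missing.append("originator.date_and_place_of_birth")
    if not b.name:
        missing.append("beneficiary.name")
    if not (b.account_number or t.unique_transaction_ref):
        missing.append("beneficiary.account_or_unique_ref")
    return missing


def accuracy_verification_required(t: WireTransfer) -> bool:
    """Cross-border transfers of AED 3,500 or more, or any with ML/TF suspicion."""
    amount_aed = t.amount * AED_PER_UNIT[t.currency]
    return is_cross_border(t) and (amount_aed >= THRESHOLD_AED or t.ml_tf_suspicion)


def originator_fi_decision(t: WireTransfer) -> str:
    if not t.originator.identity_verified:
        return "DO_NOT_EXECUTE: originator identity not verified"
    missing = missing_information(t)
    # A domestic transfer may omit the data if the beneficiary FI can obtain it by other means.
    if missing and (is_cross_border(t) or not t.info_available_by_other_means):
        return "INCOMPLETE: " + ", ".join(missing)
    if accuracy_verification_required(t):
        return "EXECUTE_AFTER_ACCURACY_VERIFICATION"
    return "EXECUTE"


def beneficiary_fi_decision(t: WireTransfer) -> str:
    if not t.beneficiary.identity_verified:
        return "DO_NOT_CREDIT: beneficiary identity not verified"
    missing = missing_information(t)
    if missing:  # exception to straight-through processing: manual review decides
        return "SUSPEND_FOR_REVIEW: request " + ", ".join(missing)  # execute, return or suspend
    return "CREDIT"


def sample_transfer() -> WireTransfer:
    """Constructed complete USD 2,000 cross-border transfer (about AED 7,345)."""
    originator = Party("Ali Example", "ACC-ORIG-001", "1 Example Street, Dubai",
                       id_document_number="ID-PLACEHOLDER-001",
                       date_of_birth="1980-01-01", place_of_birth="Dubai", identity_verified=True)
    beneficiary = Party("Bea Example", "ACC-BENEF-002", identity_verified=True)
    return WireTransfer(2000.0, "USD", originator, beneficiary, cross_border=True)
```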
6.3.3 CDD Measures Concerning Legal Persons and Arrangements
(AML-CFT Decision Articles 8, 9, 37.1-3)
FIs are obliged to undertake CDD measures concerning legal persons and Legal Arrangements, including identification and verification of the identity of the Beneficial Owners, beneficiaries, and other controlling persons, in accordance with the provisions of the AML-CFT Decision. In fulfilling these requirements, they should take the following guidance into consideration:
• Without prejudice to the provisions of Article 9.1(b) of the AML-CFT Decision, when customers that are legal persons are owned or controlled by other legal persons or Legal Arrangements (for example, when customers are subsidiaries of a parent company or a Trust), FIs should make reasonable efforts to identify and verify the Beneficial Owners by looking through each layer of legal persons or Legal Arrangements (intermediate entities) until the natural persons with owning or controlling interests of 25% or more in aggregate are identified. Furthermore, in the event of multiple legal persons or arrangements with ownership or controlling interests, even where each legal person or Legal Arrangement owns or controls less than 25%, FIs should consider whether there are indications that the entities may be related by common ownership, which could reach or surpass the Beneficial Ownership threshold level of 25% in aggregate.
• When undertaking CDD measures on Legal Arrangements which allow funds or other forms of assets to be added or contributed to the arrangement after the initial settlement and by any persons other than the identified settlor(s), FIs should take the necessary steps to ascertain and verify the identity of the Beneficial Owners, and to understand the nature of their relationship with the Legal Arrangement. For customers that are trusts or other legal arrangements, the FI should verify the identity of beneficial owners, being the settlor, the trustee(s), the protector (if any), the beneficiaries or class of beneficiaries, and any other natural person exercising ultimate effective control over the trust (including through a chain of control/ownership), or equivalent or similar positions for other legal arrangements. For beneficiaries of trusts or other legal arrangements that are designated by characteristics or by class, the FI should obtain sufficient information concerning the beneficiary to satisfy the FI that it will be able to establish the identity of the beneficiary at the time of the payout or when the beneficiary intends to exercise vested rights.
• The AML-CFT Decision obliges trustees in Legal Arrangements to maintain basic information relating to intermediaries, who are subject to supervision, and service providers, including consultants, investors or investment advisors, directors, accountants and tax advisors, who have responsibilities in relation to its management. In order to understand the control structure of a customer that is a Legal Arrangement, FIs should obtain this information from the trustees, representatives, or governing or managing officials and include it in the customer’s CDD profile. They should also give the same consideration to other forms of Legal Arrangements and their controlling persons (such as, for example, foundations, membership clubs, religious institutions, or others, along with their founders, representatives and other governing or managing officials).
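The look-through described in the first two bullets above, as an added, constructed example that is not part of this guidance or any institution's system: it walks each layer of intermediate legal persons, sums each natural person's direct and indirect interest against the 25% aggregate threshold (so two sub-25% holders controlled by the same person are caught), treats any Legal Arrangement reached by its roles rather than by percentage, and reports layers for which no ownership data has been obtained. The entities, shares and role names are assumptions.

```python
"""Constructed example of the look-through described in Section 6.3.3; illustrative
code, not any institution's. Entities, shares and role names are assumptions."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

THRESHOLD = 0.25

# Direct holdings: owned entity -> [(owner, fraction held)]. Constructed sample:
# BetaHold and GammaHold each hold under 25% of the customer AlphaCo, but both
# are controlled by Person-A, whose aggregate interest therefore exceeds 25%.
HOLDINGS: Dict[str, List[Tuple[str, float]]] = {
    "AlphaCo": [("BetaHold", 0.20), ("GammaHold", 0.20), ("DeltaTrust", 0.35), ("Person-C", 0.25)],
    "BetaHold": [("Person-A", 0.80), ("OmegaLtd", 0.20)],   # OmegaLtd: no data obtained yet
    "GammaHold": [("Person-A", 0.60), ("Person-B", 0.40)],
}
NATURAL_PERSONS: Set[str] = {"Person-A", "Person-B", "Person-C", "Person-D", "Person-E"}
# Legal Arrangements met in the chain: settlor, trustee, protector and
# beneficiaries are identified whatever the share held (second bullet above).
ARRANGEMENTS: Dict[str, Dict[str, List[str]]] = {
    "DeltaTrust": {"settlor": ["Person-D"], "trustee": ["TrustCo"], "beneficiaries": ["Person-E"]},
}


def aggregate_ownership(customer, holdings, natural_persons, arrangements):
    """Returns (totals per natural person, arrangements reached, unresolved entities)."""
    totals: Dict[str, float] = defaultdict(float)
    reached: Set[str] = set()
    unresolved: Set[str] = set()

    def walk(entity: str, fraction: float, path: frozenset) -> None:
        for owner, share in holdings.get(entity, []):
            indirect = fraction * share
            if owner in natural_persons:
                totals[owner] += indirect
            elif owner in arrangements:
                reached.add(owner)          # handled by role, not by percentage
            elif owner in path:
                continue                    # cross-holding loop: stop recursing
            elif owner in holdings:
                walk(owner, indirect, path | {owner})
            else:
                unresolved.add(owner)       # documentation gap to follow up

    walk(customer, 1.0, frozenset([customer]))
    return dict(totals), reached, unresolved


def beneficial_owners(customer, holdings, natural_persons, arrangements, threshold=THRESHOLD):
    """Natural persons at or above the threshold plus the parties of any
    arrangement in the chain; legal persons that need their own CDD and
    layers with missing data are reported separately."""
    totals, reached, unresolved = aggregate_ownership(customer, holdings, natural_persons, arrangements)
    by_threshold = {p for p, t in totals.items() if t + 1e-9 >= threshold}
    parties: Set[str] = set()
    entities_for_cdd: Set[str] = set()
    for arrangement in reached:
        for names in arrangements[arrangement].values():
            for name in names:
                (parties if name in natural_persons else entities_for_cdd).add(name)
    return {
        "by_threshold": sorted(by_threshold),
        "arrangement_parties": sorted(parties),
        "entities_for_cdd": sorted(entities_for_cdd | unresolved),
        "unresolved": sorted(unresolved),
    }
```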
6.3.4 CDD Measures for Life Insurance Activities
For life or other investment-related insurance business, FIs should, in addition to the CDD measures required for the customer and the beneficial owner, conduct the following CDD measures on the beneficiary(ies) of life insurance and other investment related insurance policies, as soon as the beneficiary(ies) are identified/designated:
(a) For beneficiary(ies) that are identified as specifically named natural or legal persons or legal arrangements – taking the name of the person;
(b) For beneficiary(ies) that are designated by characteristics or by class (e.g. spouse or children at the time that the insured event occurs) or by other means (e.g. under a will) – obtaining sufficient information concerning the beneficiary to satisfy the financial institution that it will be able to establish the identity of the beneficiary at the time of the payout. The information collected under (a) and/or (b) should be recorded and maintained.
For both the cases referred to above, the verification of the identity of the beneficiary(ies) should occur at the time of the payout.
In determining whether enhanced CDD measures are applicable, an FI should take into account as a factor the beneficiary of a life insurance policy. If an FI determines that a beneficiary who is a legal person or a Legal Arrangement presents a higher risk, then the enhanced CDD measures should include reasonable measures to identify and verify the identity of the beneficial owner of the beneficiary, at the time of payout.
In case an FI cannot comply with this, the FI should consider filing an STR with the FIU.
6.3.5 Ongoing Monitoring of the Business Relationship
(AML-CFT Decision Articles 4.2(b), 4.3(c), 7.1)
With regard to established Business Relationships, FIs are obliged to undertake ongoing supervision of customers’ activity, including monitoring of transactions executed throughout the course of the relationship to ensure that they are consistent with the information, types of activity, and the risk profiles of the customers. FIs should use a risk-based approach to determine the policies, methods, procedures and controls they implement in relation to monitoring customers’ transactions and activities, as well as in regard to the extent of monitoring for specific customers or categories of customers.
As part of a risk-based approach to AML/CFT, in the case of customers or Business Relationships identified as high risk, FIs are expected to investigate and obtain more information about the purpose of transactions, and to enhance ongoing monitoring and review of transactions in order to identify potentially unusual or suspicious activities. In the case of customers or Business Relationships that are identified as low risk, FIs may consider monitoring and reviewing transactions at a reduced frequency.
Thus, in keeping with the level of risk involved, FIs should monitor and examine transactions in relation to the CDD information and risk profile of the customer (see Section 6.3, Customer Due Diligence (CDD) Measures, Section 6.4, Enhanced Due Diligence (EDD) Measures, and Section 6.5, Simplified Due Diligence (SDD) Measures). Where necessary, FIs should also obtain sufficient information on the counterparties and/or other parties involved (including but not limited to information from public sources, such as internet searches), in order to determine whether the transactions appear to be:
• Normal (consideration should be given as to whether the transactions are typical for the customer, for the other parties involved, and for similar types of customers);
• Reasonable (consideration should be given as to whether the transactions have a clear rationale and are compatible with the types of activities that the customer and the counterparties are usually engaged in);
• Legitimate (consideration should be given as to whether the customer and the counterparties are permitted to engage in such transactions, such as when specific licenses, permits, or official authorisations are required).
Examples of some of the methods that may be employed for the ongoing monitoring of transactions include, but are not limited to:
• Threshold-based rules, in which transactions above certain pre-determined values, numerical volumes, or aggregate amounts are examined;
• Transaction-based rules, in which the transactions of a certain type are examined;
• Location-based rules, in which the transactions involving a specific location (either as origin or destination) are examined;
• Customer-based rules, in which the transactions of particular customers are examined.
FIs may use all or any combination of the above methods, or any others that are appropriate to their particular circumstances, to effect ongoing monitoring of the Business Relationship. Furthermore, monitoring systems and methods may be automated, semi-automated, or manual, depending on the nature and size of their businesses. Whichever methods FIs elect to use, however, FIs should document them (see Section 9, Record Keeping), obtain senior management approval for them, and periodically review and update them to ensure their effectiveness. FIs should also establish specific monitoring procedures for customers and business relationships which have been reported as suspicious to the FIU (see Section 7.11, Handling of Transactions and Business Relationships after Filing of STRs).
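As an added illustration (constructed here, not taken from this guidance or any FI's monitoring system), the four rule types listed above applied to a month of sample transactions against each customer's CDD profile; the profiles, transactions, limits and rule names are assumptions.

```python
"""Constructed example of the four monitoring-rule types in Section 6.3.5 applied
against CDD profiles. Illustrative code; profiles, transactions and limits are assumed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Profile:
    risk: str                          # "low" | "standard" | "high" (risk classification)
    expected_monthly_aed: float        # turnover expected from the CDD profile
    expected_countries: FrozenSet[str]
    usual_types: FrozenSet[str]
    reported_to_fiu: bool = False      # specific monitoring after an STR (customer-based rule)


@dataclass(frozen=True)
class Txn:
    customer: str
    month: str          # "YYYY-MM", used for aggregate thresholds
    amount_aed: float
    txn_type: str
    country: str        # counterparty location (origin or destination)


# Assumed single-transaction limits per risk category and aggregate tolerance.
SINGLE_LIMIT_AED = {"low": 100_000.0, "standard": 50_000.0, "high": 20_000.0}
AGGREGATE_FACTOR = 1.5   # alert when monthly volume exceeds 1.5x expected turnover

PROFILES: Dict[str, Profile] = {
    "C-1": Profile("low", 30_000.0, frozenset({"AE"}), frozenset({"salary", "card"})),
    "C-2": Profile("high", 200_000.0, frozenset({"AE", "GB"}), frozenset({"wire_in", "wire_out"})),
    "C-3": Profile("standard", 50_000.0, frozenset({"AE"}), frozenset({"card", "cash_deposit"}),
                   reported_to_fiu=True),
}

TXNS: List[Txn] = [  # constructed sample activity for one month
    Txn("C-1", "2024-03", 12_000.0, "salary", "AE"),
    Txn("C-1", "2024-03", 25_000.0, "wire_out", "KY"),
    Txn("C-1", "2024-03", 15_000.0, "card", "AE"),
    Txn("C-2", "2024-03", 25_000.0, "wire_out", "GB"),
    Txn("C-3", "2024-03", 5_000.0, "card", "AE"),
]


def run_rules(txns: List[Txn], profiles: Dict[str, Profile]) -> List[Tuple[str, str, str]]:
    """Returns (customer, rule, detail) alerts for an analyst to review."""
    alerts: List[Tuple[str, str, str]] = []
    monthly: Dict[Tuple[str, str], float] = defaultdict(float)
    for t in txns:
        p = profiles[t.customer]
        # Threshold-based: single value at or above the limit for the risk category
        if t.amount_aed >= SINGLE_LIMIT_AED[p.risk]:
            alerts.append((t.customer, "threshold_single", f"{t.amount_aed:.0f} AED"))
        # Threshold-based: monthly aggregate crossing the expected turnover (alert once)
        key, ceiling = (t.customer, t.month), AGGREGATE_FACTOR * p.expected_monthly_aed
        before = monthly[key]
        monthly[key] += t.amount_aed
        if before <= ceiling < monthly[key]:
            alerts.append((t.customer, "threshold_aggregate", f"{monthly[key]:.0f} AED in {t.month}"))
        # Transaction-based: type outside the activity described at onboarding
        if t.txn_type not in p.usual_types:
            alerts.append((t.customer, "transaction_type", t.txn_type))
        # Location-based: counterparty jurisdiction not in the CDD profile
        if t.country not in p.expected_countries:
            alerts.append((t.customer, "location", t.country))
        # Customer-based: every transaction of a customer already reported to the FIU
        if p.reported_to_fiu:
            alerts.append((t.customer, "customer_reported", t.txn_type))
    return alerts
```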
6.3.6 Reviewing and Updating the Customer Due Diligence Information
(AML-CFT Decision Articles 4.2(b), 4.3(b), 7.2, 12)
The timely review and update of CDD information is a fundamental component of an effective ML/FT risk management and mitigation programme. FIs are obliged to maintain the CDD documents, data and information obtained on customers, and their Beneficial Owners or beneficiaries in the case of legal persons or arrangements, up to date. The AML-CFT Decision provides that FIs should update the CDD information on High Risk Customers more frequently, and that, in the absence of a ML/FT suspicion, FIs may update the CDD information of identified low-risk customers less frequently.
In order to be able to update the CDD information of customers in a risk-based manner, FIs should develop internal policies, procedures and controls in relation to the periodic or event-driven review and updating of CDD information. These policies and procedures should be reasonable and proportionate to the risks involved, and, in formulating them, FIs are advised to consider parameters such as:
• Circumstances, timing and frequency of reviews and updates. Generally, FIs should establish clear rules per customer risk category with respect to the maximum period of time that should be allowed to elapse between CDD reviews and updates of customer records. The expiry of a customer’s or Beneficial Owner’s identification documents is a circumstance that calls for updating the customer information. Changes in legislation or internal procedures are also a cause for reviewing and updating customer files.
• Additionally, FIs should also establish clear rules with respect to circumstances that would trigger an interim or event-driven review, or the acceleration of a particular customer’s review cycle. Circumstances or events that might trigger an interim review include:
- Discovery of information about a customer that is either contradictory or otherwise puts in doubt the appropriateness of the customer’s existing risk classification or the accuracy of previously gathered CDD information;
- Material change in ownership, legal structure, or other relevant data (such as name, registered address, purpose, capital structure) of a legal person or arrangement;
- Initiation of legal or judicial proceedings against a customer or Beneficial Owner;
- Finding materially adverse information about a customer or Beneficial Owner, such as media reports about allegations or investigations of fraud, corruption or other crimes;
- Qualified opinion from an independent auditor on the financial statements of a legal entity customer;
- Transactions or activities that appear potentially unusual or suspicious.
• Components and extent of reviews and updates. In keeping with the nature and size of their businesses, FIs should clearly define the moments, contents and extent of CDD reviews for Business Relationships in different risk categories, including which data elements, documents, or information should be examined and updated if necessary. In this regard, FIs are advised that tools such as checklists and procedural manuals will help to enhance the effectiveness of CDD reviews and updates. Examples of procedures might include, but are not necessarily limited to:
- When the source of wealth or the source of funds of a customer should be verified;
- When additional inquiries or investigations should be made pertaining to the nature of a customer’s business, the purpose of a Business Relationship, or the reasons for a transaction;
- How much of a customer’s transactional history, including how many and which specific transactions or transaction types, should be reviewed as part of a periodic or an interim review.
• Organisational responsibilities. In keeping with the nature and size of their businesses, FIs should consider clearly defining the relevant organisational arrangements in relation to the CDD review and update process. Examples of such responsibilities might include, but are not necessarily limited to:
- Carrying out reviews and updates;
- Escalating and/or reporting situations in which risk classifications should be changed, Business Relationships should be suspended or terminated, or potentially unusual or suspicious activities should be further investigated;
- Approving or rejecting reviews of Business Relationships (including senior management involvement with regard to PEPs and other High Risk Customers);
- Undertaking CDD file remediation measures when necessary;
- Auditing the quality of CDD reviews and updates;
- Maintaining records with regard to CDD reviews and updates, in accordance with statutory record-keeping requirements (see Section 9, Record Keeping).