  • Part IV—AML/CFT Administration and Reporting

    • 7. Suspicious Transaction Reporting

      (AML-CFT Law Articles 9.1, 15, 30; AML-CFT Decision Articles 16-18)

      Under the AML/CFT legal and regulatory framework of the UAE, all FIs are obliged to promptly report to the Financial Intelligence Unit (FIU) suspicious transactions and any additional information required in relation to them, when there are suspicions, or reasonable grounds to suspect, that the proceeds are related to a crime, or to the attempt or intention to use funds or proceeds for the purpose of committing, concealing or benefitting from a crime. FIs are required to put in place and update indicators that can be used to identify possible suspicious transactions.

      In order to fulfil these obligations, FIs should implement adequate internal policies, procedures and controls in relation to the identification and the immediate reporting of suspicious transactions. The following sub-sections provide additional guidance in this regard.

      • 7.1 Role of the Financial Intelligence Unit

        (AML-CFT Law Articles 9-10; AML-CFT Decision Articles 13, 16, 17.1, 21.2 and 5, 40-43, 46.1-4, 49.2-3)

        The FIU of the UAE is established within the premises of the Central Bank; however, the FIU operates independently by legal and regulatory mandate as the central national agency with sole responsibility for performing the following functions:

        Receiving and analysing STRs from FIs and DNFBPs, and disseminating the results of its analysis to the Competent Authorities of the State;
         
        Receiving and analysing reports of suspicious cases from the Federal Customs Authority;
         
        Requesting additional information and documents relating to STRs, or any other data or information it deems necessary to perform its duties, from FIs, DNFBPs, and Competent Authorities, including information relating to customs disclosures;
         
        Cooperating and coordinating with Supervisory Authorities by disseminating the outcomes of its analysis, specifically with respect to the quality of STRs, to ensure the compliance of FIs and DNFBPs with their statutory AML/CFT obligations;
         
        Sending data relating to STRs and the outcomes of its analyses and other relevant data, including information obtained from foreign FIUs, to national Law Enforcement Authorities, prosecutorial authorities and judiciary authorities when actions are required by those authorities in relation to a suspected crime;
         
        Exchanging information with its counterparts in other countries, with respect to STRs or any other information to which it has access.
         

        Under the aegis of the National Committee for Combating Money Laundering and the Financing of Terrorism and Illegal Organisations, and for the effective performance of its functions, the FIU maintains operational protocols with numerous national and international Competent Authorities.

        The FIU has launched the GoAML system for the purposes of facilitating the filing of STRs by all FIs. FIs shall register themselves on the GoAML system by following the procedure manual and maintain their registration in an active status. The Compliance Officer of the company can register as the user of the system. GoAML provides a secure link from each FI to the FIU through their respective supervisory authorities. The system hosts processes for facilitating the filing of STRs. It also has an .xml schema for filing batches of STRs. The guidance documents for filing of STRs are posted on the dashboard of this system. All newly licensed FIs shall register themselves immediately after obtaining their financial services license so as to confirm their readiness for filing of STRs from the beginning.

        The STRs are received by the FIU and processed for any required further information or documents or for further action by Law Enforcement or Supervisory Authorities. The FIU maintains a record of these STRs and performs a trend analysis to understand the prevailing trends in transactions and the sectors or institutions where the possibility of ML or FT exists. This trend analysis is shared with all the registered users of GoAML through the system by means of a periodic trends and typologies report.

      • 7.2 Processing of STRs by the FIU

        (AML-CFT Law Articles 9-10; AML-CFT Decision Articles 42, 43.1-3, 49.3)

        A core function of the FIU is to conduct operational analysis on STRs and information received from FIs, DNFBPs, as well as from Competent Authorities, and to support the investigations of Law Enforcement Authorities. It does so by identifying specific targets (such as persons, funds, or criminal networks) and by following the trail of specific transactions in order to determine the linkages between those targets and the possible proceeds of crime, money laundering, predicate offences and terrorist financing.

        Upon the receipt of STRs or information from reporting institutions or other sources, the FIU assesses the information, prioritises the risk, and performs its own analyses using a variety of information sources and analytical techniques.

        In certain cases, the FIU may request additional information from the reporting entity, Competent Authorities, or even from other FIs which also have a business relationship with the subject of its analysis or investigation, through the Integrated Enquiries Management System (IEMS). Upon concluding its analysis or investigation, the FIU may disseminate information about the case to Law Enforcement Authorities or foreign FIUs, and may, at its own discretion, also provide feedback to the reporting entity in the form of instructions regarding required actions to be taken, or recommendations and guidance.

        In addition to the above, the FIU also performs strategic analysis, using data aggregated from the STRs and other information it receives, including from national and international Competent Authorities and FIUs of other countries, to identify trends and patterns relating to ML/FT. As a result of this analysis, the FIU may from time to time disseminate enhanced due diligence and fraud alerts to FIs as a preventive measure, and may also disseminate information to FIs about prevalent or new and emerging ML/FT typologies, or other specific risks which FIs should take into consideration.

      • 7.3 Meaning of Suspicious Transaction

        (AML-CFT Law Article 16; AML-CFT Decision Article 17.1)

        Within the meaning of the AML-CFT Law and its implementing AML-CFT Decision, a suspicious transaction refers to any transaction, attempted transaction, or funds which an FI has reasonable grounds to suspect as constituting—in whole or in part, and regardless of the amount or the timing—any of the following:

        The proceeds of crime (whether designated as a misdemeanour or felony, and whether committed within the State or in another country in which it is also a crime);
         
        Being related to the crimes of money laundering, the financing of terrorism, or the financing of illegal organisations;
         
        Being intended to be used in an activity related to such crimes.
         

        It should be noted that the only requirement for a transaction to be considered as suspicious is “reasonable grounds” in relation to the conditions referenced above. Thus, the suspicious nature of a transaction can be inferred from certain information, including indicators, behavioural patterns, or CDD information, and it is not dependent on obtaining evidence that a predicate offence has actually occurred or on proving the illicit source of the proceeds involved. FIs do not need to have knowledge of the underlying criminal activity nor any founded suspicion that the proceeds originate from a criminal activity; reasonable grounds are sufficient.

        FIs should also note that transactions need not be completed, in progress or pending completion in order to be considered as suspicious. Attempted transactions, transactions that are not executed and past transactions, regardless of their timing or completion status, which are found upon review to cause reasonable grounds for suspicion, must be reported in accordance with the relevant requirements.

      • 7.4 Identification of Suspicious Transactions

        (AML-CFT Decision 16)

        FIs are obliged to put in place indicators that can be used to identify suspicious transactions, and to update those indicators on an ongoing basis in accordance with the instructions of the Supervisory Authorities or the FIU, as well as in keeping with relevant developments concerning ML/FT typologies. FIs should also consider the results of the NRA, any Topical Risk Assessment and their own ML/FT business risk assessments in this regard.

        As part of their overall AML/CFT framework, and commensurate with the nature and size of their businesses, FIs should determine the internal policies, procedures and controls they apply in connection with the identification, implementation, and updating of indicators, as well as with the identification and evaluation of potentially suspicious transactions. Some factors that should be considered include, but are not limited to:

        Organisational roles and responsibilities with respect to the implementation and review/updating of the relevant indicators, especially in relation to obligatory indicators required by the Supervisory Authorities or the FIU;
         
        Operational and IT systems procedures and controls in connection with the application of relevant indicators to processes such as transaction handling and monitoring, customer due diligence measures and review, and alert escalation;
         
        Staff training in relation to the identification and reporting of suspicious transactions (including attempted transactions), the appropriate use and assessment of the relevant indicators, and the degree and extent of internal investigation that is appropriate prior to the reporting of a suspicious transaction.
         

        FIs should ensure that they have an adequate process and dedicated, experienced staff for the investigation of and dealing with alerts. The investigation of alerts and the conclusion of the investigation should be documented, including the decision to close the alert or to promptly report the transaction as suspicious.

        Prompt reporting to the FIU is one of the key elements of the AML/CFT process. This means that FIs must report the transaction to the FIU immediately once the suspicious nature of the transaction becomes clear. This will be the case when, from an objective point of view and taking the available information into account, there is a reason to believe that a transaction is suspicious. This means that FIs expeditiously investigate alerts and possible indications of ML/FT and immediately report the transaction upon determining that the transaction should be reported to the FIU. FIs therefore need to be able to show that from the moment of the alert immediate and continuous action has been taken.

        In this respect, FIs must have a procedure in place that defines the reporting process, and what steps to take in such cases. When investigating alerts it is important to examine the customer’s earlier and related transactions, and to reconsider the customer’s risk profile.

        When identifying suspicious transactions, FIs, and their management and employees, should be aware of the fact that, in relation to ML/FT crimes, there is no minimum threshold or monetary value for reporting, and that no amount or transaction size should be considered too small for suspicion. This is of particular significance where the crimes of the financing of terrorism and of illegal organisations are concerned, since typologies related to them may often involve very small amounts of money.

        Furthermore, with the exception of obligatory indicators for which reporting is required by the relevant Supervisory Authorities or the FIU, FIs should note that the presence of an indicator means that a transaction needs to be immediately investigated in order to determine whether the transaction needs to be reported. When determining whether a transaction is suspicious or whether there is reasonable ground for a suspicion, FIs should give consideration to the nature of the specific circumstances, including the products or services involved, and the details of the customer in the context of its risk profile. In some cases, patterns of activity or behaviour that might be considered as suspicious in relation to a specific customer or a particular product type, might not be suspicious in regard to another. For this reason, clear internal policies and procedures with regard to alert escalation and investigation, and internal suspicious transaction reporting are critical to an effective ML/FT risk-mitigation programme. This includes an adequate training program that will allow staff to detect possible unusual or suspicious transactions.

        While it is impossible to list all the indicators of suspicion in these Guidelines, some useful links to sources of AML/CFT suspicious transaction indicators are provided in Appendix 11.2, Useful Links. A few examples of potentially suspicious transaction types that FIs should take into consideration include:

        Transactions or series of transactions that appear to be unnecessarily complex, that make it difficult to identify the Beneficial Owner, or that do not appear to have an economic or commercial rationale;
         
        Numbers, sizes, or types of transactions that appear to be inconsistent with the customer’s expected activity and/or previous activity;
         
        Transactions that appear to be exceptionally large in relation to a customer’s declared income or turnover;
         
        Large unexplained cash deposits and/or withdrawals, especially when they are inconsistent with the nature of the customer’s business;
         
        Loan repayments that appear to be inconsistent with a customer’s declared income or turnover;
         
        Early repayment of a loan followed by an application for another loan;
         
        Third-party loan agreements, especially when there are amendments to or assignments of the loan agreement;
         
        Requests for third-party payments, including those involving transactions related to loans, investments, or insurance policies;
         
        Transactions involving high-risk countries, including those involving “own funds” transfers, particularly in circumstances in which there are no clear reasons for the specific transaction routing;
         
        Frequent or unexplained changes in ownership or management of Business Relationships;
         
        Illogical changes in business activities, especially where high-risk activities are involved;
         
        Situations in which CDD measures cannot be performed, such as when the customers or Beneficial Owners refuse to provide CDD documentation, or provide documentation that is false, misleading, fraudulent or forged.
         
         When reporting an STR in the GoAML system, the user is required to select the most appropriate reason for reporting available from the menu selection provided. More than one reason may also be provided, if deemed necessary. In order to select the appropriate indicator, click ‘Add’ to select the appropriate reason for the report.
         
         Select the reason(s) applicable and then press ‘Close’. Alternatively, the user may search for reasons using the search bar available on the top left when expanding the form. It is imperative that a minimum of one reason for reporting must be selected to avoid rejection of the report by the GoAML system.
         
      • 7.5 Requirement to Report

        (AML-CFT Law Articles 9.1, 15, 24; AML-CFT Decision Articles 13.2, 17.1, 20.2)

        FIs are obliged to report transactions to the FIU without delay when there are suspicions, or reasonable grounds to suspect, that the proceeds are related to a crime, or to the attempt or intention to use funds or proceeds for the purpose of committing, concealing or benefitting from a crime. There is no minimum reporting threshold; all suspicious transactions, including attempted transactions, should be reported regardless of the amount of the transaction. There is also no statute of limitations with regard to when the possible crimes or the suspicious transaction took place.

        Under federal law and regulations, whether the FI operates in the mainland UAE or in a Financial or Commercial Free Zone, the designated Competent Authority for the reporting of suspicious transactions is the FIU.

        Failure to report a suspicious transaction immediately, whether intentionally or by gross negligence, is a federal crime. Any person, including FIs or their managers and employees, who fails to perform their statutory obligation to report a suspicion of money laundering, or the financing of terrorism or of illegal organisations, is liable to a fine of no less than AED100,000 and no more than AED1,000,000 and/or imprisonment.

        There are no exemptions from the statutory reporting requirement provided for FIs under the AML-CFT Law or AML-CFT Cabinet Decision.

      • 7.6 Procedures for the Reporting of Suspicious Transactions

        (AML-CFT Law Article 9; AML-CFT Decision Articles 17.1(a), 21.2)

        As the designated Competent Authority for receiving and analysing STRs from all FIs, it is within the purview of the FIU to determine the procedures for the reporting of suspicious transactions. As stated in the AML-CFT Decision, FIs shall report STRs “via the electronic system of the FIU or by any other means approved by the FIU”, which is the FIU’s GoAML system.

        Without prejudice to the above, it should be noted that the AML-CFT Decision provides for the reporting of STRs to be effected by the designated compliance officer of the FI. Specifically, the Cabinet Decision states that the duty of a compliance officer is to:

        “Review, scrutinise and study records, receive data concerning Suspicious Transactions, and take decisions to either notify the FIU or maintain the Transaction with the reasons for maintaining while maintaining complete confidentiality.”

        In this regard, as part of their overall risk-based AML/CFT framework and commensurate with the nature and size of their businesses, FIs should establish appropriate policies, procedures and controls pertaining to the internal reporting by their managers and employees of potentially suspicious transactions, including the provision of the necessary records and data, to the designated AML/CFT compliance officer for further analysis and reporting decisions, as well as to the reporting of STRs by the compliance officer to the FIU. The relevant policies, procedures and controls should take into consideration such factors as:

        Policies and procedures for the internal investigation of potentially suspicious transactions prior to the reporting of STRs;
         
        Conditions, timing, and methods for filing internal potentially suspicious transactions;
         
        Content requirements and format of internal potentially suspicious transactions;
         
        Appropriate controls for ensuring confidentiality and the protection of data from unauthorized access (also see Section 7.8, Confidentiality and Prohibition against “Tipping Off”);
         
        Procedures related to the provision of additional information, follow-up actions pertaining to the transactions, and the handling of Business Relationships after the filing of STRs;
         
        Policies and procedures for the analysis and decision-making of suspicious transactions by the compliance officer in regard to reporting to the FIU;
         
        Other conditions deemed appropriate by the AML/CFT compliance officer.
         

        Such policies, procedures and controls should be documented, approved by senior management, and communicated to the appropriate levels of the organisation, in keeping with the nature and size of the FI’s business.

      • 7.7 Timing of Suspicious Transaction Reports (STRs)

        (AML-CFT Law 9; AML-CFT Decision 17.1(a), 21.2)

        FIs are obliged to report STRs to the FIU without delay. Since it is the responsibility of the designated AML/CFT compliance officer to “review, scrutinise and study records, receive data concerning suspicious transactions, and take decisions to either notify the FIU or maintain the transaction,” (see Section 8.1, Compliance Officer) it follows that the STRs should be immediately reported once the suspicious nature of the transaction becomes clear. This means that the internal reporting of suspicious transactions to the compliance officer should be done directly once the suspicion or reasonable grounds for suspicion are established, and immediately the designated AML/CFT compliance officer has confirmed that the transaction (whether pending, in progress, or past) is suspicious, it should be reported.

        Without prejudice to the above, FIs should note that, with the exception of any obligatory indicators for which immediate reporting to the FIU is required by the relevant Competent Authorities, some potentially suspicious transactions or indicators of suspicion may require a degree of internal investigation before a suspicion or reasonable grounds for suspicion are established and an internal STR is reported to the designated AML/CFT compliance officer. The FI should however be able to demonstrate that this investigation is started immediately and has been ongoing continuously until the transaction is reported to the FIU. In this regard, and commensurate with the nature and size of their businesses, FIs should establish clear policies, procedures and staff training programmes pertaining to the identification, investigation and internal reporting of suspicious transactions (including attempted transactions), and the degree and extent of investigations that are appropriate prior to the internal reporting of a suspicious transaction (also see Section 7.2, Identification of Suspicious Transactions). These policies and procedures should be documented, approved by senior management, and communicated to the appropriate levels of the organisation.

      • 7.8 Confidentiality and Prohibition against “Tipping Off”

        (AML-CFT Law Article 25; AML-CFT Decision Articles 17.2, 21.2, 31.3, 39)

        When reporting suspicious transactions to the FIU, FIs are obliged to maintain confidentiality with regard to both the information being reported and to the act of reporting itself, and to make reasonable efforts to ensure the information and data reported are protected from access by any unauthorized person.

        As part of their risk-based AML/CFT framework, and in keeping with the nature and size of their businesses, FIs, and their foreign branches or group affiliates where applicable, should establish adequate policies, procedures and controls to ensure the confidentiality and protection of information and data related to STRs. These policies, procedures and controls should be documented, approved by senior management, and communicated to the appropriate levels of the organisation.

        FIs must ensure that all relevant information relating to STRs is kept confidential, with due regard to the conditions and exceptions provided for in the law, and the guiding principles for this must be established in policies and procedures. FIs need to ensure that policies and procedures are reflected in, for example, appropriate access rights with regard to core systems used for case management and notifications, secure information flows and guidance/training to all staff members involved. This guidance and training is primarily important for the first-line staff who have contact with customers. It is essential that these staff know when there may be cases of suspicious transactions, what questions they have to ask the customer and which information they must not under any circumstances disclose to the customer.

        It should be noted that the confidentiality requirement does not pertain to communication within the FI or its affiliated group members (foreign branches, subsidiaries, or parent company) for the purpose of sharing information relevant to the identification, prevention or reporting of suspicious transactions and/or crimes related to ML/FT.

        It is a federal crime for FIs or their managers, employees or representatives, to inform a customer or any other person, whether directly or indirectly, that a report has been made or will be made, or of the information or data contained in the report, or that an investigation is under way concerning the transaction. Any person violating this prohibition is liable to a penalty of no less than AED100,000 and no more than AED500,000 and imprisonment for a term of not less than six months.

      • 7.9 Protection against Liability for Reporting Persons

        (AML-CFT Law Article 27; AML-CFT Decision Article 17.3)

        FIs, as well as their board members, employees and authorised representatives, are protected by the relevant articles of the AML-CFT Law and AML-CFT Decision from any administrative, civil or criminal liability resulting from their good-faith performance of their statutory obligation to report suspicious activity to the FIU. This is also the case even if they did not know precisely what the underlying criminal activity was, and regardless of whether illegal activity actually occurred. However, it should be noted that such protections do not extend to the unlawful disclosure to the customer or any other person, whether directly or indirectly, that they have reported or intend to report a suspicious transaction, or of the information or data the report contains, or that an investigation is being conducted in relation to the transaction.

      • 7.10 Handling of Transactions and Business Relationships after Filing of STRs

        Once a Suspicious Transaction or other suspicious information related to a Customer or Business Relationship has been reported to the FIU, there are two immediate consequences:

        FIs are obliged to follow the instructions, if any, of the FIU in relation to both the specific transaction and to the business relationship in general.
         
        The Customer or Business Relationship should immediately be classified as a High Risk Customer and appropriate risk-based enhanced due diligence and ongoing monitoring procedures should be implemented in order to mitigate the associated ML/FT risks (see Sections 6.4, Enhanced Due Diligence (EDD) Measures, especially 6.4.2, EDD Measures for High-Risk Customers or Transactions, and 6.3.5 Ongoing Monitoring of the Business Relationship). It is, however, not required to terminate the relationship.
         

        Further guidance on both of these topics is provided below.

        FIU Instructions

        After receiving an STR from an FI, the FIU may or may not revert to the reporting institution with specific instructions, requests for additional information, feedback or further guidance related to the STR or to the business relationship in general. In such cases, these communications will generally be directed to the designated AML/CFT compliance officer of the FI.

        Confidentiality of FIU’s Instructions

        The responsibility for coordinating the FI’s prompt compliance with the FIU’s instructions or requests lies with the designated AML/CFT compliance officer. It should be noted that, depending on the nature of the case, the FIU may require the compliance officer to maintain certain information related to its instructions or requests privileged and/or confidential within the FI’s organisation. In other words, in some cases, the compliance officer could be restricted from divulging information about a transaction or business relationship to anyone other than certain members of senior management or the board of directors of the FI. Regardless of the circumstances surrounding the FIU’s instructions or requests, including whether or not the compliance officer is permitted to provide explanations to the staff of the FI, the FI is obliged at all times to follow the compliance officer’s instructions in regard to any follow-up actions required in relation to an STR.

        Timing of FIU’s Instructions

        Whether or not the FIU issues instructions or requests for additional information to a reporting institution, or how quickly this may occur after the STR is initially reported, both depend on numerous factors. These may include the prioritisation of the incoming STR among all of the STRs received by the FIU, the results of the ensuing analysis, or the possible need for information to be exchanged with other Competent Authorities or international FIUs, as well as the timing and the results of such exchanges.

        When an STR involves an anticipated, pending, or already in-progress transaction, FIs should use their best efforts to delay the execution or completion of the transaction, in order to allow for a reasonable amount of time in which to receive feedback, instructions, or additional information requests from the FIU. In taking such measures, FIs should take the necessary steps to avoid “tipping off” or arousing the customer’s suspicion that the transaction is being investigated or reported. Examples of some of the measures FIs may consider taking, either singly or in combination, in order to delay the execution or completion of transactions include but are not limited to:

        Delaying processing of the transaction without explanation for as long as possible;
         
        Advising the customer that the transaction has been delayed due to an unspecified operational, technical or other problem, and that efforts are underway to resolve it;
         
        Requesting additional information and/or supporting documentation (for example, evidence of relevant licences or authorisations, shipping or customs documents, additional identification documents, bank or other references) relating to the transaction, the customer, or the counterparty;
         
        Advising the customer that paperwork related to the transaction has been lost and requesting that it be resubmitted;
         
        Advising the customer that the transaction is pending an internal approval process;
         
        Any other reasonable delaying tactics, bearing in mind the obligation to avoid “tipping off” the customer.
         

        During the time interval during which an anticipated, pending, or in-progress STR that has already been reported to the FIU is being delayed by the FI, any additional suspicions that may arise should also be immediately reported to the FIU as a follow-up to the original STR. Examples of such additional suspicions may include, but are not limited to:

        New adverse information obtained in relation to the transaction, the business relationship, or the counterparty to the transaction;
         
        Unusual behaviour of the customer as a result of the transaction being delayed, such as but not limited to:
         
        - Sudden material amendments or changes to the circumstances or details of the transaction;
        - Excessive pressure, intimidation, displays of anger (beyond what would normally be expected) or threats of any kind, aimed at forcing the FI or its employees to complete the transaction;
        - Abrupt cancellation of the transaction, termination of the business relationship, or sudden attempts to close out the customer’s account and/or withdraw the balance of funds or other assets held by the FI;
        - Any other indication or reasonable grounds to suspect that the customer has become aware that the transaction is being investigated or reported as suspicious.
         

        If a reasonable amount of time has not yet elapsed before the receipt of feedback, instructions, or requests for additional information from the FIU in regard to an STR, and it becomes impossible for the FI to delay the execution or completion of the reported transaction any longer without arousing the customer’s suspicion that the transaction is being investigated or reported, then the FI should request specific instructions or permission from the FIU in regard to executing or rejecting the transaction.

        No Instructions, Feedback or Additional Information Requests from the FIU

        Due to the factors previously mentioned, FIs may not receive instructions, additional information requests, or other feedback from the FIU in regard to STRs that have been filed; or the receipt of such communications may be delayed beyond what they consider to be a reasonable time period. In such instances, FIs should determine the appropriate handling of the STR and of the business relationship in general, taking into consideration all of the risk factors involved.

        In particular, FIs are reminded that, unless they are specifically instructed by the FIU to do so, they are under no obligation to carry out transactions they suspect, or have reasonable grounds to suspect, of being related to a Crime. Furthermore, unless they are specifically instructed by the FIU to maintain the business relationship (for example, so that the Competent Authorities may monitor the customer’s activity), FIs should take appropriate steps in order to decide whether or not to maintain the business relationship. These steps may include, but are not limited to:

        Reassessing the business relationship risk and re-evaluating the customer’s risk profile, where necessary;
         
        Initiating an enhanced customer due diligence review;
         
        Considering the performance of an enhanced background investigation (including, if appropriate, the use of a third-party investigation service);
         
        Any other reasonable steps, commensurate with the nature and size of their businesses, and bearing in mind the obligation to avoid “tipping off” the customer.
         

        FIs should be aware that filing an STR does not automatically mean that the relationship with the customer needs to be terminated. However, when deciding to terminate a business relationship for which an STR has been filed and no feedback has been received from the FIU after a reasonable time period, FIs should formally advise the FIU of their intention to do so unless there is an official objection.

        Reasonable Time Period for Receiving Feedback from the FIU

        FIs should note that there are no pre-established processing times, and no statute of limitations, in regard to the time interval during which the FIU may provide feedback, including instructions or requests for additional information in response to an STR. Furthermore, the time period that may be considered reasonable in relation to such feedback depends on numerous factors, including but not limited to the:

        Type, size and circumstances of the transaction;
         
        Normal average processing times for the specific transaction type;
         
        Type of customer or business relationship;
         
        Nature and size of the FI’s business;
         
        Precise nature of the suspicion.
         

        The time period considered to be reasonable could thus vary widely from one case to another.

        As a general guideline, the reasonable time periods for feedback from the FIU concerning transaction types that are less complex, more routine, and have faster average processing times (such as account-to-account or wire transfers, the exchange of currencies, or over-the-counter purchases of precious metals or stones, for example) would normally be expected to be shorter than those for more complex, less routine transaction types (such as, for example, purchases of real estate or other complex assets, trade finance transactions, or various forms of loan or credit agreements). FIs that require further assistance in determining reasonable time periods should consult with the FIU or the relevant Supervisory Authorities.

        High-Risk Classification of Reported Business Relationships

        When a transaction or other information about a business relationship is reported to the FIU as suspicious, it means that, by definition, the customer or business relationship to which it pertains should be classified as high risk (in case the business relationship has not yet been classified as such). In situations in which no feedback or instructions have been received from the FIU, FIs that determine to maintain the business relationship should, commensurate with the nature and size of their businesses:

        Document the process by which the decision was made to maintain the business relationship, along with the rationale for, and any conditions related to, the decision;
         
        Implement adequate EDD measures to manage and mitigate the ML/FT risks associated with the business relationship.
         

        In such cases, beyond the EDD measures described in previous sections (see Sections 6.4, Enhanced Due Diligence (EDD) Measures and 6.3.5, Ongoing Monitoring of the Business Relationship), FIs should also implement additional control measures such as, but not limited to:

        Requiring additional data, information or documents from the customer in order to carry out transactions (for example, evidence of relevant licenses or authorisations, customs documents, additional identification documents, bank or other references);
         
        Restricting the customer’s use of certain products or services;
         
        Placing restrictions and/or additional approval requirements on the processing of the customer’s transactions (for example, transaction size and/or volume limits, or limits to the number of transactions of certain types that can be executed during a given time period).
         

        FIs should also document the specific EDD, ongoing monitoring, and additional control measures to be taken. In this regard, FIs should obtain senior management approval for the plan, including its specific conditions, duration and any requirements for its removal, as well as the roles and responsibilities for its implementation, monitoring and reporting, commensurate with the nature and degree of the ML/FT risks associated with the business relationship.

    • 8. Governance

      (AML-CFT Law Article 16.1(d); AML-CFT Decision Articles 4.2(a), 20, 21, 44.4)

      In order for the AML/CFT framework of any organisation to be effective, it must be based on the foundation of a sound governance structure, and held together by a strong compliance culture.

      The governance structure should take the following into consideration:

      Establish clear accountability lines and responsibilities to ensure that there is appropriate and effective oversight of staff who engage in activities which may pose a greater AML/CFT risk.
      Have the mechanism to inform the board of directors (or a committee of the board) and senior management of compliance initiatives, compliance deficiencies, STRs filed and corrective actions taken;
      Develop and maintain a system of reporting that provides accurate and timely information on the status of the AML/CFT program, including statistics on key elements of the program, such as the number of transactions monitored, alerts generated, cases created and STRs filed;
      Develop and implement quality assurance testing programs to assess the effectiveness of the AML/CFT program’s implementation and execution of its requirements.
       

      FIs should also make sure to have management structures which are accountable for clear ML/FT risk management and mitigation measures, as well as appropriate independent control functions. Implicit in both the AML-CFT Law and the AML-CFT Decision are the elements of both, concerning which additional guidance is provided in the sections below.

      • 8.1 Compliance Officer

        (AML-CFT Decision Articles 20.3, 21 and 44.12)

        • 8.1.1 Appointment and Approval

          FIs are obliged to appoint a compliance officer (CO) with the appropriate competencies and experience to perform the statutory duties and responsibilities associated with this role. The AML-CFT Decision stipulates that the CO performs these duties “under his or her own responsibility”, referring to the independent nature of the function and from which it should be understood that the position should be at a management level.

          FIs must take all appropriate steps to identify and to prevent or manage conflicts of interest between:

          The FI, its personnel including its CO, or any other representatives, including any person who is directly or indirectly associated with the organization and who has control to make decisions, and the FI’s customer.
          The CO and senior management of the organization including the Board of Directors. The CO must be independent and must hold a position of sufficient seniority within the organization, to ensure informed decisions are made without undue pressure to challenge decisions that are considered ill-suited, to protect the organization from possible ML/TF abuse. The MLRO’s independence of judgement is required to be free from conflicts of interest, whether it is pecuniary or otherwise.
           

          The AML-CFT Decision further provides that the appointment of a person to the position of CO requires the prior consent of the relevant Supervisory Authority. Some FIs might also have appointed a Money Laundering Reporting Officer (MLRO).

          In determining the competencies, level of experience, and organizational reporting structures that are appropriate for their COs, FIs should take several factors into consideration, including but not limited to:

          The results of the NRA and any topical risk assessment;
           
          The nature, size, complexity, and risk profile of their industries and businesses, as well as those associated with the products and services they offer and the markets and customer segments they serve;
           
          The organisation’s governance framework and management structure, with particular consideration given to the independent nature of compliance as a control function;
           
          The specific duties and responsibilities of the CO’s role (described below).
           

          Where appropriate, FIs may also consider engaging in dialogue with Supervisory Authorities, professional associations in their sectors, and industry peers, in relation to the competencies, experience, and governance structures that make for an effective compliance officer and an effective AML/CFT programme.

        • 8.1.2 Responsibilities

          (AML-CFT Decision Article 21.1-5)

          The specific tasks of the CO are detailed in the relevant provisions of the AML-CFT Decision. In general, the CO will collaborate with the relevant Supervisory Authority and the FIU to ensure that these can perform their respective duties. The CO’s tasks can be grouped broadly into the following categories:

          ML/FT Reporting. The compliance officer is the FI’s officer in charge of reviewing, scrutinizing and reporting STRs. In this capacity, the CO is ultimately responsible for the detection of transactions related to the crimes of money laundering and the financing of terrorism and of illegal organisations, for reporting suspicions to the FIU, and for cooperating with the Competent Authorities in relation to the performance of their duties in regard to AML/CFT.
           
          AML/CFT Programme Management. The CO should ensure the quality, strength and effectiveness of the FI’s AML/CFT programme. As such, the CO should be a stakeholder with respect to the FI’s ML/FT business risk assessment, and the overarching AML/CFT risk mitigation framework, including its AML/CFT policies, controls and CDD measures. The CO is in charge of informing and reporting to senior management on the level of compliance and reporting on that to the relevant Supervisory Authority.
           
          AML/CFT Training and Development. The CO is responsible for helping to establish and maintain a strong and effective AML/CFT compliance culture within the FI. This duty includes working with senior management and other internal and external stakeholders to ensure that the FI’s staff are well-qualified, well-trained, well-equipped, and well-aware of their responsibility to combat the threat posed by ML/FT.
           
      • 8.2 Staff Screening and Training

        (AML-CFT Decision Articles 20.4-5, 21.4)

        In order for their ML/FT risk assessment and AML/CFT mitigation measures to be effective, FIs should ensure that their employees have a clear understanding of the ML/FT risks that the FI is exposed to and can exercise sound judgment, both when adhering to the FI’s AML/CFT risk mitigation measures and when identifying suspicious transactions. Furthermore, due to the ever-evolving nature of ML/FT risks, FIs should ensure that their employees are kept up to date on an ongoing basis in relation to emerging ML/FT typologies and new internal and external risks. Depending on the nature, size and level of complexity of an FI, an FI should also screen staff to ensure high standards when hiring employees.

        Thus, to ensure a high level of competence and AML/CFT programme effectiveness, FIs should formulate and implement appropriate policies, procedures and controls with regard to staff screening and training. An effective training program should not only explain the relevant AML/CFT laws and regulations, but also cover the institutions’ policies and procedures used to mitigate ML/FT risks, scope of target employees such as but not limited to:

         
          
        Customer-facing staff.
        AML/CFT compliance staff.
        Senior management and board of directors
         

        These measures should be applied across organisations and financial groups, including their foreign branches and majority-owned subsidiaries. Examples of some of the factors that should be considered when determining appropriate staff screening and training measures include, but are not limited to:

        The results of the NRA and any topical risk assessment;
         
        The nature, size, complexity, and risk profile of FIs’ sectors and businesses, as well as those associated with the products and services they offer and the markets and customer segments they serve;
         
        Effective screening and selection methods in relation to the AML/CFT cultural compatibility of their employment candidates;
         
        Assessment of staff AML/CFT competency in relation to training and development needs;
         
        The type, frequency, structure, content, and delivery channels of AML/CFT training programmes and development opportunities;
         
        The effective identification, deployment and management of both internal and external training resources;
         
        Appropriate methods and tools for assessing the effectiveness of staff hiring, training, and development programmes, including screening procedures to ensure high standards when hiring employees.
         
      • 8.3 Group Oversight

        (AML-CFT Decision Articles 20, 31, 32)

        When an FI is part of a group, the FI is obliged to implement appropriate group-wide AML/CFT programmes, and to apply them in relation to all branches and majority-owned subsidiaries of the financial group. The specific requirements that must be met by FIs with respect to their foreign branches and majority-owned subsidiaries are set out in the relevant provisions of the AML-CFT Decision, and reflect those to which FIs are subject within the State.

        In meeting these obligations with regard to their branches and majority-owned subsidiaries in foreign countries, FIs, and in particular FIs that are members of financial groups, should ensure that the measures they apply are consistent with the requirements of the AML-CFT Law and AML-CFT Decision. In this regard, FIs should establish appropriate policies and procedures for the exchange and sharing of data and information, including those required for the purposes of CDD and ML/FT risk management, between the foreign branches and subsidiaries and the head office, for the purpose of combating the crimes of money laundering and the financing of terrorism and of illegal organisations, and for reporting suspicious transactions.

        In situations where these measures are not possible due to legislative or regulatory restrictions in the foreign countries in which their branches and majority-owned subsidiaries operate, FIs (including those which are members of Financial Groups) should implement the necessary additional measures, commensurate with the nature and size of their businesses, that will enable them to manage and mitigate appropriately the ML/FT risks that relate to their foreign operations. Examples of some of the measures that should be considered include but are not limited to:

        Assessing the effectiveness of foreign branches and majority-owned subsidiaries’ AML/CFT measures, including evaluating such factors as the comprehensiveness and quality of their policies, procedures and controls, and performing gap analyses in relation to the requirements of the AML-CFT Law and AML-CFT Decision;
         
        Establishing clear policies, procedures and controls in relation to the type and extent of access which managers and employees of foreign branches and majority-owned subsidiaries have to the FIs’ IT and operational systems, including CDD and transaction processing systems;
         
        Establishing clear policies, procedures and controls in relation to the type and extent of access which customers and Business Relationships of foreign branches and majority-owned subsidiaries have to the FIs’ products, services and transactional processing capabilities;
         
        Establishing clear policies, procedures and controls in relation to the type of CDD and transaction-related information, data, and analysis FIs accept from their foreign branches and majority-owned subsidiaries in relation to customer or Business Relationship referrals, and the extent of their reliance on such information (see Section 6.6, Reliance on a Third Party);
         
        Implementing service-level agreements, clearly setting out the roles and responsibilities of the parties and specifying the nature of the CDD and record-keeping requirements to be fulfilled in relation to customer or Business Relationship referrals;
         
        Establishing protocols for the certification by the foreign branches and subsidiaries of documents and other records pertaining to the CDD measures undertaken in relation to customer or Business Relationship referrals.
         

        In particular, in cases in which the minimum AML/CFT requirements of host countries in which FIs maintain foreign operations are less strict than those of the State, FIs should take the necessary measures to ensure that their foreign branches and/or majority-owned subsidiaries in those countries implement requirements consistent with those of the State, to the extent permitted by the laws and regulations of the host countries. If such host countries do not permit the proper implementation of the AML/CFT requirements consistent with those of the State, FIs should apply appropriate additional measures to manage and mitigate the ML/FT risks (including but not limited to those described above). They should also inform the relevant Supervisory Authorities of the circumstances and comply with any additional supervisory actions, controls, or requirements of the Competent Authorities of the State (up to and including, if requested, terminating their operations in the host countries).

      • 8.4 Independent Audit Function

        (AML-CFT Decision Article 20.6)

        A robust and independent audit function is a key component to a well-functioning governance structure and an effective AML/CFT framework. FIs are obliged to have in place an independent audit function to test the effectiveness and adequacy of their internal policies, controls and procedures relating to combating the crimes of money laundering and the financing of terrorism and of illegal organisations. In this regard, FIs should ensure that their independent audit function is appropriately staffed and organized, and that it has the requisite competencies and experience to carry out its responsibilities effectively, commensurate with the ML/FT risks to which the FIs are exposed, and with the nature and size of their businesses.

        It should be noted that, while most FIs are expected to have the capacity to meet these requirements internally, depending on the nature and size of their businesses, some FIs (particularly smaller ones) may not necessarily have the resources to maintain a fully functioning and effective internal audit unit. In such cases, those FIs should ensure that they take adequate measures to obtain the necessary capabilities from qualified external sources. They should also ensure that they have in place adequate internal capabilities to provide sufficient coordination with and oversight of any external resources they may utilise, and that such external resources are adequately regulated and supervised by relevant Competent Authorities.

        FIs should ensure that the periodic inspection and testing of all aspects of their AML/CFT compliance programmes, including ML/FT business risk assessment and AML/CFT mitigation measures, and CDD policies, procedures and controls, is incorporated into their regular audit plans. They should also ensure that all their branches and the subsidiaries in which they hold a majority interest, whether domestic or foreign, are part of an independent audit testing programme that covers the effectiveness and adequacy of their internal AML/CFT policies, controls and procedures.

        Some of the factors FIs should consider in determining the appropriate frequency and extent of audit testing of their AML/CFT programmes by their independent audit functions include but are not limited to:

        The results of the NRA and any topical risk assessment;
         
        The nature, size, complexity, and geographic scope of the FIs’ businesses, and the results of their ML/TF business risk assessments;
         
        The risk profile associated with the products and services they offer and the markets and customer segments they serve;
         
        The frequency of supervision and inspection by, and the nature of the feedback (including the imposition of administrative sanctions) they receive from, Supervisory Authorities, relative to enhancing the effectiveness of their AML/CFT measures;
         
        Internal and external developments in relation to ML/FT risks, as well as developments pertaining to the management and operations of the FIs.
         

        The scope of such audits should include but not be limited to:

        Examine the adequacy of AML/CFT and CDD policies, procedures and processes, and whether they comply with regulatory requirements.
         
        Assess training adequacy, including its comprehensiveness, accuracy of materials, training schedule, attendance tracking and escalation procedures for lack of attendance.
         
        Review all the aspects of any AML/CFT compliance function that have been outsourced to third parties, including the qualifications of the personnel, the contract and the performance and reputation of the company.
         
        Review case management and STR systems, including an evaluation of the research and referral of unusual transactions, and a review of policies, procedures and processes for referring unusual or suspicious activity from all business lines to the personnel responsible for investigating unusual activity.
         
      • 8.5 Responsibilities of Senior Management

        (AML-CFT Decision Articles 4.2(a), 4.2(b)(5), 8.1(a), 15.1(b) and 15.2, 17.3, 21.3, 25.1(d))

        A cornerstone of any sound governance structure, including those related to AML/CFT compliance, is senior management involvement and accountability. The members of an FI’s senior management (together with the members of the board of directors in those organisations that have one) are ultimately responsible for the quality, strength and effectiveness of the FI’s AML/CFT framework, as well as for the robustness of its compliance culture. In this regard, an FI’s senior management should set the ML/FT risk appetite and a proper “tone at the top,” by demonstrating their commitment to ensuring an effective AML/CFT compliance programme is in place, and by clearly articulating their expectations with regard to the responsibilities and accountability of all staff members in relation to it.

        Under the AML/CFT legal and regulatory framework of the UAE, the senior management of all FIs are responsible for performing certain functions related to the assessment, management and mitigation of the ML/FT risks to which their organisations are exposed. These responsibilities can be grouped broadly into categories which include:

        Implementation of governance, control, and operating systems. These include such elements as:
         
        -Appointing a qualified compliance officer in line with the requirements of the relevant Supervisory Authority;
        -Ensuring a robust and effective independent audit function is in place;
        -Putting in place and monitoring the implementation of adequate management and information systems, internal controls, and policies and procedures to mitigate risks.
         
        Approval of internal policies, procedures and controls. These include such elements as the FI’s overall ML/FT risk appetite as well as the framework of AML/CFT policies, procedures and controls related to areas such as:
         
        -Identification, assessment, understanding, management and mitigation of ML/FT risks;
        -Performance, review and updating of CDD (including EDD and SDD) measures;
        -Identification and implementation of indicators to identify suspicious transactions;
        -Record retention and data protection;
        -Staff screening, training and development.
         
        Oversight of the AML/CFT compliance programme. This includes such elements as:
         
        -Reviewing and providing comments in relation to the compliance officer’s semi-annual reports to the relevant Supervisory Authority;
        -Approving the establishment and continuance of High Risk Customer Business Relationships and their associated transactions, including those with PEPs;
        -Approving the establishment and continuance of Business Relationships involving high-risk countries;
        -Approving the establishment and continuance of relationships with correspondent institutions;
        -Ensuring the adequate application of the appropriate components of the AML/CFT compliance programme to all branches and majority-owned subsidiaries, including those operating in foreign jurisdictions.
         
        Application of the directives of Competent Authorities. This includes such elements as:
         
        -Applying the directives of Competent Authorities for implementing UN Security Council decisions under Chapter VII of the Charter of the United Nations, and other related directives, including Cabinet Decision (74) of 2020 Regarding Terrorism Lists Regulation and Implementation of UN Security Council Resolutions On the Suppression and Combating of Terrorism, Terrorists Financing & Proliferation of Weapons of Mass Destruction, and Related Resolutions;
        -Implementing CDD measures defined by the National Committee for Combating Money Laundering and the Financing of Terrorism and Illegal Organisations, regarding High Risk Countries.
         
      • 8.6 Governance Issues of Small Organisations

        Some FIs may operate as small or mid-sized businesses, without large staff organisations or sophisticated IT infrastructures. In such cases, individual managers and employees may often be called upon to undertake multiple roles and responsibilities in the course of day-to-day business activities, and it may be difficult at times to maintain a clear separation of duties or functions. While an FI’s small size does not in any way exempt it from fulfilling its obligations under the AML-CFT Law and AML-CFT Decision, and without prejudice to guidance provided in the previous sections, the following additional considerations are of particular importance to small and mid-sized FIs.

        In situations in which the responsibilities of the AML/CFT compliance officer are delegated to a manager or staff member who also has other responsibilities, FIs should undertake their best efforts to ensure that the designated AML/CFT compliance officer does not have day-to-day responsibility for sales and/or customer business relationship management.
         
        When an adequate separation of responsibilities is not possible due to the small size of an FI’s organisation, FIs should take the necessary steps to ensure that operational and AML/CFT policies and procedures (particularly those pertaining to CDD, the identification and reporting of Suspicious Transactions, and the monitoring and updating of required High Risk Country CDD measures, and Local and Sanctions Lists—see Sections 6, Customer Due Diligence (CDD), 6.4.3 Requirements for High-Risk Countries, and 10, International Financial Sanctions) are clearly formulated, documented, and adhered to during the establishment and ongoing monitoring of business relationships and the carrying out of transactions.
         
        In such cases, FIs should ensure that they clearly document the rationale for any policy and/or procedural exceptions they make, along with any additional AML/CFT risk mitigation measures they implement, and that these records are properly retained in accordance with the statutory record-keeping requirements (see Section 9, Record Keeping). FIs should also consider referring to any significant policy or procedural exceptions, along with their rationale, associated additional AML/CFT risk mitigation measures, and senior management comments, in the AML/CFT compliance officer’s required semi-annual reports to the relevant Supervisory Authorities.
         
        FIs that are unable to ensure a clear and effective separation of AML/CFT responsibilities from those related to the day-to-day management of their businesses, including but not limited to sales and customer business relationship management functions, due to the small size of their organisation should also consider taking additional measures to enhance the application of their independent audit controls (see Section 8.4, Independent Audit Function). Examples of such measures include but are not limited to:
         
        -Incorporating the audit of policies, procedures (particularly those pertaining to CDD, the identification of Suspicious Transactions, and the monitoring and updating of required High Risk Country CDD measures, and Local and Sanctions Lists), and records related to exceptions made to them, as part of their audit plans and/or their service-level agreements with their external providers of independent audit services;
        -Increasing the frequency of independent audits and random audit inspections;
        -Applying stricter criteria with regard to the review of past transactions, such as increasing the number of transactions reviewed for a given time period, reducing size threshold limits for transactions to be reviewed, or taking other reasonable measures in this regard.
         
    • 9. Record Keeping

      • 9.1 Obligations and Timeframe for the Retention and Availability of Records

        (AML-CFT Law Articles 16.1(a),(f); AML-CFT Decision Articles 7.2, 24, 36, 37.3)

        FIs are obliged to maintain detailed records, documents, data and statistics for all transactions, all records obtained through CDD measures, account files and business correspondence, and results of any analysis undertaken, as well as a variety of record types and documents associated with their ML/FT risk assessment and mitigation measures, as specified in the relevant provisions of the AML-CFT Decision (see Section 9.2, Required Record Types). FIs are required to maintain the records in an organized fashion so as to permit data analysis and the tracking of financial transactions, and to make the records available to the Competent Authorities immediately upon request. They should be sufficient to permit reconstruction of individual transactions so as to provide, if necessary, evidence for prosecution of criminal activity. All CDD information and transaction records should be available swiftly to Competent Authorities upon appropriate authority.

        The statutory retention period for all records is at least five (5) years, depending on the circumstances, from the date of the most recent of any of the following events:

        Termination of the Business Relationship or the closing of a customer’s account with the FI;
         
        Completion of an occasional transaction (in respect of a customer with whom no Business Relationship is established);
         
        Completion of an inspection of the records by the Supervisory Authorities;
         
        The issue date of a final judgment by the competent judicial authorities;
         
        Liquidation, dissolution, or other form of termination of a legal person or arrangement.
         

        Without prejudice to the above, FIs should note that it is the prerogative of the Competent Authorities to require the retention of the records of any FI, whether data, statistics, or records pertaining to a specific customer or transaction or to general categories of customers or transactions which they deem to be of interest, for a longer period of time at their own discretion.

        In order to fulfil their record-keeping obligations, and commensurate with the nature and size of their businesses, FIs should determine the appropriate policies, procedures and controls related to the adequate retention, organisation, and maintenance of records. The policies, procedures and controls should be documented, approved by senior management, and communicated to appropriate levels of the organisation. Examples of the factors to which FIs should give consideration when formulating the relevant policies, procedures and controls include but are not limited to:

        Organisational roles and responsibilities in regard to the ML/TF business risk assessment, implementation, review and updating of AML/CFT policies, procedures and controls related to record-keeping and data protection, including appropriate business contingency and escalation procedures;
         
        Organisational roles and responsibilities in relation to record-keeping (including logging, cataloguing and organisation, archiving, handling and transferring of records and documents, as well as of the destruction of expired records) of CDD information and transactions;
         
        Physical and cyber security, and the protection of active and archived data and records from unauthorised access;
         
        Appropriate audit and quality assurance testing policies.
         
      • 9.2 Required Record Types

        (AML-CFT Law Articles 16.1(a),(b),(f); AML-CFT Decision Articles 7.2, 24)

        The AML-CFT Law and AML-CFT Decision oblige FIs to retain several types of records, which can be classified broadly into the following categories:

        Transaction Records. This category relates to operational and statistical records, documents and information concerning all transactions executed or processed by the FI, whether domestic or international in nature.
         
        CDD Records. This category relates to records, documents, and information about customers, their due diligence, and the investigation and analysis of their activities, and can be further divided into sub-categories such as records pertaining to:
         
        -Customer Information, including account files and business correspondence, and results of any analysis undertaken
        -Company Information
        -Reliance on Third Parties to Undertake CDD
        -Ongoing Monitoring of Business Relationships
        -Suspicious Transaction Reports (STRs)
         

        Additional guidance related to these record types is provided in the following sub-sections.

        • 9.2.1 Transactions

          (AML-CFT Law Articles 16.1(f); AML-CFT Decision Articles 24.1-3, 28.1-2, 29.4)

          FIs are obliged to retain the operational and statistical records, documents and information concerning all transactions executed or processed by the FI, whether domestic or international in nature, and irrespective of the type of customer and whether or not a Business Relationship is maintained, for a minimum period of five (5) years. Some examples of the type of records, documents and information which must be retained include but are not limited to:

          Customer credit or debit advices, and transaction orders or applications (including those for cash deposits or withdrawals, currency exchange transactions);
           
          Credit-related documentation, including loan or guarantee applications, agreements, amendments and supporting documents, disbursement or repayment records, collateral pledges, letter of credit documentation, promissory notes;
           
          Deal tickets, trade blotters and ledgers, settlement and dividend payment records related to foreign exchange, securities dealing or investing transactions;
           
          Escrow or fiduciary account transaction records;
           
          Insurance policy premiums, pay-outs, and related transaction records and documents;
           
          Money transfer records, including book transfer orders, and domestic and cross-border wire transfer orders, and their related originator and beneficiary records;
           
          Statistics and analytical data related to customers’ financial transactions, including their monetary values, volumes, currencies, interest rates, and other information.
           

          In addition to the above, FIs should compile notes on any particularly large or unusual transactions, and keep these notes as part of their records. In particular, FIs licensed by the Central Bank must examine the background and purpose of all complex, unusual large transactions and all unusual patterns of transactions, which have no apparent economic or lawful purpose, and document their findings in writing. This includes transactions that are not considered necessary to be reported as suspicious. These findings must be maintained for inspection by the Central Bank for a period of at least five years.

        • 9.2.2 Customer Information

          (AML-CFT Law Articles 16.1(b); AML-CFT Decision Articles 24.2-4, 27.7, 28.1-2, 29.4, 37.1-3)

          FIs are required to retain all customer records and documents obtained through the performance of CDD measures in relation to Business Relationships, including customers, Beneficial Owners, beneficiaries, or other controlling persons. Examples of such records include but are not limited to:

          Customer account information and files;
           
          Customer correspondence (including email and fax correspondence), call reports or meeting minutes (including where applicable recordings, transcripts or logs of telephone or videophone calls);
           
          Copies of personal identification documents, CDD (including EDD and SDD) forms, profiles and supporting documentation, and results of due diligence background searches, queries and investigations;
           
          Customer risk assessment and classification records.
           
        • 9.2.3 Company Information

          (AML-CFT Law Articles 16.1(b); AML-CFT Decision Articles 8.1(b), 9.1, 34-36)

          The AML-CFT Decision provides that the administrators, liquidators, or any other stakeholders involved in the dissolution of a company are obliged to retain the records, documents and information specified in the relevant articles for a minimum period of five (5) years from the date of its dissolution, liquidation or termination. These records pertain to corporate documents as well as to information on Beneficial Owners, legal shareholders, and senior managers. Such records include but are not limited to documents and information concerning:

          Company formation, registration, deregistration, liquidation, dissolution or expiry, including documents such as share registers, memoranda and articles of association, deeds of settlement and foundation charters, or similar documents, along with any amendments to them (whether the organisation is for-profit or not-for-profit);
           
          Changes to company information, such as name, registered address, legal representatives and corporate officers (directors, company secretary), or legal form;
           
          Identification and identity verification documents related to Beneficial Owners, shareholders, nominee shareholders, directors and senior management officers and, in the case of Legal Arrangements, settlors or founders, protectors, beneficiaries, trustees or executors, governing council or committee members, or similar controlling persons.
           

          In order to fulfil their statutory record-keeping obligations in this regard, FIs should determine the appropriate policies, procedures and controls related to the adequate retention, organisation, and maintenance of records when they dissolve or liquidate companies in which they hold a controlling interest. The policies, procedures and controls should be documented, approved by senior management, and communicated to appropriate levels of the organisation (see Section 9.1, Obligations and Timeframe for the Retention and Availability of Records for additional guidance concerning policies, procedures, controls and statutory retention periods related to record-keeping and data protection).

        • 9.2.4 Reliance on Third Parties to Undertake CDD

          (AML-CFT Law Article 16.1(b); AML-CFT Decision Articles 24.2-4, 19.1(b)-2(a))

          FIs that rely on third parties, whether unaffiliated or members of their own financial groups, are obliged to ensure that copies of all the necessary documents collected through the performance of CDD measures can be obtained upon request and without delay, and that the third parties adhere to the record-keeping provisions of the AML-CFT Decision. See Section 9.2.2, Customer Information above for examples of such records.

          In order to fulfil their statutory obligations, and commensurate with the nature and size of their businesses, FIs should determine the appropriate policies, procedures and controls related to the assessment, monitoring, and testing of third parties’ record-retention frameworks. The policies, procedures and controls should be documented, approved by senior management, and communicated to appropriate levels of the organisation. Some of the factors to which FIs should give consideration when formulating relevant policies, procedures and controls include but are not limited to:

          Organisational roles and responsibilities in regard to the assessment, monitoring and testing of the third party’s policies, procedures and controls related to record-keeping and data protection, including appropriate business contingency and escalation procedures;
           
          Organisational roles and responsibilities for the implementation of service-level agreements with third parties governing the provision of record-keeping services;
           
          Operational procedures related to request and transfer of records and documents, as well as their physical and cyber security, and the protection of active and archived data and records from unauthorised access;
           
          Appropriate audit and quality assurance testing policies related to the monitoring and testing of the third party’s record-retention framework.
           
        • 9.2.5 Ongoing Monitoring of Business Relationships

          (AML-CFT Law Article 16.1(b),(f); AML-CFT Decision Article 24.2-4)

          FIs are required to retain all customer records and documents obtained through the ongoing monitoring of Business Relationships. Examples of such records include but are not limited to:

          Transaction review, analysis, and investigation files, with their related correspondence;
           
          Customer correspondence (including email and fax correspondence), call reports or meeting minutes (including where applicable recordings, transcripts or logs of telephone or videophone calls) related to those transactions or their analysis and investigation;
           
          CDD records, documents, profiles or information gathered in the course of reviewing, analysing or investigating transactions, as well as transaction-related supporting documentation, including the results of background searches on customers, Beneficial Owners, beneficiaries, controlling persons, or counterparties to transactions;
           
          Transaction handling decisions, including approval or rejection records, together with related analysis and correspondence.
           
        • 9.2.6 Suspicious Transaction Reports (STRs)

          (AML-CFT Law Article 16.1(f); AML-CFT Decision Articles 24.2-4)

          FIs are required to retain all records and documents pertaining to STRs and the results of all analysis or investigations performed. Such records relate to both internal STRs and those filed with the FIU, and include but are not limited to:

          Suspicious transaction indicator alert records, logs, investigations, recommendations and decision records, and all related correspondence;
           
          Competent Authority requests for information, correspondent bank requests for assistance, and their related investigation files and correspondence;
           
          CDD and Business Relationship monitoring records, documents and information obtained in the course of analysing or investigating potentially suspicious transactions, and all internal or external correspondence or communication records associated with them;
           
          STRs (internal and external), logs, and statistics, together with their related analysis, recommendations and decision records, and all related correspondence;
           
          Notes concerning feedback provided by the FIU with respect to reported STRs, as well as notes or records pertaining to any other actions taken by, or required by, the FIU.
           
    • 10. International Financial Sanctions

      The UAE is a member of several multinational and international organisations and governing bodies, including the United Nations. As such, the UAE is a party to many international agreements and conventions pertaining to the combating of money laundering and the financing of terrorism, as well as to the prevention and suppression of the proliferation of weapons of mass destruction. These conventions include, among others, the International Convention for the Suppression of the Financing of Terrorism and the Treaty on the Non-Proliferation of Nuclear Weapons.

      FIs are obliged to comply with the directives of the Competent Authorities of the State in relation to the agreements and conventions referred to above, including but not limited to Cabinet Decision No. (74) of 2020 Regarding Terrorism Lists Regulation and Implementation of UN Security Council Resolutions On the Suppression and Combating of Terrorism, Terrorists Financing & Proliferation of Weapons of Mass Destruction, and Related Resolutions.

      Because it is outside of the scope of these Guidelines to provide detailed guidance on this, reference is made to the guidance on TFS issued by the Executive Office for the Import and Export of Goods. Due to the significance, complexity and extent of the subject matter of international financial sanctions, it is deemed appropriate that this material be covered in depth in separate guidance materials.