Part II: Guidance for RHP
1 Sanctions Obligations and Freezing Without Delay
Targeted Financial Sanctions (TFS) are legal restrictions on financial activity imposed by the United Nations Security Council (UNSC) or the UAE. An individual or legal person subject to TFS cannot send or receive money, or engage in any other kind of financial activity, without specific permission from the government of the UAE. The names of individuals or legal persons that are subject to TFS are included in lists published by the UN and the UAE (also known as "listed persons'' or "sanctioned persons.'')
RHP are required to fully comply with the obligation to implement all necessary measures without delay as described in the Cabinet Decision No. (74) of 2020, the ''Guidance on TFS for FIs and Designated Non-Financial Business and Professions (DNFBPs)'' issued by the Executive Office of the Committee for Goods & Material Subject to Import and Export Control (''Executive Office''), the ''Guidance for LFIs on the implementation of TFS'' issued by the CBUAE, the CBUAE Notice No. 3895/2021, and any of their amendments or updates thereof.5 RHP should be aware that it is a crime in the UAE to provide funds or financial services, including money transmissions services, to a person subject to TFS. This means that if a person is subject to TFS, the RHP cannot do any of the following:
• Send that person money on behalf of a customer, no matter where in the world they are; • Provide that person with money that another person has sent them; or • Carry out a transaction of any kind for that person.
Appropriate implementation of TFS has four key steps, which RHP must follow to ensure they are compliant:
1. Maintain awareness of UNSC and UAE sanctions lists, and rapidly become informed of changes to these lists.
RHP should rely on the official website of the UNSC for the most updated UN Consolidated List:
• https://www.un.org/securitycouncil/content/un-sc-consolidated-list
RHP should rely on the official website of the Executive Office to obtain the most recent publication of the UAE sanctions List (Local Terrorist List) List issued by the UAE Cabinet:
• https://www.uaeiec.gov.ae/en-us/un-page • https://www.uaeiec.gov.ae/ar-ae/un-page
In addition, under Article 21 of Cabinet Decision 74, RHP must register on the Executive Office's website in order to receive automated email notifications with updated and timely information about the listing and de-listing of individuals or entities in the Local Terrorist List and in the UN Consolidated List.
2. Check the names of customers against the lists of sanctioned persons.
Every time an RHP carries out a transaction, it must check before it sends or receives any money to make sure its customer, counterparty, or anyone else involved in the transaction is not listed on the UN or UAE sanctions lists. This process is known as 'screening process.' The RHP must screen the customer and the person to or from whom the customer is sending or receiving money. Where the customer is a legal person, it must screen the customer's beneficial owners (see section 3.3.3 below) and senior managing official. The RHP must also screen its counterparty who is executing the transaction at the other end. The result of the screening process can have the following results:
• A ''confirmed match''; i.e. a customer or a customer's counterparty has the same full name as a sanctioned person; or • A ''potential match''; i.e. a customer or a customer's counterparty has a similar or partially matching name as a sanctioned person; in those cases, the RHP should use additional information, such as the person's date of birth, address, and nationality, to distinguish the two persons.
In addition, every time there is a change to the sanctions lists, the RHP must compare the newly listed persons against its list of past customers. If an RHP finds that it previously carried out a transaction involving a person who was not listed at the time but is now listed, it has not done anything wrong. But it must report the transaction so that the authorities are aware (see step 4 below).
3. Immediately freeze any funds in the possession or under the control of the RHP that may belong to a listed person and cancel (where possible) any transactions involving a listed person.
When a ''confirmed match'' is found through the screening process, RHP must immediately, without delay and without prior notice, freeze all funds.
i. ''Freeze all funds'' means that you must hold the funds. You cannot send them or give them to anyone except to a UAE authority. You cannot return them to the person who gave them to you. If the funds are cash, you should place the funds in a safe place, separate from other funds, until the authorities can collect them. If the funds are held in a financial institution, such as a bank, you should notify the financial institution, who will place them in a special account. If an RHP has recently completed a transaction that involves a listed person, the RHP should notify its counterparty so that they can freeze the funds at the other end if possible. It must keep records of the information that it used to confirm this. ii. ''Without delay'' means within 24 hours of the listing decision being issued by the UNSC, the Sanctions Committee or the UAE Cabinet, as the case may be. This means that you must take active efforts to become aware of changes to the sanctions lists by registering on the Executive Office's website in order to receive automated email notifications, and that once a change has been made, you must immediately put it into effect by refusing to carry out any transactions for or with a listed person. iii. ''Without prior notice'' means that you must not tell the customer, or the person whose funds are being frozen, what the RHP is going to do.
When a ''potential match'' is found through the screening process, the RHP must suspend without delay any transaction and refrain from offering any funds or services. It must keep records of the information that it used to confirm this.
4. Report any listed persons and the actions the RHP has taken to the appropriate authorities
With regards to LFIs obligation for TFS reporting, the CBUAE in coordination with the Executive Office, has established a unified mechanism to report TFS obligations utilizing the UAE Financial Intelligence Unit's (FIU) online reporting platform (goAML).
In case of any ''confirmed match'' to a listing of names of individuals or legal persons to the Local Terrorist List and the UN Consolidated List, the RHP are required to report any freezing measures, prohibition to provide funds or services or any attempted transactions via the goAML platform within two business days by selecting the Fund Freeze Report (FFR). The RHP must also ensure all the necessary information and documents are submitted.
In case of any ''potential match'' to a listing of names of individuals or legal persons to the Local Terrorist List or UN Consolidated List, the RHP are required to report the potential match via the goAML Platform by selecting the Partial Name Match Report (PMNR). The RHP must also ensure all the necessary information and documents are submitted. In addition, the RHP must uphold suspension measures related to the ''potential match'' until further instructions are received via the goAML Platform on whether to cancel the suspension or implement freezing measures.
The TFS related reports (FFR or PMNR) submitted via the goAML Platform will be received simultaneously by the CBUAE and the Executive Office. RHP should also consult the CBUAE's6 and the Executive Office's7 websites respectively as updated from time to time.
5 Available at https://www.centralbank.ae/en/cbuae-amlcft.
6 Available at: https://www.centralbank.ae/en/cbuae-amlcft
7 Available at: https://www.uaeiec.gov.ae/en-us/un-page2 Registration and other Requirements
2.1 Registration
Under Article 2 of Circular No. 24/2019, a resident natural person or legal person may not carry on Hawala Activity in the UAE unless the applicant holds a Hawala Provider Certificate issued by the CBUAE and registered in the CBUAE Hawala Providers Register. Any resident natural person or legal person may apply for registration and obtain a Hawala Provider Certificate from the CBUAE. The applicant should not be of UAE nationality, should be legally competent, and officially residing in the UAE. The said application shall be made on the CBUAE's prescribed forms on the CBUAE's website.8
8 Available at https://www.centralbank.ae/en/cbuae-amlcft.
2.2 CBUAE Notification of Approval/Rejection
Under Article 3 of Circular No. 24/2019, the CBUAE may agree or decline an application for a Hawala Provider Certificate. In case of approval, the CBUAE shall issue a Hawala Provider Certificate valid for one year, renewable for similar periods. The CBUAE shall notify the applicant in writing, and may include in the Hawala Provider Certificate whatever terms and conditions it deems appropriate. In case of rejection, the CBUAE shall notify the applicant in writing indicating reasons for rejection.
2.3 Re-Registration
Under Articles 2 and 4 of Circular No. 24/2019, RHP should submit to the CBUAE an application for renewal of the Hawala Provider Certificate within a period of not less than two months from the date of expiry of the original certificate or any renewals thereof. The said application should be made on the CBUAE's prescribed form titled ''Application to Re-register Hawala Providers'' on the CBUAE's website.
2.4 Requirements for Trade License, Security and Reporting Systems
As per Article 2 of Circular No. 24/2019 and the respective application requirements, RHP must complete the following requirements within 90 days from the date mentioned in the final registration certificate as well as submit proof of completion to the Licensing Division of the CBUAE:
• Add Hawala Activity to the commercial trade license. • Install security systems; i.e. CCTV and police connections. • Register in the relevant Services Access Control Manager (SACM) and subsequently to the UAE FIU's goAML portal by following the steps in the registration guides issued by the FIU previously sent to RHP. Registration on SACM is a prerequisite for goAML registration; • Register in the relevant SACM and subsequently to the CBUAE's Remittance Reporting System (RRS) for the daily reporting and Integrated Regulatory Reporting System (IRR) for the quarterly reporting (see Part II section 4 below). Registration in SACM is a prerequisite for RRS & IRR registration. In order to register in SACM, RHP will be required to provide the following information to the CBUAE via e-mail on hawala@cbuae.gov.ae: • Trade name of the RHP; • First and last name of the user; • Emirates ID number and copy of Emirates ID; • Email address; and • Mobile phone number. • RHP should register for the Integrated Enquiries Management System (IEMS) by referring to the IEMS User Guide available at the relevant link in FIU's website.9
Failure to submit the above within the specified period may result in a registration certificate withdrawal.
9 Available at: https://www.uaefiu.gov.ae.
2.5 Requirement for a Bank Account
As per Article 2 of Circular No. 24/2019 the RHP must maintain an account with a bank operating in the UAE to be used for settlement and provide the CBUAE with details of such account. In addition, they should inform their account manager at the bank of their intention to use the account to carry out Hawala Activity.
3 AML/CFT Program
As per Articles 4, 20, 21 and 26 of the AML-CFT Decision, RHP are required to establish and maintain effective AML/CFT compliance programs designed to prevent them from being misused to facilitate money laundering or terrorist financing (ML/TF). The program must be risk-based and appropriate to the risk of the RHP, taking into consideration its:
• Size; • Volume of transactions; • Types of remittances offered (personal only or personal and commercial); • Complexity; • The nature and volume of its Hawala Activity; • The nature of its customer base; and • The geographic areas in which it operates.
This means that where an RHP engages in higher-risk activities (as discussed below in section 3.2), or does a higher volume of business, it must have a more sophisticated AML/CFT program and employ more intensive measures to manage this risk. The section that follows discusses the mandatory minimum elements of an AML/CFT program under the legal and regulatory framework in the UAE as well as ways that RHP can make adjustments to respond to their risk. It is divided into four parts, as follows:
1. The AML/CFT Program and the Compliance Officer. This part discusses the content of the AML/CFT program and how it should be implemented by the RHP. 2. Understanding Risks. This section discusses how to identify the RHP's ML/TF risks so that the RHP can build an appropriate AML/CFT program. 3. Customer Due Diligence. This section discusses the mandatory procedures for identifying and understanding the RHP's customers and counterparties. 4. Record Keeping. This section discusses the records of activity that the RHP must maintain and provide to law enforcement authorities and counterparties.
3.1 The AML/CFT Program and the Compliance Officer
As per Article 21 of the AML-CFT Decision, each RHP must have a specific person, the Compliance Officer, who is responsible for day-to-day compliance with the legal and regulatory framework in the UAE and the management of the AML/CFT program. This person must be an employee, manager, or owner of the RHP. In large RHP, with multiple employees and substantial revenues from Hawala Activity, the CBUAE expects that the Compliance Officer will be a full-time position without any other responsibilities for managing the business. In small RHP, however, the CBUAE recognizes that the Compliance Officer is likely to have other responsibilities beyond management of the compliance program. If the RHP is owned and operated by a single person, that person will be the Compliance Officer.
The Compliance Officer is responsible for the following:
• Ensure full compliance with the legal and regulatory framework in the UAE and this Guidance. • Making sure that other employees of the RHP (where relevant) comply with the legal and regulatory framework in the UAE and this Guidance, and abide by the RHP's own policies and procedures; and • Implementing the compliance program elements described in this Guidance, including conducting the risk assessment.
The RHP's AML/CFT compliance program must include all the measures discussed in the following sections as well as the following components:
• Provide education and training to appropriate personnel. RHP employees who participate in Hawala Activity must be trained to understand how to comply with the legal and regulatory framework in the UAE and this Guidance, and abide by the RHP's policies and procedures. It is not acceptable for an untrained employee to have responsibility for collecting or disbursing customer funds and initiating transactions. • Conduct a periodic audit of the AML/CFT program. RHP are required to arrange for a regular independent audit of their program by hiring an external qualified independent auditor approved by the CBUAE. Small RHP should be audited once every two or three years, while large RHP once every year. It is important to note that the audit must be independent; i.e. an RHP may not audit itself.
3.2 Understanding Risks
According to Article 16 of the AML-CFT Law and Article 4 of the AML-CFT Decision, RHP must identify, assess and understand the ML/TF risks to which they are exposed, and how they may be affected by those risks, in order to determine the nature and extent of AML/CFT resources necessary to mitigate and manage those risks. The sophistication of an RHP's risk assessment process depends on the RHP's size and operations. A large RHP is expected to produce an extensive risk assessment that complies fully with the standards outlined in the Guidelines on Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organizations for Financial Institutions (issued by Notice 79/2019 dated 27/06/2019) and any amendments or updates thereof. This assessment may be done by an external consultant, but the RHP retains ultimate responsibility for its content and its compliance with the standard set in the Guidelines. The CBUAE recognizes, however, that a small RHP has limited services and resources. RHP of this type can follow the risk assessment process discussed below. All RHP must document their risk assessment, even if it is in the form of notes, to demonstrate that they have thoughtfully completed this process. They must be able to understand their findings and explain them if called upon to the CBUAE.
The Compliance Officer should begin the risk assessment process by carefully reading and understanding Parts I and II of this Guidance, which contain essential information about the risks faced by an RHP. The Compliance Officer should then consider the RHP's risk in the following risk categories. The discussion below does not cover every factor that increases or decreases risk and RHP should consider any other factors based on their knowledge and experience.
1. Customer Risk. This is the risk that your customers may be involved in ML/TF. By receiving money from a customer who is involved in illegal activities, the RHP itself can unwittingly become involved in those activities. Some examples of questions that RHP can use to assess customer risk include:
a. Are my customers mostly individuals, or do I have many customers that are legal persons? When you provide services to a company, you don't always know who you're really dealing with. So having many legal person customers may increase your risk.
b. Are my customers only sending remittances to family, or are they engaging in business? Business activities are generally considered to be higher risk for ML/TF because amounts are higher and it's harder for the RHP to understand the true purpose of the transaction.
2. Geographic Risk. Some countries are high risk for illicit activity, whether because they have a high volume of crime and terrorism, or because their financial sector doesn't have controls to prevent the movement of illicit funds. If an RHP operates in those countries, either because it has agents there or because it frequently sends or receives money there, then it is exposed to that risk. Questions an RHP can ask to assess its geographic risk include:
a. Do I regularly do business in or with countries that have an ongoing insurgency? Where terrorist attacks are frequent? These countries will be very high risk.
b. Do I regularly do business in or with countries listed on the FATF list of monitored jurisdictions?10
3. Products and Services Risk. RHP are permitted to offer only limited products and services (see Part I section 4.1 above). Within the group of permitted products, transfers connected to commercial activity are generally considered to be higher risk than those connected to personal remittances.
4. Delivery Channel Risk. The way an RHP delivers its products and services will also impact its risk, because some delivery channels make it difficult to understand and observe the customer. For example, if an RHP accepts orders for remittances via text message or phone call, or allows customers to initiate a transaction by giving money to an associate, who then delivers it to the RHP, this will make their activities higher risk.
Based on the considerations above, RHP should give themselves an overall score of Low, Medium, or High risk. RHP should complete the risk assessment process at least once a year. RHP should understand their risk assessment, its findings, and what it means for their business. They should consider their risk assessment when designing and implementing their AML/CFT program. Where they assess themselves as higher risk, they should take additional precautions.
10 The FATF list can be found at https://www.fatf-gafi.org/publications/high-risk-and-other-monitored-jurisdictions/?hf=10&b=0&s=desc(fatf_releasedate).
3.3 Customer Due Diligence
Customer due diligence (''CDD'') is the process by which an RHP identifies and understands its customer. CDD is required by Article 5 of the AML-CFT Decision and is essential to protecting the RHP from abuse, and to deterring and detecting ML/TF schemes. In specific cases outlined below, and whenever the RHP believes that higher risks are present, the RHP must perform Enhanced Due Diligence (''EDD''). EDD involves more intensive measures to discover information about the customer.
The RHP must perform Customer Identification Diligence (''CID''), CDD or EDD prior to conducting each and every transaction, even if the customer is a repeat customer (see sections 3.3.1 to 3.3.4 below for their details). An RHP must not conduct a transaction if the appropriate diligence has not been performed or completed.
When to Use CID, CDD and EDD Transaction What is Required A natural person sends or receives a transfer between AED 1 and AED 3,499 CID, unless higher risks are present, in which case CDD & EDD as well. A natural person sends or receives a transfer of between AED 3,500 to AED.54,999 CDD, unless higher risks are present, in which case EDD as well. A natural person sends or receives a transfer of AED 55,000 or greater. CDD and EDD A natural person from a high-risk jurisdiction sends or receives a transfer of any value. CDD and EDD A natural person who is a politically exposed person sends or receives a transfer of any value. CDD and EDD A legal person sends or receives a transfer of any value. CDD and EDD 3.3.1 Customer Identification Diligence
The CID process must be applied for a natural person who sends or receives a transfer between AED 1 and AED 3,499. The CID process is the verification of the original identification documents of the customer who is a natural person and the systematic recording of basic customer information in the point of sale system without the need to retain copies of the identification documents. The customer's full name, address, mobile number, nationality, date of birth, ID type (Emirates ID, or passport number when Emirates ID is not available) and ID number must be recorded in the point of sale system and printed on receipts.
3.3.2 Customer Due Diligence for Natural Persons
Article 4 of Circular No. 24/2019 requires RHP to identify and verify the identity of their customers, including remitters and beneficiaries, by using Emirates ID, or passport when Emirates ID is not available. RHP must collect at least the following information for each customer:
• Name, • Emirates ID number or passport number when Emirates ID is not available; • Date of birth and nationality; • Address; • Mobile number; • Occupation; and • The name of the person from whom the customer is receiving money, or the person to whom the customer is sending money and their country.
This information must be printed on customer receipts. RHP must record this information and store it in their files for five years. RHP must also take a clear photo or photocopy of the customer's identification document and retain it for five years.
The CDD process should also be applied when it appears that a natural person may be deliberately splitting up a larger transfer to evade the CDD requirement (for example by repeatedly once in a week transfer value below AED 3,500 per transaction).
Using this information, as discussed in Part II section 1 above on sanctions obligations, RHP should screen their customers, including the sender/beneficiary as appropriate, and the transaction against the UN Consolidated List and the Local UAE Terrorist List. Screening must be performed before carrying out any transaction for the customer. If there is a match, the RHP should carefully consider whether the other data collected (date of birth, country of birth) match the information available for the listed person in question. The RHP may continue with the transaction only if it is confident that its customer or the person on the other end of the transaction is not a listed person. In addition, if the RHP discovers that any party to the transaction is listed on the UN Consolidated List and the Local Terrorist List, it must not return the customer's funds or provide the customer with funds that have been sent to him, but must instead freeze the funds.
Furthemore, RHP should obtain a clear understanding of the intended purpose and nature of the transaction and ensure that it does not breach the permitted services by RHP listed in Part I section 4 above. RHP should consider whether it is consistent with what they know about the customer. Some examples of transactions that may require further investigation include:
• A customer who says he works as a labourer wishes to transfer a sum that is greater than the average yearly income for someone in his position.
• A customer visits the RHP on a regular basis and makes small or moderate-sized transfers, but the sum of the amounts he transfers over the course of the year is greater than the yearly income for someone in his position.
• A customer says that he has no occupation, but continues to make transfers or transfers a large sum.
• A customer who is from country A states that he is sending funds to a family member, but the beneficiary is located in country B.
• A customer from country A makes regular transfers to people he says are family members in that country, but they appear to live in different regions of country A and their relationship to the customer is not clear.
These transactions are not necessarily illicit, but they suggest that the RHP needs to collect additional information. For example, a customer may actually be acting on behalf of a business. In that case, the RHP's customer is actually the business, and it must perform CDD on the business as described in section 3.3.3 below. If the RHP has any additional concerns, it should follow the EDD procedures discussed in section 3.3.4 below.
RHP must cease and reject any transaction if they cannot collect any of the information required above, or if they cannot comply with any of the above requirements.
3.3.3 Customer Due Diligence for Legal Persons
When a legal person like a company uses an RHP to conduct a transaction, the RHP's customer is the company itself, not the individual representing the company. A legal person conducts a transaction when the funds involved belong to the legal person, and when the transaction is made as part of carrying out the legal person's business. If the customer is a legal person, it must be registered and based in the UAE to carry out transactions through a RHP. Legal persons such as companies, bodies corporate, foundations, partnerships, or associations, along with similar entities do not have bio-data like individuals and can transact under their own names while being controlled by other individuals. This means that they require specific CDD procedures. As per Articles 8 and 9 of the AML-CFT Decision RHP must perform the following actions for a legal person customer:
1. Collecting and recording the following information about the legal person customer: a. The legal person's name; b. The legal person's legal form (e.g., limited liability company); c. The address of the legal person's main office or headquarters; d. The legal person's trade license; and e. The name of the legal person's senior managing official. 2. Conducting CDD as described in section 3.3.2 above on the individual representing the customer (the individual who is directly ordering the transaction). 3. Determining that the representative is authorized to conduct the transaction via a valid authorization, such as the trade license and/or a letter from the legal person customer's management on its letterhead. 4. Identifying and verifying the identity of the customer's beneficial owners. a. Beneficial owners are the individuals who own and control the legal person. In many cases, the managing director or other similar top official will also be the beneficial owner, but not always. b. RHP must identify every individual who owns 25% or more of the legal person customer. They must collect their names, and then perform CDD on them as required by section 3.3.2 above. c. RHP can collect the names of beneficial owners, and thus determine who to perform CDD on, by asking the customer's representative. If they are concerned about the information provided by the representative, they should ask for documentation to prove ownership. d. If no individual owns 25% of the legal person customer, RHP must identify, and conduct CDD on the individual who is the customer's senior managing official. e. Beneficial owners cannot be other legal persons. If a legal person customer is owned by other legal persons, the RHP must understand their ownership as well until it identifies all individuals owning at least 25% of its customer. 5. Understanding the customer's ownership and control structure. The RHP must understand who owns the customer, who exercises control over it and how. 6. Understanding the nature of the customer business. The RHP must understand what sort of business the customer engages in and how the customer makes its money. If the customer's business doesn't make sense, or if the customer has no apparent business activities, that calls into question whether the funds involved in the transaction actually came from legitimate business activities. • Conducting sanctions screening on all related parties. The RHP must at least screen the following names against sanctions lists: a. The name of the legal person customer; b. The name of the customer's representative; c. The name of the beneficial owner(s); d. The name of the customer's senior managing official; and e. The customer's address.
As with CDD for natural persons, RHP must take a clear, readable photo or photocopy of documents obtained from the customer during CDD, and must retain those documents for five years after the transaction.
3.3.4 Enhanced Due Diligence
Sometimes CDD alone as described above is not sufficient to fully understand a customer. In addition, for certain customers, an extra level of due diligence is required. In those cases, the RHP must perform EDD in the following circumstances:
1. The customer is a legal person. In these cases, the RHP must perform all the steps listed in section 3.3.3 above, plus additional due diligence as described here.
2. The customer is a natural person carrying out a transfer worth AED 55,000 or above. In those cases, the RHP must perform all the steps listed in section 3.3.2 above, plus additional due diligence as described in this section below.
3. The customer is a politically exposed person. During CDD, the RHP must collect information regarding the occupation of a natural person customer, and the beneficial owners of a legal person customer. If the customer, or the beneficial owners of a legal person customer, indicates that he or she is a government official with any government, the RHP must ask additional questions to understand that individual's rank and status. If the individual holds a high-ranking position in any government, then EDD is required for the customer. This is to make sure that the funds involved are not related to corruption or abuse of the customer's position.
4. The customer is from, or is sending a remittance to, a high-risk jurisdiction. As discussed in section 3.2 above, high-risk jurisdictions are those with a higher risk of ML/TF.
RHP should consider performing EDD when there are other high risks associated with the transaction, such as concerns about the customer's behaviour or about the source of the funds involved in the transaction.
When performing EDD, RHP must follow the following mandatory steps:
• Seek approval from the manager of the RHP to carry out the transaction. If the RHP is owned and operated by a single person, this step is not necessary. • Collect additional information to understand the source of funds involved in the transaction and the customer's overall source of funds (i.e. source of wealth). For instance, the RHP may ask for a pay slip to verify the customer's income. • Collect additional information about the customer's business. For example, if a transaction is linked to the sale of goods, the RHP may request to see the invoice.
3.3.5 Agent Due Diligence
RHP may use agents in a foreign country to carry out activity on their behalf in that foreign country. This generally entails the corresponding agent in the foreign country executing payments on instructions from the RHP, or the agent sending instructions to the RHP to execute payments domestically. It should be noted that RHP are not permitted to use agents to carry out activity on their behalf in the UAE (as they are required by Circular No. 24/2019 to manage their business personally and never assign such task to another person, also known as ''nesting''.)
RHP are exposed to risks when their agents engage in transactions that create risks for ML or TF. RHP must identify and assess the ML/TF risks they may be exposed to from the use of agents to provide activity on their behalf in a foreign country. RHP should ensure that they understand who their agents are, and that they are not breaching any applicable AML/CFT laws and regulations. In order to reduce their exposure to ML/TF risks, RHP are required to perform appropriate due diligence on their agents, to ensure they thoroughly know their agents and monitor their transactions to ensure that they are legitimate. The required elements of due diligence on agents are as follows:
• When entering into a business relationship with an agent, as a first step, the RHP should identify and verify the identity of the agent, using reliable, independent source documents, data or information. • RHP should also identify and take reasonable measures to verify the identity of the beneficial owner(s) and understand the ownership and control structure of the agent, such that the RHP is satisfied that it knows the beneficial owner(s) and that the agent is not a shell bank. • RHP should gather sufficient information to understand the purpose and intended nature of the business relationship, which includes understanding what types of customers the agent intends to service through the business relationship, how it will offer services, the transaction volume and value, and the extent to which any of these are assessed as high risk. • RHP should also gather sufficient information and determine from publicly available information the reputation of the agent, including whether it has been subject to a ML/TF investigation or regulatory action. In addition, RHP should ensure that the agent has proper AML/CFT controls. • RHP should conduct ongoing due diligence of the business relationship, including periodical reviews of the CDD information on the agent, and ongoing monitoring to detect any changes in the agents' activity pattern that may indicate unusual activity.
RHP should keep up-to-date agent lists and retain them for a period of five years. RHP must provide the CBUAE current lists of their agents and the countries in which they operate. In addition, RHP should make current lists of their agents available to the relevant authorities within the country in which they operate. RHP should ensure that their agents fully adhere to the procedures of record keeping as described in this Guidance and that they make those records available to the RHP immediately upon request.
3.4 Record Keeping
Under Article 16 of AML-CFT Law and Article 24 of the AML-CFT Decision, RHP, as remittance providers, have very important obligations relating to the records they maintain about the remittances they execute.
3.4.1 Record Keeping Related to Remittances
1. Sending a Remittance
When the RHP's customer is the person originating a transaction, the RHP must collect the following information through the CID and CDD process:
• The sending customer's name; • His or her Emirates ID, or passport number when Emirates ID is not available; • His or her date and nationality; • His or her address; • Mobile number; • Occupation; and • The name of the beneficiary of the transaction and the country it is sent to.
The RHP must assign the transaction a unique ID number that allows the RHP to quickly identify and track the transaction. The RHP must provide all of this information to the hawala provider at the other end of the transaction and keep the relevant record. The RHP must not carry out the transaction if it has not supplied this information.
2. Receiving a Remittance
When the RHP's customer is the person receiving the remittance, the RHP must conduct CDD on the beneficiary and make sure that its customer's information matches that of the beneficiary identified in the information provided by the Originating Hawala Provider and keep the relevant record. The information must include:
• The receiving customer's name; • His or her Emirates ID, or passport number when Emirates ID is not available; • His or her date and nationality; • His or her address; • Mobile number; • Occupation; and • The name of the sender of the transaction and the country it is sent from.
The RHP's partners and agents outside the UAE should comply with the requirements under ``Sending a Remittance'' above even though they are not subject to UAE laws. If a RHP receives a transaction order from a hawala provider outside the UAE that does not contain the information required under ``Sending a Remittance'' above, it cannot perform required sanctions screening or identify whether the transaction is suspicious and needs to be reported to the FIU. Therefore, the RHP should require its agent or counterpart to provide the information listed before it releases the funds to the beneficiary.
3.4.2 Other Types of Record Keeping
According to the AML-CFT Law and the AML-CFT Decision, RHP must keep all records obtained through the CDD process; copies of personal identification documents provided during CDD; and copies of Suspicious Transaction Reports (STR) filed with the FIU. Under Article 4 of Circular No. 24/2019, RHP are required to have forms in which the customers fills in the necessary information to originate the transaction; RHP must retain these forms as well.
RHP must also maintain records of transactions. These records must be sufficiently detailed to allow authorities to reconstruct and understand the transaction. They must at least include the names of the sender and beneficiary, the date of the transaction, and the amount of the transaction, and be organized in such a way so that the RHP and authorities can easily find the records they need for a specific transaction.
RHP must make the records described here, or any other records, available to the competent authorities immediately upon request. All the records described in this section must be kept for at least five (5) years, from the date of completion of the transaction, or for longer if directed by the CBUAE or other authority.
4 Reporting Obligations
4.1 Daily Reporting
Under Article 4 of Circular No. 24/2019, RHP are required on a daily basis to upload electronically to the CBUAE, via its Remittance Reporting System (``RRS'') and/or other applicable system, the data and details of all transfers, remitters and beneficiaries as per the forms prepared by the CBUAE for this purpose.
4.2 Quarterly Settlement Statements
Under Article 4 of Circular No. 24/2019, RHP should submit to the CBUAE statements of their settlement accounts on a quarterly basis along with other required forms, as well as provide the CBUAE with any data, information, or statistics it may require at any time and for any specific period.
4.3 Reporting Suspicious Transactions and Registration to GoAML
RHP must monitor transactions that they carry out to identify those that may be suspicious and where a Suspicious Transaction Report (``STR''), or suspicious activity report ("SAR") or other report types may need to be filed with the FIU. Monitoring begins at the CDD stage, but does not end there. RHP must keep records of customer activity so that they can examine it to identify patterns over time that may be cause concern. RHP must take into account all information available, including regarding the originator and beneficiary(ies) of a transaction, in order to determine whether an STR is to be filed.
Situations in which it may be necessary to file an STR/ SAR include:
• A customer begins the CDD process, but cancels the transaction and leaves when he discovers the information that the RHP is required to collect.
• The RHP completes CDD on a customer, but still has doubts as to whether the transaction was legitimate or whether the customer's stated reason for the transaction was the true one.
• A customer carries out transactions larger than his stated income without providing a valid justification.
• A natural person customer regularly orders transactions just below the AED 55,000 threshold for when EDD is required (i.e. either tied to the threshold or if there are other risk factors that may trigger EDD).
• Multiple customers send money to, or receive money from, the same person, and there is no clear connection between the customers.
• The RHP suspects that a customer is carrying out transactions that are disallowed under Part I, section 4.1 of this guidance.
Under Article 15 of the AML-CFT Law and Article 17 of the AML-CFT Decision, if the RHP suspects that a transaction, attempted transaction, activity, or funds (including agents' transactions), constitute, in whole or in part, regardless of the amount, the proceeds of crime, are related to a crime, or are intended to be used in a crime, they must submit an STR, SAR or other report types to the FIU using the ``goAML'' portal. RHP must submit this report without delay, meaning as soon as reasonably possible after the transaction takes place or their suspicions develop. All RHP must register with the goAML portal so that they can easily file these reports.
Reporting a suspicious transaction is not an admission of guilt or wrongdoing. STRs filed by RHP help law enforcement authorities identify and track potential criminal behaviour. As long as the RHP complies with the procedures in this guidance document, it will not generally be held responsible for a transaction that turns out to have been involved in a crime. But a failure to report a transaction that an RHP should know to be suspicious can result in penalties.
For more detail and information, please refer to the ``CBUAE Guidance for Licensed Financial Institutions on Suspicious Transaction Reporting.''
5 Penalties
Under Article 7 of Circular No. 24/2019, violation of any provision may be subject to supervisory action as deemed appropriate by the CBUAE. In addition, without prejudice to other sanctions stated in other laws in the UAE, the CBUAE may impose administrative and financial sanctions and penalties in accordance with the Decretal Federal Law No. (14) of 2018 Regarding the Central Bank & Organization of Financial Institutions and Activities and the CBUAE Regulations issued in implementation thereof.