3.3.1. Customer Due Diligence, Enhanced Due Diligence and Ongoing Monitoring
Effective from 1/8/2022
Under Article 5 of the AML-CFT Decision, LFIs should conduct CDD before or during the establishment of the business relationship or account, or before executing a transaction for a customer with whom there is no business relationship. Payment Sector participants, including providers of SVF, retail payment services, and card schemes, generally establish relationships with their customers rather than treat all customers as occasional or walk-in customers. In these scenarios, LFIs must perform, no matter the customer type, all the elements of CDD required under sections 2 and 3 of the AML-CFT Decision, which include customer identification and verification, beneficial owner identification, understanding of the nature of the customer’s business and purpose of the business relationship, and ongoing monitoring. CDD, and where necessary enhanced due diligence (EDD), are the core preventive measures that help LFIs manage the risks of all customers, particularly higher-risk customers.
In addition to these mandatory elements, LFIs should consider the following additional elements of CDD that are particularly important in the context of NPPS:
• User identification and verification. Many, if not most, NPPS involve the use of digital as opposed to face-to-face methods of onboarding and identifying customers (a.k.a. “electronic Know Your Customer,” or “e-KYC”). Digital delivery of services is increasingly common, but can present higher risks when LFIs do not take appropriate steps to ensure that they fully understand the customer and that the person using the services is in fact the identified customer. In particular, when verifying the Emirates ID card (either physically or by way of digital or e-KYC solutions), LFIs must use the online validation gateway of the Federal Authority for Identity, Citizenship, Customs & Port Security, the UAE-Pass Application, or other UAE Government supported solutions, and keep a copy of the Emirates ID and its digital verification record. Where passports, other than the Emirates ID, are used in the KYC process, a copy must be physically obtained from the original passport, which must be certified (i.e. certified copy) as “Original Sighted and Verified” under the signature of the employee who carries out the CDD process and retained.
• Use of IP addresses and geographical (spatial and temporal) locators. As discussed above, payment services that are internet-based or accessible through smartphones can allow customers to access financial services no matter where they are in the world. LFIs are of course free to allow their customers to access their services while outside the UAE, but should take advantage of geographical location tools at both the onboarding and the ongoing monitoring stages to ensure that they understand the geographic risk they might be exposed to by their customers. This can include:
o Requiring additional authentication or verification when a customer accesses the service from an IP address or device different from the one used at onboarding, or from a different country and/or time zone than the customer’s stated country of residence.
o Reviewing the customer’s log-in locations during CDD refresh to identify any suspicious log-in or movement patterns (for example, high numbers of transactions taking place when the customer is near a border with a high-risk country where the PPS is blocked).
• SVF due diligence: As per Article 14.4 of the SVF Regulation, risk mitigating measures should include: (a) the application of limits on the maximum storage values, cumulative turnover or transaction amounts; (b) disallowing higher risk funding sources; (c) restricting the SVF product being used for higher risk activities; (d) restricting higher risk functions such as cash access; and (e) implementing measures to detect multiple SVF accounts/cards held by the same Customer or group of Customers.
• Merchant due diligence. Payment Sector participants that deal directly with merchants (whether as providers of SVF or card schemes, or conducting merchant acquisition or payment aggregation) may have two main classes of customers: consumers and merchants. It is important to remember that merchants who use the service are customers of the LFI and that merchants that may engage in deceptive or fraudulent business practices, or use their legitimate business as a cover for criminal activities, can expose the LFI to extremely high ML/FT risk. Merchants should therefore be subject to CDD designed to understand the nature of their business and the expected transaction volumes. LFIs should understand the merchant’s current financial and payments operations and in particular ascertain why the merchant is seeking a new provider of financial services, as fraudulent merchants may move from LFI to LFI seeking to conceal their activities. Merchants operating in higher-risk sectors, and those that are cash-intensive businesses, are likely to require EDD that could involve performing a periodic site visit of the merchant’s place of business. For more information, please consult the CBUAE’s Guidance for LFIs providing services to the Real Estate and Precious Metals and Stones sectors, and Guidance for LFIs providing services to Cash-Intensive Businesses.
As per Article 7 of the AML-CFT Decision, all customers must be subject to ongoing monitoring to make sure that CDD information on file is accurate, complete and up-to-date and to ensure that transactions conducted are consistent with the expected customer profile. To support this process, LFIs should apply solutions that ensure the accuracy and completeness of their data. It also may be appropriate to include non-standard elements of monitoring to reflect the risks of payments customers, such as geographic and IP-address monitoring discussed above, and the monitoring of the balance between peer-to-peer and merchant payments in a customer’s account. For merchant relationships, ongoing monitoring should include an examination of the number of ‘chargebacks’ or refunds the LFI has had to award to customers of the merchant, as well as any customer complaints the LFI has received. Where a merchant generates a large number of customer complaints or refund requests, or none at all, it may be a sign that it is operating a fraudulent business.